Most sites have been restored, if you tried to go to your website and got here, that means I have temporarily turned off your site. please go restore from your backups, and if you're running any kind of dynamic site powered by PHP, such as Mambo, Wordpress or PostNuke, please upgrade to the latest version also. Let me know when you do this and I can turn your site back on for you first.

the attack was most likely from the XML-RPC exploits in php packages, probably from old installation of Wordpress. And it used several Linux kernel exploits to gain root access. I have deleted all xmlrpc.php, please make sure the version you're restoring are free from exploits.

I have upgraded my kernel and there is no known kernel-level local/remote exploit now.

I also recommend changing your shell passwords.

-Andrew Ng