Ok... I know for a fact that my server's been compromised. I'll admit that I am simply a cpanel web sys admin and not a security expert.
I have noticed that I have some rogue processes running like eggdrop and psybnc. I do not know how it was installed but I do know that it was installed under the /usr/sbin/clamav and /usr/sbin/awstats folders.
The owners of these files are clamav and awstats. I run CSF v4.66 and my server score is currently 93/122. However, it was running an older version 4.2x at the time I discovered that my server was compromised.
I have since upgraded to the latest CSF version and I have upgraded cpanel to the latest release version. For some reason, it wasn't configured and normally, I do have it automatically set for cpanel and security updates.
I already managed to remove psybnc and delete the process but I see that it is still trying to run even though the directory has been deleted. I used crontab -e to see if any cronjobs are running for it but I do not see it. I'm not sure where/how to remove this completely.
Fortunately, I know about eggdrops and psybnc enough to know how to install/use/configure. But this install is very complex, I know it is a botnet of some kind but it's hard for me to understand.
Hmm, as I type this, I'm discovering more things like seeing Anope installed.
I guess the biggest question right now here is this..
- how do I find out how this was installed?
- Do I have a "hidden" user that is logging on my server uploading these files and creating these directories?
- are clamav and awstats users that can log into the system? or are these cpanel accounts?
To me... all these files as I look through them tell more and more of a story of what's going on. But I don't want to delete so quickly to see how this has all happened.
What I do want to do right now is... stop this all so the hacker cannot use these services... and I can "comb" through these in more detail. I have a cpanel box mainly to service web clients and that's all I really use it for. I cannot take the server down because of that reason. But I do want to get to the bottom of this... fairly quickly w/o disrupting service or risk getting my server hacked more.
If anyone can advise/suggest anything.. please let me know.
[/usr/sbin/clamav/public_html]# ls -lsa
total 10492
4 drwxr-xr-x 9 root clamav 4096 Apr 26 05:16 ./
4 drwx------ 7 root clamav 4096 May 1 18:02 ../
4 drwxr-xr-x 2 root clamav 4096 Oct 27 2008 bnc/
4 drwxr-xr-x 10 root clamav 4096 May 1 17:54 cewek/
7764 -rw-r--r-- 1 root clamav 7934929 Oct 6 2008 cewek.tar.gz
4 drwxr-xr-x 2 root clamav 4096 Oct 16 2008 cgi-bin/
4 drwxr-xr-x 3 root clamav 4096 Apr 27 02:30 compile/
4 drwxr-xr-x 9 root clamav 4096 May 1 17:54 eggdrop/
2472 -rw-r--r-- 1 root clamav 2523167 Feb 4 08:09 egg.tar.gz
4 drwxr-xr-x 3 root clamav 4096 Mar 10 22:44 Network/
220 -rw-r--r-- 1 root clamav 218464 Dec 16 16:58 psy.tar.gz
4 drwxr-xr-x 7 root clamav 4096 May 1 11:25 www/
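The checks below are an added example for the three questions in the post (can the service accounts log in, where else can a job be scheduled besides the crontab that `crontab -e` shows, and why a process keeps running after its directory was deleted); they are not the poster's or cPanel's code. They assume a Linux host with /proc and the standard cron paths, and take the passwd file as a parameter so they can be run against a constructed copy.

```shell
#!/bin/sh
# Added triage helper, not from the original post. Assumes a Linux box with
# /proc; the passwd file is a parameter so it can be run on a constructed copy.

# Report whether an account can log in: "login" if its shell is a real shell,
# "nologin" for nologin/false-style shells, "absent" if the account is missing.
# Service accounts such as clamav and awstats would normally report "nologin".
# An empty shell field means /bin/sh per passwd(5), so it counts as "login".
account_shell_status() {
    user=$1; passwd_file=${2:-/etc/passwd}
    shell=$(awk -F: -v u="$user" \
        '$1 == u { print $7; found = 1; exit } END { if (!found) print "__absent__" }' \
        "$passwd_file")
    case "$shell" in
        __absent__) echo absent ;;
        */nologin|*/false) echo nologin ;;
        *) echo login ;;
    esac
}

# crontab -e only edits the invoking user's crontab. A job planted under another
# account or in a system cron directory is only visible by walking all of them.
list_all_cron() {
    passwd_file=${1:-/etc/passwd}
    for u in $(cut -d: -f1 "$passwd_file"); do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/[crontab:$u] /"
    done
    for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* /var/spool/cron/*; do
        [ -f "$f" ] && sed "s|^|[$f] |" "$f"
    done
    return 0
}

# A process whose binary was deleted keeps running from memory; its
# /proc/<pid>/exe link then ends in " (deleted)". Print pid, name and path.
deleted_exe_procs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            *'(deleted)') echo "${p#/proc/} $(cat "$p/comm" 2>/dev/null) $exe" ;;
        esac
    done
    return 0
}
```

Run `deleted_exe_procs` as root to see the pid of the process still executing from the removed psybnc directory, then look at its parent (`ps -o ppid= -p PID`) to find what keeps restarting it.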