hacked

Steve Buehler steve at ibushost.com
Thu Oct 12 05:21:31 UTC 2006


OK. It looks like I have been hacked and they have put a 
directory in my webspace that is just a space. In there are 2 
directories and 1 file:
-rwxr-xr-x  1 root root    0 Oct 12 00:01 php.php
drwxr-xr-x  2   48   48 4096 Oct 11 23:54 signin.ebay.com
drwxrwxrwx  2 root root 4096 Oct 11 23:54 www.paypal.com

I can delete everything in the 2 directories, and edit/change the 
php.php file to empty it out because it was a PHP script that allowed 
someone to do anything on the server they wanted, but I cannot for 
the life of me delete them. I thought maybe they replaced the 
/bin/rm file, but it does not appear to be a hacked "rm".

Also, every minute the following cron job runs and I am not sure how 
or where it is being run from.
chown root:root /tmp/local/local5 && chmod 4755 /tmp/local/local5 && 
rm -rf /etc/cron.d/core && kill -USR1 30447

There is no /tmp/local directory and in my /etc/cron.d directory, 
there are 2 files:
-rw-------  1 root httpd 696320 Oct  6 09:45 core.30448
-rw-------  1 root httpd 909312 Oct 11 14:14 core.8811

I do not see anything like that on my other servers.

My firewalls don't allow ssh access from anywhere other than my address, and 
only with a public/private key pair.

Any help would be appreciated, since this person is going to get me 
blocked because of them trying to phish for eBay and PayPal logins/passwords.

Thanks
Steve
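The checks a responder would run against the symptoms in the post above (files that refuse to delete even though /bin/rm looks intact, a setuid 4755 file being created in /tmp, a 0777 phishing directory, and a cron command with no visible source), written as a small POSIX shell triage script. This is an added example, not code from the poster or from Red Hat; it uses only stock tools (lsattr/chattr from e2fsprogs, find, crontab, ps, rpm), and the lsattr and cron lines it is exercised with are constructed from the paths in the post. The webroot /var/www/html is an assumed default.

```shell
#!/bin/sh
# Added triage helpers (example code, not the poster's). Assumes a Red Hat
# style layout and the stock e2fsprogs/findutils/cronie tools.

# Return 0 when an lsattr(1) output line carries the immutable (i) or
# append-only (a) flag. A file with either flag cannot be unlinked or
# truncated even by root until `chattr -i -a FILE` clears it, which is a
# common reason a cleanup "rm" fails while /bin/rm itself is untouched.
attr_line_locked() {
    flags=${1%% *}                      # attribute string is the first field
    case $flags in
        *i*|*a*) return 0 ;;            # case-sensitive: 'I' and 'A' mean other things
        *)       return 1 ;;
    esac
}

# Print every entry directly under DIR (dotfiles included) whose attributes
# would block rm. Keeps the full path even when it contains spaces, as the
# poster's directory named " " does.
locked_entries() {
    dir=$1
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not installed" >&2; return 2; }
    lsattr -d "$dir"/* "$dir"/.[!.]* 2>/dev/null | while IFS= read -r line; do
        attr_line_locked "$line" && printf '%s\n' "${line#* }"
    done
}

# Setuid executables and world-writable directories under DIR. The cron
# command in the post creates exactly this combination: chmod 4755 on a file
# in /tmp, and the phishing directory was dropped with mode 0777. Add
# `-user root` to the first find to restrict it to setuid-root binaries.
suspicious_modes() {
    dir=$1
    find "$dir" -xdev -type f -perm -4000 -print 2>/dev/null | sed 's/^/setuid:   /'
    find "$dir" -xdev -type d -perm -0002 -print 2>/dev/null | sed 's/^/worldwr:  /'
}

# Extract the PID from a captured cron command of the form "... kill -SIG PID"
# so the signalled process can be inspected with ps before it is stopped.
kill_target_pid() {
    printf '%s\n' "$1" | sed -n 's/.*kill -[A-Za-z0-9]* \([0-9][0-9]*\).*/\1/p'
}

# Every location a per-minute job can be scheduled from on a Red Hat style
# system, printed with comment lines stripped. Run as root to see user crontabs.
cron_sources() {
    for f in /etc/crontab /etc/anacrontab /etc/cron.d/* /var/spool/cron/*; do
        [ -f "$f" ] || continue
        printf '== %s\n' "$f"
        grep -v '^[[:space:]]*#' "$f"
    done
}

# Full host walk; run as root. Only invoked with --run so the helpers can be
# sourced and tested without touching the live filesystem.
triage_host() {
    webroot=${1:-/var/www/html}         # assumed default webroot
    echo "## entries under $webroot protected by chattr"; locked_entries "$webroot"
    echo "## setuid files / world-writable dirs under /tmp and $webroot"
    suspicious_modes /tmp; suspicious_modes "$webroot"
    echo "## cron sources"; cron_sources
    echo "## is /bin/rm still the packaged binary?"; rpm -V coreutils 2>/dev/null || true
}

if [ "${1:-}" = "--run" ]; then
    triage_host "${2:-}"
fi
```

Run it as `sh triage.sh --run /path/to/webroot` on the affected host. Anything `locked_entries` reports needs `chattr -i -a` before `rm` will succeed, and a setuid file that `suspicious_modes` finds under /tmp should be preserved (not executed) for analysis. For the cron command quoted in the post, `ps -p "$(kill_target_pid "$line")" -o pid,user,etime,args` shows which process the `kill -USR1` is aimed at; that process, not the cron entry, is usually what keeps re-creating the files, so identify and stop it before deleting anything again.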




More information about the redhat-list mailing list