LKM and Bindshell!!! I NEED HELP

Hello everyone, I have some crazy stuff going on around me. One of my resellers gave a testing account to a Russian person; that person used an evil script to upload an LKM and bindshell to the server and install them. What should I do now? A lot of hosting forums in Russia are now selling the root password for one of my servers for $$$$. I need help to remove it. I have 260 clients on this server. Most of them are small forex traders. I need somehow to remove it and make my server more secure. Please, anyone who can help me. Also, if anyone is interested in this evil script, do not ask me to email it to you; it is a very bad script and I will not give it out to people on the Internet. I tried to contact the author of the evil script and he told me "F@#% OFF", that's all.

Here is a copy from my chkrootkit from the day before this.
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero
nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth1: not promisc and no PF_PACKET sockets
And this is from today.

Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth1: not promisc and no PF_PACKET sockets

Also I tried it with rootkit.nl and it found the same problems.
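
An added example, not part of the original post: a small Python helper that compares two saved chkrootkit runs and reports only the checks whose result changed, joining multi-line results such as the `lkm` warning above. The sample input is constructed from the two excerpts quoted in the post; the function names are hypothetical.

```python
import re

# Constructed sample input: the two chkrootkit excerpts quoted in the post above.
RUN_BEFORE = """\
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth1: not promisc and no PF_PACKET sockets
"""
RUN_TODAY = """\
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth1: not promisc and no PF_PACKET sockets
"""

CHECK_RE = re.compile(r"^Checking `([^']+)'\.\.\.\s*(.*)$")

def parse_run(text):
    """Map each check name to its full result, joining continuation lines."""
    results, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHECK_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = m.group(2)
        elif current is not None:
            # Lines without a "Checking" prefix belong to the previous check.
            results[current] += " | " + line
    return results

def changed_checks(before, after):
    """Return {check: (old, new)} for checks whose result differs between runs."""
    old, new = parse_run(before), parse_run(after)
    return {name: (old.get(name), new.get(name))
            for name in sorted(set(old) | set(new))
            if old.get(name) != new.get(name)}

if __name__ == "__main__":
    for name, (was, now) in changed_checks(RUN_BEFORE, RUN_TODAY).items():
        print(f"{name}: {was!r} -> {now!r}")
```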
