During a routine "find" command I discovered a number of files in my OSC installation that had no business being there.

There were in osc/catalog/pub/.../.sh/, and appeared to be the components of a program called "PsyBNC".

(... is literally a directory named that, so you have to ls -a to see it; ditto its subdirectory .sh)

So it looks like I've been hacked. I'm running 2.0RC3.

I don't remember if the pub directory was always there. If it was I am somewhat comforted as the permissions would isolate most attackers, but if the exploit is such that they can create new directories in the osc/catalog hierarchy, that is very frightening.

What can I do?