First, I feel compelled to warn you that if your server was rooted and you don’t know with pretty high confidence how they got in and what they did, you can’t possibly trust the server anymore and you need to migrate to a new server or reinstall the OS and restore your data and sites and such from backups (being very careful about what you bring over, so you don’t invite the same attacker back in). An exploited server can never really be trusted again… if you really know what you’re doing, and can boot from a trusted read-only image, you can get pretty close to confidence, but other than that, a knowledgeable attacker can hide their tracks so well you cannot see them without outside intervention (i.e. booting from trusted other media).
OK, with that out of the way, to address the fastrpc issue:
Webmin->Webmin->Webmin Servers Index lists all of the servers you have configured connections for. This includes servers used in the Cluster modules, the BIND module, and the database modules.
It won’t list other servers that may have your server listed in their Cluster servers. And it does not mean those fastrpc processes aren’t actually somebody else’s exploited version, which may be providing a back door to control your system.
I assume you have changed your root password? Check /var/log/miniserv.log to see who is making that request. Assuming it hasn’t been modified to hide information from you, of course (if I were an attacker and I were planning to come in through Webmin’s fastrpc in the future, I would make it hide my requests), it will provide the IP(s) that are making those requests… if you don’t recognize them, you can block them.
But, you had cronjobs using fastrpc…so, your system was presumably configured to copy something to other servers (there’s no other reason you’d have Webmin fastrpc functions being called from cronjobs). I don’t think you cleaned up your exploited system as well as you think you did.
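The log check described above can be scripted; the following is an added example, not part of the original post or of Webmin itself. It assumes miniserv.log uses a Common Log Format style line and that RPC calls arrive at /fastrpc.cgi or /rpc.cgi; `known_ips` is a hypothetical allowlist of cluster peers you configured yourself, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed line layout (CLF-like); adjust the regex if your log differs:
#   host - user [timestamp] "METHOD /path HTTP/x.y" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)
RPC_PATHS = ("/fastrpc.cgi", "/rpc.cgi")  # Webmin RPC endpoints


def rpc_callers(lines, known_ips=()):
    """Summarise RPC requests per source IP and flag IPs not in known_ips."""
    known = set(known_ips)
    seen = defaultdict(lambda: {"count": 0, "users": set(), "statuses": set(),
                                "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        # Skip unparseable lines and requests to anything but the RPC endpoints.
        if not m or not m["path"].split("?", 1)[0].endswith(RPC_PATHS):
            continue
        entry = seen[m["ip"]]
        entry["count"] += 1
        entry["users"].add(m["user"])
        entry["statuses"].add(int(m["status"]))
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        entry["unknown"] = m["ip"] not in known
    return dict(seen)


# Constructed sample lines (documentation-range IPs), not taken from a real log.
SAMPLE = """\
192.0.2.10 - root [02/Mar/2015:03:00:01 -0600] "POST /fastrpc.cgi HTTP/1.0" 200 5
192.0.2.10 - root [02/Mar/2015:03:00:02 -0600] "GET /sysinfo.cgi HTTP/1.1" 200 4120
203.0.113.77 - root [02/Mar/2015:03:14:40 -0600] "POST /fastrpc.cgi HTTP/1.0" 200 5
203.0.113.77 - root [02/Mar/2015:04:14:41 -0600] "POST /rpc.cgi HTTP/1.0" 200 312
198.51.100.4 - - [02/Mar/2015:05:20:00 -0600] "POST /fastrpc.cgi HTTP/1.0" 401 0
""".splitlines()

if __name__ == "__main__":
    # 192.0.2.10 stands in for a cluster peer you configured yourself.
    for ip, e in rpc_callers(SAMPLE, known_ips={"192.0.2.10"}).items():
        flag = "UNKNOWN" if e["unknown"] else "known"
        print(f"{ip:15} {flag:7} n={e['count']} users={sorted(e['users'])} "
              f"status={sorted(e['statuses'])} {e['first']} .. {e['last']}")
```

An empty result from a log on the compromised host proves nothing, for the reason given above: the log may have been altered. Compare against firewall or upstream network logs where you have them.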