One of my servers which hosts 200 domains is being attacked by hacker(s). It seems any world writeable files are being replaced or modified by the linux account nobody. How can I secure this account? Is it safe to change the password? I know many processes depend on using the nobody account to run.
Unfortunately the problem is that your PHP scripts are running as nobody. Changing the password for nobody won't help at all.
Are you running a cpanel server? If so, turning on "suexec" and "phpsuexec" will cause your user PHP scripts to run as their own userid and thus they won't have any access at all to other user directories. There are a few things to watch out for - file permissions and use of php directives in .htaccess files are the main ones. You can find more info in the cpanel forums at http://forums.cpanel.net - you should be able to fix the permissions with a system script (which WHM may run for you).
If you can find the user account being used for this attack you can disable it - probably a good idea anyway. You may be able to see longrunning scripts hanging around on the system if you check and that's a dead giveaway.