Alfred von Campe wrote:
My home system has been hacked. It's running CentOS 4.4, and I recently added an account to play around with Samba shares to back up PCs here at home. I had set a weak password for that account and forgot to disable it after my testing. I could hear the disk being accessed constantly, so I knew something was up. I disabled the port forwarding to my CentOS box on my Linksys router (only ports 22 and 80 were being forwarded).
if for sure only 22 and 80 were forwarded, then it wasn't Samba.
There's no default account I see here on my 4.4 boxes named backup, was that something you'd created? some package you'd installed?
what was on your website? any canned php scripting or whatever?
re: cleanup... look very carefully for directories in odd places with . names
I'd run rkhunter to see if tehre's any other well known root kits on your system.