[CentOS] I've been hacked -- what should I do next?

Fri Dec 1 06:12:13 UTC 2006
John R Pierce <pierce at hogranch.com>

Alfred von Campe wrote:
> My home system has been hacked.  It's running CentOS 4.4, and I 
> recently added an account to play around with Samba shares to back up 
> PCs here at home.  I had set a weak password for that account and 
> forgot to disable it after my testing.  I could hear the disk being 
> accessed constantly, so I knew something was up.  I disabled the port 
> forwarding to my CentOS box on my Linksys router (only ports 22 and 80 
> were being forwarded).  

if for sure only 22 and 80 were forwarded, then it wasn't Samba.  

There's no default account I see here on my 4.4 boxes named backup, was 
that something you'd created?   some package you'd installed?

what was on your website?   any canned php scripting or whatever?

re: cleanup...   look very carefully for directories in odd places with 
. names

I'd run rkhunter to see if tehre's any other well known root kits on 
your system.