My linux server was just hacked, ask me anything!

Here's the list of what was running on it...

Fedora Core 2
* sshd (SSH Server)
* vsftpd (FTP Server... yes, I know... insecure... but what I am doing requires FTP)
* httpd (HTTP Server)
* webmin (Web-based server admin)

And, all packages were updated to their latest versions about a week ago.

The person who hacked created a user named "Timo Thal", and installed a whole crapload of replacement services and shells that log everything and send it over IRC.

Fun stuff, huh?

We just go into the allowed hosts and put "none" for everything, then only allow logins from a couple secretly known ISPs. We get all kinds of attempted logins. A lot from France for some reason....

on edit: I guess I should ask a question. What processors/OS are you running?

Also, we're not hosting web pages, so that simplifies things.

more ways to lock down the server just yesterday.

That was one of the ideas that came up

Gotta hand it to those guys, they're good.

lol.
Angry bicyclist.. http://www.worldcycling.com

Damn, that really really sucks. I guess it just goes to show that just about ANY server, no matter how secure it may be, can get cracked if the cracker has enough motivation (or free time).

My sympathies.

yet

First idea, buy a small server to host your web pages and
place it in the untrusted area of the network.

Second, you have SSH, so see if you can't use scp instead of ftp
for all file transfers, both external and internal (if you HAVE to
allow random internet users download files, start thinking of a
"outside the firewall" ftp server).

Linux is a fine OS, but you might want to consider FreeBSD, as it's
a bit more secure than Linux, especially if you any of your own
OS upgrades. But no matter what, systems are destined to be hacked,
all you can do is make yours harder to hack than the vast majority,
and keep yours updated (as you did) with the latest versions of
stuff... and, finally, don't keep anything real important (like, say,
voting machine results) on any computer connected to the internet.

The server was only used to test FTP/HTTP connectivity from another set of devices, so those two services were a requirement.

by running root-tail on my root window. That's just one of the things I keep track of, but it helps. It gives me color-coded info about what is going on with my servers, in real time. Here's a screenshot, it doesn't show much right now aside from routine web activity, unfortunately.