my server was cracked; now what?

Aaron Vegh aaronvegh-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Mon Jul 17 18:26:26 UTC 2006


Hi there,
I discovered this afternoon that my server was rooted. I don't think
they were in there very long, but after noticing some of my services
down, I went in and, through the .bash_history file, saw some commands
that were not issued by me. I changed the password on the root
account, rebooted the box and made sure all services were running.
Other than seeing some passwords missing in my MySQL database, I don't
know what else was done.

Does anyone have any guidance for what to do with a machine after it's
been rooted? I feel violated, but the server is also running important
parts of my business, so I have to keep it going. I'd also love to
know how they got in...

Thanks,
Aaron.
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml




