I was just hoping that I don't have to reinstall it.
Unfortunately, a root account compromise means unlimited access to any resources, so yes, you will have to.
There is no chance of recovering from this situation.
Please start by reading Steps for Recovering from a UNIX or NT System Compromise (CERT):
http://www.cert.org/tech_tips/root_compromise.html. Then:
- stop using the box and do not allow the box to be used. This and the next two steps should be executed ASAP; there are no valid reasons to wait.
- raise your firewall to only allow access from your management IP or range, then bring down all services that are not vital to management. Basically you will only need SSH to back up stuff.
- notify any users that the box was compromised. They should inspect their boxen for anomalous activity and change passwords.
- Prepare backups, but make sure not to back up binaries. Store backups separately and do not use them for recovery, only for reference, unless you have means to verify their contents' integrity. Do not use old backups for recovery unless you can make one hundred percent certain the compromise was not due to flawed software or a misconfiguration before the backup date.
- Repartition, reformat, re-install from scratch.
- Harden your box properly. See the LQ FAQ: Security references:
http://www.linuxquestions.org/questi...threadid=45261
If you would like to gain more in-depth knowledge about your compromise, please read Intruder Detection Checklist (CERT):
http://www.cert.org/tech_tips/intrud...checklist.html Post any info you've got, but please perform the steps above first and with the highest priority.
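As an added example (not part of the thread above and not from the CERT documents it links), here is a POSIX shell script that carries out the three time-critical steps the reply lists: restrict inbound traffic to SSH from one management range, stop every non-vital service, and take a data-only backup that leaves binaries out and records a checksum of the archive. The management range 203.0.113.0/24, the service list, and the backup destination /mnt/backup are assumptions to replace; with the default DRY_RUN=1 the script only prints the firewall and service commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original thread: lock a compromised host down to one
# management range, stop everything but SSH, and take a data-only (no executables)
# backup with a recorded checksum. MGMT_NET, SERVICES and the destination are
# assumptions; edit them before use. DRY_RUN=1 (default) only prints the commands.

MGMT_NET="${MGMT_NET:-203.0.113.0/24}"                # assumed management range
SERVICES="${SERVICES:-httpd sendmail named vsftpd}"   # assumed non-vital services
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: default-deny inbound, keep the current session, allow SSH from MGMT_NET only.
# The accept rules go in before the policy flips so the live SSH session is not cut.
firewall_rules() {
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -s "$MGMT_NET" -j ACCEPT
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
}

# Step 2: stop every service that is not needed for the backup over SSH.
stop_services() {
    for s in $SERVICES; do
        if command -v systemctl >/dev/null 2>&1; then
            run systemctl stop "$s"
        else
            run /etc/init.d/"$s" stop
        fi
    done
}

# Step 3: data-only backup. Only regular files with no execute bit are archived, so
# binaries and any scripts the intruder dropped stay out; the archive is checksummed
# so its integrity can be verified later. Usage: data_backup DEST_DIR SRC_DIR...
# Prints the archive path. DEST_DIR should be removable or remote media, not the
# compromised disk.
data_backup() {
    dest=$1; shift
    mkdir -p "$dest"
    archive="$dest/data-$(uname -n)-$(date +%Y%m%d%H%M%S).tar.gz"
    find "$@" -type f ! -perm -100 ! -perm -010 ! -perm -001 -print0 \
        | tar --null -T - -czf "$archive"
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$archive.sha256")
    printf '%s\n' "$archive"
}

# plan = print what would be done (default), apply = really do it (run as root).
lockdown() {
    case "$1" in
        apply) DRY_RUN=0 ;;
        plan|"") DRY_RUN=1 ;;
        *) echo "usage: $0 plan|apply" >&2; return 2 ;;
    esac
    firewall_rules
    stop_services
    # Assumed data locations; /var/log is included because the logs are evidence.
    data_backup /mnt/backup /etc /home /root /var/log /var/mail
}

if [ "$#" -gt 0 ]; then lockdown "$@"; fi
```

Run it as `sh lockdown.sh plan` first and read the printed commands, then `sh lockdown.sh apply` as root from a session coming in from the management range. The exec-bit filter is deliberately blunt: a few legitimate data files with a stray execute bit will be skipped, which is the right trade-off for a backup that is meant for reference only.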