Hello and welcome to LQ. Sad to see it had to be on such an occasion.
My home server has been hacked
Then act accordingly. A compromised box needs to be reinitialised. Don't try to "fix" or "restore" unless you have the expertise to determine how serious the breach of security is.
1. Please read the first two docs first:
- Intruder Detection Checklist (CERT):
http://www.cert.org/tech_tips/intrud...checklist.html
- Steps for Recovering from a UNIX or NT System Compromise (CERT):
http://www.cert.org/tech_tips/root_compromise.html
- LQ FAQ: Security references:
http://www.linuxquestions.org/questi...threadid=45261
2a. After that:
- shut down the box and only reboot it (for making backups) using a Live CD
- Backup /etc, /home for reference purposes only (not restore). Do not backup binaries. Backup temp dirs and /var if you want to peruse the logs and auth info.
- Repartition, reformat, re-install from scratch.
- Harden.
2b. If you OTOH want us to help you determine how serious the breach of security is, post the following information. Please answer as fast as possible, do not skip questions, post exact results and *then* shut down the box (only to be booted again using a Live CD):
- purpose of the box?
- date of incident?
- distro+release+kernel?
- do you make regular backups?
- do you run a file integrity checker like Aide, Samhain or tripwire and if so what does a check say? If not, what does your distro's package manager say if you verify packages?
- do you run Chkrootkit or Rootkit Hunter and if so what does a check say?
- do you run an IDS?
- What anomalies can you see in system, daemon and firewall logs?
- What accessible software was installed and was it up to date?
- What services were running at the time of compromise?
- Did you find any setuid root files in temp dirs?
- Can you see any activity from user shell history files?
- What does "lsof -n" say?
- And "ps axfwwwe"
For any logs larger than 10 lines please tarball them up and provide a download location.
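Added example for this thread (not part of the post above): a small sh script that carries out the evidence-gathering side of the checklist in the order the post prescribes: snapshot the volatile state (lsof -n, ps axfwwwe, setuid files in temp dirs, shell histories) on the live box before it is shut down, then from a Live CD take a reference-only copy of /etc, /home, /var/log and the temp dirs, and decide which logs are over the 10-line limit and belong in the tarball. It assumes GNU find/tar/coreutils; lsof, ss, rpm and debsums are used only if installed. The mount point /mnt/suspect and the output paths are assumptions, not values from the thread.

```shell
#!/bin/sh
# Triage collection for a suspected root compromise.
# Added example; not from the original post. Assumes GNU findutils/tar.
# Order matters: run collect_volatile on the live box *before* powering off,
# then boot a Live CD and run the rest against the suspect root mounted
# read-only, e.g.:  mount -o ro,noexec,nosuid /dev/sda1 /mnt/suspect

# Print setuid files under the given directories as "mode owner mtime path",
# newest first. Temp dirs are the usual drop location for privilege-escalation
# helpers, which is why the checklist asks about them specifically.
find_setuid() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -perm -4000 \
            -printf '%m %u %TY-%Tm-%Td %p\n' 2>/dev/null
    done | sort -k3,3r
}

# Snapshot the volatile state the checklist asks for (open files and sockets,
# full process tree with environments) into directory $1. None of this
# survives a reboot, so it cannot be recovered later from the Live CD.
collect_volatile() {
    out=$1
    mkdir -p "$out" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$out/collected_at"
    uname -a > "$out/uname"
    command -v lsof >/dev/null 2>&1 && lsof -n -P > "$out/lsof-n.txt" 2>&1
    ps axfwwwe > "$out/ps-axfwwwe.txt" 2>&1
    command -v ss >/dev/null 2>&1 && ss -tulpan > "$out/ss.txt" 2>&1
    find_setuid /tmp /var/tmp /dev/shm > "$out/setuid-tmp.txt"
    # Shell history for root and every account with a home directory.
    for h in /root /home/*; do
        [ -f "$h/.bash_history" ] && cp "$h/.bash_history" "$out/history-$(basename "$h")"
    done
    echo "$out"
}

# Verify installed packages against the package manager's own checksums.
# Caveat: with root compromised, rpm/dpkg and their databases may have been
# tampered with too, so a clean result is weak evidence; a dirty one is useful.
verify_packages() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Va
    elif command -v debsums >/dev/null 2>&1; then
        debsums -c
    else
        echo "no supported package verifier found" >&2
        return 2
    fi
}

# True (exit 0) if the log has more than 10 lines and so belongs in the
# tarball rather than pasted into the post.
needs_tarball() {
    [ "$(wc -l < "$1")" -gt 10 ]
}

# Reference copy of config, user data and logs for analysis only, never for
# restore. $1 = suspect root (mount point on the Live CD), $2 = output tarball.
# Binaries are deliberately left out, as the post says.
archive_for_analysis() {
    root=$1; tarball=$2
    set --
    for d in etc home root tmp var/tmp var/log; do
        [ -d "$root/$d" ] && set -- "$@" "$d"
    done
    [ $# -gt 0 ] || { echo "nothing to archive under $root" >&2; return 1; }
    tar -C "$root" -czf "$tarball" "$@" && sha256sum "$tarball"
}

# Typical use, live box first, then from the Live CD (paths are assumptions):
#   collect_volatile /root/triage-$(hostname)
#   archive_for_analysis /mnt/suspect /media/usb/suspect-ref.tgz
```

Record the sha256sum output alongside the tarball before it leaves the machine so that whoever analyses it can show the copy was not altered in transit.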