Got hacked?

[Jim]

Last night I came home from work and sat down at the computer.  I 
noticed the lights on the DSL router were blinking very rapidly.  I have 
an ftp server running on my linux box (Slackware 10.2).  So I thought 
someone might have been uploading something.

Ftpwho showed no users logged in.  I checked the incoming directory and 
saw nothing there.

Tcpdump showed me that they were sending something using ssh.

I used find to look for anything they might have been uploading, but 
found nothing.

/var/log/syslog contained the following over and over for about 4 hours 
before I got home

Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0] 
printing/print_cups.c:cups_cache_reload(85)
Feb 22 20:43:56 ladmo smbd[6375]:   Unable to connect to CUPS server 
localhost - Connection refused

Then I found in /var/log/syslog this over and over

Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow 
information for NOUSER

I stopped sshd and edited /etc/sshd_config by adding the following:
AllowUsers root jim
AllowGroups root

To test the change, I tried to log into the server via ssh and using 
another account.  It wouldn't let me log in using that other account via 
ssh.

I also tried
find / -mmin 1200 -size +100k
and without the size option, but found nothing from the time this was 
going on.

After all this I tried to send an email, but sendmail wasn't working.  I 
backed up my sendmail config files, uninstalled sendmail, reinstalled it 
and restored the config files.  Sendmail worked after that.

Is there anything else I should do?

thanks

-- 


"That income tax you know it's nothing more than legal robbery"
Sidney "Pa" Larkin