Name: Thierry
When I got disconnected from my SSH session, and each ping took 5 seconds between them but with a round trip of 16 ms, I knew it was not my connection that had a problem.
And a couple of hours later, after I sent the data center a mail, they told me that there was a DoS occurring.
But what surprised me is when he told me that it came from my server.
My data center gave me back SSH access (and SSH only), and I spent the evening trying to find where they entered, but to no avail.
I have no idea how they got in, and that pisses me off.
I hope I covered it by changing the certificates and keys, and by removing the sudo with no password policy.
I've just recompiled a new kernel, so if they had tainted the old one, it should do the trick.
And this time, I will run Tripwire. It takes a checksum of the most vital files and reports each change in size, date/time and owner.
The only problem is that I'm not sure that the current system state is "clean".
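The kind of check the post describes (a checksum plus size, date/time and owner per file), as an added example that is not part of the original post and is not Tripwire's own code. The function names and the sample files are constructed for illustration; a baseline taken on a system whose state is uncertain only reveals changes made after it was taken.

```python
import hashlib, os, tempfile

def snapshot(paths):
    """Record SHA-256, size, mtime and owner for each existing file."""
    db = {}
    for p in paths:
        if not os.path.exists(p):
            continue
        st = os.stat(p)
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        db[p] = {"sha256": digest, "size": st.st_size,
                 "mtime": st.st_mtime_ns, "owner": (st.st_uid, st.st_gid)}
    return db

def compare(baseline, paths):
    """Return {path: [what changed]} relative to the stored baseline."""
    current, findings = snapshot(paths), {}
    for p, old in baseline.items():
        if p not in current:
            findings[p] = ["missing"]
        else:
            changed = [k for k in old if old[k] != current[p][k]]
            if changed:
                findings[p] = changed
    for p in current:
        if p not in baseline:
            findings[p] = ["new"]
    return findings

def demo():
    """Constructed sample files standing in for monitored system files."""
    with tempfile.TemporaryDirectory() as d:
        cfg, sudo, extra = (os.path.join(d, n) for n in ("sshd_config", "sudoers", "extra"))
        with open(cfg, "wb") as f:
            f.write(b"PermitRootLogin  no\n")
        with open(sudo, "wb") as f:
            f.write(b"%admin ALL=(ALL) ALL\n")
        base = snapshot([cfg, sudo])
        st = os.stat(cfg)
        with open(cfg, "wb") as f:            # same-length edit ...
            f.write(b"PermitRootLogin yes\n")
        os.utime(cfg, ns=(st.st_atime_ns, st.st_mtime_ns))  # ... with mtime restored
        os.remove(sudo)
        with open(extra, "wb") as f:
            f.write(b"unexpected file\n")
        result = compare(base, [cfg, sudo, extra])
        return {os.path.basename(p): v for p, v in result.items()}
```

In the demo, the edited file keeps its size, timestamp and owner, so only the checksum reveals the change; the baseline itself should be stored off the monitored host.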