My server had recently been hacked and the root password changed. I was able to recover the server and change the password, however it seems the offender has been spamming since the server has been recovered. Offender was also able to create a PayPal pfishing site in a website sub-diractory (since removed). Also, this is the second time the server has been compromised and after the first breach I modified the hosts.deny to exclude sshd access to only two ip addresses. However, the hack was able to change root once again. I'm not a UNIX guru and could use some suggestions on how to clean and secure from future negative events.
There are so many different answers to that question It depends on your level of paranoia some say, but it is actually not paranoia, if you know how easy it is to become owned. Really after being rooted, unless this is not possible I would wipe the drive with Dariks nuke after performing proper forensics. So first thing is disable the network connection, don't power down so you can still catch anything in memory before you do any shutting down(this is if you have a box to run server on while investigating or can take a few hours downtime). This is where things go down different avenues of opinion, you see any utilites you use inside os probably won't detect much because the kernel could have a dynamically loaded module which is rootkit hiding all activities of attacker. You can check /var/log/authlog, /var/log/messages, /var/log/syslog, /root/.bash_history, or any /home or other folder with .bash_history in it, this is all if they are complete noob/script_kiddie. If they are the real deal, this will have been thoroughly cleaned by attacker. You can't just think ssh is the only way in, did you find this was how they got in from logs? So they could have control of your os outside your os on empty part of partition man, and dynamically load and listen to port like netcat every time you boot up. You need to use other box while you investigate way further than it seems like you are doing, you must, must wipe hard drive after investigation and reinstall clean os. Then put bastille and/or tripwire and/or AIDE, harden your /etc/sysctl.conf file, there is how to on net to just copy and paste directives into /etc/sysctl. First and foremost do investigation outside of native os, it has been infiltrated and backdoors possibly installed in any number of 100's of thousands of places. So after you finally shut down from studying running memory with sleuthkit or BackTrack 3 live cd, load up BackTrack 3 live cd and learn how to use forensics tools that come on cd, that way you never get owned, well hardly ever.
All those twicks will be useless if you are not able to determine how the server was hacked in the first place. I am suspecting that a vulnerability on your server is what is being used to break into your system
