Quoting "Loren H. Burlingame" <there.can.be.only.two.apparently at gmail.com>:

> I recently noticed that a system I am responsible for was sending out
> a bunch of spam messages. I logged into it and sure enough it was a
> cracked user account which was responsible.
>
> I immediately locked down SSHD to certain users with strong passwords
> (should have done this before, I know), killed the offending processes
> and looked for replaced executables.
>
> Fortunately, the "hacker" (more like script kiddie) was not able to
> get access to root by the look of it. Also they managed to not delete
> their .bash_history file.
>
> It appears the programs he was downloading and running were meant to
> brute force crack passwords and look for Samba vulnerabilities.
>
> The system definitely is not sending anymore spam but I am not
> convinced that I have undone everything that was done. Take a look at
> the bash history and let me know what you think.

<snip history>

Once a system is compromised it can no longer be trusted. Odds are good that
this kiddie didn't do anything too exotic; he left some fairly traceable
footprints, but then again maybe he left those footprints to keep you from
looking at the really sneaky stuff he did.

This system will need to be reloaded, no two ways about it. Data should be
restored from backups.

Josh
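
The sshd lockdown described in the original message (restricting logins to
named users and not relying on password guessing being hard) is the kind of
thing worth checking on the rebuilt box too. The script below is an added
example, not code from either poster: it audits an sshd_config for the
first-match value of PermitRootLogin, PasswordAuthentication and
AllowUsers/AllowGroups, using two constructed sample configs (one as a stock
install might look, one after the lockdown). It assumes the plain
"keyword value" syntax and does not follow Match blocks.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the lockdown
# the original poster describes. Sample configs below are constructed.

# Effective value of a keyword. sshd uses the first match, so stop at the first
# uncommented occurrence. Assumes "Keyword value" form; Match blocks are ignored.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Prints one line per weak or missing setting; exit status = number of findings.
audit_sshd_config() {
    cfg="$1"; findings=0
    case "$(sshd_value "$cfg" PermitRootLogin)" in
        no) ;;
        *) echo "PermitRootLogin should be 'no'"; findings=$((findings + 1)) ;;
    esac
    case "$(sshd_value "$cfg" PasswordAuthentication)" in
        no) ;;
        *) echo "PasswordAuthentication should be 'no' (use keys)"; findings=$((findings + 1)) ;;
    esac
    if [ -z "$(sshd_value "$cfg" AllowUsers)" ] && [ -z "$(sshd_value "$cfg" AllowGroups)" ]; then
        echo "No AllowUsers/AllowGroups: every local account may log in"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Finding count as a printed number (safe to call under set -e).
count_findings() {
    n=0
    audit_sshd_config "$1" >/dev/null || n=$?
    echo "$n"
}

# Constructed sample configs (hypothetical, for illustration only).
WORKDIR=$(mktemp -d)
WEAK_CFG="$WORKDIR/sshd_config.weak"
HARDENED_CFG="$WORKDIR/sshd_config.hardened"

cat > "$WEAK_CFG" <<'EOF'
# Constructed sample: stock-looking config, root login left at default
Port 22
#PermitRootLogin no
PasswordAuthentication yes
EOF

cat > "$HARDENED_CFG" <<'EOF'
# Constructed sample: after the lockdown
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice bob
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || true
echo "findings: $(count_findings "$WEAK_CFG")"
echo "== hardened config =="
audit_sshd_config "$HARDENED_CFG" || true
echo "findings: $(count_findings "$HARDENED_CFG")"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`;
a non-zero exit status means something is still open. The commented-out
`#PermitRootLogin no` in the weak sample is deliberate: a commented line is not
a setting, so the script treats it as unset and flags it.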