my server was rooted via h00lyshit exploit, any good advice?

Solution 1:

You should restore the server from a known good backup. There's no real way to know that no other back doors were installed, is there?

Solution 2:

I would always advocate a complete rebuild in the event of a known compromise. It's the only safe way.

Assuming you have backups, and they're recent, and they cover more than just the data on the server, you have material for forensics.

If you're not already using a tool such as Chef or Puppet to make fast rebuilds to a known state, then get started.

Once the machine has been rebuilt, you need to think about attack vectors and how to mitigate against them. You mentioned your ssh config; there are many others. For a Red Hat-centric and paranoid approach, look here:

http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf

For a Debian and similar approach, look here:

https://www.debian.org/doc/manuals/securing-debian-howto/

Good luck.

Solution 3:

Unfortunately, since they had root access, there is no way to really know what the hacker did to the system. They could have modified logs to hide their tracks and any other damage done. Formatting and reinstalling, or restoring from known good backups, is the only safe way to go. Good luck.

Next time disable root login, change ssh port, and get iptables going right away.
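A concrete version of the "disable root login, change ssh port, and get iptables going" advice, as an added example that is not the poster's own: it writes a hardened copy of sshd_config and prints the matching iptables rules without touching the live host. The port 2222 and the sample config are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: produce a hardened copy of sshd_config
# (no root login, no password auth, non-default port) and the matching iptables
# rules. Only files are written; nothing touches the running host.

# Constructed sample of a weak sshd_config (not anyone's real file).
SAMPLE_SSHD_CONFIG='# sample sshd_config
Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes'

NEW_SSH_PORT=2222   # assumed value; choose your own non-default port

# harden_sshd_config SRC DST: copy SRC to DST, dropping every existing Port /
# PermitRootLogin / PasswordAuthentication line and appending hardened values.
harden_sshd_config() {
    src="$1"; dst="$2"
    grep -Ev '^[[:space:]]*#?[[:space:]]*(Port|PermitRootLogin|PasswordAuthentication)[[:space:]]' \
        "$src" > "$dst" || true
    {
        echo "Port $NEW_SSH_PORT"
        echo "PermitRootLogin no"
        echo "PasswordAuthentication no"
    } >> "$dst"
}

# check_sshd_config FILE: exit 0 only if every hardened setting is present
# and no active "PermitRootLogin yes" survives.
check_sshd_config() {
    grep -q "^Port $NEW_SSH_PORT\$" "$1" &&
    grep -q '^PermitRootLogin no$' "$1" &&
    grep -q '^PasswordAuthentication no$' "$1" &&
    ! grep -q '^PermitRootLogin yes' "$1"
}

# iptables_rules: default-deny INPUT chain that admits loopback, established
# connections, and new connections to the ssh port only.
iptables_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $NEW_SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}
```

Review the generated file with `sshd -t -f <file>` and keep an existing session open while restarting sshd, so a typo cannot lock you out.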

Solution 4:

Personally, if I get rooted, I grab the data from a backup, ideally. If not, I grab it from the server, then boot and nuke it. (http://www.dban.org/)