
Comment HOWTO Bust Script Kiddies? (Score 1) 162

If you've been broken into, the first thing you should do is take it off the network ASAP. Then, if you like, you can try and track down where he came from by looking through the logs. Note though that most script kiddie root kits do a pretty decent job of covering their tracks once they get in. And really, finding the little twerp should be secondary to getting your own machine online again.

This is where you demonstrated the greatest failure - your system has been compromised, so as far as you should be concerned, every binary is untrustworthy now. ls could have been modified to not show their files, ps modified to not show their processes, and there are probably a number of setuid root bash binaries lying around. The only truly safe thing to do is reinstall the OS from scratch - trying to track down all of their modifications is a waste of time, and you'll probably miss a few anyways, with potentially disastrous results.

In the future, it's always worthwhile to invest in tape backups (if you can afford the server, surely you can spare about $200 more? This doesn't have to be some super-automated DDS3 drive...), and to keep up to date with security patches.
