No damage was done as far as I can tell - apart from the installation of a “virus” that had “infected” all the binaries that I checked - in /sbin, /usr/sbin, etc. The cracker could have been intending to run a spam remailer or something, I dunno. Whatever, there was a lot of network activity going on at a time when there should have been none. I’m pretty sure I was onto it very soon after it was cracked.
I checked them by comparing them with binaries from another install of the same distribution on a different machine - the files had identical dates and file sizes, but ‘cmp’ or ‘md5sum’ showed they weren’t identical files.
Fortunately I’ve seen this sort of crack before and I didn’t waste time trying to work out what was going on; I just took the system offline and did a complete re-install. It was a pain in the arse, but only wasted about half a day. The last time I had to deal with a crack like this I wasted days trying to work out what was going on. The problem with this type of crack is that every command you run on the system, as root, runs the “virus” software and re-infects all the binaries - so you can’t replace a dodgy tool such as ‘ps’ with a new one without it getting modified almost straight away.
It’s always good policy, when running an internet-connected server, to set the system up so it’s a trivial matter to do a complete re-install from scratch - rather than from backups.
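The comparison the poster describes (same size and timestamp, different checksum) is easy to script, so here is an added example that is not part of the original post: build a hash manifest of the binaries on a known-clean install of the same distribution, then check the suspect machine against it and flag files that still look untouched by size and mtime but no longer hash the same. The directory layout, file contents and the two-tree demo are constructed for illustration; the helpers assume GNU coreutils (sha256sum, stat -c).

```bash
#!/bin/bash
# Added example, not code from the original post. Compares a suspect tree of
# system binaries against a manifest taken from a clean install. The case the
# post describes is a file whose size and mtime match the clean copy but whose
# hash does not: a trojaned binary padded and re-timestamped to look untouched.
# Requires GNU coreutils (sha256sum, stat -c).

# make_manifest DIR -> lines of "sha256 size mtime relative/path", sorted by path.
# Run this on the known-clean machine, e.g. make_manifest / > clean.manifest
# (restricted to /sbin, /usr/sbin, /bin, /usr/bin in practice).
make_manifest() {
    dir=$1
    (cd "$dir" && find . -type f -print | sort | while read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(stat -c %s "$f")
        mtime=$(stat -c %Y "$f")
        printf '%s %s %s %s\n' "$sum" "$size" "$mtime" "${f#./}"
    done)
}

# check_against MANIFEST DIR -> one line per file that deviates from the manifest:
#   TROJANED path  same size and mtime as the clean copy, different hash
#   MODIFIED path  different hash, and the size or mtime changed as well
#   MISSING  path  listed in the manifest but not present under DIR
# Files added to DIR that are not in the manifest are not reported; diff a
# fresh make_manifest of DIR against the clean manifest to find those.
check_against() {
    manifest=$1; dir=$2
    while read -r ref_sum ref_size ref_mtime path; do
        f="$dir/$path"
        if [ ! -f "$f" ]; then
            printf 'MISSING %s\n' "$path"; continue
        fi
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        [ "$sum" = "$ref_sum" ] && continue
        size=$(stat -c %s "$f"); mtime=$(stat -c %Y "$f")
        if [ "$size" = "$ref_size" ] && [ "$mtime" = "$ref_mtime" ]; then
            printf 'TROJANED %s\n' "$path"
        else
            printf 'MODIFIED %s\n' "$path"
        fi
    done < "$manifest"
}

# demo_run -> runs the check over a constructed pair of trees (sample data made
# up for this example, not captured from a real machine) and prints the findings.
demo_run() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/sbin" "$tmp/suspect/sbin"
    # Three fake "binaries" on the clean reference install.
    printf 'ifconfig v1.0 original code\n' > "$tmp/clean/sbin/ifconfig"
    printf 'ps v1.0 original code\n'       > "$tmp/clean/sbin/ps"
    printf 'init v1.0 original code\n'     > "$tmp/clean/sbin/init"
    # Suspect install: ifconfig untouched; ps patched to the same byte length
    # with the original timestamp copied back; init crudely overwritten.
    cp "$tmp/clean/sbin/ifconfig" "$tmp/suspect/sbin/ifconfig"
    printf 'ps v1.0 BACKDOOR code\n'       > "$tmp/suspect/sbin/ps"
    printf 'init v2 replaced\n'            > "$tmp/suspect/sbin/init"
    touch -r "$tmp/clean/sbin/ifconfig" "$tmp/suspect/sbin/ifconfig"
    touch -r "$tmp/clean/sbin/ps"       "$tmp/suspect/sbin/ps"
    make_manifest "$tmp/clean" > "$tmp/clean.manifest"
    check_against "$tmp/clean.manifest" "$tmp/suspect"
    rm -rf "$tmp"
}

demo_run
```

On a real incident, run the check from trusted tools: as the post notes, every command executed on the cracked box re-infects the binaries, so sha256sum, stat and find on that host cannot be trusted either. Boot from clean media (or pull the disk), mount the suspect filesystem read-only at, say, /mnt, and run `check_against clean.manifest /mnt` from the rescue environment. Package-manager verification (rpm -V, debsums) is only as good as the package database on the host, which an attacker with root can edit, which is why a manifest taken from a separate clean install is the stronger reference.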