[PLUG] Got hacked last night - HELP!

Bill Thoen bthoen at gisnet.com
Mon Oct 4 15:19:02 UTC 2004


Well, lucky me. My RH 8 box got hacked again. That makes Linux just as 
insecure as Windows. The only visible damage (so far) was that my home web 
page got changed to "un-root crew ownz you."

But what happened? There is nobody who should be creating users named 
'luis' or 'dudu', but here's what I have in /var/log/secure.1:

Oct  2 09:37:06 gisnet sshd[467]: Bad protocol version identification 'NICK idz' from 200.146.22.105
Oct  2 09:37:58 gisnet useradd[484]: new user: name=dudu, uid=0, gid=0, home=/home/dudu, shell=/bin/bash
Oct  2 09:38:41 gisnet sshd[487]: ROOT LOGIN REFUSED FROM 63.164.60.12
Oct  2 09:38:41 gisnet sshd[487]: Failed password for dudu from 63.164.60.12 port 43195
Oct  2 09:38:41 gisnet sshd[487]: fatal: monitor_read: unsupported request: 24
Oct  2 09:38:49 gisnet useradd[492]: new group: name=luis, gid=504
Oct  2 09:38:49 gisnet useradd[492]: new user: name=luis, uid=504, gid=504, home=/home/luis, shell=/bin/bash
Oct  2 09:38:56 gisnet sshd[494]: Accepted password for luis from 63.164.60.12 port 43518
Oct  2 09:41:08 gisnet sshd[496]: Disconnecting: Command terminated on signal 9.
Oct  2 09:41:31 gisnet userdel[1180]: delete user `luis'
Oct  2 09:41:31 gisnet userdel[1180]: remove group `luis'
Oct  2 09:41:33 gisnet userdel[1181]: delete user `dudu'
Oct  2 09:47:00 gisnet useradd[1204]: new group: name=dudu, gid=504
Oct  2 09:47:00 gisnet useradd[1204]: new user: name=dudu, uid=504, gid=504, home=/home/dudu, shell=/bin/bash
Oct  2 09:47:40 gisnet sshd[1221]: Accepted password for dudu from 63.164.60.12 port 52405


What else should I check? At the very least, how do I keep 63.164.60.12 out
of my SSH system?

- Bill Thoen
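The log excerpt in the post above already contains the evidence a responder would want pulled out: an account created with uid=0 (a second root), two accounts created and then logged into within minutes from the same address, and a single host behind the refused root login, the failed password and both accepted logins. The script below is an added example, not code from the original post or from any reply to it. It re-parses the poster's own /var/log/secure lines (joined where mail wrapping split them) and reports those three things; the regular expressions are assumptions about the OpenSSH and shadow-utils message formats visible in that excerpt, and the scoring of which addresses are "suspect" is the author of this example's choice, not something the post states.

```python
"""Triage a /var/log/secure excerpt for account creation and SSH login activity.

Added example for the thread above, not the poster's code. SAMPLE_LOG is the
excerpt from the post with wrapped lines rejoined; the regexes are assumptions
about the RH 8 era OpenSSH / shadow-utils log format seen in that excerpt.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Oct  2 09:37:06 gisnet sshd[467]: Bad protocol version identification 'NICK idz' from 200.146.22.105
Oct  2 09:37:58 gisnet useradd[484]: new user: name=dudu, uid=0, gid=0, home=/home/dudu, shell=/bin/bash
Oct  2 09:38:41 gisnet sshd[487]: ROOT LOGIN REFUSED FROM 63.164.60.12
Oct  2 09:38:41 gisnet sshd[487]: Failed password for dudu from 63.164.60.12 port 43195
Oct  2 09:38:41 gisnet sshd[487]: fatal: monitor_read: unsupported request: 24
Oct  2 09:38:49 gisnet useradd[492]: new group: name=luis, gid=504
Oct  2 09:38:49 gisnet useradd[492]: new user: name=luis, uid=504, gid=504, home=/home/luis, shell=/bin/bash
Oct  2 09:38:56 gisnet sshd[494]: Accepted password for luis from 63.164.60.12 port 43518
Oct  2 09:41:08 gisnet sshd[496]: Disconnecting: Command terminated on signal 9.
Oct  2 09:41:31 gisnet userdel[1180]: delete user `luis'
Oct  2 09:41:31 gisnet userdel[1180]: remove group `luis'
Oct  2 09:41:33 gisnet userdel[1181]: delete user `dudu'
Oct  2 09:47:00 gisnet useradd[1204]: new group: name=dudu, gid=504
Oct  2 09:47:00 gisnet useradd[1204]: new user: name=dudu, uid=504, gid=504, home=/home/dudu, shell=/bin/bash
Oct  2 09:47:40 gisnet sshd[1221]: Accepted password for dudu from 63.164.60.12 port 52405
"""

# syslog timestamp as written by this host: "Oct  2 09:37:06"
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
NEW_USER_RE = re.compile(TS + r" \S+ useradd\[\d+\]: new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), gid=(?P<gid>\d+)")
ACCEPTED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<name>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)")
FAILED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<name>\S+) from (?P<ip>[\d.]+)")
ROOT_REFUSED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: ROOT LOGIN REFUSED FROM (?P<ip>[\d.]+)")
BAD_PROTO_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Bad protocol version identification .* from (?P<ip>[\d.]+)")


def triage(log_text):
    """Return the findings a responder would pull out of a secure log excerpt."""
    findings = {
        "uid0_accounts": [],          # (ts, name): new accounts that are really root
        "logins_to_new_accounts": [], # (ts, name, ip): logins to accounts created in this window
        "ips": defaultdict(list),     # ip -> list of event tags, in log order
    }
    created = set()  # accounts whose creation we have seen so far
    for line in log_text.splitlines():
        m = NEW_USER_RE.match(line)
        if m:
            created.add(m["name"])
            if m["uid"] == "0" and m["name"] != "root":
                findings["uid0_accounts"].append((m["ts"], m["name"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            findings["ips"][m["ip"]].append("accepted:" + m["name"])
            if m["name"] in created:
                findings["logins_to_new_accounts"].append((m["ts"], m["name"], m["ip"]))
            continue
        m = FAILED_RE.match(line)
        if m:
            findings["ips"][m["ip"]].append("failed:" + m["name"])
            continue
        m = ROOT_REFUSED_RE.match(line)
        if m:
            findings["ips"][m["ip"]].append("root-refused")
            continue
        m = BAD_PROTO_RE.match(line)
        if m:
            findings["ips"][m["ip"]].append("bad-protocol")
    findings["ips"] = dict(findings["ips"])
    return findings


def suspect_ips(findings):
    """Addresses worth blocking first: any that logged into a freshly created
    account, or that had a root login refused. (Scoring is this example's choice.)"""
    hits = {ip for _, _, ip in findings["logins_to_new_accounts"]}
    hits |= {ip for ip, tags in findings["ips"].items() if "root-refused" in tags}
    return sorted(hits)


if __name__ == "__main__":
    f = triage(SAMPLE_LOG)
    for ts, name in f["uid0_accounts"]:
        print(f"{ts}  account '{name}' created with uid=0 (a second root)")
    for ts, name, ip in f["logins_to_new_accounts"]:
        print(f"{ts}  login to newly created account '{name}' from {ip}")
    for ip, tags in f["ips"].items():
        print(f"{ip}: {', '.join(tags)}")
    print("suspect addresses:", ", ".join(suspect_ips(f)))
```

Run against the excerpt, it flags the 09:37:58 creation of `dudu` with uid=0, the logins to `luis` and `dudu` from 63.164.60.12 within seconds and minutes of their creation, and lists 63.164.60.12 as the one address to act on; 200.146.22.105 only appears for the "Bad protocol version identification" line. Note that `userdel` runs between the two `dudu` creations, so `created` is never pruned on purpose: an account deleted and re-created under the same name is exactly the kind of thing this check should still catch.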
