Date: 22-09-08 20:39
I would have loved to see what was in sshd0, among other files on your system. did you "rm" that directory completely? if your running inetd, shut that off and if you do need it, comment out # all the 9000 plus lines that are open on there.
research various ssh attacks on various hack sites, and see what you can find regarding dan's comment, what ports are installed, and to really get things done, work with nessus to see what exploits are known on your server from here on out, otherwise, you just might "owned" again.
There are lots of monitor progs out there; monit, fam, so forth in /usr/ports that will email you quickly when something is touched, chown'd, etc... on critical files and entire directories.
Unfortunately, there are ways to stop email from "getting out" to you, as these types of services are halted before the crack gets to work.
Let us know what you find out?
Sorry to hear bout that...
... And Dan, how about a Security Forum? :) Justa thought...