Hey folks,
I am running two Redhat Linux boxes. One sits outside my router and has an external IP address. This box is a Webserver and DNS server. Runs Apache and mysql.
The other box is a Mail Server and Webserver. This box sits behind a port forwarding router.
Both my servers have apparently been compromised. I started getting errors when attempting to start and stop certain services. In diagnosing this behavior I came across entries in my "root" history that show someone gaining access to the root account and downloading and installing applications. These applications appear to be geared towards attacking other machines. Slowly more and more of my system is getting crunched, as now netstat no longer functions on this machine.
I tried locking down the machines by killing all unfamiliar services, checking all accounts for cron jobs, changing root passwords, and restricting what ports were being listened to on each machine. I thought this would at least keep the culprits out until I could determine the extent of the damage. But I have evidence that they got right back into the machine. Not sure how yet.
So my question is: all I want this Linux box for is to run my Mail Server with a Squirrelmail front-end, a webserver, and to handle DNS services for my domains. What should I do at this point? Are these boxes salvageable, or should I back up as much as I can and re-install?
If I reinstall, what dist should I use? I'm currently looking at Fedora, or Trustix.
Any help VERY appreciated.
Jz.
