I'd argue this response was insufficient. I've always been taught that a clean wipe is the response to your box being rooted.
At step 3 one should be thinking "I now know nothing about this box, what's installed? What's modified?" You can't know if it's been modified or rooted.
While I'm certain it's possible to replace software in the system piece by piece until you trust it again, that's much harder than what I would say is your only option:
Wipe the disk, put a new install on it and restore your sites from backups.
Yep, what should have been done if you absolutely had to know how it happened (not that bad an idea, but smaller places don't have the time or money to do it) is to take a disk image of the compromised system for later analysis. For right this second, get the site back up on a clean, updated install. You cannot trust the existing one now, don't even try.
EDIT: BTW this is also why you should be backing up your data and config files, not a bare-metal image of the system. OS installations are quick and the bare-metal image is just going to put the problem back in place. Remember, you probably do not know exactly when the break-in actually occurred.
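The two steps that post recommends, preserve evidence before rebuilding and back up only data and config, as an added shell example (not code from anyone in this thread). The `acquire_image`, `verify_image` and `backup_site` names, the paths, and the use of a plain file standing in for a block device are all assumptions made for the example; on a real box the source would be something like `/dev/sdb`, and the image and its hash file would be written to a separate, trusted disk.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, paths and the sample
# "disk" are assumptions; substitute your real device and evidence location.

set -eu

# Print the SHA-256 of a file, using whichever tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE DEST
# Take a raw, bit-for-bit copy of SOURCE (normally a block device; here any
# file) before anything else is done to the box, and record the hashes of
# both sides in DEST.sha256 so the copy can later be shown to be unaltered.
# conv=noerror,sync keeps going past unreadable sectors and pads them with
# zeros so offsets in the image stay aligned with the device; bs should equal
# the device's sector size (512 assumed here), so a real disk pads nothing.
# Returns 0 only if the image hashes identically to the source.
acquire_image() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$dst")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$dst.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE
# Re-hash a stored image and compare it with the value recorded at
# acquisition; returns 1 if the evidence has changed since it was taken.
verify_image() {
    img=$1
    recorded=$(awk '$1 == "image" { print $2 }' "$img.sha256")
    [ "$(hash_file "$img")" = "$recorded" ]
}

# backup_site ARCHIVE ROOT PATH...
# Archive only application data and configuration (the parts you cannot
# reinstall from a distribution), relative to ROOT, rather than an image of
# the whole operating system: a fresh install plus this archive is what gets
# restored after a compromise, so the attacker's changes to the OS do not
# come back with it.
backup_site() {
    archive=$1
    root=$2
    shift 2
    tar -czf "$archive" -C "$root" "$@"
}
```

Run `acquire_image /dev/sdb /mnt/evidence/sdb.img` as root before the reinstall, keep `sdb.img.sha256` with the image, and check it with `verify_image` whenever the image is handed to someone for analysis. Restoring from the `backup_site` archive only brings back files you chose to keep; whether the web application inside them was tampered with is a separate question, which is why that post says to back up data and config files you can review rather than a whole-system image.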
This article is about some webspace on presumably some kind of shared hosting account being compromised. Not a box being rooted. No doubt scripts in his account run with very limited privileges.
If hosting companies wiped a server every time one of their customers' sites got owned, the servers would hardly be online at all.
You are right, this was just a shared hosting package from 1&1. Nothing I have root access to. Nothing I can do. I thought it was clear when I wrote the provider shut me out from my webspace.
Calling the guys who hacked you "script kids" and "idiots" is just childish. You failed to take basic security measures and got fucked over by people who know better than you. The bigger idiot here is the one who was hacked.
No it's not. I call everybody an idiot who breaks into another server to post spam. No matter what his reasons are, it is just an idiot's behavior. Script kids - why not call them that? Taking scripts from a random website and using them is what I call a script kid.
Anyway, I have already mentioned in my post that I was an idiot to forget about the installation. Sure, and that is what I have learned from it: not to forget again.
That said, hacking is not acceptable no matter what mistakes the owner of a website has made. I really have no respect for such people.