Posted by Jon Griffin on
I wanted to get that last bit out before I did some investigating of my own.

I really don't think that ssh was the problem as I could only find theoretical attacks, but nothing in the wild. More likely they got in another way.

  • pam
  • xinetd
  • ftp - this seems like the most likely

It is an interesting puzzle that I am going to try to figure out. I really think it was your ftp that allowed them in and then a bad pam that let them get root.

FTP is evil and should be taken out of every distribution ever created and if the MS users don't like it they can get their own servers!

Anyway, it shows that even in the Linux world you need to keep up with patches. I am also a little concerned at the CWD of pgsql and the session close for nsadmin; unless you did that, why would a hacker give a crap about aolserver, unless some of your pages were defaced?