#24, 27-11-2005, 18:34
scitobor 617 (AKA: Alan Meekins)
FRC #0617 (HSHS 617 "DUKE"), Team Role: Programmer
Join Date: Nov 2003, Rookie Year: 2003, Location: Richmond, VA, Posts: 153
Re: Computer Horror Stories

Ok, here is my horror story. It's a little long, and since it was on Linux it gets a bit technical.

I maintain a website which is hosted from my desktop computer. At the time (about two months ago) I was running Slackware, a Linux distro. I was only running Slackware because I had not found the time to install Gentoo Linux (a very popular Linux distro) yet. For those not familiar with Linux, it is suggested that you never use the admin (root) user except for when installing software. This is a rule that I have always obeyed and maybe took to an extreme. I created several user accounts for different tasks: a day-to-day user, a test account for trying new software, a user for my sister, and shell accounts for the people that I hosted (note past tense). When I created my test user I did not use a very good password; actually, I just used the username.

One night I was working on my website and listening to music when I noticed that my computer was being very sluggish, like when I compile a really big program. So my command line reflexes took over and I instinctively opened a command line window, typed "ps -aux" and prepared to kill off some unneeded processes. But to my dismay there were over 200 (normally I only have 70-100) processes running, and most of them were being run by my test user, which I had not used in days. Even more odd was the fact that one of the processes listed as run by this user was apache (this should not be possible because of my security configuration). When I checked to see what binary file was being run I realized that the program's name and the location of the executable file were both spoofed (forged), signalling to me that this was much more than me forgetting to log out of an ssh session. At this point I realized that there was a hacker logged into my computer, and he was in the process of compiling some programs and had already started running several others.

So I decided I had a unique chance to catch this hacker in the act. First I used "netstat" to find his IP address. I then sent him a message, using "wall", which was to the effect of "How dumb do u think i am boozoe!" but a bit more profane, as the situation called for it. Finally I unplugged my ethernet cable and began picking apart everything that had just happened. I located the files and programs he was in the process of installing and found the config files for a program that he had installed. The config files had several passwords and usernames in them. The logins were for an IRC chat server. The next day I used one of the logins to connect to the IRC server and surprised the hacker by starting to chat with him about why he was trying to use my server.

Luckily this guy was not very bright and did not seem to realize that his every move was being logged. I used the logs to backtrack his activity and to find out how he had downloaded the files to my computer. He had used several ftp servers and used the IP addresses instead of domain names. I gathered up all of the IPs and did a little poking around and found that most of the computers were Windows PCs and were likely infected with a virus. So I reported the incident to the involved ISPs' abuse email addresses.

In the end I did not lose any data, because the person that hacked me was trying to go undetected, plus the fact that the account he was using did not have enough privileges to do much damage. Also, the fact that this hacker was sloppy helped.

This experience showed me one of the things I love about Linux: a more personal touch when your computer is hacked, rather than inhuman automation (viruses, spyware, trojans).
__________________
Beta testers needed!
http://www.nullagent.no-ip.com

You're kidding, there are other operating systems besides Linux?!

Last edited by scitobor 617 : 27-11-2005 at 21:08.
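The triage the post describes (spotting one account that suddenly owns most of the process table, a process whose displayed name does not match the binary behind it, and then pulling the remote address out of netstat) can be scripted. The following is an added example written for this page; it is not code from the original post or from its author. It assumes two input formats that the post never shows, `ps -eo user,pid,comm,args --no-headers` and `netstat -tnp` with the header stripped, and runs entirely on constructed sample lines so it works offline; on a live box you would pipe the real commands into the same functions.

```shell
#!/bin/sh
# Added example (not part of the original post): a small triage helper for
# the symptoms described above. Assumed input formats, not anything the post
# showed:
#   PS lines:       ps -eo user,pid,comm,args --no-headers
#   NETSTAT lines:  netstat -tnp   (header lines removed)

# Constructed sample ps output (not real data). The "test" account is
# compiling something and running a process whose argv[0] claims "apache"
# while the kernel task name (comm) is "bnc".
PS='root 1 init /sbin/init
root 412 sshd /usr/sbin/sshd
alan 1203 bash -bash
alan 1210 xmms xmms
test 2190 sshd sshd: test@pts/3
test 2201 cc1 /usr/lib/gcc/cc1 -O2 bot.c
test 2202 cc1 /usr/lib/gcc/cc1 -O2 irc.c
test 2210 bnc apache
test 2211 bash -bash'

# Constructed sample "netstat -tnp" output (not real data): the intruder's
# ssh session and the bouncer's outbound IRC connection.
NETSTAT='tcp 0 0 192.0.2.10:22 198.51.100.7:40122 ESTABLISHED 2190/sshd: test
tcp 0 0 192.0.2.10:41234 203.0.113.5:6667 ESTABLISHED 2210/bnc'

# Process count per user, busiest first: "N user" per line.
count_by_user() {
    awk '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# Pids owned by one user, space separated on a single line.
pids_of_user() {
    awk -v u="$1" '$1 == u { s = s (s ? " " : "") $2 } END { print s }'
}

# Processes whose kernel task name (comm) differs from the basename of argv[0].
# A forged argv[0] ("apache" over a binary named bnc) lands here. Two benign
# cases are normalised first: login shells show as "-bash", and daemons that
# retitle themselves ("sshd: alan") carry a trailing colon. The kernel
# truncates comm to 15 characters, so only that prefix is compared.
flag_spoofed() {
    awk '{
        comm = $3; argv0 = $4
        sub(/^-/, "", argv0); sub(/:$/, "", argv0); sub(/.*\//, "", argv0)
        if (substr(argv0, 1, 15) != comm) print $2, $1, comm, "claims to be", argv0
    }'
}

# Remote ip:port of every connection held by the given pids, reading netstat
# lines on stdin. The PID/Program column is $7; the program name can contain
# spaces ("sshd: test"), so $NF is deliberately not used.
peers_of_pids() {
    awk -v pids="$*" '
        BEGIN { n = split(pids, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        { split($7, p, "/"); if (p[1] in want) print p[1], $5 }'
}

# On a live system the check argv cannot forge is the binary behind the pid;
# readlink appends "(deleted)" if the intruder already removed the file.
exe_of() { readlink "/proc/$1/exe" 2>/dev/null; }

# Walk the sample the way the post describes: who owns the load, which of
# their processes lie about their name, and where those processes talk to.
printf '%s\n' "$PS" | count_by_user
SUSPECT=$(printf '%s\n' "$PS" | count_by_user | awk 'NR == 1 { print $2 }')
printf '%s\n' "$PS" | flag_spoofed
printf '%s\n' "$NETSTAT" | peers_of_pids $(printf '%s\n' "$PS" | pids_of_user "$SUSPECT")
```

The argv[0] comparison is only a shortlist: an intruder can also rename the task itself, so anything flagged (and anything that looks too quiet) should be confirmed with `readlink /proc/<pid>/exe` before the cable comes out, since that link is gone once the process is.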