You’ve been hacked, reinstall the OS ASAP…..DO WHAT???

One common misconception is that when you get hacked you should reinstall the OS.

While it's true you shouldn't continue to run the OS, you definitely don't want to immediately reinstall, and certainly not on that same drive.

Here is a quick write-up I did for someone on a forum who said they got hacked. This isn't the best approach for every scenario, but it is a lot better than what several people told him: "reinstall the OS".

#1. Do not install, reinstall or delete anything from that drive

#2. List the current open files (lsof), current processes (ps aux) and current open ports (netstat -anpe)

#3. Pull the power cord out from the box (if possible or have the data center do it)

#4. Notify all your users that there has been a compromise, notify your provider if necessary.

#5. Make a forensic image of the drive (or have the data center do it) using the unix dd command, put the original drive in a safe place and ensure you maintain a chain of custody on it.

#6. Go through the logs you have from Chkrootkit / Rootkit Hunter / Aide / Samhain / Snort / Integrit / Osiris or tripwire; if the logs are on the drive itself, look at them on the image you made.

#7. Review the image of the compromised drive: was the OS/kernel current? Were all the packages up to date? What was in the world-writable directories like /tmp, /var/tmp and /dev/shm? What services were running, and what versions of php, perl, etc. were installed?

#8. Look at the log files and logrotated files such as wtmp, secure, messages and firewall logs, as well as setuid files, user shell histories and yum logs.

#9. Document any hints, hunches, or gut feelings you have on how the box was hacked.

#10. Only after your investigation, and after developing a plan to keep the box more secure, should you install the OS on a new drive (the compromised drive should still be in a safe place). Only the user home data should be restored, chowned to the user's username, before the server is live on the internet again.

#11. Contact other parties, such as law enforcement if appropriate.
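The triage commands from steps #2, #5, #7 and #8 above, collected into one POSIX shell script as an added example; this is not the original post's code. It assumes it runs as root on the compromised host, that the evidence directory is on removable or network storage rather than the compromised drive, and that the drive image has been mounted read-only (for instance `mount -o ro,noexec,nodev,loop image.dd /mnt/evidence`) before `review_image` is called. The function names, the evidence file layout and the `bs=512` choice for dd are this example's own.

```shell
#!/bin/sh
# Added example (not the original post's code): triage helper for steps #2, #5, #7 and #8.
# Assumptions: run as root; the evidence directory is NOT on the compromised drive.
set -u

# Step #2: capture volatile state before the power cord is pulled. Each tool is optional
# so the function still completes on a minimal box; a missing tool is recorded, not fatal.
collect_volatile() {
    evidence_dir="$1"
    mkdir -p "$evidence_dir" || return 1
    date -u > "$evidence_dir/collected_at.txt"
    for cmd in "lsof" "ps aux" "netstat -anpe"; do
        tool="${cmd%% *}"
        out="$evidence_dir/$(printf '%s' "$cmd" | tr ' ' '_').txt"
        if command -v "$tool" >/dev/null 2>&1; then
            $cmd > "$out" 2>&1
        else
            printf 'tool not present: %s\n' "$tool" > "$out"
        fi
    done
    # Hash every captured file so later tampering with the evidence is detectable.
    (cd "$evidence_dir" && sha256sum ./*.txt > manifest.sha256)
}

# Step #5: bit-for-bit image with dd. bs=512 with conv=noerror,sync means an unreadable
# sector is replaced by 512 zero bytes and nothing after it shifts; a block device is a
# multiple of 512 bytes, so a clean read produces an image identical to the source.
image_drive() {
    src="$1"; dst="$2"
    date -u > "$dst.custody.log"                      # when the image was taken
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.dd.log" || return 1
    date -u >> "$dst.custody.log"
}

# Hash source and image; the sha256 file goes with the chain-of-custody paperwork.
# Returns non-zero if the hashes differ (read errors or a bad copy).
verify_image() {
    src="$1"; dst="$2"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    printf 'source %s\nimage  %s\n' "$src_hash" "$dst_hash" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# Steps #7 and #8 on the read-only mounted image: contents of the world-writable
# directories, every setuid/setgid file, and the shell history files of root and users.
review_image() {
    mnt="$1"; evidence_dir="$2"
    mkdir -p "$evidence_dir" || return 1
    for d in tmp var/tmp dev/shm; do
        [ -d "$mnt/$d" ] && ls -la "$mnt/$d" > "$evidence_dir/ww_$(printf '%s' "$d" | tr / _).txt" 2>&1
    done
    # -xdev keeps find inside the image; \( -perm -4000 -o -perm -2000 \) is setuid or setgid.
    find "$mnt" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + \
        > "$evidence_dir/setuid_files.txt" 2>/dev/null
    for h in "$mnt/root" "$mnt"/home/*; do
        [ -d "$h" ] && find "$h" -maxdepth 1 -name '.*history'
    done > "$evidence_dir/shell_histories.txt" 2>/dev/null
    return 0
}

# Command-line use: triage.sh collect DIR | image DEVICE IMAGE | review MOUNTPOINT DIR
case "${1:-}" in
    collect) collect_volatile "$2" ;;
    image)   image_drive "$2" "$3" && verify_image "$2" "$3" ;;
    review)  review_image "$2" "$3" ;;
esac
```

Run `collect` first, on the live box, with the evidence directory on a USB stick or NFS mount; then pull power and run `image` from a clean system with the drive attached; `review` is for the mounted image afterwards. If `verify_image` reports differing hashes, check the dd log for read errors before trusting the image.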
