First and foremost, look at your server logs; use tools such as last and w or who -uH to see who logged in.
Then run some searches, such as:
find / -perm -4000 -print
to find any items with setuid set.
Then run:
find / -mtime -5 -print
This will find all files modified less than 5 days ago; run
find / -mtime +5 -print
for files more than 5 days old.
Check the command history by running
history
(this has most likely been cleared, though).
Check what you're open to: use tools like Nmap to scan your server and find holes, then close 'em. Nessus will help too; better yet, download Auditor (with MetaSploit) and try hacking your own box.
Linux forensics can be complicated; the best I can suggest, if you are untrained in *Nix security, is to grab
[thesleuthkit.org...]
(The Coroner's Toolkit) and go read things like:
[staff.washington.edu...]
Do a Google search for "Linux forensics"...
Hope it helps
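The three find searches from the post, wrapped as shell functions and run against a small constructed directory tree instead of a live root, so the results can be checked before pointing them at a real machine. This is an added example, not code from the post; the tree, file names and back-dated timestamp are constructed for the demo, and the functions take the root to search as an argument (so `find_setuid /` is the post's `find / -perm -4000 -print`).

```shell
#!/bin/sh
# Added example: the post's triage searches as functions over an arbitrary
# root. Run against "/" on a suspect box; here a constructed tree is used.

# Build a constructed tree: one file with the setuid bit, one file written
# just now, and one file back-dated to January 2000. Prints the root path.
setup_demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/home/alice"
    : > "$dir/usr/bin/suspicious"
    chmod 4755 "$dir/usr/bin/suspicious"       # setuid bit set (constructed)
    : > "$dir/home/alice/.bashrc"              # mtime = now
    : > "$dir/home/alice/old_notes"
    touch -t 200001010000 "$dir/home/alice/old_notes"   # POSIX -t: back-date
    printf '%s\n' "$dir"
}

# Files with the setuid bit under $1 (the post's: find / -perm -4000 -print).
# -type f skips directories; -perm -4000 matches any file whose mode
# includes the setuid bit, whatever the other permission bits are.
find_setuid() {
    find "$1" -type f -perm -4000 -print | sort
}

# Files modified less than $2 days ago (the post's: find / -mtime -5 -print).
find_recent() {
    find "$1" -type f -mtime -"$2" -print | sort
}

# Files modified more than $2 days ago (the post's: find / -mtime +5 -print).
find_old() {
    find "$1" -type f -mtime +"$2" -print | sort
}

# Stand-alone run: show all three searches on the constructed tree.
if [ "${DEMO_RUN:-1}" = 1 ] && [ -z "${DEMO_QUIET:-}" ]; then
    root=$(setup_demo)
    echo "setuid files:";   find_setuid "$root"
    echo "modified < 5d:";  find_recent "$root" 5
    echo "modified > 5d:";  find_old "$root" 5
    rm -rf "$root"
fi
```

On a real system, add -xdev to stay on one filesystem (so /proc and network mounts are skipped) and compare the setuid list against a known-good package manifest rather than reading it cold; a recently modified file in /usr/bin that the package manager does not account for is the kind of result these searches are meant to surface.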