Now that I have the wallets, I shut down the servers until all blocks have confirmed. Until all the generation is complete, the funds are still at risk.
Sounds like a good plan. What type of hack was it?Not sure yet. With the machines off it is hard to tell. As best I could tell, only the main pool server was affected. Only SSH, webmin & nginx were running on that server. My ssh connection suddenly dropped, and my password changed. So I stopped SSH, rechanged the password. In that time the pool user directory was wiped clean. I grabbed the wallets and shutdown the machine.
SSH was running fail2ban, so it's unlikely it was bruteforce. The security updates were up to date as well. Once I'm sure the currency information is secure I'll fire the machines back up and look for the culprit.
Are password and account info ok or is it still to early to tell?
Too early to tell. I did switch the machine physically off. I'll go through the data once the coins are safe. It looked like only the pool home directory had been wiped and the user password reset, although I didn't want to risk any more data being lost. So, the machine was shut down.
