freesoft.org was hacked in late 2000. Though I'm still not sure exactly how the hacker got in, here's what I surmise. First, I designed the site's entire security scheme around SSH, disabling normal TELNET access, requiring the use of RSA certificates, and prohibiting normal users from su'ing. Only later did I find out that the version of SSH I was running had a known security hole, publicized on the CERT website, which allowed an exploiter root access to the machine. Lesson one: make sure your trusted software is, well, trusted.
Yet this is only the beginning. Any security weakness in SSH was compounded by the fact that nobody was actively maintaining the machine. By this I mean regularly checking its logs, monitoring its activity, and, most importantly in this case, reading published adversaries on sites like CERT and Security Focus, downloading and installing updated versions of important software packages as they became available. freesoft.org was, and is, largely a one-man show, and so long as the webserver stays running, I just don't bother with the minutia of administration. So by the time of the break-in, both the operating system (Redhat Linux 5.2) and the installed version of SSH were about two years old.
Furthermore, running a program like Tripwire probably would have detected the intruder quickly, since he set about changing system binaries like ps and netstat to disguise his presence. No, Tripwire isn't perfect, and can be defeated, but this hacker wasn't that clever. He didn't change the MD5 hashes in the RPM database to match his changed binaries, so finding which programs he had altered wasn't that difficult... after I'd been alerted to his presence. Which didn't happen right away, since... I wasn't running Tripwire or anything like it.
So how did I detect the hacker? I started getting complaints from people that their systems were being hacked into from... mine! I poked around the system, realized it had been hacked, put some of the binaries back in place, researched the SSH problem, and finally upgraded the operating system to Redhat 7.0, at that time the most current Redhat release. I haven't seen the hacker since. The machine is more reliable now, too, though I'm not sure if it's crashes were due to something the hacker did or something else.
\end{soapbox}