There is, figuratively, a list of 1 million things I could/should have done to prevent this, and I skimmed right past all of them. My sys admin friend said I probably didnt get attacked earlier because if it were him, this was SO wide open, he would have thought it was a trap
So far I think the damage was limited, luckily this server is on a separate sub-lan than my others at home, but the real danger is I have Firefox setup to sync all my stuff, and it did on my personal admin account, so they may or may not have got to that. Its somewhat encrypted, but doesn't make me feel better. All passwords to important stuff are changed, now I just sit back and hope my money is still in my accounts every morning!
I knew some of you all would get this, I try to tell my wife what happened and she gives me that blank stare...