I am a webmaster of a server that receives in excess of 20,000
visitors per day.  A few hours ago, the server was hacked, an exploit
was installed, and my ISP physically unplugged the server from their
network citing Acceptable Use Policy violations.  The hosting company
is in Texas, I am in Indiana.

I want to report this incident to the authorities, but I don't know
the proper procedure.  Do I report this to the FBI?  If so, should I
call the FBI in Indiana (where my business is) or in Texas (where the
server is physically located)?  If not the FBI, then whom do I call? 
Is there some sort of standardized way to report this sort of thing?

My server has been hacked in the past, but nothing was ever done that
actually caused my website to stop functioning.  With my site down,
I'm losing money for ever hour it takes to get everything restored. 
This is the reason for my concern.

Thanks in advance.

Howdy bl00d,

As a former ISP owner, I have been in exactly your shoes, and
I would not feel right to collect your question price to give
you the procedures to follow, and the bad news.

Yes, the FBI is the right party to report this to, and you
should contact your local offices.
http://www.fbi.gov/contact/fo/fo.htm

FBI Indianapolis
Room 679, FOB
575 North Pennsylvania Street
Indianapolis, Indiana 46204-1585
indianapolis.fbi.gov 
(317) 639-3301

That said, here is the reality check.  Unless the actual (and
that means provable) damages have been large (as in tens of
thousands, and perhaps hundreds of thousands) and the case is
easily provable (detailed logs and records that point exactly
to whom the culprit was) nothing will be done.

I know that you feel injured (and you have been) and feel a
sense of violation (which you should) but this is something
that (unfortunately) happens all of the time.

Sorry, denco-ga

I'm afraid denco is right. There's an excellent chance that the FBI
will do nothing. By all means report it to them, but don't expect
much.

The best thing you can do is to keep your site from being hacked in
the future. Figure out how it was hacked this time and fix the
problem. Install all relevent security upgrades, make sure your server
is behind a good firewall, and install good security tools like
tripwire and snort (I'm assumming your server is running some version
of Unix - if it's on Windows, you've got some major problems). Scan
your site with a security scanner, such as nessus, to see if there are
any outstanding holes left.

Long answer short, click here.
http://www.nipc.gov/incident/incident.htm
The National Infrastructure Protection Center has a handy-dandy online
form that you can use to submit information about the attack to the
federal government.  ..That won't really help you right now, but,
*shrug*  I'm sure that the Dept. of Homeland Security will do
something productive with the information.  *cough*

Anyway, here's the old-school, defacto-standard Incident Response
Proceedures document.  It comes from CERT! =)
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Hope this helps.

The FBI normally will not have involvment unless $5000 dollars of
damage occured, and it took place over states lines.

Next time make daily backups so you don't lose money due to lost time
restoring the site.

Even though complete security is non-existant, it is good to have some
network auditing software.

http://www.securityfocus.com/products/category/27 is a archive of many
different auditing type software, you can find some free tools there
to help harden your sites security.

There is an awful lot on proper incident handling procedures.  A good
start is by using the documentation at
http://www.sans.org/incidentforms/.  There is no magic panacea, but
perhaps next time this occurs you will have a set of actions to take
upon knowledge of an incident.