One thing I’ve learned is that they have more time than I do. So if I have evidence of someone being in one of my servers, I just consider it compromised and format it. Much quicker to format a Linux box and reinstall – 15-20 minutes – rather than spend hours trying to find and weed out a rootkit.
Hey astro, you do the format yet? If not, wanna have some fun? I was just thinking… while you most likely won't find the rootkit, we CAN monitor yer box for a night and find the culprit's IP (it will most likely also be another compromised box if he has any brains) and we can start to work our way back to him. We then give him a taste of his own game. I have a “friend” who is pretty good at this type of thing. If it's something you would like to do, let me know.