Originally Posted by topdog
There must be backdoors left on the system to allow the hacker back in, am sure most of the binaries you use for checking such have been modified by the attacker. If you can run the binaries from removable media then you may be able to cleanup the machine. (The binaries in question would be things like lsmod, ps, w, who netstat, lsof)
Yep - I realize that I'm in a "bad-standing" and therefore I will shutdown the server now and prepare a clean install later.
The worst is that I'm the only one to blame