If you really want to clean up residual waste, you should remove the
compromised host from your network and re-install the OS from scratch. This
might not have any effect if you do not know how the intruder got root. In
this case you must check everything: firewall, file integrity and loghost
logfiles, and so on. For more information on what to do following a break-in,
see SANS' Incident Handling Guide.
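One of the checks named above is file integrity. The following is an added example, not code from the manual: it parses the `<pkg>.md5sums` manifests that dpkg keeps under `/var/lib/dpkg/info/` (one `<md5hex>  <path relative to />` entry per line) and verifies them against a filesystem root, so that an image of the compromised disk can be checked from a clean analysis host rather than trusting the tools on the compromised system. The `demo()` root and manifest are constructed sample data.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse dpkg's <pkg>.md5sums format: '<md5hex>  <path relative to />' per line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, relpath = line.partition("  ")
        entries[relpath] = digest.lower()
    return entries


def verify_manifest(entries, root):
    """Return {relpath: 'ok' | 'modified' | 'missing'} for every manifest entry.
    root: mount point of the filesystem under examination (e.g. a read-only
    image of the compromised disk mounted on a trusted analysis host)."""
    report = {}
    for relpath, expected in entries.items():
        path = os.path.join(root, relpath)
        if not os.path.isfile(path):
            report[relpath] = "missing"
            continue
        h = hashlib.md5()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        report[relpath] = "ok" if h.hexdigest() == expected else "modified"
    return report


def demo():
    """Constructed sample: a tiny fake root with one intact, one altered, one deleted file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    with open(os.path.join(root, "usr/bin/good"), "wb") as f:
        f.write(b"unchanged\n")
    with open(os.path.join(root, "usr/bin/bad"), "wb") as f:
        f.write(b"trojaned\n")  # content differs from what the manifest recorded
    manifest = "\n".join([
        hashlib.md5(b"unchanged\n").hexdigest() + "  usr/bin/good",
        hashlib.md5(b"original\n").hexdigest() + "  usr/bin/bad",
        hashlib.md5(b"gone\n").hexdigest() + "  usr/bin/gone",
    ])
    return verify_manifest(parse_md5sums(manifest), root)
```

A match only proves the file equals what the package shipped; a manifest taken from the compromised host itself can have been edited along with the binaries, so compare against manifests from a known-good copy of the same package versions.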
If you wish to gather more information, the tct package (The Coroner's
Toolkit, from Dan Farmer and Wietse Venema) contains utilities which perform
a 'post mortem' of a system. tct allows the user to collect information about
deleted files, running processes and more. See the included documentation for
more information.
FIXME: This paragraph will hopefully provide more information about forensics in a Debian system in the coming future.
FIXME: continue the list, maybe?
jfs@computer.org