
Notes:
The intruder used the rootshell to gain access to the subject computer. Because the rootshell runs as a standalone daemon, it avoids host-based logging.
Patched the compromised system to protect it from other intruders. Patches for wuftpd, named and nfs-utils (which includes rpc.stat).