Check the copy of your system logs (and kernel logs) on your remote syslog server (or, if no remote copy is available, your local logs, though these will almost certainly have been tampered with if your intruder has root access):
May 16 19:38:33 server rpc.statd[353]: gethostbyname error for ^Y���^Y���^[���^[ ���bffff760 8049710 8052c20687465676274736f6d616e797265206520726f7220726f66
...previous | up (conts) | next... |