Well, I'm no expert, but... since you apparently had already been hacked prior to the reinstall (evidenced by the rm -rf /), I would wager that your reload from the image you have here is already rooted. Of course it could also be that the cracker is watching the system and actively rooting it, so that when you re-installed, whatever method was previously used to crack the system was used again in short order. So, in either case, I think a little research is in order to determine how to keep this particular bad guy out.
-----Original Message-----
From: Jonathan Hutchins
... I reformatted the filesystem and restored an image I had here via rsync. By the next morning when someone was available to put it back on-line the restore had completed.
We got the system up and running again, and I restored configuration changes while the client restored HTML. By lunchtime everything was back in good shape.
I haven't done much with it since, but as I was getting ready to reboot after a kernel update this morning, I did a 'ps ax' and saw something called "rootedoor" running. (http://vil.mcafeesecurity.com/vil/content/v_128116.htm for info on rootedoor.) I went ahead with the reboot and it vanished, leaving no apparent trace. I immediately started checking for suspicious and modified files.