I've actually seen a new directory of "...", designed to be overlooked with the usual "." and ".." at the top. I've also heard mention of ".^H" or ".<rubout>" but am not sure how a person either creates or uses such a directory. Also, *heavily* scrutinize /tmp! This is ESPECIALLY imperative if anyone hasn't responded to the recent SuSE advisory regarding aaa_base (where a few users, such as "nobody", have /tmp as their home directory). In this case, look for "/tmp/.bashrc".
Another reason to put /tmp on its own filesystem. When you want to really super purge it you can format the puppy, or to be super paranoid run something like wipe on the partition.
Often, the best approach, when a user account has been compromised, is to back it (and /tmp) up to a secure location, re-initialize it and /tmp, and then give the user their data files, one at a time, after carefully examining them.
Any user writeable area too, mailspool, etc.:

    find / -perm -0002 -print
Hope this helps.
Best regards,
Ken Parker
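
The name checks described in the message above, written out as an added example that is not part of the original message. The function name scan_hidden and the finding labels are made up for illustration; it assumes a find that accepts POSIX bracket classes in -name and a cat that supports -v.

```sh
#!/bin/sh
# Added example: flag entries whose names are built to be overlooked in a
# directory listing, plus a shell startup file sitting directly in the
# scanned directory (the /tmp/.bashrc case).

# scan_hidden DIR
# Prints one line per finding. Paths are relative to DIR and wrapped in []
# so leading or trailing blanks are visible; control characters are shown
# in caret notation by cat -v. A name containing a newline is still flagged
# but its path is split across two output lines.
scan_hidden() {
    (
        cd "$1" || exit 1
        LC_ALL=C; export LC_ALL
        # Names made only of dots, other than "." and ".." (e.g. "...").
        find . -name '..?*' ! -name '*[!.]*' -print |
            sed 's/.*/dots-only [&]/'
        # Names containing a control character (e.g. "." plus backspace).
        find . -name '*[[:cntrl:]]*' -print | cat -v |
            sed 's/.*/control-char [&]/'
        # Names that begin or end with a space (e.g. ".. ").
        find . \( -name ' *' -o -name '* ' \) -print |
            sed 's/.*/blank-edge [&]/'
        # A startup file here matters when DIR is some account's home.
        if [ -e ./.bashrc ]; then
            echo 'startup-file [./.bashrc]'
        fi
        exit 0
    )
}

# Stand-alone use: sh scan.sh /tmp
if [ $# -gt 0 ]; then
    scan_hidden "$1"
fi
```

Run it as root so find can descend into every subdirectory; permission errors go to stderr and do not stop the scan.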
Comment on sendmail: USE POSTFIX! =) -Kurt