If you use ext2fs on the filesystem in question, then the intruder may have used an ext2-specific extension to keep you from removing the files. Try lsattr on the directory and the files to see if the immutable flag was set, and remove the flags with chattr.
But isn't it somewhat naive to believe this machine is usable after this? I mean, he wrote about a compromised machine (rootkit). I would not trust this machine at all, and suggest a completely new install.
Heh, that's something entirely different, yes. Basically, if you run a rescue system and mount the filesystem under a different kernel, you can probably save the installation and continue running it, provided you have checksums of all files or a tripwire database. I did that once on a friend's machine, and I didn't like it because it might have been less worksome after all, but it is doable. You just can't run these checks under the same kernel as the one that's installed. It might have been trojaned. Also, you can't trust the output of any of the programs installed on the intruded system; you have to use tools from a sane system. Even if all files are verified ok (according to their checksum), people often forget that all files in the filesystems have to be checked for their membership to a package. If you don't have checksums of the rpm database, then you're basically doomed. It's always better to install the machine from scratch, even if you have cared for everything and if you only have emotional considerations to reinstall.
Christian
Roman.
--
Roman Drahtmüller <draht@suse.de>
SuSE Linux AG - Security
Nürnberg, Germany
Phone: +49-911-740530
"You don't need eyes to see, you need vision!" (Maxi Jazz, Faithless)
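
The offline check described in the message above, sketched as an added example (not code from the thread or from SuSE): run it from a rescue system against the mounted filesystem, comparing every file with a checksum manifest that was stored off the machine before the intrusion. The manifest format (`sha256  relative/path`, as written by `sha256sum`) and all function names are assumptions made for this illustration; the manifest stands in for the tripwire or rpm checksum data mentioned above.

```python
"""Offline integrity audit: run from a rescue system against a mounted root."""
import hashlib
import os
import stat


def sha256_file(path, bufsize=1 << 20):
    """Hash a file in chunks so large binaries do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(bufsize), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_manifest(manifest_path):
    """Parse 'sha256  relative/path' lines into {path: checksum}."""
    known = {}
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line:
                checksum, rel = line.split(None, 1)
                known[os.path.normpath(rel)] = checksum.lower()
    return known


def audit(mounted_root, known):
    """Classify regular files under mounted_root against the trusted manifest."""
    report = {"modified": [], "unowned": [], "missing": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(mounted_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(full).st_mode):
                continue  # skip symlinks, FIFOs, devices; never follow links
            rel = os.path.relpath(full, mounted_root)
            seen.add(rel)
            if rel not in known:
                report["unowned"].append(rel)   # belongs to no known package
            elif sha256_file(full) != known[rel]:
                report["modified"].append(rel)  # content differs from baseline
    report["missing"] = sorted(set(known) - seen)
    report["modified"].sort()
    report["unowned"].sort()
    return report
```

The `unowned` list is the part that a plain checksum verification misses: files that match nothing in the baseline still have to be accounted for one by one.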