suspicious activity

Aasef Iqbal aneedz at gmail.com
Thu Dec 9 06:43:26 UTC 2004


Hi!

One of my servers was hit with spam. One of my clients was spamming
through this machine. It was hard to figure out who it really was,
because the sites being advertised were not on my server and the
return address was either <> or <anonymouse at abc.com>.  Now I have
closed one of these hosting accounts, and in the last 24 hrs there has
been no suspicious activity.

However, there are a couple of things that make me worried.

1. Last time the spammed email's return-path was <root at myserver.com>.
2. If I issue the command #last I would see a user logging in within
the last few days. I have banned shell access except from a couple of
hosts, and most of the list is pretty much ok, except a few entries
like ...

clientloginname ftpd30692    somehost.somedomain Fri Dec  3 13:30   gone - no logout
clientloginname ftpd440      somehost.somedomain Thu Dec  2 20:29 - 20:29  (00:00)

There are only very few users with shell; in my opinion this
clientloginname should not appear in the #last list.

Should I be suspicious and take some action, and what do I need to do?
Is there any checklist kind of thing so that I can make sure all is
safe now?

How can I check that there is no keylogger kind of thing in there?

Kindly advise.

Asif
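As an added example (not part of Asif's post or of any distribution tool): a small Python triage script that reads `last` output of the shape quoted above together with an /etc/passwd excerpt, treats `ftpdNNNN` entries as the FTP sessions that FTP daemons such as wu-ftpd and proftpd record in wtmp, and reports tty/pts sessions by accounts that have no interactive shell or are not in passwd at all. All user names, hosts and addresses in it are constructed.

```python
# Triage `last` output against /etc/passwd.  Example written for this thread,
# not the poster's own code; the sample data below is constructed.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Constructed `last` output in the shape quoted in the post (not real log data).
LAST_OUTPUT = """\
clientloginname ftpd30692    somehost.somedomain Fri Dec  3 13:30   gone - no logout
clientloginname ftpd440      somehost.somedomain Thu Dec  2 20:29 - 20:29  (00:00)
clientloginname pts/2        somehost.somedomain Thu Dec  2 21:10 - 21:12  (00:02)
admin           pts/0        203.0.113.5         Wed Dec  1 09:12 - 10:01  (00:49)
nobody          pts/1        203.0.113.9         Tue Nov 30 22:05 - 22:40  (00:35)

wtmp begins Mon Nov 29 08:00:00 2004
"""
# Constructed /etc/passwd excerpt: hosting customers are given /sbin/nologin.
PASSWD = """\
admin:x:1000:1000::/home/admin:/bin/bash
clientloginname:x:1001:1001::/home/clientloginname:/sbin/nologin
"""

def load_shells(passwd_text):
    """Map user -> login shell from passwd-format text (7 colon-separated fields)."""
    shells = {}
    for row in passwd_text.splitlines():
        parts = row.split(":")
        if len(parts) == 7:
            shells[parts[0]] = parts[6]
    return shells

def parse_last(text):
    """(user, line, host) per session row; skips blank lines and the 'wtmp
    begins' trailer.  Assumes the host column is present, as for network logins."""
    sessions = []
    for row in text.splitlines():
        if row.strip() and not row.startswith("wtmp begins"):
            user, line, host = row.split()[:3]
            sessions.append((user, line, host))
    return sessions

def find_anomalies(sessions, shells):
    """FTP daemons log sessions to wtmp as 'ftpdNNNN', so an ftpd row for a nologin
    account is ordinary hosting traffic; a tty/pts row for such an account, or for
    an account missing from passwd, is reported for follow-up."""
    findings = []
    for user, line, host in sessions:
        if line.startswith("ftpd"):
            continue
        shell = shells.get(user)
        if shell is None:
            findings.append((user, line, host, "account not in passwd"))
        elif shell in NOLOGIN_SHELLS:
            findings.append((user, line, host, "interactive login with " + shell))
    return findings
```

Feed it the real `last` output and `/etc/passwd`; each reported row is a session that the account's shell setting says should not have been possible.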
More information about the redhat-list mailing list