Check for a rootkit again. Now that you have booted from clean media and mounted the hacked system's disk as a slave (or mounted a low-level dump), we are no longer looking for suspicious processes, connections or traffic; we focus on the filesystem. This time there are no potentially wrapped or intercepted system calls to worry about, so we can have more confidence in the results:
chkrootkit -r /mnt/hacked
rkhunter --rootdir /mnt/hacked