A little help please?
Well, I’m not happy… My co-located server has been attacked. Nothing serious really, but the fact that two separate exploits have managed to get in isn’t nice :/
The first one happened on 13/01/2009 at around 3pm: a file called back.txt1 was created in /tmp, which contains a fairly simple tool which connects back to a remote server and provides a shell… leaving absolutely no trace of what has been done, so someone has had interactivity on my server.
The second attack, which looks more or less automated and, I’d imagine, related to a botnet, was instigated on 19/01/2009 at around 9am. It created a file in /tmp called x and used that small shell script to download mocks. Fortunately the developer of the shell script had screwed up and, instead of removing /tmp/x, it removes /tmp/x.sh, and therefore left behind the file that revealed the location of the mocks proxy…
I’d appreciate a little help in finding out where the attack for back.txt1 came from, but nothing appears in the Apache log files…
I’m wondering if back.txt1 is actually a part of an autorooting bot or related, which would make me feel a little at ease. Any help is appreciated.
Update: Thanks for everyone’s help on this. It’s nice to know that, with a little bit of a shout-out to all the hackers that read my blog, things can be resolved fairly quickly; it is a tribute to you all. I’m still discussing an SELinux problem which is most likely related to a Xen problem with slicehost.com rather than with my own server.