Bash logging and observation of a hacker

The story begins with the password of a shell user falling into the wrong hands, for some reason, on one of our servers. Moreover, the shell user had sudo access on the server. A self-respecting server operator's first step is to save the data immediately and reinstall the server, which excludes the chance that the hackers come back to the server through a backdoor. The second step is to increase the security level on the server, and for the users to increase their own security.