When a system is compromised/defaced you're never sure if everything was cleaned and IMHO the best solution is always to reinstall it, but you need to do some forensics to understand what happened and preventing it from happening again.
Here's a list of important things to check:
- take a look at every logfiles you can, especially the webserver and the system ones. In the webserver logfiles, check for posts
- run rootkit checkers. They're not infalible but can lead you in the right direction. chkrootkit and especially rkhunter are the tools for the job
- run nmap from outside of your server and check if there is something listening on any port that shouldn't be
- if you've a rrdtool trending application (like Cacti, Munin or Ganglia) take a look the graphics and search for a possible time frame of the atack.
- check the version of your webserver and see if there are known security issues about it.
Also, always keep this is mind:
- shut down the services you don't need
- test backups on a regular basis
- follow the least privilege principle
- have your services updated, especially regarding security updates
- don't use default credentials
Hope this helps.