After Tomcat installation, before I even changed the default Tomcat Manager password, the attacker used Tomcat Manager to deploy his own software. Probably some DDoS tools and a file manager.
I've already removed the suspected Java software and changed all user passwords. Root login via SSH was not permitted.
How do I act now to ensure the server is secure?
What do I need to check?
How do I trace any other suspected activity?