Successful SSH Attack - Need help cleaning up
Daniel
teletautala at gmail.com
Fri Oct 27 13:54:07 MDT 2006
There was a successful ssh attack on one of our boxes. We need to allow ssh
access to those outside the organization. The attacker put a homegrown
rootkit on the server. The rootkit was stopped, but since then ssh has been
logging to /var/log/messages. The relevant configuration files I know about
(/etc/ssh/sshd_config, /etc/ssh/ssh_config, /etc/syslog) are the same as a
server that works. /var/log/secure is not getting any messages. What can
I do to restore ssh to its previous state without reinstalling it?