Seeing as I am a newbie I'd trust myself installing the newer version clean rather than upgrading over the existing one.
Well, you certainly misunderstood me, but in the end the effect is the same, luckily.
There are NO, repeat NO valid reasons to try and "restore" a (possibly) compromised box by upgrading over the existing framework. A (possibly) compromised box must ALWAYS be returned to a pristine state (wipe bootsector, repartition, reformat) before installing an OS from scratch. Even though the chances are low you're up against a cracker with "good" skills and tools, the risk you take by upgrading can be easily avoided.
One other thing is that upgrades will leave certain things intact you NEED destroyed, like authentication. Whenever you encounter a rogue sniffer on a box, you can be sure passes will be collected by the cracker. This is one of the reasons Jludwig said you should investigate adjacent boxen/networks for tampering. Once through the perimeter firewall, a lot of networks leave a lot open, and most admins do not expect (perceived) users to be malicious (a clear misperception).
In addition to posting in the security forum and reading the docs in your security post, I've asked our network consultant to review our firewall policy and see what other measures can be taken to prevent this again.
Well, the firewall is NOT one of the major issues you should be concerned with. Your FIRST and primary concern is hardening the box: removing all software, daemons, accounts, tools and compilers unnecessary for the purpose of the box. Limiting/restricting user and system user access to resources. Etc, etc. Finally move the box to a DMZ. And the perimeter firewall cfg comes LAST...
Thanks again so much for your help.
NP. That's why LQ is here. To help.
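The hardening pass described above (strip unneeded daemons and accounts before worrying about the firewall) starts with an inventory of what the freshly installed box actually exposes. This added script, not part of the thread, shows one way to build that inventory: it lists accounts that can log in interactively and daemons bound to all network interfaces. The /etc/passwd and `ss -tlnp` samples are constructed so it runs offline; on a real host, feed it the live file and command output instead.

```shell
#!/bin/sh
# Post-rebuild hardening inventory (added example, not from the thread).

# Constructed /etc/passwd sample; on a real host use: cat /etc/passwd
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
games:x:5:60:games:/usr/games:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Print "user:shell" for every account whose login shell is interactive,
# i.e. not nologin or false. Each of these is a password that a sniffer
# could have captured and that a rebuild must reissue.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }'
}

# Constructed `ss -tlnp` sample; on a real host use: ss -tlnp
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*   users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*   users:(("nginx",pid=901,fd=6))
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*   users:(("master",pid=950,fd=13))
LISTEN 0      5      0.0.0.0:6000       0.0.0.0:*   users:(("Xorg",pid=1200,fd=5))'

# Print "port process" for daemons bound to every interface (0.0.0.0 or [::]).
# Loopback-only listeners are skipped: they are not reachable from the network,
# so they are lower priority for removal than the ones printed here.
network_listeners() {
    awk 'NR > 1 && $4 ~ /^(0\.0\.0\.0|\[::\]):/ {
        port = $4; sub(/.*:/, "", port)
        proc = "?"
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print port " " proc
    }'
}

main() {
    echo "== accounts with interactive shells (reset every one) =="
    printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts
    echo "== daemons listening on all interfaces (remove what the box does not need) =="
    printf '%s\n' "$SAMPLE_SS" | network_listeners
}
main
```

Anything printed in the second list that is not the box's stated purpose (here, X11 on port 6000 on a server) is a candidate for removal before the box goes into the DMZ.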