sorry for the delay...been away.

yes, i was saying not to delete it for two reasons both relating to maintaining the state of the system. 1) the timestamp as noted and 2) the contents of the file. seeing that you've already identified the contents if you are satisfied with knowing what it is instead of how it works then document the timestamp and delete...but if you find other changes to the system and wonder what part of the attack it was (pre-root, post-root, to-get-root) you'll be minus one element of evidence (there may be several features that can be traced back to this cgi).

your measures for restoration are fine...but do they take into account how this attack occurred? have you been able to locate the problem? without trustworthy logs, this will be difficult. if you could sandbox everything, set it back up exactly the way it was...then you could find out the next go around. if it's a new exploit, then it'll become more public and frequently used...if it's an old exploit, then i would focus on patching procedures.