November 19th, 2004, 02:08 PM
#17
Junior Member
As an InfoSec consultant, I would tend to agree that containing the incident now is probably the most prudent approach.
However, with that being said, this individual obviously could use some hands-on education on the process. More specifically, this person should at the minimum understand the chain of events that led to the rooting of the server, including patch revisions, buffer overflow and/or weak system setup, and learn from it before staging another Internet-accessible server.
Penguin: I'd recommend taking the system offline (disconnect the ethernet cable at minimum) and beginning a basic forensic analysis to understand what went wrong with your server config. Then, the most appropriate approach would be to blast the box and reinstall everything, ensuring you're patched and hardened according to the CIS standard for xxx (where xxx = your operating system). Ensure any public-facing services (FTP, HTTP, etc.) are secured and the hosting applications appropriately updated too.
Good luck!
Here are some references:
http://www.sans.org/top20/
http://www.sans.org/score/
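A small shell script for the "take it offline, then do a basic forensic analysis before rebuilding" step in the reply above, added here as an example and not part of the original thread. It assumes a Linux host with `ss` or `netstat`, `sha256sum`, and a writable evidence directory (the directory and function names are the example's own).

```shell
#!/bin/sh
# Added example: capture volatile state before the box is wiped, since the
# chain of events (which services were listening, who was logged in, what
# was running) disappears once you reinstall. Everything goes under one
# evidence directory so it can be copied off the host and verified later.
capture_volatile() {
  out="$1"
  mkdir -p "$out" || return 1
  date -u '+%Y-%m-%dT%H:%M:%SZ' > "$out/captured_at.txt"
  uname -a > "$out/uname.txt" 2>/dev/null || :
  # Listening sockets with owning process: which public-facing services were up.
  { ss -tulpn 2>/dev/null || netstat -tulpn 2>/dev/null; } > "$out/listeners.txt" || :
  # Process table with start times, to tie a process back to a login or event.
  ps -eo pid,ppid,user,lstart,args > "$out/processes.txt" 2>/dev/null || :
  # Login history and current sessions.
  last -a > "$out/logins.txt" 2>/dev/null || :
  who -a > "$out/who.txt" 2>/dev/null || :
  return 0
}

# List setuid/setgid files under a root. An unexpected root-owned setuid
# binary is a common leftover of a root compromise, so this list is worth
# comparing against what the package manager says should be there.
find_setuid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Hash every file named on stdin into a manifest so the evidence copy can be
# checked for tampering later.
write_manifest() {
  while IFS= read -r f; do
    [ -f "$f" ] && sha256sum "$f"
  done > "$1"
}

# Typical use on the compromised host (uncomment to run for real):
# capture_volatile /root/evidence
# find_setuid / > /root/evidence/setuid.txt
# write_manifest /root/evidence/setuid.sha256 < /root/evidence/setuid.txt
```

Run it with the network cable already pulled, and copy the evidence directory off the host by removable media before rebuilding.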