Mailing List Archive


/var/log/* deleted



Are you sure you want to go to the effort?  Unless there's other data
in those logs you need, you're not likely to learn anything useful.
They probably laundered the connection through one or more cracked
sites, and it originated in a University public-use computer lab.
Better to spend your time reading "The Firewalls Book" (Cheswick &
Bellovin is one I recommend) and hardening your installation against a
repeat.

That said...

First, I would suggest unmounting the partition and using something
like dd to copy the whole partition somewhere safe.  Like a CD-R.

Then you can try Midnight Commander; it's supposed to be able to
undelete ext2 fs files.  If that doesn't work, you could go at the
raw device with Python or Perl, extracting things that look like logs
of connections.

If you're unlucky, they'll have zeroed the relevant disk sectors.  It
may still be possible to recover some of the information, but it will
cost mucho dinero.

-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
_________________  _________________  _________________  _________________
What are those straight lines for?  "XEmacs rules."
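
The raw-device approach mentioned in the message above, as an added example that is not part of the original post: it reads a dd image in chunks, carves out text that matches the classic syslog line layout, and reports each hit with its byte offset. The regular expression, the keyword filter and the sample data are assumptions constructed for illustration.

```python
import io
import re
import sys

# Classic BSD syslog layout: "Mar  3 04:17:09 host prog[pid]: message"
SYSLOG_RE = re.compile(
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 1-3]\d "
    rb"\d\d:\d\d:\d\d [\w.-]{1,64} [\w./-]{1,64}(?:\[\d{1,7}\])?: [\x20-\x7e]{1,512}"
)
# Assumed filter terms for "logs of connections"; pass keywords=() to keep every line.
KEYWORDS = (b"sshd", b"telnetd", b"ftpd", b"connect")


def carve_syslog(stream, keywords=KEYWORDS, chunk=1 << 20, overlap=1024):
    """Yield (byte_offset, text) for syslog-looking lines in a raw image stream."""
    base, buf = 0, b""            # base = absolute image offset of buf[0]
    while True:
        data = stream.read(chunk)
        final = not data
        buf += data
        # Matches ending inside the tail may be cut short; defer them to the next read.
        limit = len(buf) if final else max(len(buf) - overlap, 0)
        cut = limit
        for m in SYSLOG_RE.finditer(buf):
            if m.start() >= limit:
                break
            if m.end() > limit:
                cut = m.start()   # keep the whole candidate for the next pass
                break
            line = m.group()
            if not keywords or any(k in line for k in keywords):
                yield base + m.start(), line.decode("ascii")
        if final:
            return
        base, buf = base + cut, buf[cut:]


# Constructed sample "image": zeroed space, binary junk and three orphaned log lines.
SAMPLE = (
    b"\x00" * 300
    + b"Mar  3 04:17:09 gw sshd[412]: Connection from 192.0.2.10 port 1022\n"
    + b"\xff\xfe" * 50
    + b"Mar  3 04:17:30 gw kernel: eth0: link up\n"
    + b"\x00" * 2000
    + b"Mar  3 04:18:02 gw in.telnetd[431]: connect from 198.51.100.7\n"
)

if __name__ == "__main__":
    # Usage: script.py partition.img  (the dd copy, never the live device)
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(SAMPLE)
    for offset, text in carve_syslog(src):
        print(f"{offset:#012x}  {text}")
```

The byte offsets let you go back to the image and inspect the surrounding blocks for neighbouring fragments of the same file.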

