More then likely you aren't going to find out how he got in. Unless you want to take the computer off line completely and snoop around using a boot CD or something.
More then likely the cracker simply erased the log file entries that would show him breaking in. The fact that he left traces in the FTP logs and the SSH logs shows that he is either a complete amature, a script kiddie, or thought so little of your security that he figured you wouldn't notice.
Think of it as a learning experiance.... Boot up with a live-linux CD and compare the binaries of key files to see if they've been changed from the normal binaries that come with whatever distro you've been using. Like login... Chroot to the OS on the harddrive and then use "which login" then md5sum to check the checksums of the file.
Also check the bash history files and see if you can see what he was up to. Stuff like that.
You may be able to find out what other computers he may have comprimised on your network and what attacks he was trying. Or at least get a idea of what the hell he was trying to do with your computer.
read here about this stuff
Then maybe you would want to do a security audit of your company or something. Usually its a 1000 times easier to call someone up and trick them into giving you a password then it is to spend months trying to crack a single machine. If he was a scprit kiddie it could of been dumb luck that he stumbled opon your server. But you can never tell.
Then if you realy what to figure out what happenned. Set up this server back to it's original condition and see if the guy tries to comprimise it again. Of course you go thru extra steps to protect your network, but it would be a interesting to run a honeypot.
For all you know the guy could of just been drunk or something the last time he logged in on your server and could of been careless. Who knows what he's been up to once he got a hold of it.