Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: <>
From: Andreas Hallmann <hallmann@ahatec.de>
List: tech-net
Date: 01/12/2007 16:07:30
Hi,
Once in this situation, I put my compromised machine in an isolated 
subnet, firewalled to only allow the functionality it was set up for. If 
you are under pressure, this is a way to save time without feeling too 
uncomfortable. But this requires that there is no data of a private nature on this 
machine.
Hmm, cyrus account you said? OK, I think a mail server contains private 
data. Moreover, it's likely someone used a password there that is used elsewhere. 
I would alert my users and force them to change passwords.

You can secure things by putting it into a subnet for which no WAN access is 
allowed.
Since this box might be compromised, it should be isolated in a separate 
network.
No sniffing can get anything useful, and any other attempt will bang 
against a firewall.
You can set up a mail server, feeding it with LMTP. Moreover, this is 
your outgoing MTA.


Now you can restrict this network to accept incoming LMTP transports and 
answer incoming IMAP requests. You can disallow traffic started from 
your IMAP server. So this machine can't do any harm any more.

But still, HE had some time to do something nasty, like fishing for 
passwords. Therefore, keep an eye on all of your machines.

For your enjoyment: if you would like to know him better ... put him in a 
chroot jail and watch him trying.
A shell logging each command can be informative.

cheers AHA
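The quarantine ruleset described in the message above, as an added example that is not part of the original post or of NetBSD's own configuration. It assumes a separate gateway box running pf (NetBSD 3.x ships the pf port from OpenBSD 3.7, hence the explicit `keep state`), with one interface facing the isolated subnet that holds the possibly compromised IMAP server. The interface name, the mail host address, the LMTP relay address and the user LAN are all hypothetical parameters passed on the command line; the script only prints the ruleset so it can be syntax-checked before it is loaded.

```shell
#!/bin/sh
# Added example (not from the original post): generate a pf ruleset for a
# gateway that quarantines a possibly compromised IMAP server, allowing
# only incoming LMTP from the relay and incoming IMAP/IMAPS from the LAN,
# and nothing at all originated by the mail host itself.
#
# Assumptions (hypothetical): the gateway runs pf, $1 is the gateway
# interface facing the isolated subnet, $2 the quarantined mail host,
# $3 the relay that delivers mail via LMTP (and acts as outgoing MTA),
# $4 the network the IMAP clients live on.

gen_quarantine_rules() {
    quar_if=$1
    mailhost=$2
    mx=$3
    lan=$4
    cat <<EOF
# Quarantine gateway ruleset (generated; review before loading)
quar_if = "$quar_if"
mailhost = "$mailhost"
mx = "$mx"
lan = "$lan"

# Silently drop instead of sending RSTs/ICMP; the compromised host gets
# no feedback about what the firewall does.
set block-policy drop

# Default deny in both directions on the quarantine interface. Logging the
# blocked packets lets you watch in pflog what the intruder tries next.
block in log on \$quar_if all
block out log on \$quar_if all

# The only two services that may reach the box: LMTP (tcp/24) from the
# relay, and IMAP/IMAPS from the user LAN. Reply packets ride on the state
# entry, so no connection originated by the mail host is ever permitted.
pass out on \$quar_if proto tcp from \$mx to \$mailhost port 24 keep state
pass out on \$quar_if proto tcp from \$lan to \$mailhost port { 143, 993 } keep state
EOF
}

# Count the "pass" rules in a generated ruleset; the quarantine must have
# exactly the two service exceptions and nothing else.
count_pass_rules() {
    printf '%s\n' "$1" | grep -c '^pass '
}

# When run as a script with four arguments, print the ruleset to stdout.
if [ "$#" -eq 4 ]; then
    gen_quarantine_rules "$1" "$2" "$3" "$4"
fi
```

Usage on the gateway: `sh quarantine-pf.sh wm0 192.0.2.10 198.51.100.5 10.0.0.0/24 | pfctl -nf -` checks the syntax; replacing `-nf` with `-f` loads it. Because both directions are denied by default and only stateful `pass out` rules exist, the compromised host cannot open DNS, SMTP or any other outbound connection, which is the "no harm any more" property the message asks for; `tcpdump -n -e -ttt -i pflog0` then shows every attempt it makes.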