Originally Posted by Arevos

It shouldn't be your problem to find out who did it. This presumably isn't a paying job, and unless your school wants to pay you for your time, it simply isn't worth trying to find out who compromised the machine, except to satisfy your curiousity.

If you're curious, I'd look at the logs (usually in /var/log), check the running processes (ps ax), check the bash history for root (/root/.bash_history), and anything else you can think of. But don't feel you have to. If what you say is true, and you are telling the entire story, then your school is trying to blackmail you into doing sysadmin work.

That's worth repeating. If you had nothing to do with the machine being compromised, then there is nothing the school can do to you.