Ubuntu server hacked. Recovering

I was cyber-attacked by someone from China and they managed to install Yam (crypto mining) on my Ubuntu 14.04 server.

I managed to close their ssh access through the public IP. and I have remedied the damage they did. Except for two things that have me confused still.

1- I can not edit /etc/rc.local from root. they have a script in there to adduser 'setup' with root permissions. I cant edit the script although it is owned by root and has the permission. I get permission denied. I can edit other files so the filesystem is not read only.

2- Every time I log in via ssh, I get the welcome message, then "You have mail" followed by a huge number of permission denied errors like this:

    You have mail. 
    find: `/var/log/speech-dispatcher': Permission denied 
    find: `/var/log/samba/cores': Permission denied
    -bash: /var/log/Xorg.1.log.old: Permission denied
    -bash: /var/log/apache2/error.log.43.gz: Permission denied
    -bash: /var/log/apache2/error.log.14.gz: Permission denied
    -bash: /var/log/apache2/access.log.44.gz: Permission denied
    -bash: /var/log/apache2/error.log.13.gz: Permission denied
    -bash: /var/log/apache2/crm65.com-access_log: Permission denied
    -bash: /var/log/apache2/access.log.9.gz: Permission denied
    -bash: /var/log/apache2/error.log.36.gz: Permission denied
    -bash: /var/log/apache2/error.log.16.gz: Permission denied
    -bash: /var/log/apache2/error.log.11.gz: Permission denied
    -bash: /var/log/apache2/testcrm-error.log: Permission denied
    -bash: /var/log/apache2/error.log.46.gz: Permission denied
    -bash: /var/log/apache2/error.log.18.gz: Permission denied
    -bash: /var/log/apache2/access.log.45.gz: Permission denied
    -bash: /var/log/apache2/access.log.34.gz: Permission denied
    -bash: /var/log/apache2/vtigercrm-access.log: Permission denied
.
.

it basically goes through the whole /var/log directory.

I am not sure what is happening there.

ANY help is appreciated!