Leaving traces that the client hacked through an open port [on hold]

I'm curious to know which tracks an attacker leaves when hacking me through one of my open ports, and how he can get rid of them if he wants to go undetected / stealth mode?