Linux Rootkits – Rootkit Hunter

As an incident responder, one of your first ports of call should be to look for any signs of a rootkit. A good rootkit finder for Linux systems is Rootkit Hunter (rkhunter).

Rootkit Hunter tests for such things as hidden files, ports and processes, the known file names and strings of published rootkits, and changes to system binaries compared with a baseline of their properties that you store while the host is known to be clean.

In an ideal situation you would want to acquire a disk image and run Rootkit Hunter against that copy from a trusted system rather than on the live host. A kernel-level rootkit on the compromised machine can hide its files, processes and sockets from every userspace tool, including the scanner, so results gathered on the running host are only as trustworthy as the kernel that produced them.

Download Rootkit Hunter from http://rkhunter.sourceforge.net/ (most distributions also ship it as the rkhunter package).
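The workflow above in script form, as an added example rather than anything from the original post or the rkhunter project: store a baseline on a known-clean host, run a non-interactive scan, and pull the warning lines out of the log for triage. The rkhunter flags used (`--propupd`, `--update`, `--check`, `--sk`, `--rwo`, `--logfile`) are from the 1.4 series; the sample log is constructed here to show the parsing, and the exact wording of real log lines varies by version.

```shell
#!/bin/sh
# Added example, not part of the original post or of rkhunter itself.
set -eu

RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"   # rkhunter's default log location

# Record the file-properties baseline. Only do this on a host you trust:
# running it after compromise just blesses the attacker's binaries.
rkhunter_baseline() {
    rkhunter --propupd
}

# Non-interactive scan: --sk skips the "press enter" prompts, --rwo prints
# only warnings on the terminal; the full detail still goes to the log.
# Prefer running this from a trusted boot against a mounted copy of the
# suspect disk rather than under the suspect kernel.
rkhunter_scan() {
    rkhunter --update || true    # refresh signature data; needs network access
    rkhunter --check --sk --rwo --logfile "$RKH_LOG"
}

# Print the warning messages from an rkhunter log, timestamps stripped.
# Log lines are prefixed "[HH:MM:SS]"; the messages we care about begin
# with "Warning:". Result tags such as "[ Warning ]" at the end of a check
# line are deliberately not matched, since the message line that follows
# carries the actual finding.
rkhunter_warnings() {
    grep -E '^\[[0-9:]+\] +Warning:' "$1" | sed -E 's/^\[[0-9:]+\] +//'
}

# Number of warnings, so a cron job or CI step can fail the host on "> 0".
rkhunter_warning_count() {
    rkhunter_warnings "$1" | wc -l | tr -d ' '
}

# Constructed sample log (assumption: shape approximates real rkhunter
# output) so the parsing can be exercised without a scan. Contains two
# findings: a changed netstat binary and a hidden directory.
rkhunter_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[10:15:02] Info: Starting the file properties checks
[10:15:02] Checking for prerequisites                       [ OK ]
[10:15:03]   /usr/bin/ls                                    [ OK ]
[10:15:03]   /usr/bin/netstat                               [ Warning ]
[10:15:03] Warning: The file properties have changed:
[10:15:03]          File: /usr/bin/netstat
[10:15:05] Warning: Hidden directory found: /dev/.udev
[10:15:06] Info: End of file properties checks
EOF
    printf '%s\n' "$f"
}

# Usage on a real host: rkhunter_baseline (once, while clean), then
# rkhunter_scan and rkhunter_warnings "$RKH_LOG" after an incident.
```

Treat a warning as a lead, not a verdict: package upgrades legitimately change binaries and produce the same "file properties have changed" message, which is why the baseline has to be refreshed after trusted updates and why a hit should be confirmed against the distribution's package checksums.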

FYI, I should also mention an excellent memory forensics utility called Volatility, which can analyze memory dumps and show you the state of the machine at acquisition time. Volatility only does the analysis; you will need a separate tool to acquire the memory image from the host first.
