This has got potential to be a really good thread.

Let's imagine the following scenario.

One of your Red Hat servers has been compromised. The hacker has got root access. You want to know how did he get in.

What are the steps and methodology that you apply as soon as you are sitted in the console in order to get the big picture as fast as possible? Have you got this scripted?

EDIT: Let's assume this has to be a live analysis, we cannot afford to take it offline as it's a production server and every minute the server is down is worth several thousand dollars in cost.

My steps. Feel free to add yours.

[redhat@linux FC4]# w
[redhat@linux FC4]# who
[redhat@linux FC4]# ps -aux
[redhat@linux FC4]# lsof -i
[redhat@linux FC4]# netstat -an
[redhat@linux FC4]# dmesg