Good tips there.

But I forgot to include an IMPORTANT detail here.

This is a production server: we are dealing with a critical server with a big database for an e-commerce application. Every minute that the server is offline costs the company several thousand dollars.

From a business perspective, we cannot simply afford to take it offline, even assuming root compromise or that a rootkit has been installed.

The first approach is to identify the incident, then contain it and then eradicate it, while always keeping it online, unless we detect that a major event has happened, such as credit card numbers being stolen.

So let's assume we cannot take it offline and we have to find out as fast as possible what has happened and how to contain it.

Let's see what steps and methodology we'd follow, so that we can add detailed actions, tips, tricks and so on to the process.
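For the "identify" step on a box that must stay online, the first thing to do is snapshot the volatile state (processes, sockets, logged-in users, loaded modules) before any containment action changes it. The script below is an added example, not part of the poster's message or of any tool mentioned in the thread; it assumes a POSIX sh with coreutils on Linux, skips any tool that is not installed, runs only read-only commands, and writes a SHA-256 manifest so the snapshot can be shown to be unaltered later. The command list and output file names are my own choice.

```shell
#!/bin/sh
# Live-triage snapshot (added example). Captures volatile state into a
# directory and hashes every captured file. Read-only commands only, so the
# collection itself does not modify the evidence on the running server.

collect_volatile_state() {
    outdir="$1"
    mkdir -p "$outdir" || return 1

    # One "<output name>|<command>" pair per line. A command is skipped when
    # its binary is not present, so the script degrades gracefully on a
    # minimal install. Both ss and netstat are listed because distros differ.
    cat <<'EOF' | while IFS='|' read -r name cmd; do
date|date -u
uptime|uptime
logged_in|who -a
logins|last -F -n 50
processes|ps -eo pid,ppid,user,lstart,etime,cmd
sockets_ss|ss -tunap
sockets_netstat|netstat -tunap
open_files|lsof -nP
kernel_modules|cat /proc/modules
mounts|cat /proc/mounts
arp_cache|cat /proc/net/arp
system_crontab|cat /etc/crontab
EOF
        tool=${cmd%% *}
        command -v "$tool" >/dev/null 2>&1 || continue
        # Capture stderr too: a permission error is itself worth recording.
        $cmd > "$outdir/$name.txt" 2>&1 || true
    done

    # Hash every capture so later tampering with the evidence is detectable.
    ( cd "$outdir" && for f in *.txt; do sha256sum "$f"; done ) \
        > "$outdir/manifest.sha256"
    echo "$outdir/manifest.sha256"
}

# Number of captures listed in a manifest; useful to confirm the run worked.
count_captured() {
    wc -l < "$1" | tr -d ' '
}

# Usage: collect_volatile_state "/root/ir-$(hostname)-$(date -u +%Y%m%dT%H%M%SZ)"
# Copy the directory off the host (scp/rsync) before doing any containment.
```

Run it as root so ss/lsof can map sockets to processes, and write the output to a path (or a mounted USB stick) rather than to the web root. Because nothing in it writes to the application data, it is safe to run repeatedly while the server keeps serving traffic.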