1. Don't Panic! Don't Switch the Machine Off

So your machine has been got at — or could have been. You have two conflicting tasks:

Ideally, do as little as possible to disturb the bad guys — this way you will be able to gather the most information. (The last thing you want is for them to shut down operations and clean up, leaving you with no evidence of how they got in or what they were up to.)

Minimum Immediate Network-Related Checks

If, for example, CERT or others are breathing down your neck, try to do the following before removing the network cable from the machine. Do not switch it off, as you may lose a lot of information (about, e.g., running processes, loaded kernel modules and listening daemons). In this order:

1. determine and understand every TCP connection;
2. determine and understand every open port;
3. survey all network traffic.
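The three checks above, carried out in the stated order, as an added example that is not part of the original document: a POSIX sh script that snapshots the volatile network state into a timestamped evidence directory, records which tools were available, and hashes every output file. The evidence location (/tmp/ir-evidence, overridable through EVIDENCE_ROOT), the capture length (CAPTURE_SECONDS) and the choice of tools (ss, netstat, lsof, tcpdump, ps, lsmod) are assumptions; on a real incident the directory should be on external media and the binaries should come from a trusted source rather than the suspect host, since the machine's own copies may have been replaced.

```shell
#!/bin/sh
# Added example: volatile network-state snapshot for a machine suspected of
# compromise. Order follows the text: TCP connections, open ports, traffic
# survey. Nothing here is switched off or killed; the script only reads.

# Assumed evidence location; override with EVIDENCE_ROOT (external media preferred).
EVIDENCE_ROOT="${EVIDENCE_ROOT:-/tmp/ir-evidence}"

# hash_file FILE: print a SHA-256 line using whichever hashing tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else printf 'NO-HASH-TOOL  %s\n' "$1"
    fi
}

# run_check NAME CMD [ARGS...]: run CMD if it exists, keep stdout+stderr in
# $OUTDIR/NAME.txt and note the outcome in the manifest. A failing command is
# recorded, not fatal: the point is to capture as much as possible.
run_check() {
    name="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$OUTDIR/$name.txt" 2>&1 || true
        printf '%s\t%s\tcaptured\n' "$name" "$*" >>"$OUTDIR/manifest.tsv"
    else
        printf '%s\t%s\tTOOL MISSING\n' "$name" "$*" >>"$OUTDIR/manifest.tsv"
    fi
}

# collect_network_state: perform the checks, hash the results, print the
# evidence directory path.
collect_network_state() {
    OUTDIR="$EVIDENCE_ROOT/$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$OUTDIR"
    printf 'name\tcommand\tstatus\n' >"$OUTDIR/manifest.tsv"
    date -u >"$OUTDIR/started_utc.txt"

    # 1. every TCP connection, with the owning process where the tool shows it
    run_check tcp_connections ss -tanp
    run_check tcp_connections_netstat netstat -tanp

    # 2. every open/listening port (TCP and UDP) and the process holding it
    run_check listening_ports ss -tulnp
    run_check open_sockets_lsof lsof -nP -i

    # 3. survey traffic for a bounded interval. Without `timeout` the capture
    #    would be unbounded, so it is recorded as skipped rather than run.
    if command -v timeout >/dev/null 2>&1; then
        run_check traffic_sample timeout "${CAPTURE_SECONDS:-30}" \
            tcpdump -nn -c 2000 -w "$OUTDIR/traffic.pcap"
    else
        printf 'traffic_sample\ttcpdump\tSKIPPED (no timeout)\n' >>"$OUTDIR/manifest.tsv"
    fi

    # Context the text warns you lose on power-off: processes and kernel modules.
    run_check processes ps auxww
    run_check kernel_modules lsmod

    # Hash everything so later tampering with the evidence is detectable.
    ( cd "$OUTDIR" && for f in *; do hash_file "$f"; done ) >"$OUTDIR.sha256"
    printf '%s\n' "$OUTDIR"
}

# Run only when explicitly asked, so the file can also be sourced.
if [ "${IR_RUN:-0}" = 1 ]; then
    collect_network_state
fi
```

Run it as `IR_RUN=1 EVIDENCE_ROOT=/media/usb/ir sh snapshot.sh` before touching the cable; the manifest shows which checks actually ran, and the .sha256 file beside the directory lets you prove later that nothing in it changed.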


About this document:

Produced from the SGML: /home/umits/public_html/_unix_security/_reml_grp/diagnostic_forensic_tools.reml
On: 23/10/2005 at 13:29:12
Options: reml2 -i noindex -l long -o html -p multiple