I would suggest the following:
1. backup all your data; make sure that you have older backups available
2. perform a checksum of all executables and compare with a freshly installed machine. (in case a common commands such as su, netstat, ps etc. have been modified)
# sum /sbin/* /usr/sbin/* /bin/*
2b. do a full search of the servers for any scripts that may be lurking... you should know what each does.
3. obtain a copy of lsof (from the archive centre) and run it to ensure that no ports are stealthly open.
4. Check all cron jobs, at jobs to confirm that you know what they do.
5. check that you do not have strange entries in your $HOME/.rhosts and hosts.equiv
6. Keep an eye on traffic going into and out of your servers; verify that there are no MODEMs connected to any workstations/servers.
6. Worst-case scenario, do a clean install and restore your data (after validation) although I must say that most SAs I know are ethically minded and would not (no matter hoe unpleasant the circumstances are) subvert their former employers.
7. Now might be a good time to install tripwire
http://www.tripwire.com/ to keep a track of what has changed on your systems.
Good luck.
nothing wrong with me that a few lines of code cannot fix!
