Start by verifying that 'netstat' (part of the 'net-tolls' RPM) hasn't been replaced by a rootkit:
rpm -V net-tools
If '/bin/netstat' comes up, it's bad. Download a clean package (or pull off your install CD's), and re-install it.
Once you've confirmed it's clean, issue the command:
netstat -nutlp
This will list processes listening (either UDP or TCP), and what their process-id's are (PID). An example of the output from one of my machines:
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 26363/sendmail
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 26376/ishttpd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 795/httpd
tcp 0 0 192.231.136.2:53 0.0.0.0:* LISTEN 27128/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 27128/named
This is just 5 of the listening ports.
They state the protocol, the send/receive queues, the listening IP and port (the next two aren't a concern in this command), and the last field is the PID/process name.
lets look at the process listening on 8080 as an example.
It's called 'ishttpd', and is at PID 26376.
If we look in /proc/26376/, an 'ls -l' shows the following:
total 0
-r--r--r-- 1 root root 0 Dec 16 13:45 cmdline
lrwxrwxrwx 1 root root 0 Dec 16 13:45 cwd -> /etc/iscan
-r-------- 1 root root 0 Dec 16 13:45 environ
lrwxrwxrwx 1 root root 0 Dec 16 13:45 exe -> /opt/trend/ISHTTP/IScan.HTTP/ishttpd
dr-x------ 2 root root 0 Dec 16 13:45 fd
-r--r--r-- 1 root root 0 Dec 16 13:45 maps
-rw------- 1 root root 0 Dec 16 13:45 mem
-r--r--r-- 1 root root 0 Dec 16 13:45 mounts
lrwxrwxrwx 1 root root 0 Dec 16 13:45 root -> /
-r--r--r-- 1 root root 0 Dec 16 13:45 stat
-r--r--r-- 1 root root 0 Dec 16 13:45 statm
-r--r--r-- 1 root root 0 Dec 16 13:45 status
This shows us various pieces of good information. For starters, it shows the exact path to the executed binary (exe: /opt/trend/ISHTTP/IScan.HTTP/ishttpd), and the directory it was launched from (cwd: /etc/iscan). The contents of 'cmdline' is the command line that launched it.
With these details, you can start tracking down where a paper-trail might be. Rootkits usually leave a log of their progress in the directory they are launched from.
With the PID, you can try using the 'kill' command to be rid of it. You may want to verify that it is also not been replaced by using 'rpm -V util-linux'.
Once you've got the path name, and the binary name, you can do 2 things. One: find out where it was launched from (cd /etc;grep -r "
" *), two: remove the offending binary (using 'lsattr' to make sure it isn't immutable (+i) and 'rm' to make sure you can get rid of it).
As for logs to trace them, well, try using the 'last' command. I highly doubt it will show anything as the files it relies upon (/var/run/utmp) will have most probably been destroyed after you were exploited.
One long-haired git at your service...
