In short, you'll want to read the Intruder Detection Checklist (CERT):
http://web.archive.org/web/200801092...checklist.html first.
Save all process, network, user data: '( ps axfwwwwe; lsof -Pwn; netstat -anpe; last; lastb; lastlog; w; who; history ) > /dev/shm/file' and copy the file off site. Copy all logs (usually from /var: see /etc/syslog.conf or equivalent and 'sudo lsof -Pwn +D/var|awk '{print $NF}'|sort -u') and all user shell history files to a different machine and run Logwatch (with the "--detail High --archives --numeric --hostlimit [hostname] --range All" switches and don't forget to set "--logdir") on the logs. Make a list of tasks from the Intruder Detection Checklist and perform them.
If the report plus the output of the checklist yields leads you don't know how to handle, feel free to post shell history and log excerpts.
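The volatile-data capture from the one-liner above, as an added example script that is not part of the original post: it writes each command's output to its own file, records which tools were present or missing instead of aborting, and hashes the result so the off-site copy can be verified. Tool names, the /root and /home history paths and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Run one command string if its first word exists; capture stdout and stderr.
# Each run appends a line "name<TAB>command<TAB>exit=N" (or MISSING) to
# collected.txt so the responder knows exactly what was and was not gathered.
capture_cmd() {
    outdir="$1"; name="$2"; cmd="$3"
    tool="${cmd%% *}"
    if command -v "$tool" >/dev/null 2>&1; then
        rc=0
        sh -c "$cmd" >"$outdir/$name.txt" 2>&1 || rc=$?
        printf '%s\t%s\texit=%s\n' "$name" "$cmd" "$rc" >>"$outdir/collected.txt"
    else
        printf '%s\t%s\tMISSING\n' "$name" "$cmd" >>"$outdir/collected.txt"
    fi
}

# Collect the same data as the one-liner into OUTDIR, most volatile first
# (processes and sockets change fastest, login records are on disk already).
collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    : >"$outdir/collected.txt"
    capture_cmd "$outdir" ps      "ps axfwwwwe"
    capture_cmd "$outdir" lsof    "lsof -Pwn"
    capture_cmd "$outdir" netstat "netstat -anpe"
    capture_cmd "$outdir" ss      "ss -anp"          # assumed: netstat replacement
    capture_cmd "$outdir" last    "last"
    capture_cmd "$outdir" lastb   "lastb"
    capture_cmd "$outdir" lastlog "lastlog"
    capture_cmd "$outdir" w       "w"
    capture_cmd "$outdir" who     "who"
    # 'history' is a shell builtin and is empty in a script; list the history
    # files instead (paths assumed) so they can be copied off with the logs.
    capture_cmd "$outdir" histfiles "find /root /home -maxdepth 2 -name '.*history' -ls"
    # Integrity manifest for the off-site copy (sha256sum assumed present).
    if command -v sha256sum >/dev/null 2>&1; then
        ( cd "$outdir" && sha256sum ./*.txt >MANIFEST.sha256 ) || :
    fi
    return 0
}

# Usage (run as root on the suspect host, then copy the directory off site):
#   collect_volatile /dev/shm/ir-$(date +%Y%m%d%H%M)
```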