To start with, you'll need to get the system off the network, back it up and check your log files to see if anything has been logged that points to what they've done. Your Apache logs and several of the files in /var/log (secure, messages, syslog) may have information. But if it was someone who knew what they were doing and gained sufficient access, they'll have tried to hide what they did.
It's worth going through the links on that page because going through the process may show that you weren't cracked at all. Or, if you were, you'll have a wide range of tools you can apply to find the problems. The first link in the forensics section (http://www.cert.org/tech_tips/root_compromise.html) goes through some steps to determine whether you've been cracked. I'd suggest you have a look in the "C. Analyze the intrusion" section and ask more questions here about what you find...