<a href="http://etechsupport.net/forum/showthread.php?t=434">A good guide to what to do when your server is attacked</a>.
top -d2 netstat -nap | grep SYN | wc -l netstat -nap | less
If there are many httpd processes showing up after step 1, you might be under attack. If you get high numbers for the second one, you are almost definitely under attack. Use the third one to see the IP addresses, and then ban them from the server:
iptables -A INPUT -s ip.address -j DROP
Also try the following for fixing stuff:
cd /dev/shm ls
And delete anything that's not supposed to be there.
locate bindz locate botnet.txt locate dc locate ex0.pl locate kaiten locate r0nin locate udp.pl locate ... lsof | grep ., locate mybot