As Tinkster said, there are tools like rkhunter and chkrootkit, but these are not usually the best place to start. LQ Sec can definitely help you to determine if your system has been compromised by guiding you through an investigation of the situation. The investigation process focuses on diagnostics to gain facts and clues regarding the state of the system. Like with hunting for ghosts, we sometimes find rational explanations for seemingly compromise behavior and other times we get real evidence of a compromise. As Tinkster pointed out the first step is to take the machine off line. It is best to do this by either disconnecting the network cable or putting up a firewall (iptables) to only allow SSH connections from a trusted source. Once you have secured the machine you can work with much less possibility of interference. The next step would be to review the CERT intruder detection checklist. It will give you an overview of the investigation process. Don't worry if a lot of it doesn't make sense, we can help with that. Now, to begin, would you please describe what is happening that leads you to suspect that your machine may have been compromised? Please provide as much specific detail as possible, including log entries if you have them.