What is the best course of action when you discover that a non-administrator Linux account has gotten owned, and a single foreign process is running, making all sorts of networking connections?
For example, how would one take a complete snapshot of the process for future analysis?
Take into consideration that the executable itself might have been deleted, so you'd have to find even the binary itself through an inode with something like debugfs; but there's also the question of preserving other evidence.
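One way to take the process snapshot asked about, as an added example that is not part of the original post: a POSIX shell triage script that copies the still-mapped executable and the process state out of /proc before anything is stopped or killed. It assumes Linux with /proc mounted and enough privilege (root, or the owning user) to read the target's /proc entries; the function and output file names are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: snapshot one suspect process
# from /proc before anything is killed. Assumes Linux with /proc mounted and
# root (or the owning user) so that exe, environ and fd are readable.
# Freezing the process first (kill -STOP PID) keeps its state, and the
# deleted executable's inode, alive while evidence is copied.

# Returns 0 if the process's executable has been unlinked from disk.
exe_was_unlinked() {
    case "$(readlink "/proc/$1/exe" 2>/dev/null)" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# capture_process_evidence PID OUTDIR: copies the binary and process state.
capture_process_evidence() {
    pid="$1"; out="$2"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$out" || return 1
    # /proc/PID/exe stays readable after unlink: the kernel keeps the mapped
    # inode until the process exits, so no debugfs inode hunt is needed yet.
    readlink "/proc/$pid/exe" > "$out/exe_path.txt" 2>/dev/null || true
    cp "/proc/$pid/exe" "$out/exe.bin" 2>/dev/null || true
    # argv and environment are NUL-separated; rewrite them one per line.
    tr '\0' '\n' < "/proc/$pid/cmdline" > "$out/cmdline.txt" 2>/dev/null || true
    tr '\0' '\n' < "/proc/$pid/environ" > "$out/environ.txt" 2>/dev/null || true
    # Working directory, credentials/status, memory map, open descriptors.
    readlink "/proc/$pid/cwd" > "$out/cwd.txt" 2>/dev/null || true
    cat "/proc/$pid/status" > "$out/status.txt" 2>/dev/null || true
    cat "/proc/$pid/maps" > "$out/maps.txt" 2>/dev/null || true
    ls -l "/proc/$pid/fd" > "$out/fd.txt" 2>/dev/null || true
    # Sockets owned by this PID (ss from iproute2, if installed).
    if command -v ss >/dev/null 2>&1; then
        ss -tunap 2>/dev/null | grep "pid=$pid," > "$out/sockets.txt" || true
    fi
    # A full memory image can be added with gdb's gcore: gcore -o "$out/core" PID
    # Hash every artefact so the collection can be verified later.
    find "$out" -type f ! -name SHA256SUMS -exec sha256sum {} + \
        > "$out/SHA256SUMS" 2>/dev/null || true
    return 0
}
```

Run it as `capture_process_evidence 1234 /root/evidence-1234` and only stop or kill the process once exe.bin and SHA256SUMS are in place, since the deleted binary is recoverable through /proc only while the process lives.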