Another idea to help with your forensics would be to bring a netstat and lsof
binary over to your machine and run them to see which actors are running and
trying to get out.  That could help you detect what is running on that machine
and google your way from there.

If your kernel has been subverted then userland is irrelevant; a kit can simply hook the system calls those binaries use and return whatever it wants you to know.

--

Kyle
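A cross-view check of the kind that point implies, added here as an example and not code from this thread: it compares the PIDs visible in a directory listing of /proc with those reachable by probing each /proc/<pid> directly, since a hook that filters the listing often leaves the per-PID path reachable. The function names and the 65536 probe cap are assumptions; a kit that hooks both paths consistently defeats this, which is exactly the point made above.

```python
import os

PROBE_CAP = 65536  # assumed upper bound on PIDs to probe; keeps the scan quick


def listed_pids(proc_root="/proc"):
    """PIDs as reported by a directory listing of /proc (the getdents path)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probed_pids(proc_root="/proc", max_pid=PROBE_CAP):
    """PIDs found by asking for each /proc/<pid> directly, bypassing the listing."""
    return {pid for pid in range(1, max_pid + 1)
            if os.path.isdir(os.path.join(proc_root, str(pid)))}


def compare_views(listed_before, probed, listed_after):
    """Return PIDs hidden from the listing and PIDs that merely came or went.

    A PID counts as hidden only if the probe saw it and neither listing did;
    a process that starts between the first listing and the probe shows up in
    the second listing and is therefore not flagged. 'transient' PIDs were
    listed first but gone by probe time: short-lived processes, not evidence.
    """
    listed_either = listed_before | listed_after
    return {"hidden": sorted(probed - listed_either),
            "transient": sorted(listed_before - probed)}


def scan(proc_root="/proc", max_pid=PROBE_CAP):
    """List, probe, list again, so races with process start/exit are filtered."""
    before = listed_pids(proc_root)
    probed = probed_pids(proc_root, max_pid)
    after = listed_pids(proc_root)
    return compare_views(before, probed, after)


if __name__ == "__main__":
    result = scan()
    print("hidden from listing:", result["hidden"] or "none")
    print("transient (exited mid-scan):", result["transient"] or "none")
```

Run it as root from a trusted binary copied onto the box; a non-empty "hidden" list is a lead to pull the kernel image and memory for offline analysis rather than to keep trusting anything the live system reports.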