You have just been paged for a Linux application host that is showing unusual outbound connections and a spike in CPU usage. The service is still partially available, but you need to determine quickly whether this is a misbehaving process, a persistence mechanism, or an active compromise. You have shell access to the host, standard system logs, and the ability to isolate the instance if needed.
What Linux commands would you use first, and how would you use them to investigate the host safely? Walk through how you would validate what is running, what changed recently, what is listening or connecting over the network, and when you would decide to contain the system.
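One way to answer the "what is connecting" part in a repeatable form, as an added example that is not part of the original question: a small POSIX shell helper that takes `ss -tunap` output and flags established connections whose peer is outside loopback and RFC 1918 space, together with the owning process. The socket lines, addresses and process names in the sample are constructed; on a live host you would pipe the real `ss -tunap` output into `flag_external_conns`.

```shell
#!/bin/sh
# Added triage helper (not from the original page). Usage on a live host:
#   ss -tunap | flag_external_conns
# Assumes IPv4 peers in the `ss -tunap` column layout:
#   Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process

# Return 0 if the IPv4 address is loopback or RFC 1918 private, 1 otherwise.
is_internal_ip() {
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read ss-style lines on stdin; print "peer_ip peer_port process pid=N" for
# ESTAB connections to non-internal peers. The header line is skipped because
# its State column reads "State", not "ESTAB".
flag_external_conns() {
    while read -r netid state recvq sendq local peer rest; do
        [ "$state" = "ESTAB" ] || continue
        ip="${peer%:*}"        # strip the :port suffix (IPv4 assumption)
        port="${peer##*:}"
        is_internal_ip "$ip" && continue
        # Pull the process name and pid out of users:(("name",pid=N,fd=M))
        proc=$(printf '%s' "$rest" |
            sed -n 's/.*users:(("\([^"]*\)",pid=\([0-9]*\).*/\1 pid=\2/p')
        printf '%s %s %s\n' "$ip" "$port" "${proc:-unknown}"
    done
}

# Constructed sample of ss -tunap output for offline demonstration.
SAMPLE='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   ESTAB  0      0      10.0.0.5:22     10.0.0.9:51234    users:(("sshd",pid=812,fd=4))
tcp   ESTAB  0      0      10.0.0.5:44120  203.0.113.7:8443  users:(("updater",pid=4321,fd=3))
tcp   LISTEN 0      128    0.0.0.0:8080    0.0.0.0:*         users:(("python3",pid=1200,fd=5))'

# Run the helper over the constructed sample; returns the flagged lines.
demo() {
    printf '%s\n' "$SAMPLE" | flag_external_conns
}

demo
```

Anything the helper prints is a lead to validate against the process's executable path, start time and parent, not a verdict on its own.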