If you suspect a Linux server running a critical backend service has been compromised, what are the first three things you investigate?