So one of your servers is compromised. You determine this because you notice a weird process running (as root, unfortunately). No helpful information about this process from Googling around.
First things first, let's clean this known dirty server up. Nuke it from orbit, see ya later. "How do I deal with a compromised server?" is a good guide for dealing with that server.
Now, a process running as root on a box inside the internal network does not give me a lot of confidence that this attack is contained to just this single server; however, I can't immediately find any signatures on other boxes. It is going to be a massive task, likely with substantial data loss or downtime, to fully nuke the entire infrastructure and rebuild.
What steps should you take to feel confident an attack has not spread to other servers on the network?
Bonus: This is a broad question. I can't find any good resources for describing current best practices for dealing with incident response/forensic analysis. Do any resources exist?
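One triage step for the "has it spread" question, as an added example that is not part of the original post: collect root-owned process inventories from every server and surface the commands that appear on only a few hosts, since a process nobody can explain is usually rare across the fleet even when no signature matches it. The host names, process lists and the "fewer than half the fleet" threshold are constructed assumptions.

```python
"""Fleet-wide triage: find root processes that run on only a few hosts.

Hypothetical helper, not from the original post. Assumes you already gathered
`ps -eo user,pid,comm` style output from every server into one place; the
inventories below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample: host -> list of "user pid command" lines (as from ps).
FLEET = {
    "web01": ["root 1 systemd", "root 812 sshd", "www 1320 nginx"],
    "web02": ["root 1 systemd", "root 799 sshd", "www 1301 nginx"],
    "web03": ["root 1 systemd", "root 805 sshd", "www 1290 nginx",
              "root 4471 unknown_bin"],    # the unexplained root process
    "db01":  ["root 1 systemd", "root 790 sshd", "postgres 2210 postgres",
              "root 4480 unknown_bin"],    # same binary on a second host
}

def parse_inventory(lines):
    """Yield (user, command) pairs from 'user pid command' lines."""
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        yield parts[0], parts[2]

def rare_root_processes(fleet, max_hosts=None):
    """Return {command: sorted hosts} for root-owned commands seen on at most
    `max_hosts` hosts (default: half the fleet or fewer). Rarity across hosts,
    not a signature database, is what makes an unknown process stand out."""
    if max_hosts is None:
        max_hosts = max(1, len(fleet) // 2)
    seen_on = defaultdict(set)
    for host, lines in fleet.items():
        for user, cmd in parse_inventory(lines):
            if user == "root":
                seen_on[cmd].add(host)
    return {cmd: sorted(h) for cmd, h in seen_on.items() if len(h) <= max_hosts}

if __name__ == "__main__":
    for cmd, hosts in rare_root_processes(FLEET).items():
        print(f"{cmd!r} runs as root only on {hosts}")
```

Anything this flags still needs the hosts' binaries, network connections and auth logs checked by hand; the script only tells you where to look first.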