Check the active processes
Using the "ps" command to look for odd or unknown processes is normally the first place to start. If you are unsure what to look for in the process list, use "netstat -ae | grep irc" and/or "netstat -ea | grep 666" and look for ports 6666, 6667, 6668 or 6669 being in use: these are common ports used for running IRC bots. The bot processes may have the name "irc" listed against them, or may be called "httpd" or another regular service name, but they are very likely to have an incorrect or unusual path.
Check crontab
Check your crontab for unexpected or strange entries. Crontab tasks are often used to check that the exploit has not been found and to regenerate it from hidden directories if it has been exposed and apparently deleted; alternatively, many exploits use them to restart IRC bots even after administrators or automated process monitors have killed the rogue process.
Check for hidden files or directories
Check for hidden files or directories you don't expect to see: those starting with "." (dot), and also ". " (dot, space), which is often favoured to defeat searches for hidden directories. Hidden directories are employed for two reasons: initially to hide the exploit, but also as a way of continuing to infect the exploited machine even when the user deletes the obvious or discovered active exploit files (see above).
Examples of searches that may help pin down exploits and/or unexpected files and folders:
find /home -type f | xargs grep -l MultiViews
find . -type f | xargs grep -l base64_encode   (this may produce false positives; base64_encode is valid in some mail/graphics scripts)
find . -type f | xargs grep -l error_reporting
find / -name "[Bb]itch[xX]"
find / -name "psy*"
ls -lR | grep rwxrwxrwx > listing.txt
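Added example, not part of the original checklist: a small POSIX sh triage script that automates the process, crontab and hidden-directory checks described above. The function names, the triage.sh file name and the sample socket lines are this example's own.

```shell
#!/bin/sh
# Triage helper added as an example; it is not part of the original checklist.
# It automates three of the checks above. Function names are this example's own.

# Print hidden entries under $1 ("." for the current directory is fine), one
# per line, flagging "dot space" names meant to slip past a casual 'ls -a'.
find_hidden_entries() {
    find "$1" -name '.*' ! -name '.' ! -name '..' 2>/dev/null |
    while IFS= read -r path; do
        case "$(basename "$path")" in
            '. '*) printf 'DOT-SPACE %s\n' "$path" ;;
            *)     printf 'HIDDEN    %s\n' "$path" ;;
        esac
    done
}

# Read netstat/ss-style lines on stdin; print those that use an IRC port
# (6666-6669) or carry "irc" in the process name, as the text above suggests.
flag_irc_sockets() {
    grep -Ei ':666[6-9]([[:space:]]|$)|irc' || true
}

# Print every crontab location a bot restarter could hide in.
dump_crontabs() {
    for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* \
             /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] && { printf '== %s\n' "$f"; cat "$f"; }
    done
    crontab -l 2>/dev/null
    return 0
}

# Run the live checks only when executed as triage.sh; sourcing the file
# just defines the functions.
if [ "${0##*/}" = "triage.sh" ]; then
    echo '--- sockets on IRC ports or with irc in the process name'
    (netstat -tanp 2>/dev/null || ss -tanp) | flag_irc_sockets
    echo '--- crontabs'
    dump_crontabs
    echo '--- hidden entries under /home and /tmp'
    find_hidden_entries /home
    find_hidden_entries /tmp
fi
```

Run it as root (save as triage.sh) so netstat/ss can show process names and every user's crontab is readable.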