libprocesshider.so installed and added to /etc/ld.so.preload

0 votes
1 answer
696 views
Today I received an alert from AlibabaCloud that libprocesshider.so is installed on my bastion server. They told me that it is a backdoor rootkit. I researched for a bit and found out that libprocesshider.so is usually used to hide backdoor processes and that it is common practice to add the module to /etc/ld.so.preload, and it was indeed added on my server.

Questions:

- Can I trace all hidden processes that were run with the libprocesshider module?
- How can I track the damage it caused on my servers? I looked into journalctl, /var/log/secure and history, but couldn't find any trace of the attack.
- The session that installed libprocesshider.so is still alive. I think the session was hijacked/stolen from a legitimate remote user, as that person is currently not connected to the bastion server. Should I kill the session ASAP, or can I trace some information from it?
- Is there a chance that libprocesshider.so was automatically installed by a non-malware application?

Please feel free to ask if you need more info.
Asked by Lunartist (405 rep)
Feb 28, 2023, 08:59 AM
Last activity: Feb 28, 2023, 09:57 AM
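Worked example added to this page (it is not from the question or any answer, and not part of the libprocesshider project): the hiding technique the question describes works by preloading a library that hooks readdir(), so tools such as ps and top, which list /proc with readdir(), never see the filtered entries. Probing /proc/<pid> directly with stat() does not go through that hook, so comparing the two views exposes the hidden PIDs. The script below does that comparison on the local host, parses /etc/ld.so.preload, and checks its own /proc/self/maps for the library. The substring "processhider" used as a filename match is an assumption for illustration; an attacker can rename the file, so the PID cross-check is the part to rely on.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): detect processes hidden by an
LD_PRELOAD readdir() hook such as libprocesshider.so by cross-checking two ways
of enumerating /proc, and inspect /etc/ld.so.preload and our own memory map."""
import os

PRELOAD_FILE = "/etc/ld.so.preload"
# Assumed filename fragment to look for in /proc/<pid>/maps; attackers may rename it.
SUSPECT_NAME = "processhider"


def parse_preload(text):
    """Return the library paths listed in ld.so.preload content.
    The loader treats '#' as a comment and separates entries by whitespace or ':'."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.replace(":", " ").split())
    return libs


def preload_hits(maps_text, needle=SUSPECT_NAME):
    """Return mapped file paths from a /proc/<pid>/maps dump whose name contains needle."""
    hits = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)  # address perms offset dev inode pathname
        if len(parts) == 6 and needle in parts[5]:
            hits.add(parts[5])
    return sorted(hits)


def pids_via_readdir():
    """Enumerate PIDs the way ps/top do: readdir() on /proc.
    This is the call libprocesshider hooks, so hidden PIDs are missing here."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pids_via_stat(pid_max=None):
    """Enumerate PIDs without readdir(): probe /proc/<pid> with stat(),
    which the hook does not intercept. Slow but complete."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"/proc/{pid}")
            found.add(pid)
        except OSError:
            pass
    return found


def find_hidden(visible, reachable):
    """PIDs reachable by stat() but absent from readdir() output."""
    return reachable - visible


def describe(pid):
    """Best-effort description of a PID; returns None if it has already exited."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            cmd = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
        exe = os.readlink(f"/proc/{pid}/exe") if os.path.exists(f"/proc/{pid}/exe") else ""
    except OSError:
        return None
    return {"cmdline": cmd or "<empty>", "exe": exe or "<unreadable>"}


def audit(pid_max=None):
    """Run all checks on the local host and return a report dict."""
    report = {}
    try:
        with open(PRELOAD_FILE) as f:
            report["preload"] = parse_preload(f.read())
    except FileNotFoundError:
        report["preload"] = []
    with open("/proc/self/maps") as f:
        report["mapped_in_self"] = preload_hits(f.read())
    before = pids_via_readdir()
    reachable = pids_via_stat(pid_max)
    after = pids_via_readdir()  # second pass filters PIDs that simply started mid-scan
    report["hidden"] = {}
    for pid in sorted(find_hidden(before | after, reachable)):
        info = describe(pid)
        if info is not None:  # skip processes that exited during the scan
            report["hidden"][pid] = info
    return report


if __name__ == "__main__":
    r = audit()
    print("ld.so.preload entries:", r["preload"] or "none")
    print("suspect libraries mapped into this process:", r["mapped_in_self"] or "none")
    for pid, info in r["hidden"].items():
        print(f"HIDDEN pid {pid}: exe={info['exe']} cmdline={info['cmdline']}")
    if not r["hidden"]:
        print("no PIDs hidden from readdir()")
```

Run it as root so /proc/<pid>/exe is readable; a full sweep up to pid_max (4194304 on most 64-bit hosts) takes a few seconds. The script itself is dynamically linked and is therefore also subject to the preload, which is exactly why it does not trust os.listdir() alone. A process that shows up in the hidden set should be examined through /proc/<pid>/ (exe, cwd, fd/, environ, status) before it is killed, since that view is lost the moment it exits.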