43

I've been handed 3 Linux boxes, 1 front facing with apache on it and another 2 which, as far as I can tell, don't do an awful lot. All running on Redhat.

The question is simple: How can I tell what the server is actually doing? Zero documentation is available from the creator.

Bizmark
  • 598

6 Answers

43

Unplug the ethernet cable and see who gets upset.

Seriously though, mystery machines like this create a lot of mental overhead for a team and often provide absolutely no business value. Talk to your boss, if no one knows what it does maybe no one cares what it does.

31

This is a pretty broad question for the Serverfault format, but here is a good start:

  • Check for running processes and those scheduled to run at system startup.
    • Review the running configuration of each.
    • Look into any defined data directories. (Maybe someone installed MySQL and turned it on, but there are no databases.)
  • Check for scheduled tasks.
  • Check the logs to see:
    • who has logged in recently (and ask them)
    • and to get an idea of what's been running.

You didn't mention the version, so I've omitted the specifics.

Aaron Copley
  • 12,954
19

There are a few things you could do to try and ascertain what's running on your system.

You can check which ports your server is listening on to get an idea of what's on there. A good command to use would be:

[root@server ~]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN      1880/smbd
tcp        0      0 0.0.0.0:5666                0.0.0.0:*                   LISTEN      1911/nrpe
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1759/sshd

As you can see from the example output above, it presents you with the protocol version (tcp or udp), the address that's being listened on, the port that's open and the program that's listening.

In the above truncated example (a server machine) you can see tcp ports 139, 5666, and 22 are listening. These resolve to samba, nrpe (Nagios agent) and ssh respectively, and this is confirmed when you check the program that's listening on that port.

Additionally, you can check the list of daemons which are configured to start at boot. To do that, run: chkconfig --list | grep "3:on"

Example:

[root@server ~]# chkconfig --list | grep "3:on"
NetworkManager  0:off   1:off   2:on    3:on    4:on    5:on    6:off
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sysstat         0:off   1:on    2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off
vncserver       0:off   1:off   2:on    3:on    4:on    5:on    6:off
webmin          0:off   1:off   2:on    3:on    4:off   5:on    6:off
x2gocleansessions       0:off   1:off   2:on    3:on    4:on    5:on    6:off
...

or:

service --status-all

Itai Ganot
  • 10,976
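As an added example (not code from this answer or from any of the tools it names), here are two POSIX shell functions that turn the `netstat -tulpn` and `chkconfig --list` output shown above into a short inventory: which listeners are bound to all interfaces and so reachable from the network, which are loopback-only, which programs netstat could not name (the `-` you get when not running as root), and which services start in runlevel 3. The sample output they are run on is constructed, not captured from a real host.

```shell
#!/bin/sh
# Helper functions for an undocumented RHEL box. Each one reads command output on
# stdin, so on the live host you run:
#   netstat -tulpn | listeners
#   chkconfig --list | boot_enabled
# The SAMPLE_* strings below are constructed, not captured from a real machine.

# One line per listening socket: "proto port scope program".
# scope is "external" for sockets bound to all interfaces (0.0.0.0 or ::),
# "local" for loopback, otherwise the bound address. program is "unknown" when
# netstat printed "-" (it cannot map PIDs to names unless run as root).
listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::") scope = "external"
        else if (addr == "127.0.0.1" || addr == "::1") scope = "local"
        else scope = addr
        prog = "unknown"
        if ($NF != "-") { split($NF, p, "/"); prog = p[2] }
        print $1, port, scope, prog
    }' | sort -u
}

# Service names that chkconfig reports as started in runlevel 3 (multi-user).
# Scans every field so the xinetd section ("name: on/off") is skipped cleanly.
boot_enabled() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "3:on") { print $1; break } }' | sort -u
}

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN  1759/sshd
tcp        0      0 127.0.0.1:3306  0.0.0.0:*        LISTEN  2210/mysqld
tcp        0      0 :::80           :::*             LISTEN  2001/httpd
udp        0      0 0.0.0.0:123     0.0.0.0:*                -'

SAMPLE_CHKCONFIG='sshd    0:off 1:off 2:on  3:on  4:on  5:on  6:off
mysqld  0:off 1:off 2:off 3:off 4:off 5:off 6:off
httpd   0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd based services:
        rsync:  off'

# Demo on the constructed samples; a service that is listening (mysqld) but not
# enabled at boot, or vice versa, is worth a closer look.
echo "Enabled at boot:";  printf '%s\n' "$SAMPLE_CHKCONFIG" | boot_enabled
echo "Listening:";        printf '%s\n' "$SAMPLE_NETSTAT"  | listeners
```

Anything reported as "external" with an "unknown" program is the first thing to re-run as root and identify.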
18

Another method involves checking the /etc directory and looking at the modification dates. After a fresh install all the files in this directory should have roughly the same date/time. And since an install usually installs a lot of things people usually do not use, only the files that have a later modification date reflect the actual purpose of the server. If this is ext4 you also should be able to extract the birth date of directories, so the task could be quite easy.

Yet another method would involve checking the .bash_history files to see what the admins were up to. This file can provide a wealth of knowledge.

sebix
  • 4,432
7

Check the firewall rules. With a bit of luck, it's configured for default-deny. That means there's an explicit rule for each allowed service.

This is better than netstat because it can also show ports that are open e.g. for nightly backups.

MSalters
  • 700
6

One answer I've not seen yet: Check the most recently modified files. Logs, database files, other output files etc. may still get written to, and that may provide clues:

find . -mtime -3 

That would find modified files in the current directory and deeper, changed in the last 3 days. Increase the number 3 to an educated guess until you get some output you can investigate.

Not fool-proof, as the boxes may just process some web service calls, returning some data without ever writing anything. But added to the great mix mentioned above, it may just yield some clues.

JayMcTee
  • 4,111