I know it's a nasty shock if you are not prepared (who's motto is that again?) but (for future reference) it would be good if people try hard to subdue the reflex to reboot *until* some stats have been taken. For instance it would be good to have listings of users, open files, processes and network connections. If unsure consult the "Intruder Detection Checklist" (CERT):
http://www.cert.org/tech_tips/intrud...checklist.html before actually *doing* something.
OK, that said you *still* have to go back in and see what caused the IRC conn. because else you're not taking away the cause. While it could be a logged on user it (more often) will be some automated bot. These bots usually get inserted because of some hole in public network facing software. Think forum, bulletin board, shopping cart or similar software (and often it's patched bu the user didn't update the version).
You'll want to check out any system logs, application logs, login records, scour temp dirs for files that shouldn't be there and such. The checklist can help and while you're at it use your distro's package manager to verify package contents and run Chkrootkit and Rootkit Hunter (new beta version 1.3.0 out, hurrah!).
Any questions just ask.
