I think we're going to need some more details about what is going on. By the way, in the case of suspected compromises, this forum tends to work rather differently than others you may have seen. Here we put a high emphasis on gathering facts about the machine in question rather than speculating about what might be going on. So, with that in mind, here are some things to think about.....
- What is this machine used for and why do you think this traffic was suspect?
- What distro is running on it, and how well patched/maintained is it?
- Are there any existing intrusion detection systems in place?
- Have you examined your log files for anything out of the ordinary?
Some potentially helpful information can be obtained from:
With these, you are looking for anything suspicious, and feel free to post outputs.
In addition, if you feel the machine has been compromised, I'd strongly suggest pulling the network cable, but do NOT reboot/turn off the machine. If you don't have physical access, you might use iptables to cut off all access except SSH from a trusted IP.
Also, have a look at the CERT Checklist for a good process to develop more facts about the machine.
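One way to do the iptables isolation described above, as an added example that is not from the original poster: a POSIX sh function that emits an iptables-restore ruleset, so all rules load atomically and the DROP policy never lands before the SSH allow rule. The trusted address 203.0.113.10, the SSH port and the log prefixes are assumed values.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset that isolates a suspect host while keeping
# SSH open from one trusted address. Loading it with iptables-restore applies
# every rule in one transaction, so there is no window in which INPUT is
# already DROP but the SSH allow rule is not yet present (a classic lock-out).
# Dropped traffic in both directions is rate-limit logged, which is useful
# evidence of what the box is trying to talk to while you investigate.
# TRUSTED_IP (203.0.113.10 in the usage below) is a constructed example value;
# the port default and log prefixes are assumptions.
isolation_ruleset() {
    trusted="$1"
    ssh_port="${2:-22}"
    # Refuse to build a ruleset with no trusted address: it would lock everyone out.
    case "$trusted" in
        ''|*[!0-9.]*) echo "isolation_ruleset: need a trusted IPv4 address" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $trusted --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "ISOLATED-IN: "
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "ISOLATED-OUT: "
COMMIT
EOF
}

# Usage (as root). Save the live rules first; they are part of the evidence.
#   iptables-save > /root/iptables-before-isolation.txt
#   isolation_ruleset 203.0.113.10 | iptables-restore
```

Because OUTPUT is also DROP, the host cannot resolve names or phone home, but replies on the existing SSH session still pass via the ESTABLISHED rule.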