I have a server running a control panel (PLESK). Within the control panel we have multiple clients, each client is assigned its own ip so we can monitor bandwidth usage on a per client level. Now each ip has multiple domains hosted off of it. However we did assign a couple of extra ips to that server for use later when we get more clients. Now one of these unused ips is sending out tcp packets that look to me like mail. Again there is nobody assigned to this ip address. I realize that the server might be compromised but I dont want to start pulling down sites unless I am absolutly sure. The amount of bandwidth that the server is using is minimal. (150 MB/24 hours). How can I check to be sure that this is not legitimate traffic?
P.S. I checked the mail logs and wouldnt ya know it, the maillog is 0kb.