how to check if my root server was compromised
listed in answer
ANSWER:
First of all, if your system is compromised, you can’t trust your logs. Rootkits are there to make you think everything is running normally. The only way to detect if there is illegitimate traffic residing from your server is to sniff it once it has left your machine (this can be done with a repeater port on a switch).
So unfortunately this might mean:
by Lucas Kauffman from http://serverfault.com/questions/380597
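
An added example, not part of the original answer: one way to use a capture taken on the switch's repeater (mirror) port is to compare the flows seen on the wire with the connections the suspect host reports itself. The sample `tcpdump -nn` and `ss -tn` text, the addresses and the function names are constructed for illustration, and only IPv4 TCP is handled.

```python
import re

# Constructed sample: `tcpdump -nn` text output captured on the switch mirror port.
MIRROR_CAPTURE = """\
12:00:01.000001 IP 192.0.2.10.22 > 203.0.113.5.51514: Flags [P.], seq 1:37, ack 1, win 501, length 36
12:00:01.200000 IP 192.0.2.10.44321 > 198.51.100.7.8443: Flags [S], seq 1000, win 64240, length 0
12:00:01.300000 IP 198.51.100.7.8443 > 192.0.2.10.44321: Flags [S.], seq 2000, ack 1001, win 65535, length 0
12:00:02.000000 IP 192.0.2.10.443 > 203.0.113.9.40000: Flags [.], ack 1, win 501, length 0
"""

# Constructed sample: `ss -tn` output as reported by the suspect host itself.
HOST_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      192.0.2.10:22       203.0.113.5:51514
ESTAB  0      0      192.0.2.10:443      203.0.113.9:40000
"""

TCPDUMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def wire_flows(capture, host_ip):
    """Flows seen off-host, normalised to (local_port, peer_ip, peer_port)."""
    flows = set()
    for line in capture.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if src == host_ip:
            flows.add((sport, dst, dport))
        elif dst == host_ip:
            flows.add((dport, src, sport))
    return flows

def host_flows(ss_output, host_ip):
    """Flows the host admits to, in the same normalised form."""
    flows = set()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        local_ip, local_port = fields[3].rsplit(":", 1)
        peer_ip, peer_port = fields[4].rsplit(":", 1)
        if local_ip == host_ip:
            flows.add((int(local_port), peer_ip, int(peer_port)))
    return flows

def unreported_flows(capture, ss_output, host_ip):
    """Traffic present on the wire that the host's own tooling does not show."""
    return sorted(wire_flows(capture, host_ip) - host_flows(ss_output, host_ip))
```

A flow returned by `unreported_flows` is a lead, not proof: a short-lived connection can legitimately be missing from a single `ss` snapshot, so repeat the comparison over several snapshots before drawing conclusions.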

