
Server hacked and I now question some ethernet activity

My 10.6 Snow Leopard Server was hacked and apparently was sending out emails, according to my ISP.

I turned off the MySQL server and then shut down two hacker IP addresses using the Firewall. These actions settled the server back down.

The next day I restarted the MySQL server and did not notice any issue with processor usage.

I found the NTP hack issue and turned off the automatic time function. So the network time process is OFF.

Now, in the aftermath, I am left with some curious Ethernet IP activity that I don't believe is NORMAL?

I have a virtual web server with 27 web sites and an address that ends in .29.

I have a second IP address on the server ending in .25.

Curiously, this second IP results in a massive amount of traffic NOW being denied. Sometimes the dynamic rules hit 800+, and they are all related to this IP.

Traffic looks like this: "STATE UDP IPaddress25 port 50318 <-> to DNS port 53"

as in "(9s) STATE udp 50.78.225.25 50318 <-> 75.75.75.75 53"

It seems like this Ethernet port is cycling through port numbers 49000 and above, which are UDP private ports, and the traffic goes to a DNS IP.

The Firewall action is DENY, and it cycles up with a high amount of activity and then dies back down.

Since I am not using Safari, etc., this doesn't seem reasonable to me, and I have the feeling something has been dumped onto the server.

ANY THOUGHTS WOULD BE APPRECIATED.

THANKS,

Ed

Posted on Feb 9, 2015 11:35 PM
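The dynamic-rule lines quoted in the post ("(9s) STATE udp 50.78.225.25 50318 <-> 75.75.75.75 53") are easy to parse, and the question of whether a host is generating an abnormal volume of outbound DNS lookups can be answered by counting them. The following script is an added example, not code from the post or from Apple; it parses lines in that format, keeps only UDP traffic to port 53 from the ephemeral port range, and reports per source IP how many distinct source ports were seen and which resolvers were contacted. The `(Ns)` prefix is assumed to be the state age in seconds, the exact spacing of the line is assumed from the single line the post quotes, and the sample lines (built from the IPs given in the post) and the threshold of 100 are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the dynamic-rule state format quoted in the post, e.g.
# "(9s) STATE udp 50.78.225.25 50318 <-> 75.75.75.75 53"
# Assumption: "(9s)" is the age of the state entry in seconds.
STATE_RE = re.compile(
    r"^\((?P<age>\d+)s\)\s+STATE\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)

EPHEMERAL_MIN = 49152  # start of the IANA dynamic/private port range


def parse_state_line(line):
    """Parse one state line into a dict, or return None if it does not match."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    return {
        "age": int(m.group("age")),
        "proto": m.group("proto").lower(),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def summarize_dns_states(lines, per_host_threshold=100):
    """Group UDP/53 entries with ephemeral source ports by source IP.

    A host is flagged as suspicious when the number of distinct ephemeral
    source ports it used toward port 53 reaches the threshold; each distinct
    port corresponds to a separate DNS query socket.
    """
    ports_by_src = defaultdict(set)
    resolvers_by_src = defaultdict(set)
    for line in lines:
        rec = parse_state_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] != 53:
            continue
        if rec["sport"] < EPHEMERAL_MIN:
            continue
        ports_by_src[rec["src"]].add(rec["sport"])
        resolvers_by_src[rec["src"]].add(rec["dst"])
    report = {}
    for src, ports in ports_by_src.items():
        report[src] = {
            "distinct_ports": len(ports),
            "resolvers": sorted(resolvers_by_src[src]),
            "suspicious": len(ports) >= per_host_threshold,
        }
    return report


def build_sample_lines():
    """Constructed sample: 120 short-lived DNS states from the .25 address,
    3 from the .29 web-server address, plus one unrelated TCP entry."""
    lines = [
        f"({i % 10}s) STATE udp 50.78.225.25 {50000 + i} <-> 75.75.75.75 53"
        for i in range(120)
    ]
    lines += [
        "(3s) STATE udp 50.78.225.29 51000 <-> 75.75.75.75 53",
        "(5s) STATE udp 50.78.225.29 51001 <-> 75.75.75.75 53",
        "(7s) STATE udp 50.78.225.29 51002 <-> 75.75.75.75 53",
        "(2s) STATE tcp 50.78.225.29 80 <-> 203.0.113.10 54321",
    ]
    return lines


if __name__ == "__main__":
    for src, info in summarize_dns_states(build_sample_lines()).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{src}: {info['distinct_ports']} DNS states to "
              f"{', '.join(info['resolvers'])} [{flag}]")
```

Run against a capture of the firewall's dynamic-rule output, the report separates a web server's ordinary occasional lookups from a host that is opening hundreds of fresh DNS sockets in a short window; the latter is the pattern to investigate by finding which process on that host is issuing the queries, rather than by the firewall counts alone.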


There are no replies.
