I run a business-grade Sophos Firewall with OpenMediaVault behind it. Recently, I have noticed ATP (Advanced Threat Protection) alerts from my firewall identifying a threat from my OMV server calling back home to an outside IP. I've seen this when running TransmissionBT because some IP addresses are flagged; however, I have had it removed for a few weeks now. I ran multiple bootable AV suites to look for infected files or rootkits; none are found on the OMV drive. The attempt comes up once a week, so if it's something malicious it may be trying to stay low in terms of detection. I run ClamAV, though it does not scan the system files. Currently I'm running MySQL, Nginx, Rsnapshot, SMB & Seafile. It may be a false positive, but one of the IP addresses comes up in Russia, and when your server is calling Russia, you should question the possibility of a botnet :).
Last two ATP alerts are for:
109.172.65.44 (In Russia)
195.154.178.218 (In France)
Any advice for determining what is trying to communicate out, or additional tools to run? Thanks!
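One way to answer "which process is talking to that IP" on the OMV box itself, as an added example that is not part of the original post: take the two destination addresses the firewall reported and match them against the live socket table (`ss -tnp`), which names the owning process for each established connection. The script below is written for this thread; the `ss` output it parses is a constructed sample, and the process names in it (python3, smbd, mysqld) are invented for illustration, not findings from the poster's server. Because the firewall hits are brief and weekly, a single run is unlikely to coincide with the connection, so the `live` function is meant to be scheduled (for example every minute from cron) and its output appended to a log.

```bash
#!/bin/sh
# Watchlist: the two destination IPs reported by the Sophos ATP alerts in the post.
WATCHLIST="109.172.65.44 195.154.178.218"

# Read `ss -tnp` style output on stdin and print one line per socket whose
# peer address is on the watchlist: peer IP, local address:port, owning process.
match_watchlist() {
    awk -v list="$WATCHLIST" '
        BEGIN { n = split(list, ips, " "); for (i = 1; i <= n; i++) want[ips[i]] = 1 }
        NR == 1 && $1 == "State" { next }   # skip the ss header line
        {
            # Fields: State Recv-Q Send-Q Local:Port Peer:Port users:(("cmd",pid=N,fd=M))
            peer = $5; sub(/:[0-9]+$/, "", peer)   # strip the peer port
            if (peer in want) {
                # Without root, ss omits the process column; say so rather than print nothing.
                proc = ($6 == "") ? "(no process info; run as root)" : $6
                printf "%s %s %s\n", peer, $4, proc
            }
        }'
}

# Constructed sample of `ss -tnp` output (illustrative only, not data from the poster's host).
SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.10:445 192.168.1.20:51234 users:(("smbd",pid=1203,fd=35))
ESTAB 0 0 192.168.1.10:49812 109.172.65.44:443 users:(("python3",pid=2441,fd=7))
ESTAB 0 0 192.168.1.10:3306 127.0.0.1:40022 users:(("mysqld",pid=988,fd=41))'

# Run the matcher over the constructed sample (used for the self-check below).
hits() { printf '%s\n' "$SAMPLE" | match_watchlist; }

# Run the matcher over the real socket table; schedule this from cron, e.g.
#   * * * * * /usr/local/bin/watch-callbacks.sh >> /var/log/watch-callbacks.log
# (path and log file are placeholders) so a short-lived weekly connection is caught.
live() { ss -tnp 2>/dev/null | match_watchlist | while IFS= read -r line; do
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$line"
done; }

# Usage: `sh watch-callbacks.sh` prints matches from the live table;
# `sh watch-callbacks.sh demo` prints matches from the constructed sample.
case "${1:-}" in
    demo) hits ;;
    "")   live ;;
esac
```

Two caveats for reading the results: an entry like `python3` or `curl` only names the interpreter or client, so follow up with `ls -l /proc/<pid>/exe` and `/proc/<pid>/cmdline` to see what was actually launched and from where; and if nothing is ever caught by polling, the connection may be shorter than the poll interval, in which case a firewall-side log of outbound traffic to the two addresses (or the process-accounting features of auditd) will record it regardless of timing.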