I can try to help if you are actually “in problem”. So next time it happen let me know, I can give you some hints. Maybe it will be hard to synchronize (I’m in canada), but I’ll keep this discussion opened.
Steps to do to begin, when you have the problem:
1- Do this command: netstat -na | grep ESTA
2- Take the ports on “strange” connections (the number after the : before the ESTA)
3- Do this command: lsof -i:PORTNUMBER where PORTNUMBER is the port from #2
4- You will see a process name and a PID number, keep them in note.
5- You can do: ps -ef | grep PID #to see the running process
6- You can do: lsof -p PID #to see all open files, sockets
7- You can do: cat /proc/PID/cmdline #like #5, you can see a bit more sometimes
From there you can have a lot of info, or none (if you have rootkits/obfuscated miners)