If at all possible, use statically-linked tools and utilities mounted from a CD-R for this investigation.
List all TCP connections to/from the machine using netstat (see below). For any that you don't recognise, use fuser and/or lsof to determine which processes are responsible.
On Linux it is possible to select TCP connections:
    netstat -t

    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0     80 localhost.localdo:38436 localhost.localdoma:ssh ESTABLISHED
    tcp        0     80 localhost.localdo:38862 localhost.localdoma:ssh ESTABLISHED
    tcp        0      0 localhost.localdom:6012 localhost.localdo:40404 ESTABLISHED
    tcp        0      0 mctalby.mc.ma:httpproxy CPE-67-48-233-44.n:2243 ESTABLISHED
    tcp        0      0 mctalby.mc.ma:httpproxy 61.175.228.137:44104    ESTABLISHED
    tcp        0      0 mctalby.mc.man.ac:55914 darkstar.umist.ac.u:ssh ESTABLISHED
    tcp        0      0 mctalby.mc.man.ac:48994 bohrg2.man.ac.uk:484    ESTABLISHED
    .
    .
On Solaris, simply scroll down until the TCP header:
    netstat -a | less

    TCP
       Local Address            Remote Address         Swind Send-Q Rwind Recv-Q  State
    ------------------------ -------------------------- ----- ------ ----- ------ -------
    *.*                      *.*                            0      0     0      0 IDLE
    *.sunrpc                 *.*                            0      0     0      0 LISTEN
    *.*                      *.*                            0      0     0      0 IDLE
    *.892                    *.*                            0      0     0      0 BOUND
    *.32771                  *.*                            0      0     0      0 LISTEN
    *.32772                  *.*                            0      0     0      0 LISTEN
    cosmos.umist.ac.uk.6051  bm2.csu.umist.ac.uk.1623   17443      0  8760      0 ESTABLISHED
    cosmos.umist.ac.uk.6051  bm2.csu.umist.ac.uk.1624   17520      0  8760      0 ESTABLISHED
    *.*                      *.*                            0      0  8576      0 IDLE
    *.*                      *.*                            0      0  8576      0 IDLE
    cosmos.umist.ac.uk.42376 130.88.211.29.ldap          8977      0  8760      0 ESTABLISHED
    cosmos.umist.ac.uk.54164 sylo2.mc.man.ac.uk.22      33120      0  8760      0 ESTABLISHED
    cosmos.umist.ac.uk.22    printer3.ma.man.ac.uk.3961 64511      0  8760      0 ESTABLISHED
    .
    .
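The triage step described above (list TCP connections, then map the unrecognised ones to processes) can be scripted on Linux; the following is an added example, not part of the original page. It assumes numeric output from `netstat -tn` so that truncated host names and service names do not hide the port; the function names, the `KNOWN` list and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tn` output (documentation address ranges).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.5:22            192.0.2.10:51514        ESTABLISHED
tcp        0      0 192.0.2.5:8080          198.51.100.77:44104     ESTABLISHED
tcp        0      0 192.0.2.5:48994         203.0.113.9:484         ESTABLISHED
tcp        0      0 127.0.0.1:6012          127.0.0.1:40404         ESTABLISHED
tcp        0      0 192.0.2.5:55914         203.0.113.50:22         TIME_WAIT'

# Remote hosts the investigator recognises (assumed list, space-separated).
KNOWN='127.0.0.1 192.0.2.10'

# unrecognised KNOWN_LIST
# Reads `netstat -tn` output on stdin and prints "local_port remote_addr"
# for every ESTABLISHED TCP connection whose remote host is not in the list.
# Only ESTABLISHED is kept: states such as TIME_WAIT no longer have an
# owning process for fuser/lsof to report.
unrecognised() {
    awk -v known="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            nl = split($4, l, ":")            # last field is the local port
            nr = split($5, r, ":")            # last field is the remote port
            rhost = substr($5, 1, length($5) - length(r[nr]) - 1)
            if (!(rhost in ok)) print l[nl], $5
        }'
}

# owners PORT
# Shows which process holds the given local TCP port; falls back to fuser
# if lsof is missing or reports nothing.
owners() {
    lsof -n -P -i "TCP:$1" 2>/dev/null || fuser -v -n tcp "$1"
}

if [ "${1:-}" = "--live" ]; then
    # Live run on the machine under investigation (needs root to see all PIDs).
    netstat -tn | unrecognised "$KNOWN" | while read -r port remote; do
        echo "== local port $port <-> $remote"
        owners "$port"
    done
else
    # Offline run over the constructed sample.
    printf '%s\n' "$SAMPLE" | unrecognised "$KNOWN"
fi
```

Run with `--live` from the trusted, statically-linked toolset so that the `netstat`, `lsof` and `fuser` binaries used are not the ones on the suspect disk.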