Are you running an internal server that has a view from the outside world? (either port forwarding or DMZ'd)? If so, clean out any CGI scripts you don't use.

If this was a few years ago, I'd guess that you have a Novell server that was exploited through one of the CGI attacks and is being used to look for other servers.