web application – has my server been hacked?

I manage a Debian GNU/Linux web server (Debian 10 Buster with its bundled 4.19 kernel). I put in place simple iptables logging rules a long time ago, among other things. Here they are:

# iptables -A OUTPUT -d (mySmtpSmarthost)/32 -p tcp -m tcp --dport 25 -j ACCEPT
# iptables -A OUTPUT -d (mySmtpSmarthost)/32 -p tcp -m tcp --dport 465 -j ACCEPT
# iptables -A OUTPUT -d (mySmtpSmarthost)/32 -p tcp -m tcp --dport 587 -j ACCEPT
# iptables -A OUTPUT -p tcp -m tcp --dport 25 -j LOG
# iptables -A OUTPUT -p tcp -m tcp --dport 465 -j LOG
# iptables -A OUTPUT -p tcp -m tcp --dport 587 -j LOG
# iptables -A OUTPUT -p tcp -m tcp --dport 25 -j DROP
# iptables -A OUTPUT -p tcp -m tcp --dport 465 -j DROP
# iptables -A OUTPUT -p tcp -m tcp --dport 587 -j DROP

The goal here is to catch anything suspect, mainly rogue PHP scripts that connect directly to some hacked (smtp?) server out there. There is an Exim mail server on localhost which hands off messages to an external smarthost, so that the WordPress wp_mail() function works, with the help of an SMTP plugin that configures it to use localhost as the SMTP server.

In other words I’m saying: “dear rogue script, either you use the configured smarthost (so that I can bust you there) or you are already busted here”.

That obviously assumes the server hasn’t been hacked to the root… and here comes my question.

Yesterday I found this in the logs:

Nov 21 12:23:55 web kernel: (35501.571711) IN= OUT=eth0 SRC=my.server.public.ip DST=109.89.132.126 
  LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=81 DPT=587 WINDOW=0 RES=0x00 ACK RST URGP=0
                                                     ^^^^^^ This!

while

# netstat -nltp | grep :81
#

so I deduce that something managed to bind port 81 on the locally configured public IP address and tried to send a message to 109.89.132.126 on port 587.

Is that at all possible without having root privileges? Port 81 is lower than 1024, i.e. it’s a privileged port on Linux, and I’ve never issued any custom setcap command on this server.
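
An added example, not part of the original post: a small parser for the iptables LOG format shown above that sorts logged packets by their TCP flags. A bare SYN means a local process is opening a connection, while an RST with ACK is what the kernel's TCP stack sends in reply to a SYN arriving for a port with no listener, which requires no socket bound to the source port. The sample lines are constructed (documentation addresses), and the function names and verdict labels are this example's own.

```python
import re

# Constructed sample lines in iptables LOG format. The first mirrors the entry
# in the post (addresses replaced by documentation ranges); the second is a
# constructed outbound connection attempt, for contrast.
SAMPLE_LOG = """\
Nov 21 12:23:55 web kernel: [35501.571711] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=81 DPT=587 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 21 12:30:02 web kernel: [35868.100200] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=48212 DPT=587 WINDOW=64240 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "ECE", "CWR"}
KEY_VALUE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return (KEY=value fields, set of bare TCP flag tokens) for one LOG line."""
    _, _, body = line.partition("kernel:")
    fields = dict(KEY_VALUE.findall(body))
    flags = {token for token in body.split() if token in TCP_FLAGS}
    return fields, flags

def classify(line):
    """Label a logged packet by what its TCP flags say about its origin."""
    fields, flags = parse_log_line(line)
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    if "RST" in flags:
        # The TCP stack can emit a reset without any process bound to SPT.
        return "reset"
    if "SYN" in flags and "ACK" not in flags:
        # First packet of a handshake: a local process called connect().
        return "connect-attempt"
    if "SYN" in flags:
        return "syn-ack"
    return "established-traffic"

def triage(log_text):
    """Return (SPT, DPT, verdict) for every kernel LOG line in log_text."""
    rows = []
    for line in log_text.splitlines():
        if "kernel:" in line:
            fields, _ = parse_log_line(line)
            rows.append((fields.get("SPT"), fields.get("DPT"), classify(line)))
    return rows

if __name__ == "__main__":
    for spt, dpt, verdict in triage(SAMPLE_LOG):
        print(f"SPT={spt} DPT={dpt} -> {verdict}")
```

Lines labelled connect-attempt are the ones the LOG/DROP rules were written to catch; a reset with WINDOW=0 is better checked against inbound traffic to the same port at that timestamp.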