Hmmm maybe I've stumbled on the real source? I started poking in my hardware router firewall logs... and I'm seeing these kinds of entries over and over....

-------------------------
[LAN access from remote] from 213.226.63.155:46921 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:35:58
[LAN access from remote] from 46.29.107.22:34676 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:35:47
[LAN access from remote] from 220.247.1.204:62607 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:35:27
[LAN access from remote] from 87.68.51.97:49548 to 192.168.1.5:80 Saturday, Dec 11,2010 09:33:23
[LAN access from remote] from 87.68.51.97:49546 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:33:22
[LAN access from remote] from 87.68.51.97:49545 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:33:21
[LAN access from remote] from 66.65.11.185:44620 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:32:50

(it's one hour out because I've never bothered to update for DST)

Poking around some more, I discovered that UPnP was turned on in the router... and port 18987 was... opened or available. This is a new router I've recently added to my network, and UPnP was on by default - I did not explicitly turn it on.

I've switched UPnP off now, and network activity has dropped to zero again. I think any previous changes while I was tinkering with my apache server were coincidental.

I did some digging and came across this: http://www.upnp-hacks.org/igd.html

Interestingly (or worryingly?) the router log now shows....

--------------------------
[LAN access from remote] from 66.249.72.106:58661 to 192.168.1.5:80 Saturday, Dec 11,2010 09:42:07
[LAN access from remote] from 85.190.0.3:51549 to 192.168.1.5:80 Saturday, Dec 11,2010 09:39:36
[LAN access from remote] from 85.190.0.3:55221 to 192.168.1.5:80 Saturday, Dec 11,2010 09:39:36
[LAN access from remote] from 85.190.0.3:44693 to 192.168.1.5:80 Saturday, Dec 11,2010 09:39:36
[LAN access from remote] from 85.190.0.3:43506 to 192.168.1.5:80 Saturday, Dec 11,2010 09:39:16

So they've switched from hammering port 18987, which was open via the UPnP service, to port 80.... but I'm not seeing anywhere near the level of constant activity on my machine anymore.

So... guessing here... someone discovered my router, poked it, and found out UPnP was enabled... and took advantage of this. Question is... what? Could they have compromised my openSUSE system behind the firewall? How does someone find out if this has happened? Is it time to figure out how rkhunter works?

C.

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
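A quick way to answer "which ports were actually reached, and from how many hosts" from these router entries. This is an added Python example, not code from the post: it parses the "[LAN access from remote]" line format shown above, tallies hits per destination port and flags any port that is not in the set you deliberately exposed. The expected-port set ({80} for the Apache server) and the sample lines (copied from the post, plus one constructed non-matching line) are assumptions.

```python
import re
from collections import Counter, defaultdict

# Pattern for the router's "[LAN access from remote]" entries, in the form shown in the post.
ENTRY_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<when>\w+, \w+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)

# Sample input: lines copied from the post, plus one constructed line that does not
# match the pattern, to show that unrelated log lines are ignored.
SAMPLE_LOG = """\
[LAN access from remote] from 213.226.63.155:46921 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:35:58
[LAN access from remote] from 46.29.107.22:34676 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:35:47
[LAN access from remote] from 87.68.51.97:49548 to 192.168.1.5:80 Saturday, Dec 11,2010 09:33:23
[LAN access from remote] from 87.68.51.97:49546 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:33:22
[LAN access from remote] from 85.190.0.3:51549 to 192.168.1.5:80 Saturday, Dec 11,2010 09:39:36
Dec 11 09:40:00 router: some other message (constructed, ignored by the parser)
"""

def parse_entries(text):
    """Return one dict per matching line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entries.append({"src": m["src"], "sport": int(m["sport"]),
                            "dst": m["dst"], "dport": int(m["dport"]),
                            "when": m["when"]})
    return entries

def summarize(entries, expected_ports):
    """Per destination port: hit count, distinct sources, and whether the port is one
    you deliberately exposed (anything else points at UPnP or a forgotten rule)."""
    hits, sources = Counter(), defaultdict(set)
    for e in entries:
        hits[e["dport"]] += 1
        sources[e["dport"]].add(e["src"])
    return {p: {"hits": n, "sources": sorted(sources[p]), "expected": p in expected_ports}
            for p, n in hits.items()}

def unexpected_ports(report):
    """Destination ports that were reached but were never meant to be open."""
    return sorted(p for p, info in report.items() if not info["expected"])

if __name__ == "__main__":
    report = summarize(parse_entries(SAMPLE_LOG), expected_ports={80})
    print("reached on ports never meant to be open:", unexpected_ports(report))
```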