Good day all, I apologize in advance for the length of this post. I am at my wits' end, as I am using a web mail client rather than my Linux machines. If you do have a bit of time to read this and have some input, it would be greatly appreciated.

Question: I am experiencing a continued compromise problem; every attempt that I have made seems to be for naught. I am running a 200MHz Pentium with SuSE 6.3, firewall program version 1.4.8, as a masq/router box, and a couple of other Linux machines as a small home network. I have taken the time to upgrade the kernel to the latest version, applied the kernel security patch by Solar Designer, and turned off all unnecessary services. At this point I do not run X on the box or have make or gcc installed, for obvious reasons. I run my system-wide permissions as 'paranoid'. I also perform an nmap scan and a SAINT audit to make sure that no holes exist. I run rpm -Va to verify all the packages. ** This is all performed without the box hooked to the external wire. ** The only incoming traffic I allow is the return packets from the internal network machines and name server (DNS) from my local ISP; all other ports are closed, so I think :/

A few days after each 'clean reinstall' I start to notice a fair amount of outbound traffic. The first incident, I found that port 6000 (X) was open. I was sure that nmap and SAINT had given me a clean bill of health. Sure enough, a double-check with SAINT showed X Windows as a vulnerability; also netbios was insecure. No signs of file modifications or additional files on the system.

The second incident was the same type of scenario, except I upgraded SAINT to the 2.0 version and ran an audit. It indicated "evidence of penetration" and stated that three trojan problems were found: a trinoo master and two 'stacheldraht' clients were installed. I found an empty file in the root directory labeled '.fishingboat'.

The third incident is with the stripped down box (no X, make, binutils and such; not that that will stop someone using a precompiled program, I just don't want to help them while they are at it). I installed portsentry and logwatch, and I also have installed seccheck for daily reports. Again checking the external integrity, making sure that _no_ ports were open, and hooking the machine up, 1 day later I see abnormal ICMP (ping) traffic from my masq box. I have no logwatch reports; it looks as though the portsentry entries have been wiped, with no sign of portsentry initialization in /var/log/messages. I did run ps aux | less and found portsentry running. Hmm, no initialization reports. I have a Debian box monitoring the network with 'snort', and several times it reported a "Source Port Attack", which I ignored as a possible anomaly. The source was my primary name server's addy. I also found in one syslog a report of a neighbour table overflow, and then saw, a few minutes later, one of the internal machines, e.g. 192.168.1.x, attempting a connection to the internal loopback (which I always disable) 127.0.0.1:512.

Bottom line is, how can someone access my firewall/masq machine when there are no open ports, when the only traffic allowed back into the network is the masq'd packets and DNS? Is this some type of spoofing? Can I eliminate this problem? Is there a way that IP Chains can filter the packet and identify a spoofed address? Any help would be appreciated, again thanks. Cheers, John @ DataEFX
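The anti-spoofing check John asks about at the end, modelled as an added example that is not part of the original post and not John's configuration. A packet filter cannot tell a forged source address from a real one by looking at the address alone; what it can check is whether the source is plausible for the interface the packet arrived on (a 192.168.1.x or 127.x source has no business arriving from the ISP side, and a non-192.168.1.x source has no business arriving from the LAN side). The topology here is assumed: eth0 faces the ISP, eth1 faces the LAN, the box's own external address is the placeholder 203.0.113.7 (RFC 5737 documentation range), and only the 192.168.1.x prefix comes from the post. The equivalent ipchains rules are given in the comments.

```python
import ipaddress
from dataclasses import dataclass

# Assumed topology (not from the post): eth0 faces the ISP, eth1 faces the
# 192.168.1.0/24 LAN, which is the only prefix the post actually mentions.
EXTERNAL_IF = "eth0"
INTERNAL_IF = "eth1"
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
EXTERNAL_ADDR = "203.0.113.7"  # placeholder for the box's ISP-assigned address

# Source ranges that must never arrive on the ISP-facing interface.
NEVER_FROM_OUTSIDE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),  # covers INTERNAL_NET
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("224.0.0.0/4"),     # multicast used as a unicast source
]

# Equivalent ipchains input-chain rules for a 2.2 kernel (interface names assumed);
# -l logs each match to syslog so the spoof attempt leaves a trace:
#   ipchains -A input -i eth0 -s 192.168.0.0/16  -j DENY -l
#   ipchains -A input -i eth0 -s 10.0.0.0/8      -j DENY -l
#   ipchains -A input -i eth0 -s 127.0.0.0/8     -j DENY -l
#   ipchains -A input -i eth0 -s 203.0.113.7     -j DENY -l
#   ipchains -A input -i eth1 -s ! 192.168.1.0/24 -j DENY -l
#   ipchains -A input -i eth1 -d 127.0.0.0/8     -j DENY -l


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str
    dst: str


def classify(pkt: Packet, external_addr: str = EXTERNAL_ADDR) -> tuple[str, str]:
    """Return ('DENY' | 'ACCEPT', reason), mirroring the input chain above."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.iface == "lo":
        return ("ACCEPT", "loopback interface")
    # 127/8 must only ever appear on lo; on a wire it is a martian either way.
    if src in LOOPBACK_NET:
        return ("DENY", f"loopback source {src} on {pkt.iface}")
    if dst in LOOPBACK_NET:
        return ("DENY", f"loopback destination {dst} on {pkt.iface}")

    if pkt.iface == EXTERNAL_IF:
        if src == ipaddress.ip_address(external_addr):
            return ("DENY", "our own external address arriving from outside")
        for net in NEVER_FROM_OUTSIDE:
            if src in net:
                return ("DENY", f"source {src} in {net} arrived on {pkt.iface}")
        return ("ACCEPT", "plausible external source")

    if pkt.iface == INTERNAL_IF:
        if src not in INTERNAL_NET:
            return ("DENY", f"source {src} not in {INTERNAL_NET} on {pkt.iface}")
        return ("ACCEPT", "internal source on internal interface")

    return ("DENY", f"unknown interface {pkt.iface}")


def audit(packets, external_addr: str = EXTERNAL_ADDR):
    """Return syslog-style lines for every packet the chain would deny."""
    denied = []
    for pkt in packets:
        verdict, reason = classify(pkt, external_addr)
        if verdict == "DENY":
            denied.append(f"DENY {pkt.iface} {pkt.src} -> {pkt.dst}: {reason}")
    return denied


# Constructed sample traffic, not captured from John's network.
SAMPLE_PACKETS = [
    Packet("eth0", "192.168.1.50", EXTERNAL_ADDR),   # LAN address from the ISP side
    Packet("eth0", "198.51.100.20", EXTERNAL_ADDR),  # ordinary DNS reply
    Packet("eth1", "192.168.1.20", "127.0.0.1"),     # LAN host aiming at loopback
    Packet("eth1", "10.0.0.5", "198.51.100.20"),     # foreign source on the LAN side
    Packet("eth0", EXTERNAL_ADDR, EXTERNAL_ADDR),    # our own address from outside
    Packet("lo", "127.0.0.1", "127.0.0.1"),          # genuine loopback traffic
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS):
        print(line)
```

Two caveats for reading the result. First, the 2.2 kernel can do the external-interface half of this for you with the reverse-path filter (`echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter`), which drops packets whose source would not be routed back out the interface they came in on; the explicit rules above add logging, which is what you want when the question is whether spoofing is happening at all. Second, address filtering only catches forged sources. Packets whose source is plausible for their interface pass it, and outbound traffic that genuinely originates on the masq box, such as the ICMP John sees leaving it, is a sign of a process on the box, not of spoofed input, so the logs of the machine doing the filtering need to be kept where that machine cannot wipe them.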