Hello list,

I'm running a little home network and scan my messages only occasionally. Today I found that my /var/log/messages was flooded with the following messages from ipchains:

Jan 24 00:00:58 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 213.93.2.117:64834 213.23.38.146:6346 L=48 S=0x00 I=11174 F=0x4000 T=107 SYN(#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.198:38071 213.23.38.146:6346 L=44 S=0x00 I=46941 F=0x4000 T=237 SYN(#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.11:56795 213.23.38.146:6346 L=44 S=0x00 I=9 F=0x4000 T=236 SYN (#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 24.176.200.234:4734 213.23.38.146:6346 L=48 S=0x00 I=53948 F=0x4000 T=112 SYN (#3)
Jan 24 00:01:00 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 64.234.42.72:61344 213.23.38.146:6346 L=48 S=0x00 I=26187 F=0x4000 T=110 SYN (#3)
Jan 24 00:01:00 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 64.79.80.43:2276 213.23.38.146:6346 L=44 S=0xD8 I=56969 F=0x4000 T=109 SYN(#3)

This went on for hours. Afterwards there were similar messages, the accessed port varying, but 6346 and 27374 being the most often used ones. It was not this long anymore, though. I looked up the ports in /etc/services but found no service attached to them. Sometimes it was also followed up by a try to access my box on port 22 or 80 by one of the addresses (denied also).

I also ran netstat -apln; the only entries I couldn't explain were:

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 120/
tcp 0 0 0.0.0.0:20011 0.0.0.0:* LISTEN 61/

I'm quite worried about all this because although my firewall denies all these packets, there seems to be a program running which broadcasts my dynamic IP address when connected to the internet. This makes me feel quite uncomfortable. I also added two new rules to my firewall script, rejecting outgoing requests to ports 6346 and 27374, to be able to trace this matter further.

Until now nothing showed up. I have only a basic understanding of all these things, so please can somebody tell me if this is now a compromise or am I paranoid? Is it also possible that it is not the Linux server but a client which is compromised? It would be an Apple box in this case. It's a SuSE 6.4 box with firewalling/masquerading. The firewall script is my own (at least partially).

thx for any help
achim
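Added example, not part of achim's post or of any reply to it: a small Python script that turns ipchains "Packet log:" lines of the kind quoted above into the numbers that actually answer the question asked (how many distinct sources hit which port, whether any of them also tried 22/80, and whether any probed port has a local listener according to netstat -apln). The six port-6346 lines and the two netstat lines are the ones from the post; the 27374 line and the follow-up to port 22 are constructed here to exercise those code paths, and the record field names (chain, action, tail, rule, followups) are this script's own naming, not ipchains terminology.

```python
import re
from collections import defaultdict

# One ipchains "Packet log:" line as the 2.2 kernel writes it to /var/log/messages.
# The trailing flag field appears as "SYN(#3)" or "SYN (#3)"; "#3" is the rule that matched.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<tail>.*)$"
)

# A listening socket as printed by "netstat -apln" (the PID/program column may be cut off).
NETSTAT_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+[\d.]+:(?P<port>\d+)\s+\S+\s+LISTEN\b")

SERVICE_PORTS = {22, 80}  # the "follow-up" ports the post mentions

# Sample input. The first six log lines and the two netstat lines are copied from the post;
# the last two log lines are CONSTRUCTED to exercise the 27374 and follow-up cases.
SAMPLE_LOG = """\
Jan 24 00:00:58 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 213.93.2.117:64834 213.23.38.146:6346 L=48 S=0x00 I=11174 F=0x4000 T=107 SYN(#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.198:38071 213.23.38.146:6346 L=44 S=0x00 I=46941 F=0x4000 T=237 SYN(#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 168.95.0.11:56795 213.23.38.146:6346 L=44 S=0x00 I=9 F=0x4000 T=236 SYN (#3)
Jan 24 00:00:59 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 24.176.200.234:4734 213.23.38.146:6346 L=48 S=0x00 I=53948 F=0x4000 T=112 SYN (#3)
Jan 24 00:01:00 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 64.234.42.72:61344 213.23.38.146:6346 L=48 S=0x00 I=26187 F=0x4000 T=110 SYN (#3)
Jan 24 00:01:00 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 64.79.80.43:2276 213.23.38.146:6346 L=44 S=0xD8 I=56969 F=0x4000 T=109 SYN(#3)
Jan 24 00:03:10 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 64.79.80.43:2310 213.23.38.146:27374 L=44 S=0x00 I=57001 F=0x4000 T=109 SYN(#3)
Jan 24 00:05:12 coalmine kernel: Packet log: input DENY ppp0 PROTO=6 24.176.200.234:4801 213.23.38.146:22 L=48 S=0x00 I=53990 F=0x4000 T=112 SYN (#3)
"""
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 120/
tcp 0 0 0.0.0.0:20011 0.0.0.0:* LISTEN 61/
"""


def parse_ipchains_line(line):
    """Parse one ipchains packet-log line into a dict; return None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    tail = rec.pop("tail")
    rec["syn"] = "SYN" in tail
    rule = re.search(r"\(#(\d+)\)", tail)
    rec["rule"] = int(rule.group(1)) if rule else None
    return rec


def listening_tcp_ports(netstat_output):
    """Return the set of TCP ports in LISTEN state found in netstat -apln output."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m and m.group("proto") == "tcp":
            ports.add(int(m.group("port")))
    return ports


def summarize_denied_syns(log_lines):
    """Aggregate denied inbound SYNs: hit count and distinct sources per destination port,
    plus sources that probed a non-service port and also tried a service port (22/80)."""
    per_port = defaultdict(lambda: {"count": 0, "sources": set()})
    ports_by_src = defaultdict(set)
    for line in log_lines:
        rec = parse_ipchains_line(line)
        if rec is None or rec["chain"] != "input" or rec["action"] != "DENY" or not rec["syn"]:
            continue  # only dropped inbound connection attempts are of interest here
        per_port[rec["dport"]]["count"] += 1
        per_port[rec["dport"]]["sources"].add(rec["src"])
        ports_by_src[rec["src"]].add(rec["dport"])
    followups = {src for src, ports in ports_by_src.items()
                 if ports & SERVICE_PORTS and ports - SERVICE_PORTS}
    return {"per_port": dict(per_port), "followups": followups}


def assess(summary, listening):
    """A DENY in the input chain drops the packet before any socket sees it, so the ports
    that matter are those that are probed AND have a local listener."""
    probed = set(summary["per_port"])
    return {"probed_and_listening": sorted(probed & listening),
            "probed_but_closed": sorted(probed - listening)}


if __name__ == "__main__":
    s = summarize_denied_syns(SAMPLE_LOG.splitlines())
    for port, info in sorted(s["per_port"].items(), key=lambda kv: -kv[1]["count"]):
        print(f"dport {port:>5}: {info['count']} denied SYNs from {len(info['sources'])} source(s)")
    print("sources that also tried 22/80:", sorted(s["followups"]))
    print(assess(s, listening_tcp_ports(SAMPLE_NETSTAT)))
```

To run it on real data, replace SAMPLE_LOG with the output of `grep 'Packet log' /var/log/messages` and SAMPLE_NETSTAT with the real `netstat -apln` output. The assess() step is the check a practitioner makes first: a packet logged as `input DENY` on ppp0 was dropped before any socket could see it, so a flood of such lines shows what the outside is sending, not what the box is doing. Evidence for "a program broadcasting my IP" has to come from the output side (the outgoing rules the post added, or tcpdump on ppp0 restricted to outbound traffic), not from these input denials. For reference, 6346 is the default Gnutella port and 27374 the default port of the SubSeven Windows backdoor; both were scanned for very widely at the time, and both also attract connection attempts meant for whoever previously held a dynamic address. Port 111 is the portmapper (sunrpc in /etc/services) and is worth denying on ppp0 whether or not the log shows hits on it.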