I have tracked some weird activity on my external interface lately (for a few days). I used "snort", and the portscan.log file shows the following activity:
#tail portscan.log
Sep 17 00:21:41 <my ip>:1489 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:21:42 <my ip>:1501 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:21:58 <my ip>:1502 -> 207.46.196.102:80 SYN ******S*
Sep 17 00:21:58 <my ip>:1503 -> 207.46.196.102:80 SYN ******S*
Sep 17 00:21:58 <my ip>:1504 -> 207.68.184.62:80 SYN ******S*
Sep 17 00:22:22 <my ip>:1505 -> 207.46.235.162:80 SYN ******S*
Sep 17 00:24:21 <my ip>:1507 -> 24.71.223.43:110 SYN ******S*
Sep 17 00:24:24 <my ip>:1511 -> 142.58.120.21:110 SYN ******S*
Sep 17 00:25:49 <my ip>:1514 -> 207.46.235.150:80 SYN ******S*
Sep 17 00:25:55 <my ip>:1516 -> 209.11.107.14:80 SYN ******S*

I checked what processes are running on my machine, and there is nothing that I think might be suspicious. (I run bind9 on my internal interface, which has been configured to have no access to the outside world.)

  PID TTY  STAT TIME COMMAND
    1 ?    S    0:04 init [2]
    2 ?    SW   0:02 [keventd]
    3 ?    SWN  0:00 [ksoftirqd_CPU0]
    4 ?    SW   0:00 [kswapd]
    5 ?    SW   0:00 [bdflush]
    6 ?    SW   0:00 [kupdated]
    7 ?    SW   0:00 [i2oevtd]
    9 ?    SW   0:00 [kjournald]
   73 ?    SW   0:00 [kjournald]
   74 ?    SW   0:00 [kjournald]
   75 ?    SW   0:00 [kjournald]
  102 ?    SW   0:00 [eth0]
  112 ?    S    0:00 /sbin/dhclient-2.2.x -q eth0
  187 ?    S    0:00 /sbin/syslogd
  193 ?    S    0:01 /sbin/klogd
  199 ?    S    0:00 /usr/sbin/named
  202 ?    S    0:00 /usr/sbin/named
  207 ?    S    0:03 /usr/sbin/named
  208 ?    S    0:00 /usr/sbin/named
  209 ?    S    0:00 /usr/sbin/named
  316 ?    S    0:00 /usr/sbin/sshd
  319 ?    S    0:00 /usr/sbin/cron
  322 tty1 S    0:00 -bash
  323 tty2 S    0:00 -bash
  324 tty3 S    0:00 -bash
  325 tty4 S    0:00 /sbin/getty 38400 tty4
  326 tty5 S    0:00 /sbin/getty 38400 tty5
  327 tty6 S    0:00 /sbin/getty 38400 tty6
  328 tty8 S    0:00 /sbin/getty 38400 tty8
  330 tty1 S    0:00 bash
  347 tty2 S    0:00 bash
  368 tty1 S    0:02 snort
  369 tty3 S    0:00 bash
  391 tty2 R    0:00 ps ax

Also, netstat and nmap showed no open connections other than my sshd, which has been patched with the latest patch (English version). Do I have a trojan on my computer?
Could someone point me in the right direction on how I can stop this unauthorized traffic? Thanks in advance.
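Added example, not part of the original post: a small Python script that parses snort portscan.log entries of the kind quoted above and summarizes them by destination port and destination host. It also checks two things worth noticing in that log: every entry is a bare SYN (flag string ******S*), and the source ports rise strictly in time order, which is what a single host's ephemeral-port allocator produces as a process opens one connection after another. The line layout is assumed from the sample; the embedded sample data is the poster's own ten lines, reused here as constructed input with the redacted "<my ip>" kept verbatim.

```python
import re
from collections import Counter

# Constructed sample input: the portscan.log lines quoted in the post above,
# with the poster's redacted source address "<my ip>" kept as-is.
SAMPLE_LOG = """\
Sep 17 00:21:41 <my ip>:1489 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:21:42 <my ip>:1501 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:21:58 <my ip>:1502 -> 207.46.196.102:80 SYN ******S*
Sep 17 00:21:58 <my ip>:1503 -> 207.46.196.102:80 SYN ******S*
Sep 17 00:21:58 <my ip>:1504 -> 207.68.184.62:80 SYN ******S*
Sep 17 00:22:22 <my ip>:1505 -> 207.46.235.162:80 SYN ******S*
Sep 17 00:24:21 <my ip>:1507 -> 24.71.223.43:110 SYN ******S*
Sep 17 00:24:24 <my ip>:1511 -> 142.58.120.21:110 SYN ******S*
Sep 17 00:25:49 <my ip>:1514 -> 207.46.235.150:80 SYN ******S*
Sep 17 00:25:55 <my ip>:1516 -> 209.11.107.14:80 SYN ******S*
"""

# Line layout assumed from the sample above:
#   <Mon> <day> <HH:MM:SS> <src>:<sport> -> <dst>:<dport> <kind> <flags>
# Addresses are matched non-greedily so a redacted "<my ip>" still parses.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>.+?):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>.+?):(?P<dport>\d+)\s+"
    r"(?P<kind>\S+)\s+(?P<flags>\S+)$"
)

# snort's 12UAPRSF flag string with only the SYN bit set
SYN_ONLY = "******S*"


def parse_portscan_log(text):
    """Parse portscan.log text into a list of dicts; lines that don't match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def summarize(events):
    """Aggregate parsed events and derive the two origin indicators."""
    sports = [e["sport"] for e in events]
    return {
        "total": len(events),
        "sources": sorted({e["src"] for e in events}),
        "by_dport": dict(Counter(e["dport"] for e in events)),
        "by_dst": dict(Counter(e["dst"] for e in events)),
        # Every entry is a bare SYN: this side is the one opening connections.
        "all_syn_only": all(e["flags"] == SYN_ONLY for e in events),
        # Strictly increasing source ports in log order: one stack's
        # ephemeral-port allocator handing out the next port per connection.
        "sports_strictly_increasing": all(a < b for a, b in zip(sports, sports[1:])),
    }


def report(text):
    """Human-readable summary of a portscan.log excerpt."""
    s = summarize(parse_portscan_log(text))
    out = ["%d outbound entries from %s" % (s["total"], ", ".join(s["sources"]))]
    for port, n in sorted(s["by_dport"].items()):
        out.append("  dst port %d: %d" % (port, n))
    for dst, n in sorted(s["by_dst"].items(), key=lambda kv: -kv[1]):
        out.append("  %s: %d" % (dst, n))
    out.append("  syn-only: %s, source ports strictly increasing: %s"
               % (s["all_syn_only"], s["sports_strictly_increasing"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it on a saved copy of portscan.log (replace SAMPLE_LOG with the file contents) to see the port and host breakdown. The summary only characterizes the traffic pattern; to map it to a process, watch the connections as they are made, for example with `netstat -anp` or `lsof -i` run while the SYNs are being logged.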