> On Tue, 2001-12-04 at 04:45, Matthew Cline wrote:
> > I have my firewall setup to stop and log attempts to connect to external
X
> > servers, and this caught three attempts (all in the same second) to
connect
> > to destination port 6000, from a source port of 25 (SMTP). I don't
think
> > that my qmail server would attempt to make such a connection. Have I
been
> > rooted?
> >
>
> Source ports do not map the destination ports - they are selected at
> random from any available. There is no reason think you've been hacked,
> on this evidence.
It's true, but they are selected from "non private" ports, port 1024 or
higher. Reading her message we can suppose that the source is her mail
server, maybe someone is trying to bypass the firewall...
Matthew, the best thing to do is look for another signal of intrusion
on your machine, comparem md5 sum's with clean binaries, checkin all process
running and so on.
Regards,
Fábio
PS: Sorry for my bad english
