
Thread: Any idea what this is???

  1. #11
    The MAC matches, but if my host is compromised, shouldn't I be seeing a ton of open connections when I do 'netstat -l'? It's generating about 100 packets/second, so you would think that I would have that many open high-number ports waiting for replies.
    \"I would like to electrocute everyone who uses the word \"fair\" in connection with income tax policies.\"
    - William F. Buckley Jr.

  2. #12
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    The MAC matches the firewall's, is what I hear you saying.....

    You wouldn't see anything awry in the netstat if there is a user level or kernel level rootkit on the box hiding the activity from you.

    Before we make the assumption that there is a rootkit there I would like the opinion of some others here.....

    ANYONE?????
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    IKnowNot, Senior Member (Join Date: Jan 2003, Posts: 792)
    I think I posted this once before; it's an old trick, but that's an old box ...

    Log into the firewall box and type the command

    grep :x:0: /etc/passwd

    The ONLY line you should see is

    root:x:0:0:root:/root:/bin/bash

    May or may not tell you if you've been cracked, but if you see more than one ....
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
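The UID-0 check from the post above, written out as an added example (this is not IKnowNot's code or anything from the thread). It keeps the grep idea but tests the numeric UID field with awk, so an extra root-equivalent account is caught even when its password field is a hash rather than the literal "x" the one-liner matches on. The passwd file is a constructed sample containing one rogue account, not a real system's.

```bash
#!/bin/sh
# Added example (not from the thread): list every account whose UID field is 0.
# The forum one-liner, grep :x:0: /etc/passwd, only matches when the password
# field is literally "x"; testing the numeric third field also catches a
# "toor"-style backdoor that carries its own hash in /etc/passwd.
uid0_accounts() {
    # $1: path to a passwd-format file; prints one account name per line
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Return 0 when root is the only UID-0 account, 1 (and a warning) otherwise.
check_single_root() {
    extra=$(uid0_accounts "$1" | grep -vx root)
    if [ -n "$extra" ]; then
        echo "WARNING: extra UID 0 account(s) in $1: $extra"
        return 1
    fi
    echo "OK: root is the only UID 0 account in $1"
    return 0
}

# Constructed sample passwd file (hypothetical, not from any real host) with one
# rogue UID-0 account whose password field is a hash rather than "x".
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:$1$abc$xyzxyzxyz:0:0:backdoor:/:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
EOF

# Run it against the sample (on a real box: check_single_root /etc/passwd).
check_single_root "$SAMPLE_PASSWD" || true
```

On a live system run `check_single_root /etc/passwd`; bear in mind, as the post says, that a kernel rootkit can lie to awk just as easily as to netstat, so a clean result rules out only the crudest backdoors.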

  4. #14
    Solved. It appears that two machines on my network had Sasser. The reason the connections weren't showing in netstat was because I just wasn't using the right switches. This is my gateway device, and also NATs my private IPs. I needed to issue netstat -M to show masqueraded connections. As soon as I did that, it showed me the internal IPs that were scanning for 445. I patched and cleaned them, and we're back in business. Thanks for your time, everyone.
    \"I would like to electrocute everyone who uses the word \"fair\" in connection with income tax policies.\"
    - William F. Buckley Jr.
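The diagnosis in the post above (internal hosts behind the NAT gateway hammering port 445) can be automated rather than read off `netstat -M` by eye. The following is an added example, not code from the thread: it summarises a netfilter connection table by internal source address and flags any host with a pile of half-open connections to one destination port, which is what an SMB worm looks like from the gateway. The line format is assumed to follow `/proc/net/ip_conntrack` on a 2.4-era Linux kernel (the table behind the masquerading view); the sample table is constructed, and the threshold of three is arbitrary.

```bash
#!/bin/sh
# Added example (not from the thread): find internal hosts with many connections
# to one destination port in a conntrack-style table. Assumed line format, as in
# /proc/net/ip_conntrack on Linux 2.4: the first src=/dport= pair on each line
# is the original (pre-NAT) direction, i.e. the internal host and the target port.
count_by_src() {
    # $1: conntrack-format file, $2: destination port of interest
    # Prints "count src" per internal source, highest count first.
    awk -v port="$2" '
        {
            src = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/)     { src = substr($i, 5) }
                if (dport == "" && $i ~ /^dport=/) { dport = substr($i, 7) }
            }
            if (src != "" && dport == port) n[src]++
        }
        END { for (s in n) print n[s], s }
    ' "$1" | sort -rn
}

# Print every source whose count reaches the threshold ($3); return 1 if any did.
flag_scanners() {
    hits=$(count_by_src "$1" "$2" | awk -v t="$3" '$1 >= t { print $2 }')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample table (hypothetical addresses): one host with three
# unanswered SYNs to port 445, one with two, and one normal web connection.
SAMPLE_CT=$(mktemp)
trap 'rm -f "$SAMPLE_CT"' EXIT
cat > "$SAMPLE_CT" <<'EOF'
tcp      6 117 SYN_SENT src=192.168.1.20 dst=10.3.4.5 sport=1054 dport=445 [UNREPLIED] src=10.3.4.5 dst=203.0.113.1 sport=445 dport=1054 use=1
tcp      6 118 SYN_SENT src=192.168.1.20 dst=10.3.4.6 sport=1055 dport=445 [UNREPLIED] src=10.3.4.6 dst=203.0.113.1 sport=445 dport=1055 use=1
tcp      6 119 SYN_SENT src=192.168.1.20 dst=10.3.4.7 sport=1056 dport=445 [UNREPLIED] src=10.3.4.7 dst=203.0.113.1 sport=445 dport=1056 use=1
tcp      6 115 SYN_SENT src=192.168.1.21 dst=10.3.5.1 sport=2201 dport=445 [UNREPLIED] src=10.3.5.1 dst=203.0.113.1 sport=445 dport=2201 use=1
tcp      6 116 SYN_SENT src=192.168.1.21 dst=10.3.5.2 sport=2202 dport=445 [UNREPLIED] src=10.3.5.2 dst=203.0.113.1 sport=445 dport=2202 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=198.51.100.7 sport=3344 dport=80 src=198.51.100.7 dst=203.0.113.1 sport=80 dport=3344 use=1
EOF

# Usage on the sample; on a real gateway point it at /proc/net/ip_conntrack.
count_by_src "$SAMPLE_CT" 445
flag_scanners "$SAMPLE_CT" 445 3 || echo "clean these host(s) before they spread further"
```

The first `src=`/`dport=` pair is taken deliberately: the second pair on each line is the reply direction after masquerading, where `src=` is the external target and `dst=` is the gateway's public address, so counting it would hide which internal box is infected.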

  5. #15
    AO Ancient: Team Leader (Join Date: Oct 2002, Posts: 5,197)
    Bingo!!!!!

    I'll award myself 8 smartie points for not trusting your original analysis, not knowing crap about *nix and asking for further advice from the better qualified on *nix before trying to come to a conclusion......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
