I'm sure someone here can shed some light on this. I have a small home network behind a 2wire home portal (has its own firewall). I'm port forwarding standard web ports and a couple of odds and ends to a Debian (sarge 3.1) box that's running as a virt server: ports 19, 20, 21, 25, 110, 80, 81, 444, 10000. I was spot checking the box for active connections using iptraf and noticed an incoming connection on port 53300 from an external source. How was this connection bypassing the hardware firewall? rkhunter and chkrootkit revealed nothing, so I just added the IP to iptables as a drop. ifstat was showing a 4k incoming / 12k outgoing connection. I was in a hurry and forgot to run ethereal to capture some of the traffic to see what it was; that's one I won't forget next time.
It's just a project box, so no real worries if it's been compromised, but I don't want to reconnect the box to the network until I'm a little more clear as to what was going on with the machine.
If anyone can give me any advice as to anything specific to check before I put the machine back online, it would be greatly appreciated.
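An added example (not from the original post) of the sort of check to run before reconnecting: parse a `netstat -tan` listing, compare it with the ports the portal forwards, and separate inbound sessions to a local listener from sessions the box itself opened, which a stateful firewall passes without any forwarding rule. The netstat listing, the 53300 listener and the peer addresses in it are constructed for the example; only the forwarded port list comes from the post.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ports forwarded from the 2wire portal to the Debian box (taken from the post).
FORWARDED_PORTS = {19, 20, 21, 25, 80, 81, 110, 444, 10000}

# Constructed `netstat -tan` style sample, not output captured from the box.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53300           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:80         203.0.113.7:51234       ESTABLISHED
tcp        0      0 192.168.1.10:53300      198.51.100.9:4099       ESTABLISHED
tcp        0      0 192.168.1.10:33811      198.51.100.9:443        ESTABLISHED
"""

@dataclass(frozen=True)
class Socket:
    lport: int
    raddr: str
    rport: str
    state: str

def parse_netstat(text: str) -> List[Socket]:
    """Turn the netstat table into Socket records, skipping header lines."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        lport = int(parts[3].rsplit(":", 1)[1])
        raddr, rport = parts[4].rsplit(":", 1)
        sockets.append(Socket(lport, raddr, rport, parts[5]))
    return sockets

def audit(sockets: List[Socket], forwarded=FORWARDED_PORTS) -> List[Tuple[str, int, str]]:
    """Flag listeners/inbound sessions on non-forwarded ports; list sessions the box opened."""
    listening = {s.lport for s in sockets if s.state == "LISTEN"}
    findings = []
    for s in sockets:
        peer = f"{s.raddr}:{s.rport}"
        if s.state == "LISTEN" and s.lport not in forwarded:
            findings.append(("unexpected-listener", s.lport, "-"))
        elif s.state == "ESTABLISHED" and s.lport in listening:
            if s.lport not in forwarded:
                findings.append(("unexpected-inbound", s.lport, peer))
        elif s.state == "ESTABLISHED":
            # Local port is not a listener: the box initiated this session.
            findings.append(("outbound-from-box", s.lport, peer))
    return findings
```

Run `audit(parse_netstat(SAMPLE_NETSTAT))` against real `netstat -tan` output from the box; anything tagged unexpected-listener or unexpected-inbound is a service the firewall should not be able to reach, while outbound-from-box entries show what the machine is calling out to.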