Lately I've been noticing that something is hammering away trying to get out ports 25 and 110. Since I don't use those and they are closed, I am suspicious.

https://pastee.org/k73u8

The destination IP isn't running POP or SMTP either.

Unfortunately, Shorewall doesn't have a mechanism to associate a PID to an attempt, maybe because the info just isn't there. I do find that it is possible to turn on UID reporting, so I added (uid) to each INFO in the policy file and restarted Shorewall, but I'm still not getting the UID.

    #SOURCE  DEST    POLICY  LOG        LIMIT:  CONNLIMIT:
    #                        LEVEL      BURST   MASK
    net      $FW     DROP    info(uid)
    net      local   DROP    info(uid)
    $FW      net     DROP    info(uid)
    $FW      local   DROP    info(uid)
    local    net     DROP    info(uid)
    local    $FW     DROP    info(uid)
    #
    # THE FOLLOWING POLICY MUST BE LAST
    #
    net      all     DROP    info(uid)
    all      all     DROP    info(uid)
    #LAST LINE -- DO NOT REMOVE

I need to put these 25 and 110 accesses with a PID to try and identify this trojan. I'm trying

    # netstat -apn|grep -w DPT=25

but that hasn't caught anything yet, and it's not a real solution long-term.

Any suggestions?
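One way to tie the dropped attempts to a process, added here as an example and not part of the original post: because the firewall drops the SYN, the socket sits in SYN_SENT while the kernel retries, so polling /proc/net/tcp can catch it and map its inode to a PID. The function names and the SAMPLE data are constructed for illustration; an IPv4 socket table and a little-endian host are assumed.

```python
#!/usr/bin/env python3
"""Poll /proc/net/tcp for outbound attempts to watched ports and name the owner."""
import glob, os, socket, struct, time

WATCH_PORTS = {25, 110}   # the two ports named in the post
SYN_SENT = "02"           # kernel TCP state code for SYN_SENT

# Constructed sample of /proc/net/tcp (192.0.2.10 is a documentation address).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0A00A8C0:C350 0A0200C0:0019 02 00000001:00000000 01:00000064 00000002  1000        0 22222 2
   2: 0A00A8C0:C351 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22223 1
   3: 0A00A8C0:C352 0A0200C0:006E 02 00000001:00000000 01:00000064 00000001    33        0 33333 2
"""

def parse_proc_net_tcp(text, ports=WATCH_PORTS):
    """Return (remote_ip, remote_port, uid, inode) for SYN_SENT sockets to ports."""
    hits = []
    for line in text.splitlines()[1:]:            # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != SYN_SENT:
            continue
        ip_hex, port_hex = f[2].split(":")        # rem_address is HEXIP:HEXPORT
        port = int(port_hex, 16)
        if port in ports:
            ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
            hits.append((ip, port, int(f[7]), int(f[9])))
    return hits

def pids_for_inode(inode):
    """Find (pid, comm) holding socket:[inode]; run as root to see all users' fds."""
    target, owners = "socket:[%d]" % inode, []
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pid = fd.split("/")[2]
                with open("/proc/%s/comm" % pid) as fh:
                    owners.append((int(pid), fh.read().strip()))
        except OSError:
            continue                              # process or fd already gone
    return owners

if __name__ == "__main__":
    seen = set()
    while True:                                   # short interval: sockets are brief
        with open("/proc/net/tcp") as fh:
            for hit in parse_proc_net_tcp(fh.read()):
                if hit not in seen:
                    seen.add(hit)
                    print(time.strftime("%Y-%m-%d %H:%M:%S"), hit, pids_for_inode(hit[3]))
        time.sleep(0.2)
```

The uid column is reported even when the owning process exits before its file descriptors can be scanned. IPv6 sockets live in /proc/net/tcp6 with a different address encoding and are not handled here.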