LinuxQuestions.org, Linux - Security forum
Looking at my router logs, I've noticed for the past while a range of source ports from 60000 to about 65000 from my source external IP to a destination external IP, always on port 80. I have 3 boxes on this network and this only seems to happen when I connect the one laptop. I even reinstalled the distro, downloaded from a trusted source, but the router is still logging this. netstat -ntulp shows nothing operating in this range. chkrootkit shows nothing. Was thinking maybe someone was spoofing the external address, but it's been happening on network startup for a month now. Any ideas on how to find out what this is?
You're seeing outbound web connections from your machine on high ephemeral port numbers? That would be totally normal by my understanding of it. Possibly just yum checking for updates or something? What makes you think that this is explicitly bad? Where does spoofing come into it?
You mentioned that these are the router logs. It sounds to me like these are the ports that your router is using to perform NAT(*). When you access a web page, which defaults to port 80, your router will establish a connection on a different outbound port number and relay the information between the destination and your LAN host. This way, your router can maintain multiple simultaneous connections to the same or several web sites and properly route the traffic back to the destination.
(*) If on your LAN you are using a private address range, e.g. 192.168.x.x, these addresses are not valid on the global networks and there are thousands, if not millions, of devices all using this address range at the same time. Your router will translate this address to your public IP at some port. It makes sense to pick a high number for the port because these ports are not used by standard services.
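A practical way to settle the "is this normal?" question is to sort the router's log lines by direction and destination port rather than staring at the source ports. Two caveats matter here: the source port the router logs is whatever the logging hook saw, and if the router rewrote it for NAT it need not match anything the laptop's own netstat would ever show; and netstat/ss only list connections that exist at the moment you run them, so short-lived HTTP fetches are usually gone before you look (on Linux the host's own ephemeral range is in /proc/sys/net/ipv4/ip_local_port_range, and `ss -ntp` or `netstat -ntp` shows established connections with their owning process). The script below is an added example, not from the thread or any LQ member. Its log format, public IP 203.0.113.7, LAN range 192.168.1.0/24 and sample lines are all constructed; adjust the regex to your router's actual format.

```python
"""Sort router/firewall log lines into expected outbound web traffic and things worth a look.

Added example, not from the forum thread. The line format is constructed: key=value
fields in the style of netfilter LOG output (SRC= DST= PROTO= SPT= DPT=). The public
IP, LAN range and sample lines are assumed values, not anyone's real network.
"""
import ipaddress
import re
from collections import Counter

PUBLIC_IP = ipaddress.ip_address("203.0.113.7")   # assumed: the router's WAN address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed: the LAN behind the router
WELL_KNOWN_DST = {80, 443, 53, 123}                 # http, https, dns, ntp
EPHEMERAL_MIN = 1024  # a client using a source port below this is unusual

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+).*?DST=(?P<dst>\S+).*?SPT=(?P<spt>\d+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: three ordinary web fetches from the public IP on high source
# ports, one outbound connection to an odd port, two unsolicited inbound attempts.
SAMPLE_LOG = """\
Jan 12 08:01:03 router kernel: OUT: SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=60012 DPT=80
Jan 12 08:01:03 router kernel: OUT: SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=60013 DPT=80
Jan 12 08:01:04 router kernel: OUT: SRC=203.0.113.7 DST=198.51.100.44 PROTO=TCP SPT=64999 DPT=443
Jan 12 08:02:17 router kernel: OUT: SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP SPT=60400 DPT=6667
Jan 12 08:03:40 router kernel: IN: SRC=192.0.2.200 DST=203.0.113.7 PROTO=TCP SPT=41212 DPT=22
Jan 12 08:03:41 router kernel: IN: SRC=192.0.2.200 DST=203.0.113.7 PROTO=TCP SPT=41213 DPT=23
"""


def _ours(ip):
    """True if the address belongs to this network (pre- or post-NAT)."""
    return ip == PUBLIC_IP or ip in LAN_NET


def classify(line):
    """Return one of: expected-outbound, outbound-unusual-port, low-source-port,
    inbound, other, unparsed."""
    m = LINE_RE.search(line)
    if not m:
        return "unparsed"
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    spt, dpt = int(m["spt"]), int(m["dpt"])
    if _ours(src) and not _ours(dst):
        # Outbound: a high, changing source port to a well-known destination port
        # is exactly what a client (or the router doing NAT for it) produces.
        if spt < EPHEMERAL_MIN:
            return "low-source-port"
        return "expected-outbound" if dpt in WELL_KNOWN_DST else "outbound-unusual-port"
    if _ours(dst) and not _ours(src):
        # Inbound from the Internet: unsolicited unless you forward that port.
        return "inbound"
    return "other"


def summarize(text):
    """Count each category and report the source-port range of the ordinary traffic,
    so a band like 60000-65000 can be recognised as a NAT/ephemeral pool at a glance."""
    counts = Counter()
    spts = []
    for line in text.splitlines():
        cat = classify(line)
        counts[cat] += 1
        if cat == "expected-outbound":
            spts.append(int(LINE_RE.search(line)["spt"]))
    return {
        "counts": counts,
        "expected_spt_range": (min(spts), max(spts)) if spts else None,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for cat, n in sorted(report["counts"].items()):
        print(f"{cat:24s} {n}")
    print("source ports used by ordinary outbound traffic:", report["expected_spt_range"])
```

Run it against a real log export and the lines worth chasing are the "outbound-unusual-port" ones (find the process on the LAN host that made them) and the "inbound" ones (which should be blocked unless you forwarded that port); a solid band of high source ports heading to port 80 and 443 is the NAT behaviour described above.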
Basically I got the "bad" assumption because I've been using this distro for two years now and I've never seen a log like this before. It's only been happening in the last month, none with my IP in both the source and destination. I thought it might be the update manager and I checked it by using the other two systems; when they came online, nothing like that was logged. But about a week ago I logged into my one system via ssh and noticed the logs were cleared. I was thinking spoof in the way of sniffing internet traffic, i.e. the router sees the right external address and everything outgoing is for the sniffing. I don't know if this is even possible, mind you. It was just my assumption.
Okay, so the issue sort of fixed itself. Get this: after I posted the first message, the next day I look at my router logs and... issue solved. I've checked and checked, haven't seen the same port activity. I'm just saying that's weird is all. Coincidence? Also it should be noted I own the crappiest router on the market... maybe that has something to do with it.
To finish this up: I've looked and can't find a decent tutorial to install Nessus on Mandriva. Can you post a link?
Quote: "I logged into my one system via ssh and noticed the logs were cleared"
Are you saying that you are having logs disappear on one (or more) of your machines behind the router?
If so, I think you are thinking along the correct lines when you suggest Nessus; however, if this is what happened, you are a little beyond that.
I don't think you are at the 'sound the alarm' point yet, but caution is advised here. I would suggest taking minimal action on the system, but keep watch on things. In the meantime, take a look at the CERT checklist. Here is a link: The CERT Intruder Detection Checklist. While a little dated, it will help bring you up to speed on the things that you should be on the lookout for. If you did have unexpected modification of a system behind your router, then you will need to start taking the steps in the checklist. We can and will certainly help you with that process.
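"The logs were cleared" is the detail that turns a routine NAT question into an intrusion question, so it is worth being able to say precisely what was observed: an empty file, a file that starts again at a recent timestamp, or a silent stretch in the middle of an otherwise busy log. The script below is an added example, not from the thread or from the CERT checklist. It assumes the traditional syslog timestamp ("Mon DD HH:MM:SS host ...", no year) and a caller-supplied year; the sample log text is constructed and the six-hour threshold is a starting point, not a standard.

```python
"""Spot truncation or gaps in a syslog-style text log.

Added example, not from the forum thread. Assumes the traditional "Mon DD HH:MM:SS"
syslog timestamp with no year, so the caller supplies the year the log began in.
The sample text is constructed.
"""
from datetime import datetime, timedelta

SYSLOG_TS = "%b %d %H:%M:%S"   # e.g. "Jan 12 08:01:03" or "Jan  2 08:01:03"

# Constructed sample: normal activity on Jan 12, then nothing until a fresh sshd
# start on Jan 15, the kind of silence a wiped-and-restarted log would show.
SAMPLE_LOG = """\
Jan 12 08:01:03 laptop kernel: eth0: link up
Jan 12 08:05:17 laptop sshd[1201]: Accepted publickey for alice from 192.168.1.10 port 51022 ssh2
Jan 12 09:00:01 laptop CRON[1333]: (root) CMD (run-parts /etc/cron.hourly)
Jan 15 19:42:09 laptop sshd[882]: Server listening on 0.0.0.0 port 22.
Jan 15 19:42:10 laptop kernel: eth0: link up
"""


def parse_ts(line, year):
    """Return the line's timestamp as a datetime, or None if the line has none."""
    try:
        return datetime.strptime(line[:15], SYSLOG_TS).replace(year=year)
    except ValueError:
        return None


def find_gaps(text, year, max_gap=timedelta(hours=6)):
    """Return (previous, next, gap) for consecutive entries further apart than max_gap.

    A host that stays up writes something (cron, kernel, sshd) far more often than
    every few hours, so a long silent stretch in a busy log needs an explanation:
    downtime, rotation, or deletion. Year rollover in yearless timestamps is handled.
    """
    gaps = []
    prev = None
    cur_year = year
    for line in text.splitlines():
        ts = parse_ts(line, cur_year)
        if ts is None:
            continue
        if prev is not None and ts < prev:
            # Time went backwards: syslog has no year field, so Dec -> Jan rolled over.
            cur_year += 1
            ts = ts.replace(year=cur_year)
        if prev is not None and ts - prev > max_gap:
            gaps.append((prev, ts, ts - prev))
        prev = ts
    return gaps


def audit_log(text, year, max_gap=timedelta(hours=6)):
    """Summarise a log: 'empty' (no timestamped lines at all), 'gaps', or 'ok'."""
    entries = [ln for ln in text.splitlines() if parse_ts(ln, year) is not None]
    if not entries:
        return {"status": "empty", "entries": 0, "gaps": []}
    gaps = find_gaps(text, year, max_gap)
    return {"status": "gaps" if gaps else "ok", "entries": len(entries), "gaps": gaps}


if __name__ == "__main__":
    report = audit_log(SAMPLE_LOG, 2009)
    print(report["status"], "-", report["entries"], "timestamped entries")
    for prev, nxt, gap in report["gaps"]:
        print(f"  silent from {prev} to {nxt} ({gap})")
```

Feed it /var/log/messages (or each rotated file in turn) and compare the first timestamp in the current file with the last one in the previous rotation; a current file that begins long after the previous one ended, with no matching reboot or logrotate entry, is the kind of finding the checklist tells you to follow up on, and it should be recorded before anything else is done on the box.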