Large, constant incoming traffic
-----BEGIN PGP SIGNED MESSAGE-----
In turn to you with a bit of desperation now. It feels like I'm under
some kind of attack. Maybe I've even been compromised. The last few
days, I've experienced an insane and constant amount of incoming
traffic. I'm not sure how long it has lasted, but I would think 3-4
days, and it is constant at 260 kB/s. It varies very little from that
number, perhaps down to 255 sometimes, and sometimes up to 265, but
essentially, it changes very little over time, at least over an
interval of a couple of seconds.
And I can't for the life of me figure out where it's coming from...
This is what netstat says:
kjetil@pooh:~> netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:32771 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:32772 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 18.104.22.168:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 22.214.171.124:22 126.96.36.199:32782 ESTABLISHED
tcp 0 0 188.8.131.52:22 184.108.40.206:33738 ESTABLISHED
tcp 0 272 220.127.116.11:22 18.104.22.168:32778 ESTABLISHED
22.214.171.124 is my server, the machine that is in trouble, and
126.96.36.199 is the current IP of my workstation. There are
connections now and then, but nothing unnatural, and nothing that can
account for that there aren't variations...
Most of the listening ports are actually firewalled off from the world:
(The 1654 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
4/tcp open unknown
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
(port 4 is SFS, which is in Debian, nmap should perhaps be told...?)
The filtered ports should drop packets.
In addition to the occasional netstat, I'm looking closely with
ksysguard. There is a ksysguardd running at the remote machine, which
is giving me the data. It is all in agreement with what netstat says,
and the data rate is in agreement to, I have verified it by going
ifconfig twice 100 seconds apart and compare the "RX bytes:" entry.
I did a kernel upgrade yesterday, so I have even rebooted the machine,
and since the reboot, it has according to ifconfig received something
like 3 GiB of data. In one day... But this makes it likely that there
isn't a local fault, I think. Also, there is little outgoing traffic.
I have no idea where all those data are going... There is certainly not
room for them on the hard drive, unless somebody is in the box and is
deleting stuff, and who has du and df trojanned, but then df shows the
same as /proc/partitions.... I can't see anything abnormal, neither on
the disks, in the logs, in the connections made to the machine, in the
process table or anything... But then, I don't really know too much
about looking... :-)
Since my workstation is the only machine I can see that has a persistent
connection to the server, I've investigated the possibility that
something here is causing it. But there is little outgoing traffic
here, so it seems extremely unlikely.
I think it looks like something is throwing packets at me, and doesn't
care what happens to them... However, then I would think the packets
were thrown at an open port, because I would think that since IPtables
would drop the packets, it would show up in the statistics as dropped,
and it isn't.
Or, is it possible that the statistics is simply wrong: There are no
data being thrown at me....?
I've briefly talked with my hosting company, and they've got a good
Linux guy there, but he was too busy to help me now. If I haven't
allready, I'm afraid I'll hit my 10 GB/month quota very soon now. I
really don't want that to happen, especially if it isn't my fault that
this is happening.
I run AIDE, and I run chkrootkit occasionally. I've gone through the
auto-setup of a backport of Snort, but it has never actually told me
anything, so I suppose it isn't really configured. I'm trying a Nessus
attack against the poor box now, but it is very slow...
Thanks for reading this far, and, well, your ideas on what I can do
would be much appreciated.
firstname.lastname@example.org email@example.com firstname.lastname@example.org
Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----