
Large, constant incoming traffic


Hi all!

I turn to you with a bit of desperation now. It feels like I'm under 
some kind of attack. Maybe I've even been compromised. The last few 
days, I've experienced an insane and constant amount of incoming 
traffic. I'm not sure how long it has lasted, but I would think 3-4 
days, and it is constant at 260 kB/s. It varies very little from that 
number, perhaps down to 255 sometimes, and sometimes up to 265, but 
essentially, it changes very little over time, at least over an 
interval of a couple of seconds. 

And I can't for the life of me figure out where it's coming from... 
This is what netstat says:
 kjetil@pooh:~> netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address       Foreign Address      State
tcp        0      0*           LISTEN
tcp        0      0 *           LISTEN
tcp        0      0*           LISTEN
tcp        0      0*           LISTEN
tcp        0      0*           LISTEN
tcp        0      0*           LISTEN
tcp        0      0*           LISTEN
tcp        0      0*           LISTEN
tcp        0      0*           LISTEN
tcp        0      0*           LISTEN
tcp        0      0*           LISTEN
tcp        0      0*           LISTEN
tcp        0      0*           LISTEN
tcp        0      0 ESTABLISHED
tcp        0      0 ESTABLISHED
tcp        0    272 ESTABLISHED

is my server, the machine that is in trouble, and is the current IP of my workstation. There are 
connections now and then, but nothing unnatural, and nothing that can 
account for that there aren't variations... 

Most of the listening ports are actually firewalled off from the world:
(The 1654 ports scanned but not shown below are in state: filtered)
4/tcp   open  unknown
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3

(port 4 is SFS, which is in Debian, nmap should perhaps be told...?) 
The filtered ports should drop packets. 

In addition to the occasional netstat, I'm looking closely with 
ksysguard. There is a ksysguardd running at the remote machine, which 
is giving me the data. It is all in agreement with what netstat says, 
and the data rate is in agreement too; I have verified it by running 
ifconfig twice, 100 seconds apart, and comparing the "RX bytes:" entry.

I did a kernel upgrade yesterday, so I have even rebooted the machine, 
and since the reboot, it has according to ifconfig received something 
like 3 GiB of data. In one day... But this makes it likely that there 
isn't a local fault, I think. Also, there is little outgoing traffic.

I have no idea where all those data are going... There is certainly not 
room for them on the hard drive, unless somebody is in the box and is 
deleting stuff, and has trojanned du and df, but then df shows the 
same as /proc/partitions.... I can't see anything abnormal, neither on 
the disks, in the logs, in the connections made to the machine, in the 
process table or anything... But then, I don't really know too much 
about looking... :-) 

Since my workstation is the only machine I can see that has a persistent 
connection to the server, I've investigated the possibility that 
something here is causing it. But there is little outgoing traffic 
here, so it seems extremely unlikely. 

I think it looks like something is throwing packets at me, and doesn't 
care what happens to them... However, then I would think the packets 
were thrown at an open port, because I would think that since IPtables 
would drop the packets, it would show up in the statistics as dropped, 
and it isn't.

Or, is it possible that the statistics are simply wrong: there are no 
data being thrown at me....? 

I've briefly talked with my hosting company, and they've got a good 
Linux guy there, but he was too busy to help me now. If I haven't 
already, I'm afraid I'll hit my 10 GB/month quota very soon now. I 
really don't want that to happen, especially if it isn't my fault that 
this is happening. 

I run AIDE, and I run chkrootkit occasionally. I've gone through the 
auto-setup of a backport of Snort, but it has never actually told me 
anything, so I suppose it isn't really configured. I'm trying a Nessus 
attack against the poor box now, but it is very slow... 

Thanks for reading this far, and, well, your ideas on what I can do 
would be much appreciated. 


-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC
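The measurement the post describes (reading the interface byte counters twice, a known interval apart, and dividing by the interval) scripted as a small POSIX shell tool. This is an added example, not code from the original message or from Kjetil's machine. It reads /proc/net/dev, which carries the same counters that ifconfig prints as "RX bytes:" and "TX bytes:"; the two snapshots embedded in the script are constructed sample data, chosen so that eth0 shows the steady 260 kB/s inbound and very little outbound that the post reports. The interface name eth0 and the 100-second interval are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): average per-interface
# RX/TX rate from two /proc/net/dev snapshots taken N seconds apart.

# Constructed sample snapshots in /proc/net/dev format (not real data).
# After "iface:" the columns are: rx_bytes rx_packets rx_errs rx_drop
# rx_fifo rx_frame rx_compressed rx_multicast tx_bytes tx_packets ...
SNAP_A='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   40000     300    0    0    0     0          0         0    40000     300    0    0    0     0       0          0
  eth0: 1000000    5000    0    0    0     0          0         0   500000    4000    0    0    0     0       0          0'
SNAP_B='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   41000     310    0    0    0     0          0         0    41000     310    0    0    0     0       0          0
  eth0: 27000000  25000    0    0    0     0          0         0   600000    4800    0    0    0     0       0          0'

# counter IFACE FIELD SNAPSHOT: print one counter for IFACE
# (FIELD 1 = rx_bytes, FIELD 9 = tx_bytes). Splitting on ":" copes with
# the kernel gluing the colon to a large number ("eth0:1234567890").
counter() {
    printf '%s\n' "$3" | awk -v IF="$1" -v N="$2" -F: \
        '$1 ~ "^ *"IF"$" { split($2, f, " "); print f[N]; exit }'
}

# rx_rate IFACE SECONDS SNAP_A SNAP_B: average inbound bytes per second
rx_rate() {
    a=$(counter "$1" 1 "$3"); b=$(counter "$1" 1 "$4")
    echo $(( (b - a) / $2 ))
}

# tx_rate IFACE SECONDS SNAP_A SNAP_B: average outbound bytes per second
tx_rate() {
    a=$(counter "$1" 9 "$3"); b=$(counter "$1" 9 "$4")
    echo $(( (b - a) / $2 ))
}

# Live use on a real box: sh netrate.sh eth0 100
if [ -n "$1" ] && [ -r /proc/net/dev ]; then
    iface=$1; secs=${2:-10}
    s1=$(cat /proc/net/dev); sleep "$secs"; s2=$(cat /proc/net/dev)
    echo "$iface rx: $(rx_rate "$iface" "$secs" "$s1" "$s2") B/s" \
         "tx: $(tx_rate "$iface" "$secs" "$s1" "$s2") B/s"
else
    # Offline demo on the constructed snapshots (100 s apart):
    # prints "eth0 rx: 260000 B/s tx: 1000 B/s"
    echo "eth0 rx: $(rx_rate eth0 100 "$SNAP_A" "$SNAP_B") B/s" \
         "tx: $(tx_rate eth0 100 "$SNAP_A" "$SNAP_B") B/s"
fi
```

A steady inbound rate with almost no outbound traffic is consistent with something sending unsolicited packets rather than with an established session, and netstat -tan lists only TCP sockets, so UDP, ICMP or unanswered TCP SYNs will never appear there. Once the rate is confirmed this way, the next step is a packet capture on the interface (tcpdump -n -i eth0) to see the source addresses and protocol; iptables -L -v -n shows per-rule packet counters, so traffic hitting a DROP rule can be checked against the captured volume.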