Re: Large, constant incoming traffic
The best way to see what is going on is to dump the traffic to a file and
analyse it. Tcpdump and ethereal are great tools for that purpose.
Ethereal will make the job easier and should give you a clue.
If you are affraid the server has been compromised you have to use another
computer to get reliable information. I don't know your network setup and
what you have at disposal. If it is cable/DSL you could connect your
server through a hub, hook up the other computer to the hub and do the
dump (you may have to use a crossover cable between the modem and the
Kjetil Kjernsmo said:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hi all!
> In turn to you with a bit of desperation now. It feels like I'm under
> some kind of attack. Maybe I've even been compromised. The last few
> days, I've experienced an insane and constant amount of incoming
> traffic. I'm not sure how long it has lasted, but I would think 3-4
> days, and it is constant at 260 kB/s. It varies very little from that
> number, perhaps down to 255 sometimes, and sometimes up to 265, but
> essentially, it changes very little over time, at least over an
> interval of a couple of seconds.
> And I can't for the life of me figure out where it's coming from...
> This is what netstat says:
> kjetil@pooh:~> netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 0.0.0.0:32771 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:4 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:32772 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
> tcp 0 0 18.104.22.168:53 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
> tcp 0 0 22.214.171.124:22 126.96.36.199:32782 ESTABLISHED
> tcp 0 0 188.8.131.52:22 184.108.40.206:33738 ESTABLISHED
> tcp 0 272 220.127.116.11:22 18.104.22.168:32778 ESTABLISHED
> 22.214.171.124 is my server, the machine that is in trouble, and
> 126.96.36.199 is the current IP of my workstation. There are
> connections now and then, but nothing unnatural, and nothing that can
> account for that there aren't variations...
> Most of the listening ports are actually firewalled off from the world:
> (The 1654 ports scanned but not shown below are in state: filtered)
> PORT STATE SERVICE
> 4/tcp open unknown
> 22/tcp open ssh
> 25/tcp open smtp
> 80/tcp open http
> 110/tcp open pop3
> (port 4 is SFS, which is in Debian, nmap should perhaps be told...?)
> The filtered ports should drop packets.
> In addition to the occasional netstat, I'm looking closely with
> ksysguard. There is a ksysguardd running at the remote machine, which
> is giving me the data. It is all in agreement with what netstat says,
> and the data rate is in agreement to, I have verified it by going
> ifconfig twice 100 seconds apart and compare the "RX bytes:" entry.
> I did a kernel upgrade yesterday, so I have even rebooted the machine,
> and since the reboot, it has according to ifconfig received something
> like 3 GiB of data. In one day... But this makes it likely that there
> isn't a local fault, I think. Also, there is little outgoing traffic.
> I have no idea where all those data are going... There is certainly not
> room for them on the hard drive, unless somebody is in the box and is
> deleting stuff, and who has du and df trojanned, but then df shows the
> same as /proc/partitions.... I can't see anything abnormal, neither on
> the disks, in the logs, in the connections made to the machine, in the
> process table or anything... But then, I don't really know too much
> about looking... :-)
> Since my workstation is the only machine I can see that has a persistent
> connection to the server, I've investigated the possibility that
> something here is causing it. But there is little outgoing traffic
> here, so it seems extremely unlikely.
> I think it looks like something is throwing packets at me, and doesn't
> care what happens to them... However, then I would think the packets
> were thrown at an open port, because I would think that since IPtables
> would drop the packets, it would show up in the statistics as dropped,
> and it isn't.
> Or, is it possible that the statistics is simply wrong: There are no
> data being thrown at me....?
> I've briefly talked with my hosting company, and they've got a good
> Linux guy there, but he was too busy to help me now. If I haven't
> allready, I'm afraid I'll hit my 10 GB/month quota very soon now. I
> really don't want that to happen, especially if it isn't my fault that
> this is happening.
> I run AIDE, and I run chkrootkit occasionally. I've gone through the
> auto-setup of a backport of Snort, but it has never actually told me
> anything, so I suppose it isn't really configured. I'm trying a Nessus
> attack against the poor box now, but it is very slow...
> Thanks for reading this far, and, well, your ideas on what I can do
> would be much appreciated.
> - --
> Kjetil Kjernsmo
> Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
> email@example.com firstname.lastname@example.org email@example.com
> Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> -----END PGP SIGNATURE-----