[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Large, constant incoming traffic

The best way to see what is going on is to dump the traffic to a file and
analyse it. Tcpdump and ethereal are great tools for that purpose.
Ethereal will make the job easier and should give you a clue.
If you are affraid the server has been compromised you have to use another
computer to get reliable information. I don't know your network setup and
what you have at disposal. If it is cable/DSL you could connect your
server through a hub, hook up the other computer to the hub and do the
dump (you may have to use a crossover cable between the modem and the


Robert J.

Kjetil Kjernsmo said:
> Hash: SHA1
> Hi all!
> In turn to you with a bit of desperation now. It feels like I'm under
> some kind of attack. Maybe I've even been compromised. The last few
> days, I've experienced an insane and constant amount of incoming
> traffic. I'm not sure how long it has lasted, but I would think 3-4
> days, and it is constant at 260 kB/s. It varies very little from that
> number, perhaps down to 255 sometimes, and sometimes up to 265, but
> essentially, it changes very little over time, at least over an
> interval of a couple of seconds.
> And I can't for the life of me figure out where it's coming from...
> This is what netstat says:
>  kjetil@pooh:~> netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address       Foreign Address      State
> tcp        0      0*           LISTEN
> tcp        0      0 *           LISTEN
> tcp        0      0*           LISTEN
> tcp        0      0*           LISTEN
> tcp        0      0*           LISTEN
> tcp        0      0*           LISTEN
> tcp        0      0*           LISTEN
> tcp        0      0*           LISTEN
> tcp        0      0*           LISTEN
> tcp        0      0*           LISTEN
> tcp        0      0*           LISTEN
> tcp        0      0*           LISTEN
> tcp        0      0*           LISTEN
> tcp        0      0 ESTABLISHED
> tcp        0      0 ESTABLISHED
> tcp        0    272 ESTABLISHED
> is my server, the machine that is in trouble, and
> is the current IP of my workstation. There are
> connections now and then, but nothing unnatural, and nothing that can
> account for that there aren't variations...
> Most of the listening ports are actually firewalled off from the world:
> (The 1654 ports scanned but not shown below are in state: filtered)
> 4/tcp   open  unknown
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 110/tcp open  pop3
> (port 4 is SFS, which is in Debian, nmap should perhaps be told...?)
> The filtered ports should drop packets.
> In addition to the occasional netstat, I'm looking closely with
> ksysguard. There is a ksysguardd running at the remote machine, which
> is giving me the data. It is all in agreement with what netstat says,
> and the data rate is in agreement to, I have verified it by going
> ifconfig twice 100 seconds apart and compare the "RX bytes:" entry.
> I did a kernel upgrade yesterday, so I have even rebooted the machine,
> and since the reboot, it has according to ifconfig received something
> like 3 GiB of data. In one day... But this makes it likely that there
> isn't a local fault, I think. Also, there is little outgoing traffic.
> I have no idea where all those data are going... There is certainly not
> room for them on the hard drive, unless somebody is in the box and is
> deleting stuff, and who has du and df trojanned, but then df shows the
> same as /proc/partitions.... I can't see anything abnormal, neither on
> the disks, in the logs, in the connections made to the machine, in the
> process table or anything... But then, I don't really know too much
> about looking... :-)
> Since my workstation is the only machine I can see that has a persistent
> connection to the server, I've investigated the possibility that
> something here is causing it. But there is little outgoing traffic
> here, so it seems extremely unlikely.
> I think it looks like something is throwing packets at me, and doesn't
> care what happens to them... However, then I would think the packets
> were thrown at an open port, because I would think that since IPtables
> would drop the packets, it would show up in the statistics as dropped,
> and it isn't.
> Or, is it possible that the statistics is simply wrong: There are no
> data being thrown at me....?
> I've briefly talked with my hosting company, and they've got a good
> Linux guy there, but he was too busy to help me now. If I haven't
> allready, I'm afraid I'll hit my 10 GB/month quota very soon now. I
> really don't want that to happen, especially if it isn't my fault that
> this is happening.
> I run AIDE, and I run chkrootkit occasionally. I've gone through the
> auto-setup of a backport of Snort, but it has never actually told me
> anything, so I suppose it isn't really configured. I'm trying a Nessus
> attack against the poor box now, but it is very slow...
> Thanks for reading this far, and, well, your ideas on what I can do
> would be much appreciated.
> Best,
> Kjetil
> - --
> Kjetil Kjernsmo
> Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
> kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
> Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC
> Version: GnuPG v1.2.4 (GNU/Linux)
> iD8DBQFAo5nslE/Gp2pqC7wRAuFdAKCDQtVr+5DioDWWTZC97zA3PV+2YQCfWuik
> /Yu+IFaTCguMQZagaaiYH4o=
> =qQ/z

Reply to: