
Re: Large, constant incoming traffic



The best way to see what is going on is to dump the traffic to a file and
analyse it. Tcpdump and ethereal are great tools for that purpose.
Ethereal will make the job easier and should give you a clue.
If you are afraid the server has been compromised you have to use another
computer to get reliable information. I don't know your network setup and
what you have at your disposal. If it is cable/DSL you could connect your
server through a hub, hook up the other computer to the hub and do the
dump (you may have to use a crossover cable between the modem and the
hub).

HTH

Robert J.


Kjetil Kjernsmo said:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all!
>
> I turn to you with a bit of desperation now. It feels like I'm under
> some kind of attack. Maybe I've even been compromised. The last few
> days, I've experienced an insane and constant amount of incoming
> traffic. I'm not sure how long it has lasted, but I would think 3-4
> days, and it is constant at 260 kB/s. It varies very little from that
> number, perhaps down to 255 sometimes, and sometimes up to 265, but
> essentially, it changes very little over time, at least over an
> interval of a couple of seconds.
>
> And I can't for the life of me figure out where it's coming from...
> This is what netstat says:
>  kjetil@pooh:~> netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address       Foreign Address      State
> tcp        0      0 0.0.0.0:32771       0.0.0.0:*           LISTEN
> tcp        0      0 0.0.0.0:4           0.0.0.0:*           LISTEN
> tcp        0      0 0.0.0.0:32772       0.0.0.0:*           LISTEN
> tcp        0      0 0.0.0.0:110         0.0.0.0:*           LISTEN
> tcp        0      0 127.0.0.1:783       0.0.0.0:*           LISTEN
> tcp        0      0 0.0.0.0:111         0.0.0.0:*           LISTEN
> tcp        0      0 0.0.0.0:80          0.0.0.0:*           LISTEN
> tcp        0      0 217.77.32.186:53    0.0.0.0:*           LISTEN
> tcp        0      0 127.0.0.1:53        0.0.0.0:*           LISTEN
> tcp        0      0 0.0.0.0:22          0.0.0.0:*           LISTEN
> tcp        0      0 0.0.0.0:5432        0.0.0.0:*           LISTEN
> tcp        0      0 0.0.0.0:25          0.0.0.0:*           LISTEN
> tcp        0      0 127.0.0.1:953       0.0.0.0:*           LISTEN
> tcp        0      0 217.77.32.186:22    80.213.253.77:32782 ESTABLISHED
> tcp        0      0 217.77.32.186:22    80.213.253.77:33738 ESTABLISHED
> tcp        0    272 217.77.32.186:22    80.213.253.77:32778 ESTABLISHED
>
> 217.77.32.186 is my server, the machine that is in trouble, and
> 80.213.253.77 is the current IP of my workstation. There are
> connections now and then, but nothing unnatural, and nothing that can
> account for that there aren't variations...
>
> Most of the listening ports are actually firewalled off from the world:
> (The 1654 ports scanned but not shown below are in state: filtered)
> PORT    STATE SERVICE
> 4/tcp   open  unknown
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 110/tcp open  pop3
>
> (port 4 is SFS, which is in Debian, nmap should perhaps be told...?)
> The filtered ports should drop packets.
>
> In addition to the occasional netstat, I'm looking closely with
> ksysguard. There is a ksysguardd running at the remote machine, which
> is giving me the data. It is all in agreement with what netstat says,
> and the data rate is in agreement too, I have verified it by running
> ifconfig twice 100 seconds apart and comparing the "RX bytes:" entry.
>
> I did a kernel upgrade yesterday, so I have even rebooted the machine,
> and since the reboot, it has according to ifconfig received something
> like 3 GiB of data. In one day... But this makes it likely that there
> isn't a local fault, I think. Also, there is little outgoing traffic.
>
> I have no idea where all those data are going... There is certainly not
> room for them on the hard drive, unless somebody is in the box and is
> deleting stuff, and who has du and df trojanned, but then df shows the
> same as /proc/partitions.... I can't see anything abnormal, neither on
> the disks, in the logs, in the connections made to the machine, in the
> process table or anything... But then, I don't really know too much
> about looking... :-)
>
> Since my workstation is the only machine I can see that has a persistent
> connection to the server, I've investigated the possibility that
> something here is causing it. But there is little outgoing traffic
> here, so it seems extremely unlikely.
>
> I think it looks like something is throwing packets at me, and doesn't
> care what happens to them... However, then I would think the packets
> were thrown at an open port, because I would think that since IPtables
> would drop the packets, it would show up in the statistics as dropped,
> and it isn't.
>
> Or, is it possible that the statistics are simply wrong: There are no
> data being thrown at me....?
>
> I've briefly talked with my hosting company, and they've got a good
> Linux guy there, but he was too busy to help me now. If I haven't
> already, I'm afraid I'll hit my 10 GB/month quota very soon now. I
> really don't want that to happen, especially if it isn't my fault that
> this is happening.
>
> I run AIDE, and I run chkrootkit occasionally. I've gone through the
> auto-setup of a backport of Snort, but it has never actually told me
> anything, so I suppose it isn't really configured. I'm trying a Nessus
> attack against the poor box now, but it is very slow...
>
> Thanks for reading this far, and, well, your ideas on what I can do
> would be much appreciated.
>
> Best,
>
> Kjetil
> - --
> Kjetil Kjernsmo
> Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
> kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
> Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFAo5nslE/Gp2pqC7wRAuFdAKCDQtVr+5DioDWWTZC97zA3PV+2YQCfWuik
> /Yu+IFaTCguMQZagaaiYH4o=
> =qQ/z
> -----END PGP SIGNATURE-----
>
>
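Robert's advice is to dump the traffic to a file and analyse it. As an added illustration for this thread (not code from Robert, Kjetil or any tool they name), the Python script below reads the classic pcap format that `tcpdump -w file.pcap` writes, totals the bytes delivered to the local host per sender, protocol and destination port, and divides by the capture span to give a per-sender rate that can be set against the "RX bytes" figure from ifconfig described in the quoted mail. The capture it analyses is constructed inline with RFC 5737 documentation addresses (198.51.100.10 standing in for the server, 203.0.113.7 and 192.0.2.5 for remote hosts); the function names and the sample flows are my assumptions, not anything observed on the poster's machine.

```python
"""Per-sender inbound byte totals from a classic pcap capture (added example, constructed data)."""
import socket
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
SERVER_IP = "198.51.100.10"  # constructed stand-in for the monitored server


def parse_pcap(data):
    """Yield (timestamp, frame_bytes) for each record of a classic pcap file."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:          # file written little-endian (usual on x86)
        endian = "<"
    elif magic == 0xD4C3B2A1:        # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return (src_ip, dst_ip, proto, dport, ip_total_len) for an IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len, = struct.unpack("!H", frame[16:18])
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) and len(l4) >= 4 else None
    return src, dst, proto, dport, total_len


def inbound_summary(pcap_bytes, local_ip):
    """Bytes delivered to local_ip keyed by (src, proto, dport), plus the capture span in seconds."""
    totals = Counter()
    first = last = None
    for ts, frame in parse_pcap(pcap_bytes):
        info = decode_frame(frame)
        if info is None or info[1] != local_ip:   # only traffic addressed to us
            continue
        src, _dst, proto, dport, ip_len = info
        totals[(src, PROTO_NAMES.get(proto, str(proto)), dport)] += ip_len
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    span = (last - first) if first is not None else 0.0
    return totals, span


def top_senders(pcap_bytes, local_ip, n=5):
    """Largest inbound flows as ((src, proto, dport), bytes, bytes_per_second)."""
    totals, span = inbound_summary(pcap_bytes, local_ip)
    return [(key, count, count / span if span else 0.0)
            for key, count in totals.most_common(n)]


# --- constructed sample capture (documentation addresses, no real hosts) -----
def _ipv4_frame(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _tcp(sport, dport, data):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data


def build_pcap(records):
    """Serialise (timestamp, frame) pairs as a little-endian classic pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


SAMPLE_RECORDS = (
    # a steady UDP stream: 41 datagrams of 1400 bytes spread over two seconds
    [(100.0 + i * 0.05, _ipv4_frame("203.0.113.7", SERVER_IP, 17, _udp(9999, 1024, b"A" * 1400)))
     for i in range(41)]
    # a few legitimate SSH segments from an admin workstation
    + [(t, _ipv4_frame("192.0.2.5", SERVER_IP, 6, _tcp(40000, 22, b"B" * 100)))
       for t in (100.5, 101.0, 101.5)]
    # one outbound reply, which must not be counted as inbound
    + [(101.2, _ipv4_frame(SERVER_IP, "192.0.2.5", 6, _tcp(22, 40000, b"C" * 100)))]
)
SAMPLE_PCAP = build_pcap(SAMPLE_RECORDS)

if __name__ == "__main__":
    for (src, proto, dport), nbytes, rate in top_senders(SAMPLE_PCAP, SERVER_IP):
        print(f"{src:>15} {proto:<4} -> port {dport!s:<5} {nbytes:>8} B  {rate / 1024:7.1f} kB/s")
```

Run against a real file with `top_senders(open("file.pcap", "rb").read(), "<your server IP>")`. The rate column is what to compare with the ifconfig figure: a single (src, proto, dport) key carrying nearly all of the inbound bytes at a near-constant rate points at the sender and the port to look at, and if that port is one the firewall drops, the bytes still reach the interface and are still counted by ifconfig and the hosting quota, which is consistent with the poster seeing no matching connection in netstat. Because the script sums IP total lengths, link-layer overhead is excluded, so expect its figure to sit a few percent below the interface counter.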


