-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all!

I turn to you with a bit of desperation now. It feels like I'm under
some kind of attack. Maybe I've even been compromised. The last few
days, I've experienced an insane and constant amount of incoming
traffic. I'm not sure how long it has lasted, but I would think 3-4
days, and it is constant at 260 kB/s. It varies very little from that
number, perhaps down to 255 sometimes, and sometimes up to 265, but
essentially, it changes very little over time, at least over an
interval of a couple of seconds.
And I can't for the life of me figure out where it's coming from...
This is what netstat says:

kjetil@pooh:~> netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED

217.77.32.186 is my server, the machine that is in trouble, and
80.213.253.77 is the current IP of my workstation. There are
connections now and then, but nothing unnatural, and nothing that can
account for that there aren't variations...
Most of the listening ports are actually firewalled off from the world:

(The 1654 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
4/tcp   open  unknown
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3