
Re: Large, constant incoming traffic



On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> The best way to see what is going on is to dump the traffic to a file
> and analyse it. Tcpdump and ethereal are great tools for that
> purpose.

Great! Reagan Blundell also told me about them offline. 

> Ethereal will make the job easier and should give you a 
> clue. If you are afraid the server has been compromised you have to
> use another computer to get reliable information. I don't know your
> network setup and what you have at your disposal. If it is cable/DSL you
> could connect your server through a hub, hook up the other computer
> to the hub and do the dump (you may have to use a crossover cable
> between the modem and the hub).

Yup. It's in server hosting at a provider, and I don't have physical 
access there... So, I have no option but to do it remotely (or perhaps I 
could if eth0 was promiscuous, but it isn't?).

Anyway, here is what I see in tcpdump after filtering out my own ssh 
traffic and some DNS traffic (which might have something to do with it, 
but makes a lot of noise); easynet.no is my provider:

19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]
19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434:  udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434:  udp 376 [ttl 1]
19:41:30.120437 217.77.34.162.2090 > 234.221.95.51.1434:  udp 376 [ttl 1]
19:41:30.449589 217.77.34.162.2090 > 226.53.242.62.1434:  udp 376 [ttl 1]
19:41:30.556784 217.77.34.162.2090 > 234.225.213.78.1434:  udp 376 [ttl 1]
19:41:30.563271 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:30.683433 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:30.773817 217.77.34.162.2090 > 226.95.50.32.1434:  udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain:  6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:30.884041 217.77.34.162.2090 > 234.111.203.166.1434:  udp 376 [ttl 1]
19:41:31.212205 217.77.34.162.2090 > 234.209.110.68.1434:  udp 376 [ttl 1]
19:41:31.321424 www.easynet.no.domain > pooh.kjernsmo.net.39445:  61615 1/2/0 (106) (DF)
19:41:31.429747 217.77.34.162.2090 > 226.20.247.203.1434:  udp 376 [ttl 1]
19:41:31.563113 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:31.648080 217.77.34.162.2090 > 234.191.213.120.1434:  udp 376 [ttl 1]
19:41:31.683087 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:31.755080 217.77.34.162.2090 > 234.234.114.255.1434:  udp 376 [ttl 1]
19:41:31.973809 217.77.34.162.2090 > 226.44.34.125.1434:  udp 376 [ttl 1]
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434:  udp 376 [ttl 1]

Mmmmm, I don't know what machine 217.77.34.162 is, but I wouldn't be 
surprised if it sits in the same server room as my box... Does this 
tell you anything?


Thanks a lot for the help!

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC
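An added example (not part of the thread) of the kind of triage a defender would do on a capture like the one above: parse tcpdump's one-line UDP summaries, group datagrams by source and destination port, and flag a source that sends the same-sized datagram to many distinct hosts. The sample lines are constructed to mirror the pasted output; the shape they show (one neighbour spraying 376-byte UDP datagrams at port 1434) is the well-known signature of the 2003 SQL Slammer worm, which is why grouping by destination port and payload size is the useful first cut.

```python
import re
from collections import Counter

# Classic tcpdump one-line UDP summary, as pasted in the thread, e.g.
# "19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]"
UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"udp (?P<len>\d+)(?: \[ttl (?P<ttl>\d+)\])?"
)

def parse_udp(lines):
    """Yield (src, sport, dst, dport, length, ttl) per UDP summary line.
    ARP and DNS lines have a different shape and are skipped."""
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                   int(m["len"]), int(m["ttl"]) if m["ttl"] else None)

def summarise(lines):
    """Group datagrams by (src, sport, dport, len) and count packets and
    distinct destinations; a host spraying many targets stands out."""
    packets, targets = Counter(), {}
    for src, sport, dst, dport, length, _ in parse_udp(lines):
        key = (src, sport, dport, length)
        packets[key] += 1
        targets.setdefault(key, set()).add(dst)
    return [(key, n, len(targets[key])) for key, n in packets.most_common()]

def suspicious_sources(lines, min_targets=3):
    """Sources sending the same-sized UDP datagram to at least min_targets
    distinct hosts on one port: the shape of a scan or worm propagation."""
    return sorted({key[0] for key, _, n in summarise(lines) if n >= min_targets})

# Constructed sample modelled on the capture in the thread (not a real trace).
SAMPLE = """\
19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain:  6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434:  udp 376 [ttl 1]
19:41:30.120437 217.77.34.162.2090 > 234.221.95.51.1434:  udp 376 [ttl 1]
""".splitlines()

if __name__ == "__main__":
    for key, n, distinct in summarise(SAMPLE):
        print(f"{key[0]}:{key[1]} -> udp/{key[2]} len {key[3]}: {n} pkts, {distinct} targets")
    print("suspicious:", suspicious_sources(SAMPLE))
```

Run it against `tcpdump -n` output saved to a file to get the same grouping over a real capture; the `-n` flag keeps addresses numeric, which this parser expects.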


