Re: Large, constant incoming traffic
On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> The best way to see what is going on is to dump the traffic to a file
> and analyse it. Tcpdump and ethereal are great tools for that
> purpose.
Great! Reagan Blundell also told me about them offline.
> Ethereal will make the job easier and should give you a
> clue. If you are afraid the server has been compromised you have to
> use another computer to get reliable information. I don't know your
> network setup and what you have at disposal. If it is cable/DSL you
> could connect your server through a hub, hook up the other computer
> to the hub and do the dump (you may have to use a crossover cable
> between the modem and the hub).
Yup. It's in server hosting at a provider, and I don't have physical
access there... So, I have no option but to do it remotely (or perhaps I
could if eth0 was promiscuous, but it isn't?).
Anyway, this is what I see in tcpdump after filtering out my own ssh
traffic and some DNS traffic (which might have something to do with it,
but makes a lot of noise); easynet.no is my provider:
19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434: udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434: udp 376 [ttl 1]
19:41:30.120437 217.77.34.162.2090 > 234.221.95.51.1434: udp 376 [ttl 1]
19:41:30.449589 217.77.34.162.2090 > 226.53.242.62.1434: udp 376 [ttl 1]
19:41:30.556784 217.77.34.162.2090 > 234.225.213.78.1434: udp 376 [ttl 1]
19:41:30.563271 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:30.683433 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:30.773817 217.77.34.162.2090 > 226.95.50.32.1434: udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain: 6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:30.884041 217.77.34.162.2090 > 234.111.203.166.1434: udp 376 [ttl 1]
19:41:31.212205 217.77.34.162.2090 > 234.209.110.68.1434: udp 376 [ttl 1]
19:41:31.321424 www.easynet.no.domain > pooh.kjernsmo.net.39445: 61615 1/2/0 (106) (DF)
19:41:31.429747 217.77.34.162.2090 > 226.20.247.203.1434: udp 376 [ttl 1]
19:41:31.563113 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:31.648080 217.77.34.162.2090 > 234.191.213.120.1434: udp 376 [ttl 1]
19:41:31.683087 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:31.755080 217.77.34.162.2090 > 234.234.114.255.1434: udp 376 [ttl 1]
19:41:31.973809 217.77.34.162.2090 > 226.44.34.125.1434: udp 376 [ttl 1]
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
Mmmmm, I don't know what machine 217.77.34.162 is, but I wouldn't be
surprised if it sits in the same server room as my box... Does this
tell you anything?
Thanks a lot for the help!
Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net webmaster@skepsis.no editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC
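An added example, written for this archive and not part of the thread: a small Python triage script over tcpdump lines in the format pasted above. It groups UDP datagrams to port 1434 by source address, source port and payload length, and flags a source that sprays identical datagrams at many distinct destinations, counting how many of those land in the 224.0.0.0/4 multicast range (a tell-tale of random-address scanning, since no real host lives there). The sample lines are copied from the post; the fan-out threshold of five is an assumption. That combination (UDP/1434, 376-byte payload, random destinations) is the SQL Slammer worm's signature, so a hit points at an infected neighbour on the segment rather than at the observing box.

```python
import re
from collections import defaultdict

# Matches the (2004-era) tcpdump UDP line format seen in the post, e.g.
#   19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
UDP_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)"
    r"(?:\s+\[ttl\s+(?P<ttl>\d+)\])?"
)

def parse_udp(line):
    """Return a dict for a UDP line, or None for ARP/DNS/other lines."""
    m = UDP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
            "dport": int(d["dport"]), "length": int(d["length"]),
            "ttl": int(d["ttl"]) if d["ttl"] else None}

def find_udp_scanners(lines, dport=1434, min_targets=5):
    """Flag (src, sport, length) groups hitting >= min_targets distinct dsts."""
    dsts, ttls = defaultdict(set), defaultdict(set)
    for pkt in filter(None, map(parse_udp, lines)):
        if pkt["dport"] != dport:
            continue
        key = (pkt["src"], pkt["sport"], pkt["length"])
        dsts[key].add(pkt["dst"])
        if pkt["ttl"] is not None:
            ttls[key].add(pkt["ttl"])
    flagged = []
    for (src, sport, length), targets in dsts.items():
        if len(targets) < min_targets:
            continue
        # 224.0.0.0/4 is class D multicast: no unicast host answers there.
        flagged.append({"src": src, "sport": sport, "payload_len": length,
                        "targets": len(targets),
                        "multicast_targets": sum(224 <= int(t.split(".")[0]) <= 239 for t in targets),
                        "ttls": sorted(ttls[(src, sport, length)])})
    return flagged

# Lines copied from the post above (ARP line included to show it is ignored).
SAMPLE = """\
19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434: udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434: udp 376 [ttl 1]
19:41:30.120437 217.77.34.162.2090 > 234.221.95.51.1434: udp 376 [ttl 1]
""".splitlines()
```

Run it against a full `tcpdump -n` capture (one line per packet) and `find_udp_scanners(open(path))` returns one record per offending source; the `ttls` field of `[1]` here shows the datagrams could only have been seen from the same layer-2 segment.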