The best way to see what is going on is to dump the traffic to a file and analyse it. Tcpdump and ethereal are great tools for that purpose. Ethereal will make the job easier and should give you a clue. If you are afraid the server has been compromised you have to use another computer to get reliable information. I don't know your network setup and what you have at your disposal. If it is cable/DSL you could connect your server through a hub, hook up the other computer to the hub and do the dump (you may have to use a crossover cable between the modem and the hub).
HTH
Robert J.

Kjetil Kjernsmo said:
> Hi all!
>
> I turn to you with a bit of desperation now. It feels like I'm under
> some kind of attack. Maybe I've even been compromised. The last few
> days, I've experienced an insane and constant amount of incoming
> traffic. I'm not sure how long it has lasted, but I would think 3-4
> days, and it is constant at 260 kB/s. It varies very little from that
> number, perhaps down to 255 sometimes, and sometimes up to 265, but
> essentially, it changes very little over time, at least over an
> interval of a couple of seconds.
>
> And I can't for the life of me figure out where it's coming from...
> This is what netstat says:
> [EMAIL PROTECTED]:~> netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
> tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
> tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED
>
> 217.77.32.186 is my server, the machine that is in trouble, and
> 80.213.253.77 is the current IP of my workstation. There are
> connections now and then, but nothing unnatural, and nothing that can
> account for that there aren't variations...
>
> Most of the listening ports are actually firewalled off from the world:
> (The 1654 ports scanned but not shown below are in state: filtered)
> PORT    STATE SERVICE
> 4/tcp   open  unknown
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 110/tcp open  pop3
>
> (port 4 is SFS, which is in Debian, nmap should perhaps be told...?)
> The filtered ports should drop packets.
>
> In addition to the occasional netstat, I'm looking closely with
> ksysguard. There is a ksysguardd running at the remote machine, which
> is giving me the data. It is all in agreement with what netstat says,
> and the data rate is in agreement too, I have verified it by running
> ifconfig twice 100 seconds apart and comparing the "RX bytes:" entry.
>
> I did a kernel upgrade yesterday, so I have even rebooted the machine,
> and since the reboot, it has according to ifconfig received something
> like 3 GiB of data. In one day... But this makes it likely that there
> isn't a local fault, I think. Also, there is little outgoing traffic.
>
> I have no idea where all those data are going... There is certainly not
> room for them on the hard drive, unless somebody is in the box and is
> deleting stuff, and who has du and df trojanned, but then df shows the
> same as /proc/partitions.... I can't see anything abnormal, neither on
> the disks, in the logs, in the connections made to the machine, in the
> process table or anything... But then, I don't really know too much
> about looking... :-)
>
> Since my workstation is the only machine I can see that has a persistent
> connection to the server, I've investigated the possibility that
> something here is causing it. But there is little outgoing traffic
> here, so it seems extremely unlikely.
>
> I think it looks like something is throwing packets at me, and doesn't
> care what happens to them...
> However, then I would think the packets
> were thrown at an open port, because I would think that since IPtables
> would drop the packets, it would show up in the statistics as dropped,
> and it isn't.
>
> Or, is it possible that the statistics are simply wrong: There are no
> data being thrown at me....?
>
> I've briefly talked with my hosting company, and they've got a good
> Linux guy there, but he was too busy to help me now. If I haven't
> already, I'm afraid I'll hit my 10 GB/month quota very soon now. I
> really don't want that to happen, especially if it isn't my fault that
> this is happening.
>
> I run AIDE, and I run chkrootkit occasionally. I've gone through the
> auto-setup of a backport of Snort, but it has never actually told me
> anything, so I suppose it isn't really configured. I'm trying a Nessus
> attack against the poor box now, but it is very slow...
>
> Thanks for reading this far, and, well, your ideas on what I can do
> would be much appreciated.
>
> Best,
>
> Kjetil
> --
> Kjetil Kjernsmo
> Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
> [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
> Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC
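Robert's advice to dump the traffic and analyse it, carried through as an added example that is not code from the thread: a small shell helper that reads `tcpdump -nn` text and tallies inbound bytes per source address, so a sender pushing a steady 260 kB/s stands out even though netstat -tan (which only lists TCP sockets) shows nothing, and even when the destination port is filtered, because tcpdump sees packets before netfilter drops them. It assumes modern tcpdump output ("IP src > dst: ... length N"); the sample capture is constructed, reusing only the server and workstation addresses from the post with RFC 5737 documentation addresses as the senders.

```shell
#!/bin/sh
# Added example, not from the thread. Tallies inbound bytes per source address
# from "tcpdump -nn" text so a constant sender stands out even when netstat
# (which only lists TCP sockets) shows nothing. tcpdump sees packets before
# netfilter drops them, so traffic to filtered ports is counted too.

# usage: tcpdump -nn -r dump.pcap | top_talkers [SERVER_IP]
# Prints "bytes packets src_ip", largest sender first. With SERVER_IP only
# packets sent TO that address (inbound) are counted, so the server's own
# replies do not distort the totals.
top_talkers() {
    awk -v server="${1:-}" '
        # lines look like:  HH:MM:SS.us IP SRC[.PORT] > DST[.PORT]: ... length N
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5
            sub(/:$/, "", dst)                       # drop trailing colon
            # a fourth dot means ".PORT" is attached (ICMP lines have none)
            if (gsub(/\./, ".", src) == 4) sub(/\.[0-9]+$/, "", src)
            if (gsub(/\./, ".", dst) == 4) sub(/\.[0-9]+$/, "", dst)
            if (server != "" && dst != server) next
            if (!match($0, /length [0-9]+/)) next  # no length field: skip
            len = substr($0, RSTART + 7, RLENGTH - 7) + 0
            bytes[src] += len; pkts[src]++
        }
        END { for (s in bytes) printf "%10d %6d %s\n", bytes[s], pkts[s], s }
    ' | sort -rn
}

# Constructed sample capture (not real data): server and workstation addresses
# are the ones from the post; the other senders are documentation addresses.
sample_capture() {
    cat <<'EOF'
12:00:00.000001 IP 198.51.100.7.40000 > 217.77.32.186.80: Flags [S], seq 1, win 512, length 0
12:00:00.000002 IP 198.51.100.7.40000 > 217.77.32.186.80: Flags [P.], seq 1:1401, ack 1, win 512, length 1400
12:00:00.000003 IP 198.51.100.7.40000 > 217.77.32.186.80: Flags [P.], seq 1401:2801, ack 1, win 512, length 1400
12:00:00.000004 IP 80.213.253.77.32782 > 217.77.32.186.22: Flags [P.], seq 1:53, ack 1, win 512, length 52
12:00:00.000005 IP 217.77.32.186.22 > 80.213.253.77.32782: Flags [P.], seq 1:273, ack 53, win 512, length 272
12:00:00.000006 IP 203.0.113.9 > 217.77.32.186: ICMP echo request, id 7, seq 1, length 1464
12:00:00.000007 IP 203.0.113.9.5555 > 217.77.32.186.9999: UDP, length 1472
EOF
}

sample_capture | top_talkers 217.77.32.186
```

On a real box, capture on the uplink interface for a minute or so (`tcpdump -nn -i eth0 -w dump.pcap`) and feed `tcpdump -nn -r dump.pcap` to the helper; a single source at the top with a byte count matching the ifconfig RX delta is the sender to raise with the hosting company.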