Hi all!
I turn to you with a bit of desperation now. It feels like I'm under some kind of attack. Maybe I've even been compromised. The last few days, I've experienced an insane and constant amount of incoming traffic. I'm not sure how long it has lasted, but I would think 3-4 days, and it is constant at 260 kB/s. It varies very little from that number, perhaps down to 255 sometimes, and sometimes up to 265, but essentially, it changes very little over time, at least over an interval of a couple of seconds.
And I can't for the life of me figure out where it's coming from... This is what netstat says:
[EMAIL PROTECTED]:~> netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:32771 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:32772 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 217.77.32.186:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 217.77.32.186:22 80.213.253.77:32782 ESTABLISHED
tcp 0 0 217.77.32.186:22 80.213.253.77:33738 ESTABLISHED
tcp 0 272 217.77.32.186:22 80.213.253.77:32778 ESTABLISHED
217.77.32.186 is my server, the machine that is in trouble, and 80.213.253.77 is the current IP of my workstation. There are connections now and then, but nothing unnatural, and nothing that can account for that there aren't variations...
Most of the listening ports are actually firewalled off from the world:
(The 1654 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
4/tcp open unknown
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
hi kjetil!
please start up tcpdump and/or ethereal and check what kind of packages there are going ... and the best would be, to do so on a "probe" in the network. if u need help about this, ask!
regards, mike
--
  _    TGM / it-service
 (o-   A-1200 Wien, Wexstr. 19-23
 //\   tel. +43-1-33126-316 fax. +43-1-33126-154
 v_/   email: [EMAIL PROTECTED] trap: [EMAIL PROTECTED]
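Added example, not part of the thread: `netstat -tan` lists only TCP sockets, so a steady inbound stream of UDP or ICMP would not show up in the output above, and the tcpdump check suggested in the reply can be summarised per protocol and source as below. The function names are hypothetical, the interface name eth0 is an assumption, and the sample lines are constructed (only 217.77.32.186 and 80.213.253.77 come from the post).

```shell
#!/bin/sh
# Added example, not from the thread. Summarises `tcpdump -nn -q -t` text
# output per protocol and source, so a steady non-TCP stream stands out.
SERVER=217.77.32.186   # server address given in the post

# stdin: tcpdump -nn -q -t lines; stdout: "bytes packets PROTO source",
# inbound packets only, largest byte count first.
summarize_inbound() {
  awk -v srv="$SERVER" '
    $1 == "IP" && $3 == ">" {
      src = $2; dst = $4; sub(/:$/, "", dst)
      proto = toupper($5); sub(/,$/, "", proto)
      # TCP/UDP endpoints print as addr.port (5 dot-separated parts)
      if (split(src, a, "[.]") == 5) src = a[1] "." a[2] "." a[3] "." a[4]
      if (split(dst, b, "[.]") == 5) dst = b[1] "." b[2] "." b[3] "." b[4]
      if (dst != srv) next            # ignore outbound and other hosts
      key = proto " " src
      bytes[key] += $NF               # -q ends each line with the payload length
      pkts[key]++
    }
    END { for (k in bytes) print bytes[k], pkts[k], k }
  ' | sort -k1,1nr
}

# Constructed sample lines (not captured from the poster's network).
sample_capture() {
  cat <<'EOF'
IP 80.213.253.77.32778 > 217.77.32.186.22: tcp 48
IP 203.0.113.5.4000 > 217.77.32.186.53: UDP, length 512
IP 203.0.113.5.4000 > 217.77.32.186.53: UDP, length 512
IP 198.51.100.9 > 217.77.32.186: ICMP echo request, id 1, seq 1, length 64
IP 217.77.32.186.22 > 80.213.253.77.32778: tcp 112
IP 203.0.113.5.4001 > 217.77.32.186.53: UDP, length 488
EOF
}

# Live use (eth0 is an assumed interface name; needs root):
#   tcpdump -nn -q -t -i eth0 -c 5000 dst host 217.77.32.186 | summarize_inbound
sample_capture | summarize_inbound
```

The byte counts are payload lengths as tcpdump prints them, not on-wire sizes, so they rank sources rather than reproduce the 260 kB/s figure exactly.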