On Sat, 2007-11-24 at 08:51 -0500, Bill Moran wrote:
> "Joel V." <[EMAIL PROTECTED]> wrote:
> >
> > Hello all,
> >
> > I'm not experiencing this problem, my friend is. He's simply too pissed off
> > to write here and I'm afraid he's going to set his office on fire if he
> > doesn't solve the problem soon, so without further ado, here's the problem:
> >
> > He has two fbsd boxes, main server running 6.1 and dns server running 4.3.
> > He has 4 public IPs which he can use and the main server is running on
> > x.x.x.122. His main box is NOT acting as a gateway/NAT box in the office.
> > Today he noticed that net is getting awfully slow. Sometimes there would be
> > 50% pl when pinging, sometimes pinging would be all OK, but SSH is dead-slow
> > and the webpages running on the main server are not displaying. E-mails are
> > not going through. He calls the ISP, who say that his network is showing
> > major uploading activity. He switches off networking services one by one in
> > the main box but the situation does not improve. He disconnects the main server
> > and puts a windows xp box in instead, which seems to run fine. He puts back the
> > freebsd box, disables all networking services again except for SSH and
> > connects the network: instant 100% networking slow-down. He tried to change
> > the switch, thinking it's faulty. He disconnects every other computer in the
> > office from the network: nothing. He put the public IP address on the
> > second, internal network NIC: same thing. Now it gets really mysterious: he
> > puts the old dns server on the x.x.x.122 IP and instantly it becomes slow
> > as death. The logical conclusion would be that someone is flooding that IP?
> > Only the windows xp box seemed to work fine and the ISP guy said it was
> > upload bandwidth that was excessive...
> >
> > netstat -a doesn't show anything interesting, arp -a doesn't show any
> > incomplete addresses. He tried to build and install a new fresh kernel.
> > Nothing.
> >
> > This is the most creepy networking problem I've heard of. Can YOU
> > help? Any ideas where to start looking?
>
> +1 on the tcpdump work. Once you have the packet capture, something like
> Wireshark will give you a pretty view of the packets. However, posting
> the text output of tcpdump will allow the crew on this mailing list to
> give you specific advice (once you've done what Julian suggests, you
> can get text output by doing tcpdump -r capture.out)
>
> Overall, based on your vague symptoms, I'd guess you got cracked and
> someone's running a spambot or other bot on that box. They may even
> have it rooted.

You may find that out by putting a bridging box (man bridge and sysctl) in between the internet connection and your box and dumping there. For a temporary setup I would use my laptop with an extra USB Ethernet device.
A mirror port on a switch plus sflow/netflow feeding ntop could give you more insight into your traffic.

More tools: nmap, tcpflow, chkrootkit, md5sum (too late for tripwire) if you have your bins somewhere else on tar/tape/cd.

Marten
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
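Once the text output of tcpdump suggested above is in hand, the first useful triage step is to aggregate it per local host: how many bytes each one sends out, and on which destination port it talks to the most distinct peers (a box pushing data to dozens of different hosts on port 25 is what a spambot looks like from the wire). The following is an added Python example, not code from the thread; the capture lines are constructed in the style of `tcpdump -nn -r capture.out` from a modern tcpdump (the "Flags [...] ... length N" format), and 192.0.2.122 stands in for the x.x.x.122 server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of `tcpdump -nn -r capture.out` text output.
# 192.0.2.122 stands in for the x.x.x.122 server from the thread; no real traffic.
SAMPLE = """\
08:51:00.000001 IP 192.0.2.122.54321 > 203.0.113.10.25: Flags [P.], seq 1:1449, ack 1, win 65535, length 1448
08:51:00.000002 IP 192.0.2.122.54322 > 203.0.113.11.25: Flags [P.], seq 1:1449, ack 1, win 65535, length 1448
08:51:00.000003 IP 192.0.2.122.54323 > 203.0.113.12.25: Flags [S], seq 0, win 65535, length 0
08:51:00.000004 IP 198.51.100.7.40000 > 192.0.2.122.22: Flags [P.], seq 1:65, ack 1, win 1024, length 64
08:51:00.000005 IP 192.0.2.122.22 > 198.51.100.7.40000: Flags [P.], seq 1:129, ack 65, win 1024, length 128
08:51:00.000006 IP 192.0.2.122.55555 > 203.0.113.13.25: Flags [P.], seq 1:1449, ack 1, win 65535, length 1448
08:51:00.000007 IP 192.0.2.122.1234 > 203.0.113.53.53: UDP, length 40
"""

# Matches the "IP src.sport > dst.dport: ... length N" shape of tcpdump -nn output.
LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): .*length (?P<len>\d+)$"
)

def parse_flows(text):
    """Return (src, dst, dport, payload_len) for every line that parses; skip the rest."""
    flows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            flows.append((m["src"], m["dst"], int(m["dport"]), int(m["len"])))
    return flows

def summarize_uploads(flows, local_prefix):
    """Per local host: total bytes sent out, and the destination port on which
    it contacted the most distinct peers (many peers on one port = flood/bot signature)."""
    out_bytes = Counter()
    peers = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, length in flows:
        if src.startswith(local_prefix):
            out_bytes[src] += length
            peers[src][dport].add(dst)
    report = {}
    for host, total in out_bytes.items():
        port, dsts = max(peers[host].items(), key=lambda kv: len(kv[1]))
        report[host] = {"bytes_out": total, "busiest_port": port, "distinct_peers": len(dsts)}
    return report

if __name__ == "__main__":
    for host, r in summarize_uploads(parse_flows(SAMPLE), "192.0.2.").items():
        print(f"{host}: {r['bytes_out']} bytes out, port {r['busiest_port']} "
              f"to {r['distinct_peers']} distinct peers")
```

Run against a real capture with `tcpdump -nn -r capture.out | python3 triage.py` after replacing SAMPLE with `sys.stdin.read()`; a host whose busiest port is 25 with many distinct peers is the one to pull off the wire and check with chkrootkit.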