I agree on this point. That said, I once thought my employer's server was hacked and I ran local utilities and dug through months of logs only to discover that an install of either phpBB or phpMyAdmin had a slice of bad code that allowed someone to install software remotely and run its own p2p network off of it.
I wasted a few days trying to dig in the wrong place.

On Jan 5, 2011, at 12:25 PM, David Brodbeck wrote:

> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox <[email protected]> wrote:
>> On 5 January 2011 10:47, Jerry Bell <[email protected]> wrote:
>>
>>> There could be reasons you
>>> aren't seeing a spike, such as you're only looking at traffic processed by
>>> the MTA, or it simply doesn't show as a material increase on a graph of
>>> traffic on the network interface if the server is busy.
>>
>> Those are good points and to go a little further regarding looking at
>> traffic...
>>
>> To really see what your machine is doing, consider taking a look at
>> the network flows. pfflowd, netflowd, ipaudit and a host of others can
>> get you flow data with mostly minimal overhead.
>
> Also, keep in mind that depending on how badly the machine has been
> compromised, you may not be able to trust the output of utilities
> running on the machine itself. You may have to resort to capturing
> its network traffic on another machine for analysis.

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"
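A worked illustration of the flow-analysis advice in the quoted thread (added here as an example; it is not code from the thread, from FreeBSD, or from pfflowd/netflowd/ipaudit). It assumes flow records were exported from a separate monitoring host, as David suggests, and it uses a constructed, simplified text format (`src_ip src_port dst_ip dst_port proto packets bytes`) rather than any collector's native output. It summarises, per source host, how many distinct peers are reached on connections where both ends use ephemeral ports, which is the fan-out pattern a server quietly running a p2p client produces and which a busy server's interface graph can hide.

```python
"""Added example (not code from the thread or from any flow collector).

Summarise flow records captured on a *separate* monitoring box and flag the
"many distinct peers on high ports" pattern of a server running a p2p client.

Record format is a constructed, simplified one:
    src_ip src_port dst_ip dst_port proto packets bytes
Adapt parse_flows() to whatever your collector actually emits.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Simplification: ports at/above this are treated as client/peer ports.
# Plenty of legitimate services live above 1024; tune for your network.
EPHEMERAL = 1024


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the simplified record format; blank lines and '#' comments are skipped."""
    flows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(f)}")
        flows.append(Flow(f[0], int(f[1]), f[2], int(f[3]), f[4].lower(),
                          int(f[5]), int(f[6])))
    return flows


def peer_fanout(flows: List[Flow]) -> Dict[str, Tuple[Set[str], int]]:
    """Per source host: distinct destinations reached where *both* ports are
    ephemeral, and the bytes sent on those flows.

    Normal server traffic has a well-known port on one side (replies from :80,
    lookups to :53, mail to :25); peer-to-peer traffic usually does not.
    """
    peers: Dict[str, Set[str]] = defaultdict(set)
    sent: Dict[str, int] = defaultdict(int)
    for fl in flows:
        if fl.sport >= EPHEMERAL and fl.dport >= EPHEMERAL:
            peers[fl.src].add(fl.dst)
            sent[fl.src] += fl.nbytes
    return {h: (peers[h], sent[h]) for h in peers}


def suspicious_hosts(flows: List[Flow], min_peers: int = 5) -> List[Tuple[str, int, int]]:
    """Hosts talking to at least min_peers distinct ephemeral-port peers,
    most peers first, as (host, distinct_peers, bytes_sent)."""
    out = [(h, len(p), b) for h, (p, b) in peer_fanout(flows).items()
           if len(p) >= min_peers]
    return sorted(out, key=lambda r: (-r[1], -r[2], r[0]))


# Constructed sample: 192.0.2.10 is the web/mail server under investigation.
SAMPLE_FLOWS = """\
# web reply, inbound web, DNS lookup and outbound mail: all have a well-known port
192.0.2.10 80 198.51.100.5 51234 tcp 12 9000
198.51.100.5 51234 192.0.2.10 80 tcp 10 1200
192.0.2.10 38199 203.0.113.2 53 udp 1 70
192.0.2.10 25 203.0.113.7 40000 tcp 8 2100
# ephemeral-to-ephemeral fan-out to six distinct peers
192.0.2.10 38201 203.0.113.40 6881 tcp 40 52000
192.0.2.10 38202 203.0.113.41 6882 tcp 38 49000
192.0.2.10 38203 203.0.113.42 6881 tcp 41 53000
192.0.2.10 38204 198.51.100.77 51413 tcp 35 47000
192.0.2.10 38205 198.51.100.78 51413 udp 30 21000
192.0.2.10 38206 203.0.113.40 6881 tcp 22 18000
192.0.2.10 38207 203.0.113.99 4662 tcp 19 15000
# another host with one high-port connection and one https session
192.0.2.20 45000 203.0.113.9 8080 tcp 5 3000
192.0.2.20 46000 203.0.113.9 443 tcp 9 8000
"""

if __name__ == "__main__":
    for host, n, b in suspicious_hosts(parse_flows(SAMPLE_FLOWS)):
        print(f"{host}: {n} distinct high-port peers, {b} bytes sent")
```

The heuristic is deliberately crude: passive FTP, SIP media and some backup or database products also produce ephemeral-to-ephemeral flows, so treat the threshold as a starting point and confirm with a packet capture of one of the flagged flows. The important property is that the flow records come from a tap or span port on another machine, so a kernel-level compromise on the server cannot edit them the way it can edit `netstat` or `sockstat` output.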
