Running tcpdump to a file worked out. This morning I was able to find the
source machine by looking at that packet capture file. Someone gained
legitimate access to the box via ssh using the oracle user. My stupid
incompetent DBAs never set the password to something that wouldn't be
obvious, like
On Wed, 2004-Dec-15 18:55:20 -0500, John Von Essen wrote:
>Whatever this thing is, it's tricky. It only runs a few times a day, so it
>is tough to find the culprit source with ethereal unless I run ethereal
>all day. In packet capture mode.
Depending on how much disk space you have spare on your fi
Hmm... Interesting.
What if I try to redirect the output of tcpdump to a file. I am doing this
on a f5 BigIP which sort of runs a "FreeBSD-ish" kernel.
I've tried:
tcpdump -i exp1 port ssh | grep -v '63.123' | grep -v 'lb01' >/var/ssh.capture
But it never writes to the file. The above will capt
machine behind one of my gateways (BigIP) was trying
to download a file called brute3.tar.gz via HTTP from 64.40.108.77. The
download was unsuccessful.