Incidents
Re: Weird Traffic May 28 2008 09:18AM
Jonathan Adams (keirre adams gmail com)
I'm on FreeBSD, netstat doesn't like the -p without a parameter [protocol]

I'm familiar with pstree and lsof... there are still no smoking guns

On Tue, May 27, 2008 at 5:31 PM, Michael Loftis <mloftis (at) wgops (dot) com [email concealed]> wrote:
> if on linux -- the latter requires psmisc (or your dist's equivalent)
> installed....
> netstat -anlp
> pstree -cuap
>
> lsof is another very useful utility.
>
> nmap can only look for open listening and *responding* ports. netstat -anlp
> will show you what's open in the kernel, assuming you've not been rooted.
>
> --On May 27, 2008 2:48:00 PM -0400 Jonathan Adams <keirre.adams (at) gmail (dot) com [email concealed]>
> wrote:
>
>> I've not found the source of the majority of the data, but I have
>> found a huge amount of weird requests in my apache log, and I'm fairly
>> certain it's HTTP traffic... I may cron a protocol analysis tool
>> tonight to see if I can find more. I've run nmap scans, but stupidly
>> have not used the udp scan as someone else posted... nothing amiss in
>> the process list...
>>
>> There are no changes to my httpd.conf, and I don't see a big hit in my
>> disk space... dunno... it is a mystery. I'll do some more analysis
>> and if I find anything I'll post it to the list
>>
>> On 5/27/08, Pope <elpope (at) gmail (dot) com [email concealed]> wrote:
>>>
>>> Hey Jonathan,
>>>
>>> It might sound obvious, but exactly WHAT KIND OF TRAFFIC is being moved?
>>>
>>> I mean, if it's just HTTP traffic, and you've transferred 2.7 GB in one
>>> day, you should start thinking about what you are hosting. Sounds to me
>>> like someone planted a file server in there without you noticing; could
>>> be?
>>>
>>> Find the content being transferred (warez, movies, porn... you can bet)
>>> and remove it. End of the problem.
>>>
>>> Regards
>>>
>>>
>>> On Tue, May 27, 2008 at 1:59 PM, Jonathan Adams <keirre.adams (at) gmail (dot) com [email concealed]>
>>> wrote:
>>> > All,
>>> >
>>> > I have a leased server I use to host some websites and for the past
>>> > week I have been getting traffic warnings. The server has been
>>> > transferring > 1GB of data per day, which is unusually high,
>>> > especially since I moved my mail to Google Apps. I have noticed a
>>> > ridiculous amount of attempted proxying attempts in my logs, but I do
>>> > not have mod proxy turned on. I suspect my server is on some list. I
>>> > firewalled off a large number of subnets from China and my traffic
>>> > dropped for a few days, then this morning, 2735MB transferred in 24
>>> > hrs.
>>> >
>>> > As of right now, I am planning to blackhole all China traffic, since
>>> > that's where most of this is coming from, along with the occasional
>>> > traffic from France and other places in Eur. Is this common? If so
>>> > are there any other remedies?
>>> >
>>> > --
>>> >
>>> > "Strength does not come from physical capacity. It comes from an
>>> > indomitable will." -
>>> > Mohandas Gandhi
>>> >
>>>
>>>
>>>
>>> --
>>> Pope
>>> elpope # gmail · com
>>>
>>> "You have been down there, Neo. You know that road. You know exactly
>>> where it ends. And I know that's not where you want to be." [Trinity @
>>> Matrix]
>
>
>
> --
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler
>

--
___________________________
Jon Adams

web: http://www.scis.nova.edu/~jonaadam
mail: keirre.adams (at) gmail (dot) com [email concealed]
---------------------------------------------

"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi
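The proxying attempts and the per-day volume discussed in the thread can be pulled straight out of the Apache access log. The script below is an added example, not code from the original thread; it parses constructed sample lines in Apache's combined log format, flags requests whose target is an absolute URL or whose method is CONNECT (the shape an open-proxy probe takes), and totals bytes per client so the heaviest sources stand out.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not from the original thread).
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2008:10:01:02 -0400] "GET http://www.example.net/index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [27/May/2008:10:01:05 -0400] "CONNECT mail.example.org:25 HTTP/1.1" 405 512 "-" "Mozilla/4.0"
198.51.100.22 - - [27/May/2008:10:02:11 -0400] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2008:10:03:44 -0400] "GET http://www.example.net/big.iso HTTP/1.1" 200 734003200 "-" "Mozilla/4.0"
198.51.100.22 - - [27/May/2008:10:04:01 -0400] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def is_proxy_request(method, target):
    """A request is proxy-style when its target is an absolute URL
    (scheme://host/...) rather than a path, or when the method is CONNECT."""
    if method == "CONNECT":
        return True
    return re.match(r'^[a-zA-Z][a-zA-Z0-9+.-]*://', target) is not None

def summarize(log_text):
    """Return per-client totals: {ip: {"requests": n, "proxy": n, "bytes": n}}."""
    stats = defaultdict(lambda: {"requests": 0, "proxy": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line: skip rather than crash
        ip = m.group("ip")
        sent = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
        stats[ip]["requests"] += 1
        stats[ip]["bytes"] += sent
        if is_proxy_request(m.group("method"), m.group("target")):
            stats[ip]["proxy"] += 1
    return dict(stats)

def top_talkers(stats, limit=5):
    """Clients ordered by bytes served, largest first."""
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:limit]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, row in top_talkers(s):
        print(f'{ip:16} req={row["requests"]:4} proxy={row["proxy"]:4} MB={row["bytes"] / 2**20:8.1f}')
```

Feeding the real access log in place of SAMPLE_LOG gives the client IPs that account for the bulk of the day's transfer, and a non-zero proxy count for an IP is the signal to inspect before deciding what to block.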

Copyright 2010, SecurityFocus