Incidents
Re: [Pinguzilla] Weird Traffic May 28 2008 09:20AM
Jonathan Adams (keirre adams gmail com) (1 replies)
Re: [Pinguzilla] Weird Traffic May 29 2008 08:15AM
Leon Ward (seclists rm-rf co uk) (1 replies)
What was the result of ntop? Protocol breakdowns, top IP SRC/DST, etc.
Does syslog point you to anything suspicious?
chkrootkit ?
What do you use to audit your Apache logs? Does that show up anything
interesting (hosting a large file for download maybe).

Without physical access, it's hard to trust the output of tools you
install.

-Leon

On 28 May 2008, at 10:20, Jonathan Adams wrote:

> John,
>
> I am running late for my real job :) but when I come back I'll run
> some more tests and post the results.
>
> BTW, 1.5 GB transferred yesterday. There is no way this is valid web
> or ftp traffic... something is proxying through my box...
>
> I'm sure of it
>
> On Tue, May 27, 2008 at 11:06 PM, John Duksta <john (at) duksta (dot) org> wrote:
>>
>> Jonathan,
>>
>> I'd be curious to get a copy of the list of networks that you're
>> seeing this traffic from. I work for a large managed security service
>> provider and I could cross reference these networks against data that
>> we're seeing from our corporate customers.
>>
>> Regards,
>> -john
>>
>>
>> On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
>>
>>> All,
>>>
>>> I have a leased server I use to host some websites and for the past
>>> week I have been getting traffic warnings. The server has been
>>> transferring > 1GB of data per day, which is unusually high,
>>> especially since I moved my mail to Google Apps. I have noticed a
>>> ridiculous amount of attempted proxying attempts in my logs, but I do
>>> not have mod proxy turned on. I suspect my server is on some list. I
>>> firewalled off a large number of subnets from China and my traffic
>>> dropped for a few days, then this morning, 2735MB transferred in 24
>>> hrs.
>>>
>>> As of right now, I am planning to blackhole all China traffic, since
>>> that's where most of this is coming from, along with the occasional
>>> traffic from France and other places in Eur. Is this common? If so
>>> are there any other remedies?
>>>
>>> --
>>>
>>> "Strength does not come from physical capacity. It comes from an
>>> indomitable will." -
>>> Mohandas Gandhi
>>>
>>>
>>
>>
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams (at) gmail (dot) com
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi
>

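The Apache log audit asked about in the reply above, as an added example that is not part of the thread and was not written by any of its participants. It assumes the access log is in Apache common/combined format; the function name `audit` is hypothetical and the sample lines are constructed, using documentation address ranges.

```python
import re
from collections import Counter

# Apache common/combined log format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
ABSOLUTE_URI = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def audit(lines):
    """Return (bytes per client, bytes per local path, proxy-style requests)."""
    by_client, by_path, proxy_hits = Counter(), Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])
        parts = m["request"].split()
        method = parts[0].upper() if parts else ""
        target = parts[1] if len(parts) > 1 else ""
        by_client[m["host"]] += sent
        # Proxy-style request: CONNECT, or an absolute URI where a local path
        # is expected. The status and byte count show how the server answered;
        # a 200 alone does not prove the request was relayed.
        if method == "CONNECT" or ABSOLUTE_URI.match(target):
            proxy_hits.append((m["host"], method, target, int(m["status"]), sent))
        else:
            by_path[target.split("?", 1)[0]] += sent  # e.g. one large download
    return by_client, by_path, proxy_hits

# Constructed sample log lines, not taken from the thread.
SAMPLE = [
    '192.0.2.10 - - [27/May/2008:03:12:01 -0400] "GET http://www.example.com/ HTTP/1.1" 200 1456 "-" "-"',
    '192.0.2.10 - - [27/May/2008:03:12:02 -0400] "CONNECT mail.example.net:25 HTTP/1.0" 405 312 "-" "-"',
    '198.51.100.7 - - [27/May/2008:03:15:40 -0400] "GET /files/big.iso HTTP/1.1" 200 734003200 "-" "Wget/1.10"',
    '203.0.113.5 - - [27/May/2008:03:16:00 -0400] "GET /index.html?x=1 HTTP/1.1" 304 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    clients, paths, hits = audit(SAMPLE)
    print("Top clients by bytes sent:", clients.most_common(3))
    print("Top local paths by bytes sent:", paths.most_common(3))
    for hit in hits:
        print("Proxy-style request:", hit)
```

Comparing the per-client and per-path byte totals against the daily transfer figure shows whether the volume is explained by ordinary downloads or by the proxy-style requests.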
Re: [Pinguzilla] Weird Traffic May 29 2008 11:52AM
Jonathan Adams (keirre adams gmail com)