Hi all!

I turn to you with a bit of desperation now. It feels like I'm under some kind of attack. Maybe I've even been compromised. The last few days, I've experienced an insane and constant amount of incoming traffic. I'm not sure how long it has lasted, but I would think 3-4 days, and it is constant at 260 kB/s. It varies very little from that number, perhaps down to 255 sometimes, and sometimes up to 265, but essentially, it changes very little over time, at least over an interval of a couple of seconds. And I can't for the life of me figure out where it's coming from...

This is what netstat says:

[EMAIL PROTECTED]:~> netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED

217.77.32.186 is my server, the machine that is in trouble, and 80.213.253.77 is the current IP of my workstation. There are connections now and then, but nothing unnatural, and nothing that can account for the fact that there aren't variations... Most of the listening ports are actually firewalled off from the world:

(The 1654 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
4/tcp   open  unknown
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3

(port 4 is SFS, which is in Debian; nmap should perhaps be told...?)

The filtered ports should drop packets. In addition to the occasional netstat, I'm looking closely with ksysguard. There is a ksysguardd running on the remote machine, which is giving me the data. It is all in agreement with what netstat says, and the data rate is in agreement too; I have verified it by running ifconfig twice 100 seconds apart and comparing the "RX bytes:" entry. I did a kernel upgrade yesterday, so I have even rebooted the machine, and since the reboot, it has according to ifconfig received something like 3 GiB of data. In one day... But this makes it likely that there isn't a local fault, I think. Also, there is little outgoing traffic. I have no idea where all those data are going... There is certainly not room for them on the hard drive, unless somebody is in the box and is deleting stuff, and has trojanned du and df, but then df shows the same as /proc/partitions.... I can't see anything abnormal, neither on the disks, in the logs, in the connections made to the machine, in the process table or anywhere... But then, I don't really know too much about looking... :-)

Since my workstation is the only machine I can see that has a persistent connection to the server, I've investigated the possibility that something here is causing it. But there is little outgoing traffic here, so it seems extremely unlikely. I think it looks like something is throwing packets at me, and doesn't care what happens to them... However, then I would think the packets were thrown at an open port, because I would think that since iptables would drop the packets, it would show up in the statistics as dropped, and it isn't. Or, is it possible that the statistics are simply wrong: there are no data being thrown at me...?

I've briefly talked with my hosting company, and they've got a good Linux guy there, but he was too busy to help me now. If I haven't already, I'm afraid I'll hit my 10 GB/month quota very soon now. I really don't want that to happen, especially if it isn't my fault that this is happening. I run AIDE, and I run chkrootkit occasionally. I've gone through the auto-setup of a backport of Snort, but it has never actually told me anything, so I suppose it isn't really configured. I'm trying a Nessus attack against the poor box now, but it is very slow...

Thanks for reading this far, and, well, your ideas on what I can do would be much appreciated.

Best,

Kjetil

-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
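The post above measures the inbound rate by reading ifconfig twice and looks for the source in netstat -tan, which lists only TCP sockets: UDP or ICMP packets arriving at a filtered port never show up there even though the interface counters climb. The following Python script is an added example, not code from the original post or its author. It computes the RX rate from two /proc/net/dev snapshots (the same arithmetic as comparing "RX bytes:", with the 32-bit counter wrap of older kernels handled) and then attributes traffic from tcpdump -nn output by source address, protocol and destination port, which works whether or not iptables drops the packets, because packet capture sees them before the INPUT chain does. All sample data is constructed: the source addresses are documentation ranges, the page's server address is used only as the destination, and the function names are my own.

```python
"""Attribute an unexplained inbound byte rate to its sources.

Added example (not from the original post). Sample data below is constructed.
Capture on the box with something like:
    tcpdump -nn -i eth0 -c 5000 not port 22 > capture.txt
(-nn: no name/port lookups; "not port 22" excludes your own ssh session)
"""
import re
from collections import defaultdict


def rx_bytes(proc_net_dev: str, iface: str) -> int:
    """Return the RX byte counter for iface from /proc/net/dev text."""
    for line in proc_net_dev.splitlines():
        if ":" not in line:          # the two header lines carry no colon
            continue
        name, rest = line.split(":", 1)
        if name.strip() == iface:
            return int(rest.split()[0])   # first field after the colon is RX bytes
    raise KeyError(iface)


def rx_rate_kbps(snap_before: str, snap_after: str, seconds: float, iface: str = "eth0") -> float:
    """Average inbound rate in kB/s (1 kB = 1000 bytes) between two snapshots."""
    delta = rx_bytes(snap_after, iface) - rx_bytes(snap_before, iface)
    if delta < 0:                # 32-bit counters on older kernels wrap at 4 GiB
        delta += 2 ** 32
    return delta / seconds / 1000.0


# tcpdump -nn line shape: "<time> IP <src> > <dst>: <rest>"; for TCP/UDP the
# port is appended to the address with a dot, for ICMP there is no port.
LINE_RE = re.compile(r"IP (\S+) > (\S+): (.*)$")
LEN_RE = re.compile(r"length (\d+)")


def parse_packet(line: str):
    """Return (src, dst, dport, proto, length) or None for a non-packet line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, rest = m.groups()
    if rest.startswith("UDP"):
        proto = "udp"
    elif rest.startswith("ICMP"):
        proto = "icmp"
    else:
        proto = "tcp"            # "Flags [...]" (new) or "P 1:97(96)" (old tcpdump)
    dport = None
    if proto in ("tcp", "udp"):
        src, _ = src.rsplit(".", 1)
        dst, dport = dst.rsplit(".", 1)
    lm = LEN_RE.search(rest)     # payload length as printed; a lower bound on wire bytes
    length = int(lm.group(1)) if lm else 0
    return src, dst, dport, proto, length


def top_sources(lines, n: int = 3):
    """Rank (src, proto, dport) by bytes seen; returns (src, proto, dport, packets, bytes)."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        p = parse_packet(line)
        if p is None:
            continue
        src, _dst, dport, proto, length = p
        totals[(src, proto, dport)][0] += 1
        totals[(src, proto, dport)][1] += length
    ranked = sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(s, pr, dp, pk, by) for (s, pr, dp), (pk, by) in ranked[:n]]


# Constructed /proc/net/dev snapshots 100 s apart: eth0 RX grows by 26,000,000 bytes.
PROC_NET_DEV_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     789    0    0    0     0          0         0   123456     789    0    0    0     0       0          0
  eth0:3100000000 2100000    0    0    0     0          0         0 150000000  900000    0    0    0     0       0          0
"""
PROC_NET_DEV_T1 = PROC_NET_DEV_T0.replace("3100000000 2100000", "3126000000 2118600")

# Constructed tcpdump -nn lines: a UDP stream at a filtered port, one ssh
# segment from the workstation, and a single ping.
TCPDUMP_SAMPLE = """\
13:02:11.000100 IP 203.0.113.5.53 > 217.77.32.186.32771: UDP, length 1400
13:02:11.000400 IP 203.0.113.5.53 > 217.77.32.186.32771: UDP, length 1400
13:02:11.000700 IP 203.0.113.5.53 > 217.77.32.186.32771: UDP, length 1400
13:02:11.001000 IP 80.213.253.77.32778 > 217.77.32.186.22: Flags [P.], seq 1:97, ack 1, win 501, length 96
13:02:11.001300 IP 198.51.100.9 > 217.77.32.186: ICMP echo request, id 1, seq 7, length 64
13:02:11.001600 IP 203.0.113.5.53 > 217.77.32.186.32771: UDP, length 1400
""".splitlines()

if __name__ == "__main__":
    print("eth0 RX rate: %.1f kB/s" % rx_rate_kbps(PROC_NET_DEV_T0, PROC_NET_DEV_T1, 100))
    for src, proto, dport, pkts, nbytes in top_sources(TCPDUMP_SAMPLE):
        print("%-16s %-5s dport=%-6s %5d pkts %8d bytes" % (src, proto, dport, pkts, nbytes))
```

On a live box, feed the real files instead of the constructed strings (cat /proc/net/dev twice, and the saved tcpdump output). If the top entry is UDP or ICMP aimed at a port nmap reports as filtered, the byte counters of the matching DROP rule in iptables -nvL should climb at the same rate, which distinguishes a flood the firewall is silently discarding from a locally miscounted interface.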

