begin quoting Ralph Shumaker as of Wed, Jan 23, 2008 at 11:52:39AM -0800:
> I just turned on my monitor and saw that there have been multiple
> repeating short bursts of internet activity. The only thing I know of
> that is even running is pidgin, but there's no activity there.
>
> I did a tcpdump to screen and did not recognize much besides my own
> address. Then I started doing a dump to file. But not knowing what was
> happening, I then did ifdown eth0.

I assume you have sshd running?

> (I just now did ifup eth0, and the activity seems to have passed for the
> moment.)
>
> Neither dump is all that long (a few seconds each). Here are both of them:
>
> (turns out to have been 90K, even though it is only about 60 seconds of
> activity)
>
> Here's a link:
> http://pastebin.com/m49220df1

Check your logs. I bet they're full of brute-force attempts at logging
in to your system.

A useful thing to do when something strange is happening is

    ls -lt /var/log/* | head

Then use 'tail' on the top few log files (you may need to be wheel or
root). You may want to run 'tail -f' on one or two logs to watch what's
going on, especially if you're getting bemused by tcpdump output.

I think I've seen applications that will monitor several log files at
the same time, and there are also packages that will dump log
information to an (otherwise unused) virtual console.

-- 
Port knocking looks more interesting every day
Anything to limit log file clutter in some way.
Stewart Stremler

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
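As an added example that is not part of the original message: once 'tail' shows the auth log filling with sshd "Failed password" lines, this small script summarises those failures by source address so a brute-force run stands out from ordinary logins. The log lines it writes are constructed for the demonstration; the file path and threshold are assumptions.

```sh
#!/bin/sh
# Added example: count failed sshd logins per source address in an auth
# log and flag sources above a threshold. Uses only grep/sed/sort/uniq/awk.

# Write a constructed sample log (OpenSSH's usual syslog line format) to $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Jan 23 11:50:01 host sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 23 11:50:03 host sshd[4012]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jan 23 11:50:05 host sshd[4013]: Failed password for root from 203.0.113.7 port 51251 ssh2
Jan 23 11:50:06 host sshd[4014]: Failed password for root from 203.0.113.7 port 51260 ssh2
Jan 23 11:50:09 host sshd[4015]: Accepted publickey for ralph from 192.0.2.10 port 40022 ssh2
Jan 23 11:50:12 host sshd[4016]: Failed password for invalid user test from 198.51.100.23 port 33000 ssh2
Jan 23 11:50:20 host pidgin[2222]: unrelated line that must be ignored
EOF
}

# Print "count address" for every source with failed password attempts,
# most active source first.
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Print only the source addresses with at least $2 failures (default 3).
brute_force_sources() {
    failed_by_source "$1" | awk -v t="${2:-3}" '$1 >= t { print $2 }'
}

# Demo run against the constructed log (on a real system point it at
# /var/log/auth.log or wherever sshd logs; path is an assumption).
demo_log=$(mktemp)
make_sample_log "$demo_log"
echo "failed logins by source:"
failed_by_source "$demo_log"
echo "sources at or above threshold 3:"
brute_force_sources "$demo_log" 3
rm -f "$demo_log"
```

Running 'tail -f' on the log while the script's output identifies the noisy sources gives a quick picture of whether the bursts Ralph saw are login attempts or something else.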
