Security Incidents: Re: [Pinguzilla] Weird Traffic

Re: [Pinguzilla] Weird Traffic

From: Leon Ward <seclists_at_rm-rf.co.uk>
Date: Thu, 29 May 2008 09:15:25 +0100

What was the result of ntop? Protocol breakdowns, top IP SRC/DST, etc.
Does syslog point you to anything suspicious?
chkrootkit?
What do you use to audit your Apache logs? Does that show up anything
interesting (hosting a large file for download maybe)?

Without physical access, it's hard to trust the output of tools you
install.

-Leon

On 28 May 2008, at 10:20, Jonathan Adams wrote:

> John,
>
> I am running late for my real job :) but when I come back I'll run
> some more tests and post the results.
>
> BTW, 1.5 GB transferred yesterday. there is no way this is valid web
> or ftp traffic... something is proxying through my box...
>
> I'm sure of it.
>
> On Tue, May 27, 2008 at 11:06 PM, John Duksta <john_at_duksta.org> wrote:
>>
>> Jonathan,
>>
>> I'd be curious to get a copy of the list of networks that you're
>> seeing this traffic from. I work for a large managed security service
>> provider and I could cross reference these networks against data that
>> we're seeing from our corporate customers.
>>
>> Regards,
>> -john
>>
>>
>> On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
>>
>>> All,
>>>
>>> I have a leased server I use to host some websites and for the past
>>> week I have been getting traffic warnings. The server has been
>>> transferring > 1GB of data per day, which is unusually high,
>>> especially since I moved my mail to Google Apps. I have noticed a
>>> ridiculous amount of attempted proxying attempts in my logs, but I do
>>> not have mod proxy turned on. I suspect my server is on some list. I
>>> firewalled off a large number of subnets from China and my traffic
>>> dropped for a few days, then this morning, 2735MB transferred in 24
>>> hrs.
>>>
>>> As of right now, I am planning to blackhole all China traffic, since
>>> that's where most of this is coming from, along with the occasional
>>> traffic from France and other places in Eur. Is this common? If so
>>> are there any other remedies?
>>>
>>> --
>>>
>>> "Strength does not come from physical capacity. It comes from an
>>> indomitable will." -
>>> Mohandas Gandhi
>>>
>>> _______________________________________________
>>> Pinguzilla mailing list
>>> Pinguzilla_at_as220.org
>>> http://www.as220.org/mailman/listinfo/pinguzilla
>>>
>>
>>
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams_at_gmail.com
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi
>
Received on May 29 2008
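Leon's question about auditing the Apache logs is the quickest way to confirm what Jonathan is describing. A server that is not running mod_proxy will still log the requests that proxy scanners and abusers send to it: request lines whose target is an absolute URI (`GET http://other-host/...`) or a `CONNECT host:port` tunnel request. If those requests are answered with a 200 and a large byte count, the traffic bill has an explanation. The script below is an added example written for this archive page, not code posted by anyone in the thread. It assumes Apache's combined log format and runs over a handful of constructed sample lines; the IP addresses and hosts in the sample are documentation ranges, not anything observed on Jonathan's server.

```python
import re
from collections import defaultdict

# Apache "combined" log format. The request field is "METHOD TARGET PROTOCOL".
# Lines that do not match (truncated entries, other formats) are counted, not parsed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines (not from the original thread): two ordinary hits,
# three proxy-style requests from one client, and one unparsable line.
SAMPLE_LOG = """\
203.0.113.10 - - [27/May/2008:07:59:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [27/May/2008:07:59:02 +0000] "GET http://example.net/ HTTP/1.1" 200 734112 "-" "-"
198.51.100.7 - - [27/May/2008:07:59:03 +0000] "CONNECT mail.example.org:25 HTTP/1.0" 405 422 "-" "-"
198.51.100.7 - - [27/May/2008:07:59:04 +0000] "GET http://example.com/big.iso HTTP/1.0" 200 1048576 "-" "-"
203.0.113.10 - - [27/May/2008:07:59:05 +0000] "GET /images/logo.png HTTP/1.1" 304 - "-" "Mozilla/5.0"
this line is not a log line at all
"""


def is_proxy_request(method: str, target: str) -> bool:
    """True if the request is the kind an HTTP client sends to a forward proxy."""
    if method == "CONNECT":          # tunnel request, e.g. to port 25 or 443
        return True
    lowered = target.lower()
    return lowered.startswith("http://") or lowered.startswith("https://")


def parse_line(line: str):
    """Return a dict of fields for a parsable combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def summarize_proxy_attempts(log_text: str):
    """Count proxy-style requests and the bytes served to them, per client IP.

    Returns (per_ip, unparsed): per_ip maps ip -> {"requests": n, "bytes": b},
    unparsed is the number of lines the regex rejected.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "bytes": 0})
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if is_proxy_request(rec["method"], rec["target"]):
            per_ip[rec["ip"]]["requests"] += 1
            per_ip[rec["ip"]]["bytes"] += rec["bytes"]
    return dict(per_ip), unparsed


def top_talkers(per_ip, limit: int = 10):
    """Client IPs ordered by bytes served to proxy-style requests, descending."""
    return sorted(per_ip.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:limit]


if __name__ == "__main__":
    summary, bad = summarize_proxy_attempts(SAMPLE_LOG)
    for ip, stats in top_talkers(summary):
        print(f"{ip:16} proxy requests={stats['requests']:4d} bytes={stats['bytes']}")
    print(f"unparsed lines: {bad}")
```

Run it against the real access log (`summarize_proxy_attempts(open("/var/log/apache2/access.log").read())`) and the byte totals per source address are what to compare with the transfer warnings; the list of addresses is also the "list of networks" John asked for. A large number of unparsed lines usually means a different LogFormat, so adjust the regex before trusting the totals.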
