Security Basics mailing list archives

RE: strange data traffic


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 16 Sep 2003 08:39:52 -0700

  MRTG shows inbound and outbound volumes separately.  You
don't specify which you're seeing.
  I recently saw sustained outbound flows when we had a couple
of machines infected with Sobig.F.  I've also seen unexpected
traffic volumes when warez pirates had installed a Serv-U FTP
repository on a compromised machine.

  MRTG is a great tool for telling you when network traffic 
volumes deviate from the norm, either too low (something is 
broken?) or too high (there's traffic going on that shouldn't
be).
  MRTG doesn't tell you *what* the traffic is.  You can sit
and speculate, and you can ask others (us) to speculate -- or
you can stick a sniffer (Ethereal is free!) on the network and
*see* the traffic.

  That's what you need to do.

David Gillett


-----Original Message-----
From: danielgil () softhome net [mailto:danielgil () softhome net]
Sent: September 15, 2003 15:30
To: security-basics () securityfocus com
Subject: strange data traffic


Hi,

I am using MRTG to monitor the internet traffic on my server. During the day
the traffic is very intense, and at night the traffic slows down
significantly. This behavior repeats day after day.
But a few days ago the traffic did not slow down as I expected, and MRTG
showed very intense traffic activity during night-time.

My question is:

Can I say that this is hacker activity (perhaps downloading files)?
Could it be a robot (the ones that index HTML pages)?

My logs don't give good hints about this.


By the way, there are no large files (available to simple users) to download
on the server.

Any clue?

Thanks in advance

--------------------------------------------------------------
-------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
--------------------------------------------------------------
--------------
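The check David describes, MRTG telling you when volumes deviate from the norm in either direction, written out as an added example that is not part of either post. It builds a per-hour-of-day baseline for inbound and outbound separately from constructed hourly rates (not real MRTG data; the sample layout, the kbit/s units and the thresholds are assumptions) and flags hours on a new day that sit far above or below that baseline. Day 6 of the constructed data reproduces the situation in the thread: outbound stays high overnight.

```python
"""Flag hours whose inbound/outbound rate departs from a per-hour-of-day baseline.

Added example, not code from the thread.  The data is constructed, loosely
modelled on hourly MRTG averages in kbit/s; the thresholds are assumptions.
"""
import random
from collections import defaultdict
from statistics import mean, pstdev

BUSY_HOURS = range(8, 20)


def make_samples(seed=1):
    """Constructed data: {(day, hour): (in_kbps, out_kbps)} for seven days.

    Days 0-5 follow the normal diurnal pattern (busy by day, quiet at night).
    Day 6 keeps outbound high overnight, like the situation in the thread.
    """
    rng = random.Random(seed)
    samples = {}
    for day in range(7):
        for hour in range(24):
            busy = hour in BUSY_HOURS
            inbound = rng.gauss(3000, 150) if busy else rng.gauss(300, 30)
            outbound = rng.gauss(1500, 80) if busy else rng.gauss(150, 20)
            if day == 6 and not busy:
                outbound += 2500  # the overnight anomaly (constructed)
            samples[(day, hour)] = (max(inbound, 0.0), max(outbound, 0.0))
    return samples


def baseline(samples, days):
    """Per hour-of-day (mean, stdev) for each direction over the given days."""
    by_hour = defaultdict(lambda: ([], []))
    for (day, hour), (inb, outb) in samples.items():
        if day in days:
            by_hour[hour][0].append(inb)
            by_hour[hour][1].append(outb)
    return {
        hour: ((mean(ins), pstdev(ins)), (mean(outs), pstdev(outs)))
        for hour, (ins, outs) in by_hour.items()
    }


def deviations(samples, base, day, k=3.0, ratio=2.0):
    """Hours on `day` where a direction is far outside its baseline.

    An hour is reported only when the rate is both k standard deviations away
    from the baseline mean AND at least `ratio` times larger (or smaller) than
    it, so a nearly flat baseline does not turn small jitter into alerts.
    Returns (hour, direction, "high"|"low", rate, baseline_mean) tuples.
    """
    hits = []
    for hour in range(24):
        inb, outb = samples[(day, hour)]
        for direction, rate, (m, s) in (("in", inb, base[hour][0]),
                                        ("out", outb, base[hour][1])):
            if rate > m + k * s and rate > ratio * m:
                hits.append((hour, direction, "high", round(rate), round(m)))
            elif rate < m - k * s and rate < m / ratio:
                hits.append((hour, direction, "low", round(rate), round(m)))
    return hits


if __name__ == "__main__":
    data = make_samples()
    base = baseline(data, range(6))  # days 0-5 define "normal"
    for hour, direction, kind, rate, m in deviations(data, base, 6):
        print(f"day 6 {hour:02d}:00 {direction:>3} {kind:4} "
              f"{rate:6d} kbit/s (baseline {m})")
```

Run as-is it reports the twelve overnight hours of day 6, all outbound and all "high", and nothing for the daytime hours or for a baseline day. That only answers the first part of David's point, when the deviation happened and in which direction; what the flow actually is still takes a capture on the segment during the flagged window.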

