Security Basics mailing list archives
RE: strange data traffic
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 16 Sep 2003 08:39:52 -0700
MRTG shows inbound and outbound volumes separately. You don't specify which you're seeing.

I recently saw sustained outbound flows when we had a couple of machines infected with Sobig.F. I've also seen unexpected traffic volumes when warez pirates had installed a Serv-U FTP repository on a compromised machine.

MRTG is a great tool for telling you when network traffic volumes deviate from the norm, either too low (something is broken?) or too high (there's traffic going on that shouldn't be). MRTG doesn't tell you *what* the traffic is. You can sit and speculate, and you can ask others (us) to speculate -- or you can stick a sniffer (Ethereal is free!) on the network and *see* the traffic. That's what you need to do.

David Gillett
-----Original Message-----
From: danielgil () softhome net [mailto:danielgil () softhome net]
Sent: September 15, 2003 15:30
To: security-basics () securityfocus com
Subject: strange data traffic

Hi,

I am using MRTG to monitor the internet traffic on my server. During the daytime the traffic is very intense and by night the traffic slows down significantly. This behavior repeats day after day. But a few days ago the traffic did not slow down as I expected, and MRTG showed very intense traffic activity during the night-time.

My question is: Can I say that this is hacker activity (perhaps downloading files)? Could it be a robot (the ones that index HTML pages)? My logs don't give good hints about this. By the way, there are no large files (available to simple users) to download on the server.

Any clue?

Thanks in advance

---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Precisely Define and Implement Network Security
- Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW - FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
---------------------------------------------------------------------------
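The reply above makes the point that MRTG's value is in showing when volume departs from its usual daily pattern, per direction, and that a sustained overnight rise in one direction is what an infected or abused host looks like on the graph. The script below, added here as an illustration and not code from the thread or from the MRTG project, turns that eyeballing into a check: it builds a per-hour-of-day baseline from a week of hourly in/out averages, flags hours that are far above or below it in either direction, and collapses consecutive flags into sustained runs worth putting a sniffer on. The sample rows are constructed (synthetic values in the shape of MRTG's per-sample averages, not real MRTG log output), and the function names, thresholds and the "night from 00:00 to 05:00 on the last day" anomaly are assumptions of this example.

```python
"""Flag hours whose traffic volume deviates from its time-of-day baseline.

Constructed example: the rows are synthetic hourly (inbound, outbound)
averages, not real MRTG output. A deployment would read them from the
per-interface MRTG log instead of calling make_samples().
"""
from collections import defaultdict
from statistics import median

HOURS_PER_DAY = 24


def make_samples(days=7, anomaly_day=6):
    """Construct a week of (hour_index, in_bps, out_bps) rows.

    Every day follows a busy-day / quiet-night pattern with a small
    deterministic jitter. On anomaly_day the outbound side stays high
    from 00:00 to 05:00, the shape of a host pushing data out all night.
    """
    rows = []
    for day in range(days):
        for hour in range(HOURS_PER_DAY):
            busy = 8 <= hour < 18
            jitter = ((day * 7 + hour * 3) % 11) / 100.0 - 0.05  # -5% .. +5%
            in_bps = (400_000 if busy else 40_000) * (1 + jitter)
            out_bps = (150_000 if busy else 20_000) * (1 + jitter)
            if day == anomaly_day and hour < 6:
                out_bps = 300_000  # constructed overnight outbound surge
            rows.append((day * HOURS_PER_DAY + hour, int(in_bps), int(out_bps)))
    return rows


def hourly_baseline(rows):
    """Median inbound/outbound per hour-of-day.

    The median tolerates a bad day or two in the window, so the anomaly
    being measured does not drag its own baseline upwards.
    """
    by_hour = defaultdict(lambda: ([], []))
    for idx, in_bps, out_bps in rows:
        ins, outs = by_hour[idx % HOURS_PER_DAY]
        ins.append(in_bps)
        outs.append(out_bps)
    return {h: (median(i), median(o)) for h, (i, o) in by_hour.items()}


def deviations(rows, baseline, factor=3.0, floor_bps=5_000):
    """Hours where one direction is > factor x, or < 1/factor x, its baseline.

    floor_bps stops near-idle hours from tripping on tiny ratios. Returns
    (hour_index, direction, 'high'|'low', observed, expected) tuples.
    """
    flagged = []
    for idx, in_bps, out_bps in rows:
        exp_in, exp_out = baseline[idx % HOURS_PER_DAY]
        for direction, seen, expected in (("in", in_bps, exp_in),
                                          ("out", out_bps, exp_out)):
            expected = max(expected, floor_bps)
            if seen > expected * factor:
                flagged.append((idx, direction, "high", seen, expected))
            elif seen < expected / factor:
                flagged.append((idx, direction, "low", seen, expected))
    return flagged


def sustained_runs(flagged, min_hours=3):
    """Collapse consecutive flagged hours of the same direction and sign.

    A single odd hour is noise; several in a row in one direction is the
    sustained flow the reply above describes and is what to capture.
    """
    runs, current = [], None
    for idx, direction, sign, seen, _expected in sorted(flagged):
        key = (direction, sign)
        if current and current["key"] == key and idx == current["end"] + 1:
            current["end"] = idx
            current["peak"] = max(current["peak"], seen)
        else:
            current = {"key": key, "start": idx, "end": idx, "peak": seen}
            runs.append(current)
    return [r for r in runs if r["end"] - r["start"] + 1 >= min_hours]


if __name__ == "__main__":
    rows = make_samples()
    runs = sustained_runs(deviations(rows, hourly_baseline(rows)))
    for r in runs:
        direction, sign = r["key"]
        print(f"{direction} {sign} from hour {r['start']} to {r['end']}, "
              f"peak {r['peak']} bytes/s: capture this interface")
```

The check only says that outbound volume was several times its normal overnight level for six hours running; as the reply says, identifying what that traffic is still takes a capture on the segment during the run.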
Current thread:
- strange data traffic danielgil (Sep 16)
- RE: strange data traffic David Gillett (Sep 16)
- <Possible follow-ups>
- RE: strange data traffic Fields, James (Sep 17)
- Re: strange data traffic Adam Newhard (Sep 17)