Security Incidents mailing list archives

Re: 1000% increase in traffic


From: Derek Kwan <dkwan () KWAN CA>
Date: Fri, 9 Feb 2001 21:47:30 -0500

Hi Bob,

 Well, have you taken a closer look at your log file to check the 'size'
field logged by sendmail? (try `grep sendmail /var/adm/messages | grep size
| less` or something like this, depending on your system) See if you have someone
sending a huge mail. Assuming that's the case, maybe you can tell where it
comes from and where it goes. And maybe you can set your sendmail config
file to limit the message size... (however, if someone still wants to
send out huge files, they can still split them up)

 DDOS attack.. hummm... is possible, but hard to say. Unless you are on
the system when this happens... You can't really tell where the data is
going now....

 Also take a closer look at your system, make sure it is not rooted and
being used for scanning other computers (or got hit by a worm)

 Another suggestion is to install a FW to try to filter the traffic. Installing
an IDS (e.g. snort) is another good suggestion.

 Just my .02

 \|/ _____ \|/    ***************************************************
 "@'/ , . \`@"    This e-mail is sent with 100% recyclable electrons.
 /_| \___/ |__\   ***************************************************
    \___U_/       Derek () KWAN ca


On Fri, 9 Feb 2001, Bob Wright wrote:

Hello guys, thank you for reading this email.. I believe I might have
an exploited box on my hands. At my place of employment we usually
range about 728b/s as our average for output (128k connection). Now
starting on Friday at 12am to Sat 12pm (about) MRTG (traffic analyser)
showed us averaging about 7744b/s !! on a weekend at that late of
night. And all out to boot. This worries me because of our data (of
course) or that we might have a possible client on one of the many
machines for a DDOS. Now I have searched through most of my logs, inet
logs and I can't find a thing..... the logs do not LOOK like they were
tampered with. These are what I think could have happened.

1) Employee sending files home thinking that no one will be able to
detect it.
2) DDOS client on one or several machines
3) We had an intrusion and the great guy he is decided to send our files to himself
4) <input here>

    I am new to this, I'm only an intern, however they expect me to look
into this? Anyhow I would like to hear what you guys out there who
have experience think, and as always I love any possible links you
might have which discuss general procedure or any site that deals with
network security.

I thank you again for reading my email.

-Robert Wright
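Derek's suggestion above (grep the sendmail log for the size= field and work out where each large message came from and where it went) can be scripted rather than eyeballed. The following is an added example, not code from either poster: it parses a constructed sample of sendmail syslog lines (queue IDs, hostnames and addresses are made up), joins the from= and to= lines by queue ID, and reports the largest messages and the bytes each sender pushed to addresses outside an assumed local domain (corp.example). The 10 MB threshold is also an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of sendmail syslog output (not real log data).  Each
# message produces a from= line (with size= in bytes) and one or more to=
# lines, all tied together by the queue ID after "sendmail[pid]:".
SAMPLE_LOG = """\
Feb  9 00:12:41 mailhost sendmail[4123]: f190Cf04123: from=<alice@corp.example>, size=2048, class=0, nrcpts=1, proto=ESMTP, relay=ws01.corp.example [10.0.0.11]
Feb  9 00:12:42 mailhost sendmail[4124]: f190Cf04123: to=<bob@corp.example>, delay=00:00:01, mailer=local, stat=Sent
Feb  9 00:15:03 mailhost sendmail[4130]: f190F304130: from=<carol@corp.example>, size=52428800, class=0, nrcpts=1, proto=ESMTP, relay=ws07.corp.example [10.0.0.17]
Feb  9 00:19:55 mailhost sendmail[4131]: f190F304130: to=<carol.home@isp.example>, delay=00:04:52, mailer=esmtp, relay=mx.isp.example. [192.0.2.25], stat=Sent
Feb  9 01:02:10 mailhost sendmail[4140]: f1912A04140: from=<carol@corp.example>, size=73400320, class=0, nrcpts=1, proto=ESMTP, relay=ws07.corp.example [10.0.0.17]
Feb  9 01:09:48 mailhost sendmail[4141]: f1912A04140: to=<carol.home@isp.example>, delay=00:07:38, mailer=esmtp, relay=mx.isp.example. [192.0.2.25], stat=Sent
Feb  9 01:30:00 mailhost sendmail[4150]: f191U004150: from=<dave@corp.example>, size=15000, class=0, nrcpts=2, proto=ESMTP, relay=ws03.corp.example [10.0.0.13]
Feb  9 01:30:01 mailhost sendmail[4151]: f191U004150: to=<eve@corp.example>,<frank@corp.example>, delay=00:00:01, mailer=local, stat=Sent
"""

FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+)")
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=(?P<rcpts>(?:<[^>]*>,?)+)")
RELAY_RE = re.compile(r"relay=([^\s,]+)")


@dataclass
class Message:
    qid: str
    sender: str = ""
    size: int = 0            # bytes, as logged in the from= line
    origin: str = ""         # host that handed the message to sendmail
    recipients: list = field(default_factory=list)


def parse_sendmail_log(text):
    """Return {queue_id: Message} built from from=/to= lines."""
    messages = {}
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if m:
            msg = messages.setdefault(m["qid"], Message(m["qid"]))
            msg.sender = m["sender"]
            msg.size = int(m["size"])
            r = RELAY_RE.search(line)
            msg.origin = r.group(1) if r else ""
            continue
        m = TO_RE.search(line)
        if m:
            msg = messages.setdefault(m["qid"], Message(m["qid"]))
            # A to= line may list several recipients: <a>,<b>
            msg.recipients.extend(re.findall(r"<([^>]*)>", m["rcpts"]))
    return messages


def is_external(addr, local_domain):
    """True if the address is not in the (assumed) local domain."""
    return not addr.lower().endswith("@" + local_domain.lower())


def large_messages(messages, threshold):
    """Messages at or above `threshold` bytes, largest first."""
    return sorted((m for m in messages.values() if m.size >= threshold),
                  key=lambda m: m.size, reverse=True)


def bytes_by_sender(messages, local_domain=None):
    """Total bytes per sender; with local_domain set, only messages that
    had at least one recipient outside that domain (i.e. data leaving)."""
    totals = defaultdict(int)
    for m in messages.values():
        if local_domain is None or any(is_external(r, local_domain) for r in m.recipients):
            totals[m.sender] += m.size
    return dict(totals)


if __name__ == "__main__":
    msgs = parse_sendmail_log(SAMPLE_LOG)
    print("Messages >= 10 MB:")
    for m in large_messages(msgs, 10 * 1024 * 1024):
        print(f"  {m.qid} {m.size:>10} bytes  {m.sender} ({m.origin}) -> {', '.join(m.recipients)}")
    print("Bytes sent to external recipients, per sender:")
    for sender, total in sorted(bytes_by_sender(msgs, "corp.example").items(), key=lambda kv: -kv[1]):
        print(f"  {sender}: {total}")
```

On a real box the sample string would be replaced by the contents of the syslog file sendmail writes to (the path varies by system, as Derek notes), and the origin host on the from= line is what tells you which workstation to look at. If the totals point at mail rather than something else, sendmail's MaxMessageSize option is the configuration knob Derek is referring to for capping message size.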


