Security Incidents mailing list archives
Re: 1000% increase in traffic
From: Derek Kwan <dkwan () KWAN CA>
Date: Fri, 9 Feb 2001 21:47:30 -0500
Hi Bob, Well, have you tale a closer look at your log file to check the 'size' field by sendmail? (try to do a grep /var/adm/message sendmail | grep size | less or sth like this, depends on your system) See if you have someone sending a huge mail. Assume that's the case, maybe you can tell where is it come from and where it goes. And maybe you can set your sendmail config file to limit the sendmail size... (however, if someone still wants to send out huge files, they can still spilt it up) DDOS attack.. hummm... is possible, but hard to say. Unless you are on the system when this happens... You can't really tell where the data is going now.... Also take a closer look at your system, make sure it is not rooted and use it for scanning other computers (or get hit by a worm) Another suggestion is install a FW try to filter the traffic. Installing IDS (e.g. snort) is another good suggestion. Just my .02 \|/ _____ \|/ *************************************************** "@'/ , . \`@" This e-mail is send with 100% recyclable electrons. /_| \___/ |__\ *************************************************** \___U_/ Derek () KWAN ca On Fri, 9 Feb 2001, Bob Wright wrote:
Hello guys, thank you for reading this email.. I beleave i might have an exploited box on my hands, At my place of employment we usally range about 728b/s as our average for output (128k Connection) Now starting at friday at 12am to sat 12pm (about) MRTG (traffic analyser) showed us averaging about 7744b/s !! on a weekend at that late of night. And all out to boot. This worries me because of our data (of coarse) or that we might have a possible client on one of the many machines for a DDOS. Now i have searched through most my logs, inet logs and i cant find a thing..... the logs do not LOOK like they were tamperd with. These are what i think could have happend. 1) Employee sending files home thinking that no one will be able to detect it. 2) DDOS client on one or several machines 3) We had a intrusion and the great guy he is decided to send our files to himself 4) <input here> I am new to this, im only an intern however they expect me to look into this? any how i would like to hear what you guys out there who have experience think, and as always i love any possible links you might have which discuss general procedure or any site that deals with network security. I thank you again for reading my email. -Robert Wright
Current thread:
- 1000% increase in traffic Bob Wright (Feb 10)
- Re: 1000% increase in traffic Jason Storm (Feb 10)
- Re: 1000% increase in traffic Derek Kwan (Feb 10)
- Re: 1000% increase in traffic Bryan Andersen (Feb 10)
- Re: 1000% increase in traffic Valdis Kletnieks (Feb 10)
- Re: 1000% increase in traffic John Kristoff (Feb 10)
- Re: 1000% increase in traffic Anders Thulin (Feb 26)