Security Incidents mailing list archives

Re: DoS "Probing" on one of our hosts


From: Christopher Kunz <chrislist () de-punkt de>
Date: Mon, 30 Jun 2003 18:34:28 +0200

Donald Voss wrote:

> Not to be a jerk .. but could it have been a file sharing app or two or
> three ..

I can safely rule that out - the data that went _into_ the box must have been stored somewhere and there is definitely not enough space to store the equivalent of those bandwidth spikes. And since the outgoing traffic did not change at all, I don't suspect the box has been rooted or used as a file server by its legitimate owners.

> a rooted box .. = warez ftp ? You never know until you look close. We have
> had students here do the file sharing thing .. then of course everyone sorts
> the hits by speed .. then queues up a few hundred .. so our pipe has been
> filled from outside connections .. can anyone say packeteer ..

I just ran chkrootkit on the box and although this tool is of course not too sophisticated, it generally gave me a good hint on all boxes on my network that have been rooted in the past. No results.

--ck

--
php development | hosting |  housing | professional game server hosting
http://www.de-punkt.de   [ chris () de-punkt de ]    http://www.stormix.de
+49 511 1237504 | +49 511 1237505 | laportestr. 2a, 30449 hannover.de
Filoo auf dem Linuxtag 2003 (F15) - http://www.de-punkt.de/lt2003.php

