[ale] Garbage spewer, part II
Chris Fowler
ChrisF at computone.com
Fri Jun 22 08:55:45 EDT 2001
Who is your ISP? Are they NT based or UNIX based? I'm talking about the server based equipment they use.
Iptraf can log to a file. Tunr it on and use it in your defense.Â
You are correct. If you are on a switch, you should only see traffic destined for your machine or maybe broadcasts. That is all.Â
Chris
-----Original Message-----
From: djinn at djinnspace.com [mailto:djinn at djinnspace.com]
To: ale at ale.org
Sent: Thursday, June 21, 2001 11:28 AM
To: ale at ale.org
Subject: [ale] Garbage spewer, part II
Thanks to everyone for the help and advice regarding my sudden
transition into a bandwidth hog.
Here's part II: I spent about 8 hours doing forensics and as far as
I can tell, the machine has not been cracked. No unauthorized ports
listening, no replaced binaries, chkrootkit came up empty.  So I put
the machine back on the network and watched for awhile....behaved like a
good little linux box. THEN I started sending mail again.  Suddenly,
5000ms ping time. Whenever I send out large quantites of mail, I fill
up our alloted bandwidth and can't wedge a packet in to save my life.
The machine in question is on the same subnet as my office firewall, so
during the day we generate a reasonable amount of outbound (mostly http)
traffic, and nothing like this happens. It appears to only hate smtp
packets (honestly, I don't blame it).
I put tcpdump and iptraf on the mail machine, and just looking at the
outbound traffic from that nic, all appears normal--I am only sending
out the types and quantites of packets I expect to see, when I'm sending
mail and when I'm not. I don't quite understand how to read iptraf
information, am working on that now...but didn't see anything
immediately alarming.
Here's the interesting part--if I put the nic in promiscuous mode, I can
see all sorts of traffic bound for machines that I shouldn't be able to
see. For example, our ISP swears that our production machines are on
their own switched subnet and not sharing traffic with anyone. Which
makes me curious as to why I can see packets from a foreign host,
inbound to the production web server, from my test web server sitting
way far away on another subnet. I was under the impression that tcpdump
and iptraf can't get past a switched segment...is this true? Anyone
know? Am I using the right terminology or do I sound like an idiot??
So, if any network gurus out there would like to offer an opinion on
what to do from here, and how I can track down the problem, I would be
much appreciative. I know it's the ISP's problem, but I don't think
they're going to be any help, and now that the scare is over this is
getting interesting. Pointers to good references on this sort of thing
would also be appreciated.
Thanks again
Cheers
jenn
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
More information about the Ale
mailing list