
RE: hacked

Are you sure there was nobody who just ftp'd a huge file or sent an email to 10 people with a huge attachment?
Could you please check your ftp and email logs?

tcpdump is a good idea. I would also suggest some kind of ipchains or firewall if you are directly connected to the Internet.

----Original Message Follows----
Reply-To: "Discussion of Red Hat Linux 7.3 (Valhalla)" <valhalla-list redhat com>
To: "Discussion of Red Hat Linux 7.3 (Valhalla)" <valhalla-list redhat com>
Subject: hacked
Date: Sun, 6 Jun 2004 13:52:14 +0200

Hello, since yesterday I have a huge network traffic increase.

It goes from 12Gb to 45Gb a month.

Somebody is messing around.

I did the following:
Only access sshd with one IP address
Changed the root password (it was a #$%EEE123-like password)

Tasks of the server, directly connected to the internet:
It's an ftp server for authenticated users
It's a mail server running on IBM Domino 5.012 which is pretty (I think ...)

When I take a look at /var/messages and /var/secure I see nothing strange.

I am running kernel 2.4.20-28.7 on i686

1. How can I see which process is producing the traffic?
2. What else can I do?

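The reply's suggestion to check the ftp logs for a single large transfer, as an added example that is not part of the original thread: it totals transferred bytes per day, user and remote host. It assumes the server writes wu-ftpd-style xferlog lines (the thread names neither the FTP daemon nor the log path), and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample lines in the common xferlog layout (assumption: the
# thread does not say which FTP daemon or log format the server uses).
SAMPLE_XFERLOG = """\
Sat Jun  5 09:12:01 2004 3 198.51.100.7 20480 /home/alice/report.pdf b _ o r alice ftp 0 * c
Sat Jun  5 22:40:17 2004 5210 203.0.113.44 1468006400 /home/bob/pub/image.iso b _ o r bob ftp 0 * c
Sat Jun  5 23:58:30 2004 4987 203.0.113.44 1468006400 /home/bob/pub/image.iso b _ o r bob ftp 0 * c
Sun Jun  6 01:15:02 2004 2 198.51.100.7 51200 /home/alice/notes.txt b _ i r alice ftp 0 * c
garbage line that should be skipped
"""

def parse_xferlog_line(line):
    """Return (day, user, host, direction, bytes) or None if malformed."""
    f = line.split()
    # 5 timestamp tokens + 13 fields; the filename may contain spaces, so the
    # trailing fields are indexed from the end of the line.
    if len(f) < 18 or not f[7].isdigit():
        return None
    day = " ".join((f[1], f[2], f[4]))      # e.g. "Jun 5 2004"
    host, size = f[6], int(f[7])
    direction, user = f[-7], f[-5]          # 'o' = sent out, 'i' = received
    if direction not in ("o", "i", "d"):
        return None
    return day, user, host, direction, size

def traffic_by_day(log_text):
    """Sum bytes per (day, user, host, direction), skipping malformed lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec:
            totals[rec[:4]] += rec[4]
    return dict(totals)

def top_talkers(log_text, n=3):
    """Return the n largest (key, bytes) pairs, biggest first."""
    items = traffic_by_day(log_text).items()
    return sorted(items, key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    for (day, user, host, direction), size in top_talkers(SAMPLE_XFERLOG):
        print(f"{day:12} {user:8} {host:15} {direction} {size / 2**20:10.1f} MiB")
```

A single user and host accounting for most of a day's bytes points to an ordinary large transfer; traffic that the transfer log does not account for is what the tcpdump capture is for.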
