
Re: hacked



No,

tcpdump -i ethX

X stands for the ID of your interface, not the IP address.
Type in ifconfig and you will see the IDs of your interfaces. 

Example:

tcpdump -i eth0

Regards,
Michael


----- Original Message ----- 
From: "Harry Hambi" <harry hambi bbc co uk>
To: "Discussion of Red Hat Linux 7.3 (Valhalla)" <valhalla-list redhat com>
Sent: Monday, June 07, 2004 4:46 PM
Subject: RE: hacked


> Hi,
> Do you mean tcpdump -i ethX, where X = IP address of the interface? When I run this
> command I get
> Bind: no such device
> 
> 
> -----Original Message-----
> From: valhalla-list-bounces redhat com
> [mailto:valhalla-list-bounces redhat com] On Behalf Of John
> Ceballos-contr
> Sent: 07 June 2004 14:39
> To: linux NET-PRODUCTS NL; valhalla-list redhat com
> Subject: Re: hacked
> 
> 
> Have you done a ps -ef on the box to see at least what processes are
> running? Another thing that you can do is do a tcpdump -i ethX where X
> is the number of the network interface that you want to look at. I would
> redirect this to a file and then look at it later. Let this go for a
> couple of minutes. After that, do a control-C to get out of it. Open up
> the file you just created and see what is happening on your NIC. This
> should be another thing that should give you a better view of what is
> happening with your computer. The last thing is go through the rc.d
> files and see if there are any programs that are starting up that you
> don't know about. Well, I hope this helps.
> 
> >>> linux NET-PRODUCTS NL 6/6/2004 7:52:14 AM >>>
> 
> Hello,
> Since yesterday I have a huge network traffic increase
> 
> It goes from 12Gb to 45Gb a month.
> 
> Somebody is messing around.
> 
> I did the following:
> Only access sshd with one IP address
> changed password root (it was a #$%EEE123) alike password reboot
> 
> Tasks server, directly connected to internet:
> It's an FTP server for authenticated users
> It's a mail server running on IBM Domino 5.012 which is pretty (I think
> ...) secure
> 
> When I take a look at /var/messages and /var/secure I see nothing
> strange
> 
> I am running kernel 2.4.20-28.7 on i686
> 
> Question:
> 1. How can I see which process is producing the traffic?
> 2. What else can I do?
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Valhalla-list mailing list
> Valhalla-list redhat com 
> https://www.redhat.com/mailman/listinfo/valhalla-list
> 
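
The "redirect tcpdump to a file and look at it later" step suggested in the thread can be turned into a per-host byte count. This is an added example, not part of the original messages; the function names, the file name capture.txt and the sample lines are constructed, and it assumes IPv4 lines in current `tcpdump -n` text format that carry `length N`.

```shell
#!/bin/sh
# Added example (not from the thread): rank host pairs by bytes seen in
# tcpdump text output saved to a file, e.g.
#   tcpdump -n -i eth0 > capture.txt    (stop with Ctrl-C after a few minutes)
#   top_talkers 10 < capture.txt
# Assumes IPv4 lines in current tcpdump -n format that carry "length N".

# Constructed sample capture; addresses are RFC 5737 documentation ranges.
sample_capture() {
cat <<'EOF'
16:46:01.000001 IP 192.0.2.10.20 > 203.0.113.5.40123: Flags [.], seq 1:1449, ack 1, win 5840, length 1448
16:46:01.000210 IP 192.0.2.10.20 > 203.0.113.5.40123: Flags [.], seq 1449:2897, ack 1, win 5840, length 1448
16:46:01.000950 IP 203.0.113.5.40123 > 192.0.2.10.20: Flags [.], ack 2897, win 64240, length 0
16:46:01.200000 IP 192.0.2.10.25 > 198.51.100.7.51000: Flags [P.], seq 1:513, ack 1, win 5840, length 512
16:46:02.000000 IP 198.51.100.9 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64
EOF
}

# top_talkers N: read tcpdump text on stdin, print "bytes src > dst"
# for the N busiest host pairs, largest first.
top_talkers() {
    awk '
    # Drop a trailing ":" and, if present, the port (5th dotted field).
    function host(addr,   parts, cnt) {
        sub(/:$/, "", addr)
        cnt = split(addr, parts, ".")
        if (cnt == 5) return parts[1] "." parts[2] "." parts[3] "." parts[4]
        return addr
    }
    $2 == "IP" && $4 == ">" {
        len = 0
        for (i = 5; i < NF; i++)
            if ($i == "length") len = $(i + 1) + 0
        bytes[host($3) " > " host($5)] += len
    }
    END { for (pair in bytes) print bytes[pair], pair }
    ' | sort -rn | head -n "${1:-10}"
}

# Demo run on the constructed sample.
sample_capture | top_talkers 3
```

The counts are TCP/UDP/ICMP payload lengths as printed by tcpdump, so they rank flows by volume rather than giving exact on-the-wire totals.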


