[ Machiavelli... @ 27.10.2010. 18:43 ] @
Imam problem, prijatelju ce da iskljuce server. Ima nenormalni output traffic. Vec je dobio upozorenje ovo je pred iskljucenje!


Ovo je deo mail koji su mu poslali


Direction OUT
Internal 213.239.*.*
Threshold Packets 30.000 packets/s
Sum 12.494.000 packets/300s (41.646 packets/s), 15 flows/300s (0 flows/s), 0,515 GByte/300s (14 MBit/s)
External 96.38.136.139, 12.481.000 packets/300s (41.603 packets/s), 2 flows/300s (0 flows/s), 0,500 GByte/300s (13 MBit/s)
External 89.216.218.89, 2.000 packets/300s (6 packets/s), 2 flows/300s (0 flows/s), 0,003 GByte/300s (0 MBit/s)
External 94.189.163.133, 2.000 packets/300s (6 packets/s), 2 flows/300s (0 flows/s), 0,003 GByte/300s (0 MBit/s)
External 93.86.253.223, 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s), 0,001 GByte/300s (0 MBit/s)
External 109.245.183.64, 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s), 0,001 GByte/300s (0 MBit/s)
External 89.216.23.52, 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s), 0,001 GByte/300s (0 MBit/s)
External 213.198.226.249, 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s), 0,000 GByte/300s (0 MBit/s)
External 92.60.228.44, 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s), 0,001 GByte/300s (0 MBit/s)
External 178.223.86.15, 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s), 0,001 GByte/300s (0 MBit/s)
External 188.2.76.83, 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s), 0,001 GByte/300s (0 MBit/s)
External 91.185.102.168, 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s), 0,001 GByte/300s (0 MBit/s)
External 109.93.25.38, 1.000 packets/300s (3 packets/s), 1 flows/300s (0 flows/s), 0,000 GByte/300s (0 MBit/s)

Kako da ustanovim ko pravi ovaj ludi traffic? Evo upravo mu zatvaram OUTPUT firewall polisu (stavicu na default DROP) otvoricu samo 22 i 10000( on koristi webadmina).

Kako na debain da vidim ko pravo ovaj traffic? Koji deamon?
[ combuster @ 27.10.2010. 18:57 ] @
IP adresa ukazuje na ovo http://www.charter.com/

Probaj sa:

netstat -apn | grep 96.38.136.139
[ Tyler Durden @ 27.10.2010. 21:11 ] @
Pa, ako je ovo ono što su ti oni poslali onda je očigledno problem u toj adresi 96.38.136.139.
Moguće da ti je na neki način provaljena mašina i neko je sad koristi za DOS na ovaj IP.
Za početak blokiraj odlazni saobraćaj na ovu IP pa onda možeš da lagano analiziraš o čemu se radi, ovako kako ti je napisao combuster, pa tcpdump i sl.
[ Machiavelli... @ 28.10.2010. 05:16 ] @
ma to sam i hteo, Ne samo na tu adresu nego kompletan output samo da ostavim port 22. Onda da pogledam. Ne vidim u logovima za mail nista neobicno (stoga, mala verovatnoca da je postfix).

Vidim ja da je on na onaj IP napravio 12GB output saobracaja (ili koliko vec), ali je pokusavao na sve adrese iz onog log-a sto su mi poslali.

U mail su mu rekli da je server koriscen za napad (ddos valjda).