Topic: Virus ??

[Phil]

I am concerned about my e-smith server, If no PC's on our local network are switched on, there is still a lot of activity between our cable modem and the server. Not much incoming but lots or outgoing data???. I am concerned that the server is behaving badly, is there anything I can check, logs etc...

[Arkman]

Yes. Look in /var/log
Have a look at the log called 'messages', the end of the file contains the newer stuff. Also, look in the maillog. You haven't left an open mail relay have you?

[Phil]

Messages are ok and normal, also mail log ok, and mail stats normal. Telnet and FTP disabled, all other access private??.

Any ideas??

[Luke Drumm]

The usual suspect in 'unknown' cable comms tends to be ARP stuff (ie. the normal behind the scenes working of the network).

There are a few cable companies (a rather large one in Australia being a prime example) who seem to have their router/modem configs set for a large amount of ARP traffic as a standard.

If it's of serious concern to you, I'd suggest installing package such as snort (+ acid). That way you can tell what happening at the packet level.

[Korpo]

I get a similar behavior, cable modem going nuts all hours of the day. The best log I could find was my mod_gzip log, and it turns out I get quite a few hits from machines infected with the Nimda worm. Trying to connect to files that would be there on an insecure NT server, but obviously aren't there now. As far as I know, there's nothing to be done about it.
-Kris

[Nate]

Probably not a problem at all.  I get activity like you are talking about on my cable modem--if it's plugged into the server or my win2000 machine.  Makes no difference.