Koozali.org: home of the SME Server

Monitoring traffic

bjarni

Monitoring traffic
« on: May 18, 2004, 05:57:35 PM »
I'm running an old 5.1.2

In the last days I have had a lot of outgoing traffic (so my ISP says), which I don't know anything about. Normally I have more incoming traffic, but now the outgoing is 5-10 times bigger than the incoming.

I would like to know where this traffic is going, and maybe see if I am being hacked :(

Is there a way to monitor the ongoing traffic?

Are there any useful logfiles that I should look in?

I know that I should update, and I'm going to install a new server in the next days, but I would like to know where all this traffic is going.

/bjarni

Boris
Monitoring traffic
« Reply #1 on: May 18, 2004, 07:25:54 PM »
netstat and iptraf (you need to install this one) may give you a clue.
...

mbachmann

Monitoring traffic
« Reply #2 on: May 19, 2004, 08:19:57 AM »
The /var/log directory contains a lot of logs; /var/log/squid/ might interest you.

raem
Monitoring traffic
« Reply #3 on: May 19, 2004, 12:17:37 PM »
You should upgrade to v6.x immediately, your server is insecure for sure!

Do a relay check, see
www.abuse.net/relay.html

Also do a virus scan on any (ALL) workstations connected to the server, you may have a virus infection that is sending out lots of messages.

Search for & install the iptraf rpm appropriate for the version of Red Hat on the v5.1.2 box
 
eg for RH 7.3
iptraf-2.5.0-3.i386.rpm

(note it is installed in v6.x)

PS: and don't report back until you have upgraded your box (smile)!!

Regs
Ray
...

bjarni

Monitoring traffic
« Reply #4 on: May 24, 2004, 10:50:22 AM »
Thanks for the answers.

I have now upgraded to 6.0.1. But I am still making a lot of outgoing traffic according to my ISP.

I have had a look in IPTRAF, but - as I see it - it only gives me the actual traffic right now.

I would like a tool which can tell me how much traffic has been made between each local PC and the internet over time (a day, a week, a month). This way I will have a chance to locate which of my computers is making all this traffic, and where this traffic is going.

raem
Monitoring traffic
« Reply #5 on: May 24, 2004, 11:30:38 AM »
> I have now upgraded to 6.0.1.

What was the result of the relay test, if you upgraded a bad config you could still be vulnerable.

> Re iptraf

You need to turn Logging ON in the Configure menu when you start iptraf, then save the output to a file for later review.

Depending on what the traffic is, try also looking at /var/log/smtpfront-qmail/current
and
/var/log/smtpfront-qmail/*
for details of outgoing messages
eg

2004-05-24 17:51:33.094495500 tcpserver: pid 3036 from 192.168.X.XX
2004-05-24 17:51:33.096386500 tcpserver: ok 3036 0:192.168.X.X:25 pc-000XX.XXXXXX.XXX:192.168.X.XX::1647
2004-05-24 17:51:36.529768500 smtpfront-qmail[3036]: MAIL FROM: <user@yourdomain.com>
2004-05-24 17:51:36.530615500 smtpfront-qmail[3036]: RCPT TO: <address@somewhere.com>
2004-05-24 17:51:38.809311500 smtpfront-qmail[3036]: Accepted message qp 3037 bytes 2814
2004-05-24 17:51:38.810864500 smtpfront-qmail[3036]: bytes in: 2836 bytes out: 208
...
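To turn the smtpfront-qmail lines above into the per-workstation view bjarni is asking for, here is an added example (not code from the thread or from SME Server) that correlates each `tcpserver: pid N from IP` line with the later `smtpfront-qmail[N]:` events and totals connections, recipients, accepted messages and bytes per client IP. The log excerpt embedded in it is constructed in the same format as the one quoted above; the IPs, addresses, byte counts and the recipient threshold are made up for the demo.

```python
import re
from collections import defaultdict

# Constructed sample in the format of /var/log/smtpfront-qmail/current
# (timestamps as produced by tai64nlocal). All hosts and addresses are made up.
SAMPLE_LOG = """\
2004-05-24 17:51:33.094495500 tcpserver: pid 3036 from 192.168.1.10
2004-05-24 17:51:33.096386500 tcpserver: ok 3036 0:192.168.1.1:25 pc-00010.example.lan:192.168.1.10::1647
2004-05-24 17:51:36.529768500 smtpfront-qmail[3036]: MAIL FROM: <user@yourdomain.com>
2004-05-24 17:51:36.530615500 smtpfront-qmail[3036]: RCPT TO: <address@somewhere.com>
2004-05-24 17:51:38.809311500 smtpfront-qmail[3036]: Accepted message qp 3037 bytes 2814
2004-05-24 17:51:38.810864500 smtpfront-qmail[3036]: bytes in: 2836 bytes out: 208
2004-05-24 17:52:01.100000000 tcpserver: pid 3040 from 192.168.1.77
2004-05-24 17:52:01.100500000 tcpserver: ok 3040 0:192.168.1.1:25 :192.168.1.77::2210
2004-05-24 17:52:01.300000000 smtpfront-qmail[3040]: MAIL FROM: <bogus@yourdomain.com>
2004-05-24 17:52:01.310000000 smtpfront-qmail[3040]: RCPT TO: <a@example.net>
2004-05-24 17:52:01.320000000 smtpfront-qmail[3040]: RCPT TO: <b@example.net>
2004-05-24 17:52:01.330000000 smtpfront-qmail[3040]: RCPT TO: <c@example.org>
2004-05-24 17:52:01.900000000 smtpfront-qmail[3040]: Accepted message qp 3041 bytes 5120
2004-05-24 17:52:01.910000000 smtpfront-qmail[3040]: bytes in: 5200 bytes out: 300
2004-05-24 17:52:02.000000000 tcpserver: pid 3042 from 192.168.1.77
2004-05-24 17:52:02.300000000 smtpfront-qmail[3042]: MAIL FROM: <bogus@yourdomain.com>
2004-05-24 17:52:02.310000000 smtpfront-qmail[3042]: RCPT TO: <d@example.com>
2004-05-24 17:52:02.900000000 smtpfront-qmail[3042]: Accepted message qp 3043 bytes 5120
2004-05-24 17:52:02.910000000 smtpfront-qmail[3042]: bytes in: 5200 bytes out: 300
"""

PID_FROM = re.compile(r"tcpserver: pid (\d+) from (\S+)")
EVENT = re.compile(r"smtpfront-qmail\[(\d+)\]: (.*)$")
ACCEPTED = re.compile(r"Accepted message qp \d+ bytes (\d+)")
BYTES = re.compile(r"bytes in: (\d+) bytes out: (\d+)")


def new_stats():
    return {"connections": 0, "recipients": 0, "messages": 0,
            "message_bytes": 0, "bytes_in": 0, "bytes_out": 0, "senders": set()}


def summarize_smtp(log_text):
    """Per-client-IP totals from smtpfront-qmail log text (tcpserver pid -> IP join)."""
    pid_to_ip = {}
    stats = defaultdict(new_stats)
    for line in log_text.splitlines():
        m = PID_FROM.search(line)
        if m:
            pid, ip = m.groups()
            pid_to_ip[pid] = ip
            stats[ip]["connections"] += 1
            continue
        m = EVENT.search(line)
        if not m:
            continue                      # "tcpserver: ok ..." and anything else
        pid, event = m.groups()
        # A pid with no "tcpserver: pid" line (log rotated mid-session) is filed under "unknown".
        s = stats[pid_to_ip.get(pid, "unknown")]
        if event.startswith("RCPT TO:"):
            s["recipients"] += 1
        elif event.startswith("MAIL FROM:"):
            s["senders"].add(event[len("MAIL FROM:"):].strip())
        else:
            a = ACCEPTED.match(event)
            b = BYTES.match(event)
            if a:
                s["messages"] += 1
                s["message_bytes"] += int(a.group(1))
            elif b:
                s["bytes_in"] += int(b.group(1))
                s["bytes_out"] += int(b.group(2))
    return dict(stats)


def top_senders(stats, max_recipients=100):
    """Clients that addressed more than max_recipients in the period, busiest first."""
    hot = [(ip, s) for ip, s in stats.items() if s["recipients"] > max_recipients]
    return sorted(hot, key=lambda kv: kv[1]["recipients"], reverse=True)


if __name__ == "__main__":
    totals = summarize_smtp(SAMPLE_LOG)
    for ip, s in sorted(totals.items()):
        print(f"{ip:15s} conn={s['connections']:3d} rcpt={s['recipients']:4d} "
              f"msgs={s['messages']:3d} msg_bytes={s['message_bytes']:8d} "
              f"senders={sorted(s['senders'])}")
    for ip, s in top_senders(totals, max_recipients=2):
        print(f"check {ip}: {s['recipients']} recipients from {len(s['senders'])} sender address(es)")
```

Run it against the real file with `tai64nlocal < /var/log/smtpfront-qmail/current` piped in (and the rotated `@*.s` files the same way), and raise `max_recipients` to whatever a day of normal mail looks like on your network. A workstation that shows many recipients per message, many connections, and a sender address that nobody on that PC uses is the one to scan first. Note this log only covers mail that went through the SME box's SMTP port; a PC that delivers directly to the internet on port 25 bypasses it and will only show up in a firewall or iptraf log.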

bjarni

Monitoring traffic
« Reply #6 on: May 24, 2004, 01:17:19 PM »
>What was the result of the relay test, if you upgraded a bad config you could still be vulnerable.

I couldn't get the relay test to work. It couldn't connect to my server, even though I am able to ping it from here (I am at work right now).

I didn't upgrade my old server. I installed a new one, so I think that the extra outgoing traffic must come from one of my local computers (spyware or something like that).

I got a report from my ISP telling how much in- and outgoing traffic I have had each day. I would very much like to make my own similar report to be able to compare with that ISP report.

/bjarni
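One way to build the per-day in/out report bjarni wants to compare against the ISP's figures, as an added example that is not from the thread or from SME Server: sample the byte counters in `/proc/net/dev` on a schedule (say every 5 minutes from cron), and sum the deltas between consecutive samples. The two snapshots embedded below are constructed; the interface names are assumptions (compare only the interface that faces the ISP, not the LAN side, since LAN-to-server traffic never reaches the ISP). The example assumes the kernel's counters are 32-bit and wrap at 4 GiB, which is why it handles a counter going backwards, and why sampling far apart gives you an undercount.

```python
from collections import defaultdict

COUNTER_BITS = 32                  # assumption: 32-bit kernel counters (wrap at 4 GiB)
COUNTER_WRAP = 1 << COUNTER_BITS

# Constructed /proc/net/dev snapshots; interface names and numbers are made up.
HEADER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
"""
SAMPLE_0 = HEADER + """\
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0:  500000     400    0    0    0     0          0         0   300000     350    0    0    0     0       0          0
  eth1:4000000000 3000000    0    0    0     0          0         0 4294000000 3200000    0    0    0     0       0          0
"""
SAMPLE_1 = HEADER + """\
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0:  600000     480    0    0    0     0          0         0   900000     700    0    0    0     0       0          0
  eth1:4100000000 3080000    0    0    0     0          0         0  1000000     800    0    0    0     0       0          0
"""


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from the contents of /proc/net/dev."""
    counters = {}
    for line in text.splitlines():
        if ":" not in line:                 # the two header lines
            continue
        iface, _, rest = line.partition(":")   # old kernels may glue "eth0:" to the number
        fields = rest.split()
        if len(fields) < 16:                # malformed line: skip rather than crash
            continue
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def counter_delta(old, new):
    """Bytes transferred between two readings, allowing for one counter wrap.
    A reboot also resets the counters and is indistinguishable from a wrap here,
    so restart the baseline after boot."""
    if new >= old:
        return new - old
    return new + COUNTER_WRAP - old        # assumes less than 4 GiB passed since last sample


def deltas(snap_old, snap_new):
    """{iface: (rx_delta, tx_delta)} for interfaces present in both snapshots."""
    out = {}
    for iface, (rx_new, tx_new) in snap_new.items():
        if iface in snap_old:
            rx_old, tx_old = snap_old[iface]
            out[iface] = (counter_delta(rx_old, rx_new), counter_delta(tx_old, tx_new))
    return out


def period_totals(snapshots):
    """Sum deltas over a list of consecutive snapshots (e.g. one day of 5-minute samples)."""
    totals = defaultdict(lambda: [0, 0])
    for older, newer in zip(snapshots, snapshots[1:]):
        for iface, (rx, tx) in deltas(older, newer).items():
            totals[iface][0] += rx
            totals[iface][1] += tx
    return {iface: tuple(v) for iface, v in totals.items()}


if __name__ == "__main__":
    day = [parse_proc_net_dev(SAMPLE_0), parse_proc_net_dev(SAMPLE_1)]
    for iface, (rx, tx) in sorted(period_totals(day).items()):
        print(f"{iface:6s} in {rx / 1e6:10.2f} MB   out {tx / 1e6:10.2f} MB")
```

In practice you would `cat /proc/net/dev` to a dated file from cron and feed the day's files to `period_totals` in order. The "in" and "out" columns are from the server's point of view: what the ISP calls your outgoing traffic is the transmit counter of the external interface. If your own daily totals match the ISP's, the traffic is real and the per-host logs are where to look next; if they don't, one side's counting is off.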

none

Monitoring traffic
« Reply #7 on: May 25, 2004, 02:00:57 AM »
From the way you're describing it, you need a "Tool" to find out if you're hacked or not. In reality you need to know what your logs are telling you. I suspect a few computers on your network have spam programs that are generating a lot of traffic. Why on earth your ISP would be telling you this is beyond me.

I've had my own server for years and never heard from my isp yet.

You want to look in /var/log/squid/access.log and look at the traffic. Is it going to one site? How many workstations are on your network and where are they going?
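To answer "is it going to one site, and which workstations are going there" from the squid log, here is an added example (not from the thread or from SME Server) that parses squid's native `access.log` format and totals bytes per client, per destination host and per client/host pair. The log lines embedded in it are constructed in that format with made-up addresses. One caveat a practitioner should keep in mind: the size field in this format is the size of the reply delivered to the client, so this shows where the LAN is browsing and how much it downloads, not upload volume; large outgoing traffic that doesn't go through the proxy (a PC sending mail directly, or masqueraded connections) will not appear here at all.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed lines in squid's native access.log format:
# time elapsed client action/code size method URL ident hierarchy/from type
SAMPLE_ACCESS_LOG = """\
1085394693.123    245 192.168.1.10 TCP_MISS/200 4821 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1085394694.456     12 192.168.1.10 TCP_HIT/200 1200 GET http://www.example.com/logo.gif - NONE/- image/gif
1085394700.001   1800 192.168.1.77 TCP_MISS/200 524288 GET http://updates.example.net/big.bin - DIRECT/198.51.100.5 application/octet-stream
1085394701.002   1700 192.168.1.77 TCP_MISS/200 524288 GET http://updates.example.net/big2.bin - DIRECT/198.51.100.5 application/octet-stream
1085394702.003    900 192.168.1.77 TCP_MISS/200 65536 CONNECT mail.example.org:443 - DIRECT/203.0.113.9 -
1085394703.004     50 192.168.1.20 TCP_DENIED/403 1100 GET http://blocked.example.com/ - NONE/- text/html
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return (client_ip, dest_host, size_bytes, method) for one native-format line, or None."""
    f = line.split()
    if len(f) < 7:
        return None
    try:
        size = int(f[4])
    except ValueError:
        return None
    client, method, url = f[2], f[5], f[6]
    if method == "CONNECT":                 # tunnelled (HTTPS) requests are logged as host:port
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or url
    return client, host.lower(), size, method


def summarize_squid(log_text):
    """Bytes per client, per destination host, and per (client, host) pair."""
    per_client = defaultdict(int)
    per_host = defaultdict(int)
    per_pair = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, host, size, _ = rec
        per_client[client] += size
        per_host[host] += size
        per_pair[(client, host)] += size
    return dict(per_client), dict(per_host), dict(per_pair)


def top(counts, n=5):
    """The n biggest entries of a counts dict, largest first."""
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    by_client, by_host, by_pair = summarize_squid(SAMPLE_ACCESS_LOG)
    print("busiest workstations:")
    for client, size in top(by_client):
        print(f"  {client:15s} {size:12d} bytes")
    print("busiest destinations:")
    for host, size in top(by_host):
        print(f"  {host:25s} {size:12d} bytes")
    print("busiest client -> destination:")
    for (client, host), size in top(by_pair):
        print(f"  {client:15s} -> {host:25s} {size:12d} bytes")
```

Feed it `/var/log/squid/access.log` (and the rotated copies for earlier days) to get the same three tables for real traffic. A single workstation pulling most of the bytes from one host it has no business talking to is the usual signature of spyware or a download tool; a spread across many clients and hosts is just normal browsing.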

Spacko

Just a thought...
« Reply #8 on: May 26, 2004, 12:15:08 PM »
Bjarni,

Just a simple thing, but do you know if your ISP's traffic counters are accurate? I had a similar issue with Bigpond when I was with them and they thought I was using 10-30% more traffic than was being logged by my server (checked with SNMP from the local interfaces).

Have a look at the HOWTO-IOG I put together after that episode to provide a nice pretty interface for my baby SME box to verify whether the ISP's counters are correct. See http://no.longer.valid/phpwiki/index.php/IOG%20How%20To for more info.

Regards,

Sean Kelly

bjarni

Monitoring traffic
« Reply #9 on: May 26, 2004, 01:00:49 PM »
Thanks.

I think that I will try to install IOG. It looks like something I could use.

By the way. I had a look at IPtraf. I have a lot of NON-IP traffic between my SME-server and Internet and some ICMP-traffic.

What does NON-IP and ICMP mean? Where does/can it come from?

/bjarni