From owner-freebsd-questions@FreeBSD.ORG Wed Jan 5 18:25:40 2011
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D1260106564A for ; Wed, 5 Jan 2011 18:25:40 +0000 (UTC) (envelope-from gull@gull.us)
Received: from mail-ey0-f182.google.com (mail-ey0-f182.google.com [209.85.215.182]) by mx1.freebsd.org (Postfix) with ESMTP id 72CAB8FC15 for ; Wed, 5 Jan 2011 18:25:40 +0000 (UTC)
Received: by eyf6 with SMTP id 6so7063307eyf.13 for ; Wed, 05 Jan 2011 10:25:39 -0800 (PST)
MIME-Version: 1.0
Received: by 10.14.11.147 with SMTP id 19mr605787eex.14.1294251939318; Wed, 05 Jan 2011 10:25:39 -0800 (PST)
Received: by 10.14.29.80 with HTTP; Wed, 5 Jan 2011 10:25:39 -0800 (PST)
X-Originating-IP: [69.91.159.190]
In-Reply-To:
References: <4D249129.6090008@webtent.net> <4D249298.9080706@nrdx.com>
Date: Wed, 5 Jan 2011 10:25:39 -0800
Message-ID:
From: David Brodbeck
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: Bot?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 05 Jan 2011 18:25:40 -0000

On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox wrote:
> On 5 January 2011 10:47, Jerry Bell wrote:
>
>> There could be reasons you
>> aren't seeing a spike, such as you're only looking at traffic processed by
>> the MTA, or it simply doesn't show as a material increase on a graph of
>> traffic on the network interface if the server is busy.
>
> Those are good points and to go a little further regarding looking at
> traffic...
>
> To really see what your machine is doing, consider taking a look at
> the network flows. pfflowd, netflowd, ipaudit and a host of others can
> get you flow data with mostly minimal overhead.
Also, keep in mind that depending on how badly the machine has been compromised, you may not be able to trust the output of utilities running on the machine itself. You may have to resort to capturing its network traffic on another machine for analysis.
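The kind of off-box flow analysis the thread is pointing at, as an added example that is not part of the original message and is not code from pfflowd, netflowd or ipaudit: a small Python script that reads flow records as a second machine (on a tap or mirror port) might export them and summarizes what the suspect host is doing. The record layout, the addresses (RFC 5737 documentation ranges), the sample records and the threshold of 3 are all constructed for the example; the interesting pattern it surfaces is a burst of outbound SMTP flows to many distinct peers, which is what a spam-sending bot would look like in flow data even when the MTA logs on the box show nothing.

```python
"""Summarize flow records for a suspect host using data captured off-box.

Added example (not code from the thread or from pfflowd/netflowd/ipaudit).
Assumes flow records exported by a second machine, one per line, in a
constructed whitespace-separated layout:
    epoch_start src_ip src_port dst_ip dst_port proto bytes packets
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    start: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    packets: int


# Suspect server (constructed, RFC 5737 documentation address).
SUSPECT = "192.0.2.10"

# Constructed sample records: one inbound SMTP delivery, then a burst of
# outbound SMTP flows to five distinct hosts within a few seconds, a DNS
# lookup, and a later HTTPS session.
SAMPLE_FLOWS = """\
# epoch_start src_ip src_port dst_ip dst_port proto bytes packets
1294251000 198.51.100.7 51234 192.0.2.10 25 tcp 4100 12
1294251010 192.0.2.10 42211 203.0.113.5 25 tcp 5200 14
1294251012 192.0.2.10 42212 203.0.113.9 25 tcp 5100 13
1294251013 192.0.2.10 42213 203.0.113.14 25 tcp 5300 14
1294251015 192.0.2.10 42214 203.0.113.22 25 tcp 4900 12
1294251016 192.0.2.10 42215 203.0.113.31 25 tcp 5000 13
1294251020 192.0.2.10 33001 203.0.113.53 53 udp 120 2
1294251100 192.0.2.10 42300 198.51.100.200 443 tcp 18000 40
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, src, sport, dst, dport, proto, nbytes, packets = line.split()
        flows.append(Flow(int(start), src, int(sport), dst, int(dport),
                          proto, int(nbytes), int(packets)))
    return flows


def outbound_fanout(flows: List[Flow], host: str) -> Dict[int, int]:
    """Per destination port, how many distinct hosts `host` talked to."""
    peers = defaultdict(set)
    for f in flows:
        if f.src == host:
            peers[f.dport].add(f.dst)
    return {port: len(hosts) for port, hosts in peers.items()}


def flag_fanout(fanout: Dict[int, int], threshold: int) -> List[int]:
    """Ports on which the host reached more than `threshold` distinct peers."""
    return sorted(port for port, n in fanout.items() if n > threshold)


def flows_per_window(flows: List[Flow], host: str, window: int) -> Dict[int, int]:
    """Count outbound flows per `window`-second bucket, from the first record."""
    if not flows:
        return {}
    t0 = min(f.start for f in flows)
    counts = Counter((f.start - t0) // window for f in flows if f.src == host)
    return dict(counts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    fanout = outbound_fanout(flows, SUSPECT)
    print("distinct peers per dst port:", fanout)
    print("ports over fan-out threshold 3:", flag_fanout(fanout, 3))
    print("outbound flows per 60 s window:", flows_per_window(flows, SUSPECT, 60))
```

The point of running this on a second machine is the one David makes: the flow exporter and the analysis never touch the suspect host's userland, so a rootkit that filters `netstat` or `sockstat` output on the box cannot hide the connections from the collector. Fan-out per destination port is a cheap first cut; on real data you would set the threshold from a baseline of the same host's normal traffic rather than a fixed number.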