Date: Wed, 5 Jan 2011 12:30:17 -0600
From: Ryan Coleman <ryan.coleman@cwis.biz>
To: David Brodbeck <gull@gull.us>
Cc: freebsd-questions@freebsd.org
Subject: Re: Bot?
Message-ID: <BF867D93-74B0-43AA-A9B5-0F6D6106DD7A@cwis.biz>
In-Reply-To: <AANLkTinOewwzjMigG_Bn0+ZL7GzvfL7Nq_FGBHyCNbsj@mail.gmail.com>
References: <4D249129.6090008@webtent.net> <4D249298.9080706@nrdx.com> <AANLkTi=+=FGeQevAnxii6m2XK7i+617Mt4EkQfd2Ucv0@mail.gmail.com> <AANLkTinOewwzjMigG_Bn0+ZL7GzvfL7Nq_FGBHyCNbsj@mail.gmail.com>
I agree on this point.

That said, I once thought my employer's server was hacked and I ran local utilities and dug through months of logs only to discover that an install of either phpBB or phpMyAdmin had a slice of bad code that allowed someone to install software remotely and run its own p2p network off of it. I wasted a few days trying to dig in the wrong place.

On Jan 5, 2011, at 12:25 PM, David Brodbeck wrote:

> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox <kevin.wilcox@gmail.com> wrote:
>> On 5 January 2011 10:47, Jerry Bell <jerry@nrdx.com> wrote:
>>
>>> There could be reasons you
>>> aren't seeing a spike, such as you're only looking at traffic processed by
>>> the MTA, or it simply doesn't show as a material increase on a graph of
>>> traffic on the network interface if the server is busy.
>>
>> Those are good points and to go a little further regarding looking at
>> traffic...
>>
>> To really see what your machine is doing, consider taking a look at
>> the network flows. pfflowd, netflowd, ipaudit and a host of others can
>> get you flow data with mostly minimal overhead.
>
> Also, keep in mind that depending on how badly the machine has been
> compromised, you may not be able to trust the output of utilities
> running on the machine itself. You may have to resort to capturing
> its network traffic on another machine for analysis.
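The flow-based approach Kevin suggests, and the p2p fan-out Ryan describes, can be made concrete with a small offline summariser. This is an added example, not code from any poster in the thread: it parses a constructed text flow export (field order, the 10.0.0.0/8 "internal" range and the thresholds are all assumptions) and flags internal hosts that talk to many distinct external peers mostly on unprivileged ports, a pattern a busy mail server does not show.

```python
"""Summarise outbound flow records per internal host to spot p2p-like fan-out.

Constructed example for the thread above. Input lines mimic a generic text flow
export (srcip sport dstip dport proto pkts bytes); the field order, the internal
address range and the thresholds are assumptions for the demonstration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed local range

# Constructed flow export: a mail server (10.0.0.5) relaying SMTP to three peers,
# and a host (10.0.0.9) talking to eight distinct peers on high ports.
SAMPLE_FLOWS = "\n".join(
    [
        "10.0.0.5 41000 198.51.100.10 25 tcp 30 12000",
        "10.0.0.5 41001 198.51.100.11 25 tcp 28 11000",
        "10.0.0.5 41002 203.0.113.7 25 tcp 25 9000",
    ]
    + [f"10.0.0.9 {50000 + i} 203.0.113.{20 + i} {6881 + i} tcp 40 21000" for i in range(8)]
)


def parse_flows(text):
    """Turn whitespace-separated flow lines into tuples; skips blanks and # comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, sport, dst, dport, proto, pkts, nbytes = line.split()
        flows.append((ip_address(src), int(sport), ip_address(dst), int(dport),
                      proto, int(pkts), int(nbytes)))
    return flows


def summarise_outbound(flows):
    """Per internal source host: distinct external peers, destination ports, bytes out."""
    stats = defaultdict(lambda: {"peers": set(), "ports": set(), "bytes": 0})
    for src, _sport, dst, dport, _proto, _pkts, nbytes in flows:
        if src in INTERNAL and dst not in INTERNAL:
            s = stats[str(src)]
            s["peers"].add(str(dst))
            s["ports"].add(dport)
            s["bytes"] += nbytes
    return dict(stats)


def suspicious_hosts(stats, min_peers=5, high_port=1024):
    """Hosts with >= min_peers external peers where most destination ports are unprivileged."""
    flagged = []
    for host, s in stats.items():
        high = sum(1 for p in s["ports"] if p >= high_port)
        if len(s["peers"]) >= min_peers and high > len(s["ports"]) / 2:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarise_outbound(parse_flows(SAMPLE_FLOWS))
    for host in suspicious_hosts(summary):
        s = summary[host]
        print(f"{host}: {len(s['peers'])} peers, {len(s['ports'])} ports, {s['bytes']} bytes out")
```

Run against real exports, the thresholds need tuning per site, and the flows should come from a collector or tap on a separate machine, as David notes, so a compromised host cannot edit its own record.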