From: Ryan Coleman
Date: Wed, 5 Jan 2011 12:30:17 -0600
To: David Brodbeck
Cc: freebsd-questions@freebsd.org
Subject: Re: Bot?
References: <4D249129.6090008@webtent.net> <4D249298.9080706@nrdx.com>

I agree on this point.

That said, I once thought my employer's server was hacked and I ran local utilities and dug through months of logs only to discover that an install of either phpBB or phpMyAdmin had a slice of bad code that allowed someone to install software remotely and run its own p2p network off of it. I wasted a few days trying to dig in the wrong place.

On Jan 5, 2011, at 12:25 PM, David Brodbeck wrote:

> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox wrote:
>> On 5 January 2011 10:47, Jerry Bell wrote:
>>
>>> There could be reasons you
>>> aren't seeing a spike, such as you're only looking at traffic processed by
>>> the MTA, or it simply doesn't show as a material increase on a graph of
>>> traffic on the network interface if the server is busy.
>>
>> Those are good points and to go a little further regarding looking at
>> traffic...
>>
>> To really see what your machine is doing, consider taking a look at
>> the network flows. pfflowd, netflowd, ipaudit and a host of others can
>> get you flow data with mostly minimal overhead.
>
> Also, keep in mind that depending on how badly the machine has been
> compromised, you may not be able to trust the output of utilities
> running on the machine itself. You may have to resort to capturing
> its network traffic on another machine for analysis.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
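The thread's two practical suggestions are to look at flow data rather than only MTA logs, and to gather that data on a machine other than the suspect host, since a compromised box may lie about its own activity. The following is an added example (not code from the thread, nor from pfflowd, netflowd or ipaudit) showing what a first pass over off-box flow records can look like: it summarises what each watched host initiates toward the outside world and flags hosts that talk to many distinct peers or send most of their bytes to ports the service should not use, which is the shape the poster's unexpected p2p traffic would have had. The flow records and the whitespace-separated column layout are constructed for the example; the 192.0.2.0/24 network, the expected-port set and the thresholds are assumptions to adjust for a real site.

```python
"""Summarise flow records captured off-box and flag hosts whose outbound
traffic does not look like the service they are supposed to run.

Added example, not from the mailing-list thread or any of the tools it names.
Assumes a hypothetical whitespace-separated flow export with the columns
  start src_ip src_port dst_ip dst_port proto bytes packets
(a constructed layout, not the native output of pfflowd, netflowd or ipaudit).
"""

from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: 192.0.2.10 is the mail server in question,
# 192.0.2.20 is a quiet neighbour. External addresses are documentation ranges.
SAMPLE_FLOWS = """\
2011-01-05T12:00:01 192.0.2.10 51234 198.51.100.5 25 tcp 4200 12
2011-01-05T12:00:03 192.0.2.10 51235 198.51.100.9 25 tcp 3900 11
2011-01-05T12:00:04 198.51.100.5 43210 192.0.2.10 25 tcp 2100 8
2011-01-05T12:00:07 192.0.2.10 33001 203.0.113.44 41123 tcp 120000 410
2011-01-05T12:00:08 192.0.2.10 33002 203.0.113.45 52801 tcp 98000 350
2011-01-05T12:00:09 192.0.2.10 33003 203.0.113.46 38844 udp 45000 300
2011-01-05T12:00:10 192.0.2.10 33004 203.0.113.47 49120 tcp 76000 290
2011-01-05T12:00:11 192.0.2.10 33005 203.0.113.48 60222 tcp 88000 310
2011-01-05T12:00:12 192.0.2.10 33006 203.0.113.49 44871 tcp 67000 240
2011-01-05T12:00:15 192.0.2.20 40001 198.51.100.5 25 tcp 1500 6
2011-01-05T12:00:16 192.0.2.20 40002 198.51.100.7 53 udp 300 2
"""

INTERNAL = ip_network("192.0.2.0/24")        # assumed: the network being watched
EXPECTED_PORTS = {25, 53, 443, 587}          # assumed: what a mail host should talk to


def parse_flows(text):
    """Turn the text export into a list of dicts; skips blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, src, sport, dst, dport, proto, nbytes, pkts = line.split()
        flows.append({
            "start": start,
            "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport),
            "proto": proto, "bytes": int(nbytes), "packets": int(pkts),
        })
    return flows


def summarize_outbound(flows, internal=INTERNAL):
    """Per internal host: distinct external peers, total bytes out, and bytes
    out by destination port. Inbound and internal-only flows are ignored so
    the picture is what the host itself initiates toward the outside world."""
    summary = defaultdict(lambda: {"peers": set(), "bytes": 0,
                                   "bytes_by_port": defaultdict(int)})
    for f in flows:
        if f["src"] in internal and f["dst"] not in internal:
            s = summary[str(f["src"])]
            s["peers"].add(str(f["dst"]))
            s["bytes"] += f["bytes"]
            s["bytes_by_port"][f["dport"]] += f["bytes"]
    return summary


def flag_hosts(summary, expected_ports=EXPECTED_PORTS,
               peer_threshold=5, unexpected_fraction=0.5):
    """Return {host: [reasons]} for hosts that talk to unusually many peers or
    send most of their bytes to ports the service should not use. Many distinct
    peers on assorted high ports is the shape of the peer-to-peer activity the
    thread describes; the thresholds here are illustrative, not tuned."""
    flagged = {}
    for host, s in summary.items():
        reasons = []
        if len(s["peers"]) > peer_threshold:
            reasons.append(f"{len(s['peers'])} distinct external peers")
        unexpected = sum(b for p, b in s["bytes_by_port"].items()
                         if p not in expected_ports)
        if s["bytes"] and unexpected / s["bytes"] > unexpected_fraction:
            reasons.append(f"{unexpected / s['bytes']:.0%} of outbound bytes "
                           f"to unexpected ports")
        if reasons:
            flagged[host] = reasons
    return flagged


def analyse(text=SAMPLE_FLOWS):
    """Run the whole pipeline over one text export."""
    return flag_hosts(summarize_outbound(parse_flows(text)))


if __name__ == "__main__":
    for host, reasons in analyse().items():
        print(host, "->", "; ".join(reasons))
```

On the sample data only 192.0.2.10 is reported, for both reasons. Because the summary counts only flows the host initiates, a flood of inbound mail does not inflate its peer count; and because the records come from a separate capture point, the result holds even if tools on the suspect host have been tampered with.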