On Sat, 2007-11-24 at 08:51 -0500, Bill Moran wrote:
> "Joel V." wrote:
> >
> > Hello all,
> >
> > I'm not experiencing this problem, my friend is. He's simply too pissed off
> > to write here and I'm afraid he's going to set his office on fire if he
> > doesn't solve the problem soon, so without further ado, here's the problem:
> >
> > He has two fbsd boxes, main server running 6.1 and dns server running 4.3.
> > He has 4 public IPs which he can use and the main server is running on
> > x.x.x.122. His main box is NOT acting as a gateway/NAT box in the office.
> > Today he noticed that net is getting awfully slow. Sometimes there would be
> > 50% pl when pinging, sometimes pinging would be all OK, but SSH is dead-slow
> > and the webpages running on the main server are not displaying. E-mails are
> > not going through. He calls the ISP, who say that his network is showing
> > major uploading activity. He switches off networking services one by one in
> > the main box but situation does not improve. He disconnects the main server
> > and puts a windows xp box instead, which seems to run fine. He puts back the
> > freebsd box, disables all networking services again except for SSH and
> > connects the network: instant 100% networking slow-down. He tried to change
> > the switch, thinking it's faulty. He disconnected every other computer in the
> > office from the network: nothing. He put the public IP address on the
> > second, internal network NIC: same thing. Now it gets really mysterious: he
> > puts the old dns server with the x.x.x.122 IP and instantly it becomes slow
> > as death. The logical conclusion would be that someone is flooding that IP?
> > Only the windows xp box seemed to work fine and the ISP guy said it was
> > upload bandwidth that was excessive...
> >
> > Netstat -a doesn't show anything interesting, arp -a doesn't show any
> > incomplete addresses. He tried to build and install a new fresh kernel.
> > Nothing. This is the most creepy networking problem I've heard of. Can YOU
> > help? Any ideas where to start looking?

>
> +1 on the tcpdump work. Once you have the packet capture, something like
> Wireshark will give you a pretty view of the packets. However, posting
> the text output of tcpdump will allow the crew on this mailing list to
> give you specific advice (once you've done what Julian suggests, you
> can get text output by doing tcpdump -r capture.out)
>
> Overall, based on your vague symptoms, I'd guess you got cracked and
> someone's running a spambot or other bot on that box. They may even
> have it rooted.
>

You may find that out by putting a bridging box (man bridge and sysctl)
in between the internet connection and your box and dumping there. I would
temporarily use my laptop with an extra usb_ethernet device for that.

A mirrorport on a switch + sflow / netflow could show traffic in ntop to
get more insight on your traffic.

more tools:
nmap
tcpflow
chkrootkit
md5sum (too late for tripwire) if you have your bins somewhere else on
tar/tape/cd

Marten
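As an added example, not code from any message in this thread: a small shell helper that takes the text output of `tcpdump -nn -r capture.out` (as suggested above) and totals packets and bytes per sending host, which is the quickest way to confirm that the x.x.x.122 box itself is the source of the upload the ISP reported. The capture lines and addresses are constructed, and the two byte-count formats handled (`length N` from newer tcpdump, `a:b(N)` from the 3.9 series shipped with FreeBSD 6) are an assumption about the output the capture produces.

```shell
#!/bin/sh
# Summarise tcpdump text output by source host: packets and bytes sent.
# The host that tops the bytes column is the one generating the upload.

# Constructed sample of tcpdump -nn text lines (not a real capture).
# 192.0.2.122 stands in for the x.x.x.122 server; others are documentation addresses.
SAMPLE_CAPTURE='08:51:01.000001 IP 192.0.2.122.4431 > 198.51.100.10.25: Flags [P.], seq 1:1401, ack 1, win 65535, length 1400
08:51:01.000002 IP 192.0.2.122.4432 > 198.51.100.11.25: Flags [P.], seq 1:1401, ack 1, win 65535, length 1400
08:51:01.000003 IP 198.51.100.10.25 > 192.0.2.122.4431: Flags [.], ack 1401, win 8192, length 0
08:51:01.000004 IP 192.0.2.122.4433 > 198.51.100.12.25: P 1:1401(1400) ack 1 win 65535
08:51:01.000005 IP 203.0.113.7.22 > 192.0.2.122.55000: Flags [P.], seq 1:101, ack 1, win 100, length 100'

# top_senders: read tcpdump text on stdin, print "host packets bytes",
# sorted by bytes descending. Understands both "length N" (tcpdump 4.x)
# and the older "seq a:b(N)" form (assumed formats, see lead-in).
top_senders() {
    awk '
    $2 == "IP" {
        src = $3
        sub(/\.[0-9]+$/, "", src)          # strip the port from a.b.c.d.port
        bytes = 0
        if (match($0, /length [0-9]+/))
            bytes = substr($0, RSTART + 7, RLENGTH - 7)
        else if (match($0, /\([0-9]+\)/))
            bytes = substr($0, RSTART + 1, RLENGTH - 2)
        pkts[src]++
        total[src] += bytes
    }
    END { for (h in pkts) printf "%s %d %d\n", h, pkts[h], total[h] }
    ' | sort -k3,3nr
}

# Real usage: tcpdump -nn -r capture.out | top_senders
# Here the constructed sample is fed in instead.
printf '%s\n' "$SAMPLE_CAPTURE" | top_senders
```

Run the same pipeline on the capture taken from the bridge or mirror port; if x.x.x.122 dominates the sent-bytes column while every service is stopped, the traffic is coming from the box itself rather than from someone flooding it.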


_______________________________________________
freebsd-hackers@freebsd.org mailing list