On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> The best way to see what is going on is to dump the traffic to a file
> and analyse it. Tcpdump and ethereal are great tools for that
> purpose.

Great! Reagan Blundell also told me about them offline.

> Ethereal will make the job easier and should give you a
> clue. If you are afraid the server has been compromised you have to
> use another computer to get reliable information. I don't know your
> network setup and what you have at disposal. If it is cable/DSL you
> could connect your server through a hub, hook up the other computer
> to the hub and do the dump (you may have to use a crossover cable
> between the modem and the hub).

Yup. It's in server hosting at a provider, and I don't have physical access there... So, I have no option but to do it remotely (or perhaps I could if eth0 was promiscuous, but it isn't?).

Anyway, after filtering out my own ssh traffic, and some DNS traffic (which might have something to do with it, but makes a lot of noise), what I see in tcpdump is this (easynet.no is my provider):

19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434: udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434: udp 376 [ttl 1]
19:41:30.120437 217.77.34.162.2090 > 234.221.95.51.1434: udp 376 [ttl 1]
19:41:30.449589 217.77.34.162.2090 > 226.53.242.62.1434: udp 376 [ttl 1]
19:41:30.556784 217.77.34.162.2090 > 234.225.213.78.1434: udp 376 [ttl 1]
19:41:30.563271 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:30.683433 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:30.773817 217.77.34.162.2090 > 226.95.50.32.1434: udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain: 6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:30.884041 217.77.34.162.2090 > 234.111.203.166.1434: udp 376 [ttl 1]
19:41:31.212205 217.77.34.162.2090 > 234.209.110.68.1434: udp 376 [ttl 1]
19:41:31.321424 www.easynet.no.domain > pooh.kjernsmo.net.39445: 61615 1/2/0 (106) (DF)
19:41:31.429747 217.77.34.162.2090 > 226.20.247.203.1434: udp 376 [ttl 1]
19:41:31.563113 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:31.648080 217.77.34.162.2090 > 234.191.213.120.1434: udp 376 [ttl 1]
19:41:31.683087 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:31.755080 217.77.34.162.2090 > 234.234.114.255.1434: udp 376 [ttl 1]
19:41:31.973809 217.77.34.162.2090 > 226.44.34.125.1434: udp 376 [ttl 1]
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]

Mmmmm, I don't know what machine 217.77.34.162 is, but I wouldn't be surprised if it sits in the same server room as my box... Does this tell you anything?

Thanks a lot for the help!

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
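A small analysis script to go with the "dump it and analyse it" advice in this thread, added here and not part of the original mail: it parses tcpdump lines in the format shown above and flags any source that sends same-size UDP datagrams to many distinct destinations on one port, which is the shape of the 217.77.34.162 traffic. The sample lines are constructed in the shape of the capture, and the minimum destination count is an assumed default.

```python
import re
from collections import defaultdict

# Matches the UDP lines tcpdump prints, e.g.
#   19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
# The last dot-separated element of each endpoint is the port, which also
# copes with resolved names such as pooh.kjernsmo.net.39441.
UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): udp (?P<length>\d+)"
)

def parse_udp(lines):
    """Return (src, sport, dst, dport, length) for each UDP line; skip ARP, DNS, etc."""
    out = []
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if m:
            out.append((m["src"], int(m["sport"]), m["dst"],
                        int(m["dport"]), int(m["length"])))
    return out

def find_fanout(records, min_dsts=5):
    """Group datagrams by (source, destination port, payload size) and return
    the groups that reach at least min_dsts distinct destinations. One host
    spraying identical-size datagrams at many addresses on a single port looks
    like scanning or self-propagation, not like a client talking to a server."""
    dsts = defaultdict(set)
    for src, _sport, dst, dport, length in records:
        dsts[(src, dport, length)].add(dst)
    return {key: sorted(hosts) for key, hosts in dsts.items()
            if len(hosts) >= min_dsts}

# Constructed sample in the shape of the capture above (the threshold is assumed).
SAMPLE = """\
19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434: udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434: udp 376 [ttl 1]
19:41:30.120437 217.77.34.162.2090 > 234.221.95.51.1434: udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain: 6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:31.321424 www.easynet.no.domain > pooh.kjernsmo.net.39445: 61615 1/2/0 (106) (DF)
""".splitlines()

if __name__ == "__main__":
    for (src, dport, length), hosts in find_fanout(parse_udp(SAMPLE)).items():
        print(f"{src} -> udp/{dport} len {length}: {len(hosts)} distinct destinations")
```

Feed it a real capture with `tcpdump -n udp | python3 script.py` style piping by replacing SAMPLE with `sys.stdin`; the DNS and ARP lines are ignored by the parser, so no pre-filtering is needed.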