I agree on this point. That said, I once thought my employer's server was hacked and I ran local utilities and dug through months of logs only to discover that an install of either phpBB or phpMyAdmin had a slice of bad code that allowed someone to install software remotely and run its own p2p network off of it.
I wasted a few days trying to dig in the wrong place. On Jan 5, 2011, at 12:25 PM, David Brodbeck wrote: > On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox <kevin.wil...@gmail.com> wrote: >> On 5 January 2011 10:47, Jerry Bell <je...@nrdx.com> wrote: >> >>> There could be reasons you >>> aren't seeing a spike, such as you're only looking at traffic processed by >>> the MTA, or it simply doesn't show as a material increase on a graph of >>> traffic on the network interface if the server is busy. >> >> Those are good points and to go a little further regarding looking at >> traffic... >> >> To really see what your machine is doing, consider taking a look at >> the network flows. pfflowd, netflowd, ipaudit and a host of others can >> get you flow data with mostly minimal overhead. > > Also, keep in mind that depending on how badly the machine has been > compromised, you may not be able to trust the output of utilities > running on the machine itself. You may have to resort to capturing > its network traffic on another machine for analysis. > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org" _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"