Ouch. I actually backup my system myself remotely (just the files...can also do a fresh install after all). Thanks a lot guys. Ran the toolkits, found nothing. I'm trying to get them to tell me what port the traffic was coming from (I can't see anything weird with netstat or nmap, which makes me wonder how this is happening). The best part is the server is on a 10mbit, but they allow it to go well above 10mbit. They say it's so the server doesn't ping out, but it went over 15mbit. That's a bit much more.

Anyways I'll probably end up doing a fresh install and upping the security and doing continuous monitoring of the system. Thanks for all the ideas/help guys. Appreciate it (also a great topic to always know).

-Russ Kay

-----Original Message-----
From: Angelo Bertolli [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 05, 2005 3:17 PM
To: Russ Kay
Cc: [email protected]
Subject: Re: [UM-LINUX] What to do when your server is compromised

Russ Kay wrote:
> Well, I just got a phone call stating that my server has gone over its
> monthly bandwidth limit by 2TB. Taking into effect the amount of
> bandwidth I used, there are 2.3TB of unaccounted activity. I did a few
> checks to see what is going on (mainly to see if there are root kits
> or sniffers). I checked the log and saw a lot of ssh activity (all
> denials though). I am currently maxing out my pipe and need to stop
> this. So my question is what should one actually do to see how his/her
> box is compromised? What should I check, in which order should I check?
>
Well first find out if you really are going over the limit or not, and if the traffic is legitimate. I knew when I was using Rackspace, I got hit up for bandwidth of their backup system.
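
One of the checks the thread talks about, the ssh log, deserves more than a glance for "all denials": the question is whether any source that was failing later got in. The script below is an added example, not code from either poster; it assumes standard OpenSSH sshd syslog lines, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the standard OpenSSH sshd syslog format (not real log data).
SAMPLE_AUTH_LOG = """\
Nov  5 14:01:11 srv sshd[2201]: Failed password for root from 203.0.113.9 port 51044 ssh2
Nov  5 14:01:13 srv sshd[2201]: Failed password for root from 203.0.113.9 port 51045 ssh2
Nov  5 14:01:15 srv sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51046 ssh2
Nov  5 14:02:40 srv sshd[2210]: Accepted password for backup from 203.0.113.9 port 51090 ssh2
Nov  5 14:05:02 srv sshd[2215]: Failed password for invalid user test from 198.51.100.7 port 40110 ssh2
Nov  5 14:30:00 srv sshd[2290]: Accepted publickey for russ from 192.0.2.10 port 55000 ssh2
"""

# Matches both "Failed ... for invalid user X from IP" and "Accepted ... for X from IP".
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def triage_ssh_log(text):
    """Count failed logins per source address and flag any source that later succeeded."""
    failed = defaultdict(int)
    accepted = []
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if not m:
            continue  # not an sshd auth result line
        if m["result"] == "Failed":
            failed[m["src"]] += 1
        else:
            accepted.append((m["src"], m["user"], m["method"]))
    # A success from an address that was failing moments earlier is exactly the
    # line a quick "it's all denials" read of the log misses.
    suspicious = [(src, user, method) for src, user, method in accepted if failed.get(src)]
    return {"failed": dict(failed), "accepted": accepted, "suspicious": suspicious}


if __name__ == "__main__":
    for key, value in triage_ssh_log(SAMPLE_AUTH_LOG).items():
        print(key, value)
```

Run it against the real auth log (for example `triage_ssh_log(open("/var/log/auth.log").read())`) and treat any entry under "suspicious" as the first place to look before the reinstall.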
