Security Incidents mailing list archives

Re: 1000% increase in traffic


From: Bryan Andersen <bryan () visi com>
Date: Fri, 9 Feb 2001 21:18:44 -0600

First we don't have much to work with.  Any patterns to the
data?  Is it all to one host?  Many hosts?  How many
different ports?  Does it look like specific subnets were
scanned?  Are all the return addresses sent in your subnet?
(i.e. is there spoofing going on?)  Considering you don't
see stuff in your logs, then look for why they don't have
info.  Is there a range of addresses that are excluded from
logging?

As for finding an exploited box, look for incoming traffic.
It could be disguised as something else, like an HTTP transfer
to a client.

Bob Wright wrote:

Hello guys, thank you for reading this email.. I believe I might have an exploited box on my hands. At my place of 
employment we usually range about 728b/s as our average for output (128k Connection).  Now starting at Friday at 12am 
to Sat 12pm (about) MRTG (traffic analyser) showed us averaging about 7744b/s !! on a weekend at that late of night. 
And all out to boot. This worries me because of our data (of course) or that we might have a possible client on one 
of the many machines for a DDOS. Now I have searched through most my logs, inet logs and I can't find a thing..... the 
logs do not LOOK like they were tampered with. These are what I think could have happened.

1) Employee sending files home thinking that no one will be able to detect it.
2) DDOS client on one or several machines
3) We had an intrusion and the great guy he is decided to send our files to himself
4) <input here>

    I am new to this, I'm only an intern however they expect me to look into this? Anyhow I would like to hear what 
you guys out there who have experience think, and as always I love any possible links you might have which discuss 
general procedure or any site that deals with network security.

I thank you again for reading my email.

-Robert Wright

--
|  Bryan Andersen   |   bryan () visi com   |   http://softail.visi.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |

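The triage questions in Bryan's reply (one host or many, how many ports, whether the source addresses belong to your own subnet, which hosts never show up in the logs) can be answered mechanically once you have flow records from the border. The script below is an added example, not code from the thread or from either poster; it runs over a small set of constructed outbound flow records and assumes the local network is 192.0.2.0/24 (both the records and the prefix are invented for illustration). It reports where the bytes are going, the destination ports in use, flows whose source address is not in the local range (the spoofing check), and local sources that generate traffic but never appear in the inet logs (the "range excluded from logging" check).

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample flow records (not from the original thread): outbound
# flows seen at the border, one per line as "src dst sport dport bytes".
SAMPLE_FLOWS = """\
192.0.2.17 198.51.100.5 1025 80 52000
192.0.2.17 198.51.100.5 1026 80 48000
192.0.2.17 198.51.100.5 1027 80 51000
192.0.2.23 203.0.113.9 3456 22 1200
10.9.9.9 198.51.100.5 1028 80 50000
192.0.2.17 198.51.100.7 1029 6667 900
"""

# Assumed local prefix; replace with the site's real subnet.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, sport, dport, nbytes = line.split()
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "sport": int(sport),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def summarize(flows, local_net=LOCAL_NET):
    """Answer the pattern questions: one host or many, which ports, spoofed sources."""
    bytes_by_dst = Counter()
    bytes_by_src = Counter()
    ports_by_dst = defaultdict(set)
    spoofed = []
    for f in flows:
        bytes_by_dst[str(f["dst"])] += f["bytes"]
        bytes_by_src[str(f["src"])] += f["bytes"]
        ports_by_dst[str(f["dst"])].add(f["dport"])
        # An outbound packet whose source is not ours is either spoofed
        # or routed through us from somewhere it should not be.
        if f["src"] not in local_net:
            spoofed.append(f)
    total = sum(bytes_by_src.values())
    top_dst, top_dst_bytes = bytes_by_dst.most_common(1)[0]
    return {
        "total_bytes": total,
        "top_dst": top_dst,
        "top_dst_share": top_dst_bytes / total,   # near 1.0 means "all to one host"
        "top_src": bytes_by_src.most_common(1)[0][0],
        "distinct_dsts": len(bytes_by_dst),
        "distinct_dports": sorted({f["dport"] for f in flows}),
        "ports_by_dst": {d: sorted(p) for d, p in ports_by_dst.items()},
        "spoofed_src_flows": len(spoofed),
    }


def unlogged_sources(flows, logged_hosts):
    """Local sources that sent traffic but never appear in the inet logs.

    logged_hosts is the set of source addresses (as strings) the application
    or proxy logs do contain; anything sending bytes that is missing from it
    points at a logging gap or a host talking around the logged path."""
    senders = {str(f["src"]) for f in flows}
    return sorted(senders - set(logged_hosts))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    report = summarize(flows)
    for key, value in report.items():
        print(f"{key}: {value}")
    # Constructed: the inet logs only ever mention 192.0.2.23.
    print("sending but unlogged:", unlogged_sources(flows, {"192.0.2.23"}))
```

With the constructed records, one destination receives about 99% of the bytes over port 80, which is exactly the "disguised as an HTTP transfer" case Bryan mentions: the port alone says nothing, the volume and the single-destination skew do. The unlogged-sources check is the cheap way to find the address range or host that the logs are silently missing.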
