Just to be sure, you aren't running a nightly backup job that sends
your data offsite, are you? ;-) I had a similar experience, as I
ship a fair amount of data off to Amazon S3 every night.
I think you ought to try trending your traffic. Set up something like
MRTG or Cacti to monitor your ethernet interface and see when this
traffic change is occurring. Spikes in activity may help you identify
the process.
As was previously mentioned, NTOP might help here as well. In fact,
if you are only seeing 1 or 2 GB, I imagine that it will handle it
just fine. Fire it up during a spike, and you ought to be able to
look at the activity by 'host'. You should see where you are sending
all of this data fairly quickly.
Best of Luck,
Michael Gorsuch
http://www.styledbits.com
On Tue, May 27, 2008 at 5:15 PM, Gary Baribault <gary@baribault.net> wrote:
I've seen that type of stuff in my logs too .. their looking for known pages
with vulnerabilities, but that shouldn't generate 1Gig of outbound trafic ..
Your sending something out ..
Gary Baribault
Courriel: gary@baribault.net
GPG Key: 0x4346F013
GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013
Jonathan Adams wrote:
Well since the last post, I've scanned the drive for large files
(warez) nothing there...
aside from the proxying Im getting alot of weird (botnet I guess) traffic
looks like this:
[Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does
not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
[Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does
not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
[Tue May 27 14:38:02 2008] [error] [client 217.128.102.142] File does
not exist: /home/[snip]/www/voyageur.php
[Tue May 27 14:55:42 2008] [error] [client 64.56.75.87] File does not
exist: /home/[snip]/www/proxy.php
[Tue May 27 15:23:47 2008] [error] [client 74.222.3.9] File does not
exist: /home/[snip]/www/edit.php
[Tue May 27 15:28:57 2008] [error] [client 74.222.3.9] File does not
exist: /home/[snip]/www/edit.php
[Tue May 27 15:31:39 2008] [error] [client 64.56.75.87] File does not
exist: /home/[snip]/www/proxy.php
[Tue May 27 15:31:47 2008] [error] [client 74.222.3.9] File does not
exist: /home/[snip]/www/edit.php
[Tue May 27 15:33:16 2008] [error] [client 128.194.135.85] request
failed: error reading the headers
[Tue May 27 16:07:29 2008] [error] [client 64.56.75.87] File does not
exist: /home/[snip]/www/proxy.php
[Tue May 27 16:42:58 2008] [error] [client 64.56.75.87] File does not
exist: /home/[snip]/www/proxy.php
The 64 address is a serial offender, I' ve over 700 hits from it in
the logs
Appears to be in LA California, most likely a hacked server - it has
the normal ports open
"IP: 64.56.75.87 Location:
Los Angeles, CALIFORNIA, United States US (Vrtservers, Inc)"
The china stuff in my logs has just shifted to different IPs since the
last batch of update FW rules, but the traffic is high
123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET
http://history.jangseong.g
o.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0
(compatible; MSIE 6.0;
Windows NT 5.0)"
123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET
http://history.jangseong.g
o.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0
(compatible; MSIE 6.0;
Windows NT 5.0)"
laubervilliers-153-52-7-142.w217-128.abo.wanadoo.fr - -
[27/May/2008:14:38:02 -0
400] "GET http://www.tdm80.com/voyageur.php?voyageur=Lucario HTTP/1.1"
404 1277 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705;
.NET CLR 1.1.4322)"
llf520098.crawl.yahoo.net - - [27/May/2008:14:45:18 -0400] "GET
/robots.txt HTTP /1.0"
200 116 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp;
http://help.yahoo.com/
help/us/ysearch/slurp)"
lj513318.crawl.yahoo.net - - [27/May/2008:14:45:19 -0400] "GET
/2008/p/?D=A HTTP /1.0"
200 653 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp;
http://help.yahoo.com/
help/us/ysearch/slurp)"
msnbot-65-55-210-104.search.msn.com - - [27/May/2008:14:48:25 -0400]
"GET /robot s.txt
HTTP/1.1" 200 116 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
65.55.210.104 - - [27/May/2008:14:48:25 -0400] "GET
/school_code_and_files/paper
s_pres_etc/?M=D HTTP/1.1" 200 1274 "-" "msnbot/1.1
(+http://search.msn.com/msnbo
t.htm)"
64.56.75.87 - - [27/May/2008:14:55:42 -0400] "POST
http://mp3lux.net/proxy.php H
TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1)"
214.228.83-79.rev.gaoland.net - - [27/May/2008:15:17:24 -0400] "GET
http://java-
belle.antiville.fr/ HTTP/1.1" 200 1802 "-" "Mozilla/4.0 (compatible;
MSIE 6.0; W indows NT
5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
74.222.3.9 - - [27/May/2008:15:23:47 -0400] "GET
http://ldvid.info/edit.php HTTP
/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
98; Win 9x 4.90)"
74.222.3.9 - - [27/May/2008:15:28:57 -0400] "GET
http://ldvid.info/edit.php HTTP
/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
98; Win 9x 4.90)"
64.56.75.87 - - [27/May/2008:15:31:39 -0400] "POST
http://mp3lux.net/proxy.php H
TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1)"
74.222.3.9 - - [27/May/2008:15:31:47 -0400] "GET
http://ldvid.info/edit.php HTTP
/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
98; Win 9x 4.90)"
128.194.135.85 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400
367 "-" "-"
64.56.75.87 - - [27/May/2008:16:07:29 -0400] "POST
http://mp3lux.net/proxy.php H
TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1)"
64.56.75.87 - - [27/May/2008:16:42:58 -0400] "POST
http://mp3lux.net/proxy.php H
TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1)"
This is definitely the source of my troubles.
I've blackholed the serial offending IP's but Im sure it will shift
again.
On Tue, May 27, 2008 at 3:49 PM, Lukasz Piatek <lpiatek@mcts.pl> wrote:
Have you checked what kind of traffic is flooding you (I mean did you
perform traffic analyze)?
-----Original Message-----
From: Jonathan Adams [mailto:keirre.adams@gmail.com]
Sent: Tuesday, May 27, 2008 1:59 PM
To: incidents@securityfocus.com
Subject: Weird Traffic
All,
I have a leased server I use to host some websites and for the past
week I have been getting traffic warnings. The server has been
transferring > 1GB of data per day, which is unusually high,
especially since I moved my mail to Google Apps. I have noticed a
ridiculous amount of attempted proxying attemptes in my logs, but I do
not have mod proxy turned on. I suspect my server is on some list. I
firewalled off a large number of subnets from China and my traffic
dropped for a few days, then this morning, 2735MB transferred in 24
hrs.
As of right now, I am planning to blackhole all China traffic, since
thats where most of this is comming from, along with the occasional
traffic from France and other places in Eur. Is this common? If so
are there any other remedies?
--
"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi
__________ Information from ESET NOD32 Antivirus, version of virus
signature
database 3135 (20080527) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
__________ Information from ESET NOD32 Antivirus, version of virus
signature
database 3135 (20080527) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
