
I think we're in for another slowdown today at the usual time.



Bimmer Nut Ed
02-15-2005, 10:03 AM
Here's a link to what my eth0 card is doing, and for some reason, starting Sat afternoon, outbound traffic has been running way high on my server. It's continuing now (even after yesterday's reboot) and I can't figure out what exactly is causing it. You can see in the graphs, that Sunday night I moved my DB off to a back end network. The green goes way down, but the outbound stays high.

You can see on the yearly graph when I implemented the separate DB server, the first of the year. But since Sunday night, that green traffic is down, but the blue line, outbound traffic, stays high.

http://www.bimmer.info/ed/outside.html

I can't believe the way the pattern is, that it could be one person doing FTP, especially since after the reboot it stays high. And it's high all day, with some minor peaks. But anyway, any Linux/UNIX gurus got any ideas? I'm going to go look at the logs for that time on Sat to see what I can find.

http://www.bimmer.info/ed/outside.html

bimmerd00d
02-15-2005, 10:10 AM
Looks like someone hacked the server, and is whoring the outbound bandwidth!

http://www.ethereal.com/download.html

Try that packet sniffer and see how much traffic you have on Port 21, or what other port is clogging it up.

DallasBill
02-15-2005, 10:14 AM
I'm not an expert just reading 2 graphs, but something to look at:

Scan for new program installs and folders, since the slowdown, esp. if you have SMTP running. Someone could have hacked your server and is using it to auto-send massive amounts of spam email out. This happens all the time. If you don't need SMTP, shut it down.

granit_silber
02-15-2005, 10:22 AM
Ed,

I am no UNIX pro, but last Nov. the transfer speeds for my broadband connection went from 2.6MBps to 4kbps. After contacting the ISP, I was told someone in the neighborhood was using the bandwidth for an illegal file server.

Someone has hacked your system and whether it's spamming, ftp, or using your bandwidth to host a stealth site; someone's definitely on your system.
I've noticed that the slowdown happens during the day, which would make sense if you didn't want your "host" to know about you.

(kinda OT) Just so you know Ed, I appreciate you setting up this forum and letting us play. I also hope your interview went well yesterday.
-ashley

Bimmer Nut Ed
02-15-2005, 11:40 AM
Good info guys. The SMTP thing might be something. I'll do as you suggest d00d. I did check the normal SMTP traffic (I should really say usage), and it's real low. I do need SMTP but I could also move that to another server. I may try turning it off during this afternoon's pinch.

Ashley, I know that might be a possibility too. But the graph I'm showing you is the activity on my server, not on my router, so someone could be hijacking my wireless router access, but it should not show up on my server's stats. My server is the one that's doing all that "outbound". And it's immediate, even after a boot, so I could see a script that might be hidden using my SMTP up. Although, now that I think of it, SMTP activity is not what I'm seeing in a TOP command during the problem periods. It's always HTTP. hmmm, the mystery may go on.

bimmerd00d
02-15-2005, 01:54 PM
Wonder if they're relaying something via the HTTP Port. Check to see if it's the same server being relayed, or if it is actually just a lot of legit traffic.
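The check bimmerd00d suggests, deciding whether the outbound HTTP volume is one or two clients pulling the same thing over and over or ordinary traffic spread across many visitors, can be answered from the web server's access log before touching a packet sniffer. The script below is an added example and is not code from the thread or from any of the posters: it parses NCSA combined-format lines (the default Apache format), sums the bytes-sent field, which is the outbound direction the eth0 graph shows, and ranks clients and paths by volume. The log lines are constructed sample data, the `share_threshold` of 50% is an assumed cut-off for "concentrated", and `parse_log`, `bytes_by` and `summarize` are hypothetical helper names.

```python
"""Rank outbound HTTP bytes by client and by requested path from an access log.

Added example for the thread above, not the forum's own tooling. The bytes-sent
column of a combined-format access log is server-to-client traffic, so summing
it by client IP and by path shows whether a handful of hosts or one file is
responsible for the outbound spike.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic from the thread's server).
# Field 10 is bytes sent; "-" means nothing was sent (e.g. a 304 response).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2005:14:02:11 -0600] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Feb/2005:14:02:15 -0600] "GET /files/big.iso HTTP/1.1" 200 52428800 "-" "Wget/1.9"
198.51.100.7 - - [12/Feb/2005:14:05:40 -0600] "GET /files/big.iso HTTP/1.1" 206 52428800 "-" "Wget/1.9"
10.0.0.9 - - [12/Feb/2005:14:06:02 -0600] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 15360 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Feb/2005:14:06:30 -0600] "GET /files/big.iso HTTP/1.1" 200 52428800 "-" "curl/7.12"
10.0.0.5 - - [12/Feb/2005:14:07:00 -0600] "GET /style.css HTTP/1.1" 304 - "-" "Mozilla/4.0"
this line is garbage and should be skipped
"""

# NCSA combined format up to the bytes-sent field; referer/agent are not needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_log(text):
    """Return one record per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split()
        # Request line is "METHOD PATH PROTO"; drop the query string from PATH.
        path = parts[1].split("?")[0] if len(parts) > 1 else "-"
        sent = m.group("bytes")
        records.append({
            "ip": m.group("ip"),
            "path": path,
            "status": int(m.group("status")),
            "bytes": 0 if sent == "-" else int(sent),
        })
    return records


def bytes_by(records, key):
    """Sum outbound bytes per distinct value of `key`, largest first."""
    totals = defaultdict(int)
    for r in records:
        totals[r[key]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def summarize(records, share_threshold=0.5):
    """Top clients/paths and whether one of them dominates outbound volume.

    share_threshold is an assumed cut-off: if the single biggest client or
    path accounts for at least this share of all bytes, flag it as concentrated.
    """
    total = sum(r["bytes"] for r in records)
    by_ip = bytes_by(records, "ip")
    by_path = bytes_by(records, "path")
    top_ip_share = (by_ip[0][1] / total) if (total and by_ip) else 0.0
    top_path_share = (by_path[0][1] / total) if (total and by_path) else 0.0
    return {
        "total_bytes": total,
        "top_clients": by_ip[:5],
        "top_paths": by_path[:5],
        "top_client_share": top_ip_share,
        "top_path_share": top_path_share,
        "concentrated": max(top_ip_share, top_path_share) >= share_threshold,
    }


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(f"total outbound bytes: {s['total_bytes']}")
    for ip, n in s["top_clients"]:
        print(f"  client {ip:16} {n:>12} bytes")
    for path, n in s["top_paths"]:
        print(f"  path   {path:16} {n:>12} bytes")
    print("concentrated:", s["concentrated"])
```

Run it against the real log with `parse_log(open("/var/log/httpd/access_log").read())`, restricting to the slowdown window if the file is large. A result where one path and two or three clients carry most of the bytes points at a single file being pulled repeatedly (or a relay through the HTTP port, as the post above wonders); a flat distribution across many clients and paths is the "just a lot of legit traffic" case. This only covers the HTTP side Ed sees in top; the sniffer suggested earlier in the thread is still the way to account for traffic that never goes through the web server.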