hacked 2004-06-07 - By Michael Heinrich
No,
tcpdump -i ethX
X stands for the id of your interface not the ip-address. Type in ifconfig and you will see the IDs of your interfaces.
Example:
tcpdump -i eth0
Regards, Michael
----- Original Message -----
From: "Harry Hambi" <harry.hambi@(protected)>
To: "Discussion of Red Hat Linux 7.3 (Valhalla)" <valhalla-list@(protected)>
Sent: Monday, June 07, 2004 4:46 PM
Subject: RE: hacked
> Hi,
> DO U MEAN tcpdump -i ethx x= ip address of interface, when I run this
> command I get
> Bind: no such device
>
>
> -----Original Message-----
> From: valhalla-list-bounces@(protected)
> [mailto:valhalla-list-bounces@(protected)] On Behalf Of John
> Ceballos-contr
> Sent: 07 June 2004 14:39
> To: linux@(protected); valhalla-list@(protected)
> Subject: Re: hacked
>
>
> Have you done a ps -ef on the box to see at least what processes are
> running? Another thing that you can do is do a tcpdump -i ethX where X
> is the number of the network interface that you want to look at. I would
> redirect this to a file and then look at it later. Let this go for a
> couple of minutes. After that, do a control-C to get out of it. Open up
> the file you just created and see what is happening on your NIC. This
> should be another thing that should give you a better view of what is
> happening with your computer. The last thing is go through the rc.d
> files and see if there are any programs that are starting up that you
> don't know about. Well, I hope this helps.
>
> >>> linux@(protected) 6/6/2004 7:52:14 AM >>>
>
> Hello,
> Since yesterday I have a huge network traffic increase
>
> It goes from a 12Gb to 45Gb a month.
>
> Somebody is messing around.
>
> I did the following:
> Only access sshd with one ip-address
> changed password root (it was a #$%EEE123) alike password reboot
>
> Tasks server, directly connected to internet:
> It's a ftp server for authenticated users
> It's a mail server running on IBM Domino 5.012 which is pretty (I think
> ...) secure
>
> When I take a look at /var/messages and /var/secure I see nothing
> strange
>
> I am running kernel 2.4.20-28.7 on i686
>
> Question:
> 1. How can I see which process is producing the traffic?
> 2. What else can I do?
_______________________________________________
Valhalla-list mailing list
Valhalla-list@(protected)
https://www.redhat.com/mailman/listinfo/valhalla-list
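
An added example, not part of the original thread: one way to do the "redirect this to a file and then look at it later" step suggested above, by summing payload bytes per sending address and port. It assumes the text output of a current tcpdump run with -nn; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Capture step (needs root; stop with Ctrl-C after a couple of minutes):
#   tcpdump -nn -i eth0 > capture.txt
# then summarise it with:
#   top_senders 10 < capture.txt

# Constructed sample lines (documentation addresses), standing in for capture.txt.
sample_capture() {
cat <<'EOF'
14:02:11.000001 IP 192.0.2.10.21 > 203.0.113.5.40112: Flags [P.], seq 1:81, ack 1, win 229, length 80
14:02:11.000450 IP 192.0.2.10.20 > 203.0.113.5.40113: Flags [.], seq 1:1449, ack 1, win 229, length 1448
14:02:11.000460 IP 192.0.2.10.20 > 203.0.113.5.40113: Flags [.], seq 1449:2897, ack 1, win 229, length 1448
14:02:11.000900 IP 203.0.113.5.40113 > 192.0.2.10.20: Flags [.], ack 2897, win 501, length 0
14:02:11.001200 IP 198.51.100.7.51515 > 192.0.2.10.25: Flags [P.], seq 1:513, ack 1, win 229, length 512: SMTP
14:02:11.002000 IP 192.0.2.10 > 198.51.100.7: ICMP echo reply, id 7, seq 1, length 64
14:02:11.003000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
EOF
}

# top_senders [COUNT]: read tcpdump text on stdin and print
# "bytes packets ip port" for the COUNT busiest senders, largest first.
top_senders() {
    awk '
        $2 == "IP" && $4 == ">" {           # IPv4 lines only; ARP etc. are skipped
            len = ""
            for (i = 5; i < NF; i++)
                if ($i == "length") { len = $(i + 1); break }
            sub(/[^0-9].*$/, "", len)       # "512:" -> "512"
            if (len == "") next
            n = split($3, p, /[.]/)
            if (n == 5)      { ip = p[1] "." p[2] "." p[3] "." p[4]; port = p[5] }
            else if (n == 4) { ip = $3; port = "-" }    # ICMP has no port
            else next
            key = ip " " port
            bytes[key] += len
            pkts[key]++
        }
        END { for (k in bytes) print bytes[k], pkts[k], k }
    ' | sort -rn | head -n "${1:-10}"
}

sample_capture | top_senders 3
```

A local port that dominates the list can then be matched to its owning process with `netstat -tnp`, run as root.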