Weird Traffic


Weird Traffic

by Jonathan Adams-5

All,

  I have a leased server I use to host some websites and for the past
week I have been getting traffic warnings. The server has been
transferring > 1GB of data per day, which is unusually high,
especially since I moved my mail to Google Apps. I have noticed a
ridiculous number of proxying attempts in my logs, but I do
not have mod_proxy turned on. I suspect my server is on some list.  I
firewalled off a large number of subnets from China and my traffic
dropped for a few days, then this morning, 2735MB transferred in 24
hrs.

  As of right now, I am planning to blackhole all China traffic, since
that's where most of this is coming from, along with the occasional
traffic from France and other places in Europe. Is this common?  If so
are there any other remedies?

--

"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi

RE: Weird Traffic

by Jackson, Ben (ITD)

On my personal web server, I have been seeing badly configured spiders
from China "indexing" my site. These spiders seem to choke on certain
URLs and keep appending data to the URL. I only seem to notice
them after I see 2000+ hits on my site in a single day.

I have tried to stop them, but they don't seem to understand "403".

I've seen two IPs doing this:

202.108.23.172
220.181.38.82

                                ~Ben

--
Ben Jackson, GCIA - Sr. Security Engineer - Commonwealth of
Massachusetts
ben.jackson@... - +1-617-626-4575 (v) - +1-617-626-4459 (f)
"Security software is no replacement for secure software"

-----Original Message-----
From: incidents-return-9427-ben.jackson=state.ma.us@...
[mailto:incidents-return-9427-ben.jackson=state.ma.us@...]
On Behalf Of Jonathan Adams
Sent: Tuesday, May 27, 2008 7:59 AM
To: incidents@...
Subject: Weird Traffic

All,

  I have a leased server I use to host some websites and for the past
week I have been getting traffic warnings. The server has been
transferring > 1GB of data per day, which is unusually high, especially
since I moved my mail to Google Apps. I have noticed a ridiculous number
of proxying attempts in my logs, but I do not have mod_proxy
turned on. I suspect my server is on some list.  I firewalled off a
large number of subnets from China and my traffic dropped for a few
days, then this morning, 2735MB transferred in 24 hrs.

  As of right now, I am planning to blackhole all China traffic, since
that's where most of this is coming from, along with the occasional
traffic from France and other places in Europe. Is this common?  If so are
there any other remedies?

--

"Strength does not come from physical capacity. It comes from an
indomitable will." - Mohandas Gandhi

Re: Weird Traffic

by Michael Loftis



--On May 27, 2008 7:59:29 AM -0400 Jonathan Adams <keirre.adams@...>
wrote:

> All,
>
>   I have a leased server I use to host some websites and for the past
> week I have been getting traffic warnings. The server has been
> transferring > 1GB of data per day, which is unusually high,
> especially since I moved my mail to Google Apps. I have noticed a
> ridiculous number of proxying attempts in my logs, but I do
> not have mod_proxy turned on. I suspect my server is on some list.  I
> firewalled off a large number of subnets from China and my traffic
> dropped for a few days, then this morning, 2735MB transferred in 24
> hrs.
>
>   As of right now, I am planning to blackhole all China traffic, since
> that's where most of this is coming from, along with the occasional
> traffic from France and other places in Europe. Is this common?  If so
> are there any other remedies?

No, it's not common.  And it's unlikely that denied proxy attempts would
generate so many gigs of outgoing traffic, unless you're sending back a
really large chunk of HTML for your ErrorDocument.  I'd look elsewhere for
the source on your server.  Try using tcpdump, weeding out *your* ssh
traffic (since you'd otherwise see the packets carrying your own packets....) and the
web traffic, and see what's left.  You could also use/try something like ntop,
although I've found ntop to not be very stable in high traffic in the past.

If it is web traffic, it's really doubtful that it's the denied-request traffic.



Re: Weird Traffic

by Jonathan Adams-5

I've not found the source of the majority of the data, but I have
found a huge amount of weird requests in my apache log, and I'm fairly
certain it's HTTP traffic...  I may cron a protocol analysis tool
tonight to see if I can find more. I've run nmap scans, but stupidly
have not used the UDP scan as someone else posted... nothing amiss in
the process list...

There's no change to my httpd.conf, and I don't see a big hit in my
disk space... dunno... it is a mystery.  I'll do some more analysis
and if I find anything I'll post it to the list.

On 5/27/08, Pope <elpope@...> wrote:

> Hey Jonathan,
>
> It might sound obvious, but exactly WHAT KIND OF TRAFFIC is being moved?
>
> I mean, if it's just HTTP traffic, and you've transferred 2.7 GB in one day,
> you should start thinking about what you are hosting. Sounds to me like
> someone planted a file server in there without you noticing; could be?
>
> Find the content being transferred (warez, movies, porn... you can bet) and
> remove it. End of the problem.
>
> Regards
>
>
> On Tue, May 27, 2008 at 1:59 PM, Jonathan Adams <keirre.adams@...>
> wrote:
> > All,
> >
> >  I have a leased server I use to host some websites and for the past
> > week I have been getting traffic warnings. The server has been
> > transferring > 1GB of data per day, which is unusually high,
> > especially since I moved my mail to Google Apps. I have noticed a
> > ridiculous number of proxying attempts in my logs, but I do
> > not have mod_proxy turned on. I suspect my server is on some list.  I
> > firewalled off a large number of subnets from China and my traffic
> > dropped for a few days, then this morning, 2735MB transferred in 24
> > hrs.
> >
> >  As of right now, I am planning to blackhole all China traffic, since
> > that's where most of this is coming from, along with the occasional
> > traffic from France and other places in Europe. Is this common?  If so
> > are there any other remedies?
> >
> > --
> >
> > "Strength does not come from physical capacity. It comes from an
> > indomitable will." -
> > Mohandas Gandhi
> >
>
>
>
> --
> Pope
> elpope # gmail · com
>
> "You have been down there, Neo. You know that road. You know exactly where
> it ends. And I know that's not where you want to be." [Trinity @ Matrix]

Re: Weird Traffic

by Jonathan Adams-5

Well, since the last post I've scanned the drive for large files
(warez): nothing there...

Aside from the proxying, I'm getting a lot of weird (botnet, I guess) traffic.

It looks like this:
[Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
[Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
[Tue May 27 14:38:02 2008] [error] [client 217.128.102.142] File does not exist: /home/[snip]/www/voyageur.php
[Tue May 27 14:55:42 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
[Tue May 27 15:23:47 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
[Tue May 27 15:28:57 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
[Tue May 27 15:31:39 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
[Tue May 27 15:31:47 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
[Tue May 27 15:33:16 2008] [error] [client 128.194.135.85] request failed: error reading the headers
[Tue May 27 16:07:29 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
[Tue May 27 16:42:58 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php


The 64 address is a serial offender; I've over 700 hits from it in the logs.
It appears to be in LA, California, most likely a hacked server - it has
the normal ports open.
"IP: 64.56.75.87 Location:
Los Angeles, CALIFORNIA, United States US (Vrtservers, Inc)"


The China stuff in my logs has just shifted to different IPs since the
last batch of updated FW rules, but the traffic is high.

123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
laubervilliers-153-52-7-142.w217-128.abo.wanadoo.fr - - [27/May/2008:14:38:02 -0400] "GET http://www.tdm80.com/voyageur.php?voyageur=Lucario HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
llf520098.crawl.yahoo.net - - [27/May/2008:14:45:18 -0400] "GET /robots.txt HTTP/1.0" 200 116 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
lj513318.crawl.yahoo.net - - [27/May/2008:14:45:19 -0400] "GET /2008/p/?D=A HTTP/1.0" 200 653 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
msnbot-65-55-210-104.search.msn.com - - [27/May/2008:14:48:25 -0400] "GET /robots.txt HTTP/1.1" 200 116 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
65.55.210.104 - - [27/May/2008:14:48:25 -0400] "GET /school_code_and_files/papers_pres_etc/?M=D HTTP/1.1" 200 1274 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
64.56.75.87 - - [27/May/2008:14:55:42 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
214.228.83-79.rev.gaoland.net - - [27/May/2008:15:17:24 -0400] "GET http://java-belle.antiville.fr/ HTTP/1.1" 200 1802 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
74.222.3.9 - - [27/May/2008:15:23:47 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
74.222.3.9 - - [27/May/2008:15:28:57 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
64.56.75.87 - - [27/May/2008:15:31:39 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
74.222.3.9 - - [27/May/2008:15:31:47 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
128.194.135.85 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400 367 "-" "-"
64.56.75.87 - - [27/May/2008:16:07:29 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.56.75.87 - - [27/May/2008:16:42:58 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

This is definitely the source of my troubles.

I've blackholed the serial offending IPs, but I'm sure it will shift again.


On Tue, May 27, 2008 at 3:49 PM, Lukasz Piatek <lpiatek@...> wrote:

> Have you checked what kind of traffic is flooding you (I mean, did you
> perform traffic analysis)?
>
> -----Original Message-----
> From: Jonathan Adams [mailto:keirre.adams@...]
> Sent: Tuesday, May 27, 2008 1:59 PM
> To: incidents@...
> Subject: Weird Traffic
>
> All,
>
>  I have a leased server I use to host some websites and for the past
> week I have been getting traffic warnings. The server has been
> transferring > 1GB of data per day, which is unusually high,
> especially since I moved my mail to Google Apps. I have noticed a
> ridiculous number of proxying attempts in my logs, but I do
> not have mod_proxy turned on. I suspect my server is on some list.  I
> firewalled off a large number of subnets from China and my traffic
> dropped for a few days, then this morning, 2735MB transferred in 24
> hrs.
>
>  As of right now, I am planning to blackhole all China traffic, since
> that's where most of this is coming from, along with the occasional
> traffic from France and other places in Europe. Is this common?  If so
> are there any other remedies?
>
> --
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi
>



--
___________________________
Jon Adams

web: http://www.scis.nova.edu/~jonaadam
mail: keirre.adams@...
---------------------------------------------

"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi

Re: Weird Traffic

by Gary Baribault-2

I've seen that type of stuff in my logs too .. they're looking for known
pages with vulnerabilities, but that shouldn't generate 1Gig of outbound
traffic .. You're sending something out ..

Gary Baribault
Courriel: gary@...
GPG Key: 0x4346F013
GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013



Jonathan Adams wrote:

> Well, since the last post I've scanned the drive for large files
> (warez): nothing there...
>
> Aside from the proxying, I'm getting a lot of weird (botnet, I guess) traffic.
>
> It looks like this:
> [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
> [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
> [Tue May 27 14:38:02 2008] [error] [client 217.128.102.142] File does not exist: /home/[snip]/www/voyageur.php
> [Tue May 27 14:55:42 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
> [Tue May 27 15:23:47 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
> [Tue May 27 15:28:57 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
> [Tue May 27 15:31:39 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
> [Tue May 27 15:31:47 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
> [Tue May 27 15:33:16 2008] [error] [client 128.194.135.85] request failed: error reading the headers
> [Tue May 27 16:07:29 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
> [Tue May 27 16:42:58 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
>
>
> The 64 address is a serial offender; I've over 700 hits from it in the logs.
> It appears to be in LA, California, most likely a hacked server - it has
> the normal ports open.
> "IP: 64.56.75.87 Location:
> Los Angeles, CALIFORNIA, United States US (Vrtservers, Inc)"
>
>
> The China stuff in my logs has just shifted to different IPs since the
> last batch of updated FW rules, but the traffic is high.
>
> 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
> 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
> laubervilliers-153-52-7-142.w217-128.abo.wanadoo.fr - - [27/May/2008:14:38:02 -0400] "GET http://www.tdm80.com/voyageur.php?voyageur=Lucario HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> llf520098.crawl.yahoo.net - - [27/May/2008:14:45:18 -0400] "GET /robots.txt HTTP/1.0" 200 116 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
> lj513318.crawl.yahoo.net - - [27/May/2008:14:45:19 -0400] "GET /2008/p/?D=A HTTP/1.0" 200 653 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
> msnbot-65-55-210-104.search.msn.com - - [27/May/2008:14:48:25 -0400] "GET /robots.txt HTTP/1.1" 200 116 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
> 65.55.210.104 - - [27/May/2008:14:48:25 -0400] "GET /school_code_and_files/papers_pres_etc/?M=D HTTP/1.1" 200 1274 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
> 64.56.75.87 - - [27/May/2008:14:55:42 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 214.228.83-79.rev.gaoland.net - - [27/May/2008:15:17:24 -0400] "GET http://java-belle.antiville.fr/ HTTP/1.1" 200 1802 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> 74.222.3.9 - - [27/May/2008:15:23:47 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
> 74.222.3.9 - - [27/May/2008:15:28:57 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
> 64.56.75.87 - - [27/May/2008:15:31:39 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 74.222.3.9 - - [27/May/2008:15:31:47 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
> 128.194.135.85 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400 367 "-" "-"
> 64.56.75.87 - - [27/May/2008:16:07:29 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 64.56.75.87 - - [27/May/2008:16:42:58 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>
> This is definitely the source of my troubles.
>
> I've blackholed the serial offending IPs, but I'm sure it will shift again.
>
>
> On Tue, May 27, 2008 at 3:49 PM, Lukasz Piatek <lpiatek@...> wrote:
> > Have you checked what kind of traffic is flooding you (I mean, did you
> > perform traffic analysis)?
> >
> > -----Original Message-----
> > From: Jonathan Adams [mailto:keirre.adams@...]
> > Sent: Tuesday, May 27, 2008 1:59 PM
> > To: incidents@...
> > Subject: Weird Traffic
> >
> > All,
> >
> >  I have a leased server I use to host some websites and for the past
> > week I have been getting traffic warnings. The server has been
> > transferring > 1GB of data per day, which is unusually high,
> > especially since I moved my mail to Google Apps. I have noticed a
> > ridiculous number of proxying attempts in my logs, but I do
> > not have mod_proxy turned on. I suspect my server is on some list.  I
> > firewalled off a large number of subnets from China and my traffic
> > dropped for a few days, then this morning, 2735MB transferred in 24
> > hrs.
> >
> >  As of right now, I am planning to blackhole all China traffic, since
> > that's where most of this is coming from, along with the occasional
> > traffic from France and other places in Europe. Is this common?  If so
> > are there any other remedies?
> >
> > --
> >
> > "Strength does not come from physical capacity. It comes from an
> > indomitable will." -
> > Mohandas Gandhi
> >
>


Re: Weird Traffic

by Michael Gorsuch-3

Just to be sure, you aren't running a nightly backup job that sends
your data offsite, are you?  ;-)  I had a similar experience, as I
ship a fair amount of data off to Amazon S3 every night.

I think you ought to try trending your traffic.  Set up something like
MRTG or Cacti to monitor your ethernet interface and see when this
traffic change is occurring.  Spikes in activity may help you identify
the process.

As was previously mentioned, NTOP might help here as well.  In fact,
if you are only seeing 1 or 2 GB, I imagine that it will handle it
just fine.  Fire it up during a spike, and you ought to be able to
look at the activity by 'host'.  You should see where you are sending
all of this data fairly quickly.

Best of Luck,

Michael Gorsuch
http://www.styledbits.com

On Tue, May 27, 2008 at 5:15 PM, Gary Baribault <gary@...> wrote:

> I've seen that type of stuff in my logs too .. they're looking for known pages
> with vulnerabilities, but that shouldn't generate 1Gig of outbound traffic ..
> You're sending something out ..
>
> Gary Baribault
> Courriel: gary@...
> GPG Key: 0x4346F013
> GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013
>
>
>
> Jonathan Adams wrote:
>>
>> Well, since the last post I've scanned the drive for large files
>> (warez): nothing there...
>>
>> Aside from the proxying, I'm getting a lot of weird (botnet, I guess) traffic.
>>
>> It looks like this:
>> [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
>> [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
>> [Tue May 27 14:38:02 2008] [error] [client 217.128.102.142] File does not exist: /home/[snip]/www/voyageur.php
>> [Tue May 27 14:55:42 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
>> [Tue May 27 15:23:47 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
>> [Tue May 27 15:28:57 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
>> [Tue May 27 15:31:39 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
>> [Tue May 27 15:31:47 2008] [error] [client 74.222.3.9] File does not exist: /home/[snip]/www/edit.php
>> [Tue May 27 15:33:16 2008] [error] [client 128.194.135.85] request failed: error reading the headers
>> [Tue May 27 16:07:29 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
>> [Tue May 27 16:42:58 2008] [error] [client 64.56.75.87] File does not exist: /home/[snip]/www/proxy.php
>>
>>
>> The 64 address is a serial offender; I've over 700 hits from it in the logs.
>> It appears to be in LA, California, most likely a hacked server - it has
>> the normal ports open.
>> "IP: 64.56.75.87 Location:
>> Los Angeles, CALIFORNIA, United States US (Vrtservers, Inc)"
>>
>>
>> The China stuff in my logs has just shifted to different IPs since the
>> last batch of updated FW rules, but the traffic is high.
>>
>> 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
>> 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET http://history.jangseong.go.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
>> laubervilliers-153-52-7-142.w217-128.abo.wanadoo.fr - - [27/May/2008:14:38:02 -0400] "GET http://www.tdm80.com/voyageur.php?voyageur=Lucario HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
>> llf520098.crawl.yahoo.net - - [27/May/2008:14:45:18 -0400] "GET /robots.txt HTTP/1.0" 200 116 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
>> lj513318.crawl.yahoo.net - - [27/May/2008:14:45:19 -0400] "GET /2008/p/?D=A HTTP/1.0" 200 653 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
>> msnbot-65-55-210-104.search.msn.com - - [27/May/2008:14:48:25 -0400] "GET /robots.txt HTTP/1.1" 200 116 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
>> 65.55.210.104 - - [27/May/2008:14:48:25 -0400] "GET /school_code_and_files/papers_pres_etc/?M=D HTTP/1.1" 200 1274 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
>> 64.56.75.87 - - [27/May/2008:14:55:42 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 214.228.83-79.rev.gaoland.net - - [27/May/2008:15:17:24 -0400] "GET http://java-belle.antiville.fr/ HTTP/1.1" 200 1802 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
>> 74.222.3.9 - - [27/May/2008:15:23:47 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
>> 74.222.3.9 - - [27/May/2008:15:28:57 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
>> 64.56.75.87 - - [27/May/2008:15:31:39 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 74.222.3.9 - - [27/May/2008:15:31:47 -0400] "GET http://ldvid.info/edit.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
>> 128.194.135.85 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400 367 "-" "-"
>> 64.56.75.87 - - [27/May/2008:16:07:29 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>> 64.56.75.87 - - [27/May/2008:16:42:58 -0400] "POST http://mp3lux.net/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
>>
>> This is definitely the source of my troubles.
>>
>> I've blackholed the serial offending IPs, but I'm sure it will shift
>> again.
>>
>>
>> On Tue, May 27, 2008 at 3:49 PM, Lukasz Piatek <lpiatek@...> wrote:
>> > Have you checked what kind of traffic is flooding you (I mean, did you
>> > perform traffic analysis)?
>> >
>> > -----Original Message-----
>> > From: Jonathan Adams [mailto:keirre.adams@...]
>> > Sent: Tuesday, May 27, 2008 1:59 PM
>> > To: incidents@...
>> > Subject: Weird Traffic
>> >
>> > All,
>> >
>> >  I have a leased server I use to host some websites and for the past
>> > week I have been getting traffic warnings. The server has been
>> > transferring > 1GB of data per day, which is unusually high,
>> > especially since I moved my mail to Google Apps. I have noticed a
>> > ridiculous number of proxying attempts in my logs, but I do
>> > not have mod_proxy turned on. I suspect my server is on some list.  I
>> > firewalled off a large number of subnets from China and my traffic
>> > dropped for a few days, then this morning, 2735MB transferred in 24
>> > hrs.
>> >
>> >  As of right now, I am planning to blackhole all China traffic, since
>> > that's where most of this is coming from, along with the occasional
>> > traffic from France and other places in Europe. Is this common?  If so
>> > are there any other remedies?
>> >
>> > --
>> >
>> > "Strength does not come from physical capacity. It comes from an
>> > indomitable will." -
>> > Mohandas Gandhi
>> >
>>
>

Re: Weird Traffic

by pinowudi

Without physical access to the server for an NTOP flows session, go for
tshark (tcpdump with ring buffers) for a day and see what's up.  You can
pull the PCAP file down to your local machine and run ethereal or NTOP or another
analysis tool from there.

Jonathan Adams wrote:

> All,
>
>   I have a leased server I use to host some websites and for the past
> week I have been getting traffic warnings. The server has been
> transferring > 1GB of data per day, which is unusually high,
> especially since I moved my mail to Google Apps. I have noticed a
> ridiculous number of proxying attempts in my logs, but I do
> not have mod_proxy turned on. I suspect my server is on some list.  I
> firewalled off a large number of subnets from China and my traffic
> dropped for a few days, then this morning, 2735MB transferred in 24
> hrs.
>
>   As of right now, I am planning to blackhole all China traffic, since
> that's where most of this is coming from, along with the occasional
> traffic from France and other places in Europe. Is this common?  If so
> are there any other remedies?
>

Re: Weird Traffic

by Richard Sammet-2

Hi Jonathan,

to get a quick overview of your http traffic for the last 24h, just
run something like this:

tmp=0
for i in `cat /var/log/apache2/access.log | awk -F'"' '{ print $3 }' | awk '{ print $2 }' | grep -E '[0-9]+'`; do
    tmp=`expr $tmp + $i`
done
echo $tmp

on the apache access logfiles containing the requests for the last 24h...


br,
richard


On Tue, May 27, 2008 at 10:31 PM, Jonathan Adams <keirre.adams@...> wrote:

> Well since the last post, I've scanned the drive for large files
> (warez) nothing there...
>
> aside from the proxying Im getting alot of weird (botnet I guess) traffic
>
> looks like this:
> [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does
> not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
> [Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does
> not exist: /home/[snip]/www/sibbs3/admin/board/prx.php
> [Tue May 27 14:38:02 2008] [error] [client 217.128.102.142] File does
> not exist: /home/[snip]/www/voyageur.php
> [Tue May 27 14:55:42 2008] [error] [client 64.56.75.87] File does not
> exist: /home/[snip]/www/proxy.php
> [Tue May 27 15:23:47 2008] [error] [client 74.222.3.9] File does not
> exist: /home/[snip]/www/edit.php
> [Tue May 27 15:28:57 2008] [error] [client 74.222.3.9] File does not
> exist: /home/[snip]/www/edit.php
> [Tue May 27 15:31:39 2008] [error] [client 64.56.75.87] File does not
> exist: /home/[snip]/www/proxy.php
> [Tue May 27 15:31:47 2008] [error] [client 74.222.3.9] File does not
> exist: /home/[snip]/www/edit.php
> [Tue May 27 15:33:16 2008] [error] [client 128.194.135.85] request
> failed: error reading the headers
> [Tue May 27 16:07:29 2008] [error] [client 64.56.75.87] File does not
> exist: /home/[snip]/www/proxy.php
> [Tue May 27 16:42:58 2008] [error] [client 64.56.75.87] File does not
> exist: /home/[snip]/www/proxy.php
>
>
> The 64 address is a serial offender, I' ve over 700 hits from it in the logs
> Appears to be in LA California, most likely a hacked server - it has
> the normal ports open
> "IP: 64.56.75.87 Location:
> Los Angeles, CALIFORNIA, United States US (Vrtservers, Inc)"
>
>
> The china stuff in my logs has just shifted to different IPs since the
> last batch of update FW rules, but the traffic is high
>
> 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET
> http://history.jangseong.g
>  o.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0
> (compatible;                                               MSIE 6.0;
> Windows NT 5.0)"
> 123.233.174.136 - - [27/May/2008:14:30:33 -0400] "GET
> http://history.jangseong.g
>  o.kr/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0
> (compatible;                                               MSIE 6.0;
> Windows NT 5.0)"
> laubervilliers-153-52-7-142.w217-128.abo.wanadoo.fr - -
> [27/May/2008:14:38:02 -0
> 400] "GET http://www.tdm80.com/voyageur.php?voyageur=Lucario HTTP/1.1"
> 404 1277                                               "-"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705;
> .NET                                               CLR 1.1.4322)"
> llf520098.crawl.yahoo.net - - [27/May/2008:14:45:18 -0400] "GET
> /robots.txt HTTP                                              /1.0"
> 200 116 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp;
> http://help.yahoo.com/
> help/us/ysearch/slurp)"
> lj513318.crawl.yahoo.net - - [27/May/2008:14:45:19 -0400] "GET
> /2008/p/?D=A HTTP                                              /1.0"
> 200 653 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp;
> http://help.yahoo.com/
> help/us/ysearch/slurp)"
> msnbot-65-55-210-104.search.msn.com - - [27/May/2008:14:48:25 -0400]
> "GET /robot                                              s.txt
> HTTP/1.1" 200 116 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
> 65.55.210.104 - - [27/May/2008:14:48:25 -0400] "GET
> /school_code_and_files/paper
>   s_pres_etc/?M=D HTTP/1.1" 200 1274 "-" "msnbot/1.1
> (+http://search.msn.com/msnbo
>    t.htm)"
> 64.56.75.87 - - [27/May/2008:14:55:42 -0400] "POST
> http://mp3lux.net/proxy.php H
>    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> NT 5.1; SV1)"
> 214.228.83-79.rev.gaoland.net - - [27/May/2008:15:17:24 -0400] "GET
> http://java-
> belle.antiville.fr/ HTTP/1.1" 200 1802 "-" "Mozilla/4.0 (compatible;
> MSIE 6.0; W                                              indows NT
> 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
> 74.222.3.9 - - [27/May/2008:15:23:47 -0400] "GET
> http://ldvid.info/edit.php HTTP
>      /1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> 98; Win 9x 4.90)"
> 74.222.3.9 - - [27/May/2008:15:28:57 -0400] "GET
> http://ldvid.info/edit.php HTTP
>      /1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> 98; Win 9x 4.90)"
> 64.56.75.87 - - [27/May/2008:15:31:39 -0400] "POST
> http://mp3lux.net/proxy.php H
>    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> NT 5.1; SV1)"
> 74.222.3.9 - - [27/May/2008:15:31:47 -0400] "GET
> http://ldvid.info/edit.php HTTP
>      /1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> 98; Win 9x 4.90)"
> 128.194.135.85 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400 367 "-" "-"
> 64.56.75.87 - - [27/May/2008:16:07:29 -0400] "POST
> http://mp3lux.net/proxy.php H
>    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> NT 5.1; SV1)"
> 64.56.75.87 - - [27/May/2008:16:42:58 -0400] "POST
> http://mp3lux.net/proxy.php H
>    TTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
> NT 5.1; SV1)"
>
> This is definitely the source of my troubles.
>
> I've blackholed the serial offending IP's but Im sure it will shift again.
>
>
> On Tue, May 27, 2008 at 3:49 PM, Lukasz Piatek <lpiatek@...> wrote:
>> Have you checked what kind of traffic is flooding you (I mean did you
>> perform traffic analyze)?
>>
>> -----Original Message-----
>> From: Jonathan Adams [mailto:keirre.adams@...]
>> Sent: Tuesday, May 27, 2008 1:59 PM
>> To: incidents@...
>> Subject: Weird Traffic
>>
>> All,
>>
>>  I have a leased server I use to host some websites and for the past
>> week I have been getting traffic warnings. The server has been
>> transferring > 1GB of data per day, which is unusually high,
>> especially since I moved my mail to Google Apps. I have noticed a
>> ridiculous amount of attempted proxying attemptes in my logs, but I do
>> not have mod proxy turned on. I suspect my server is on some list.  I
>> firewalled off a large number of subnets from China and my traffic
>> dropped for a few days, then this morning, 2735MB transferred in 24
>> hrs.
>>
>>  As of right now, I am planning to blackhole all China traffic, since
>> thats where most of this is comming from, along with the occasional
>> traffic from France and other places in Eur. Is this common?  If so
>> are there any other remedies?
>>
>> --
>>
>> "Strength does not come from physical capacity. It comes from an
>> indomitable will." -
>> Mohandas Gandhi
>>
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams@...
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi
>



--
The major quality problem of open mailing lists is that everybody can
take part. (/me)

ATTENTION!
PLEASE ENCRYPT MESSAGES AND ATTACHMENTS IF THEY CONTAIN PRIVATE INFORMATION!
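The one-liner above totals bytes for the whole log. As an added example (not from anyone in this thread), the script below parses Apache combined-format lines, totals bytes per client, and counts the requests whose target is an absolute URL or a CONNECT, which is what a client asking an origin server to act as a forward proxy sends; the prx.php / proxy.php / edit.php lines Jonathan posted have exactly that shape. The log lines are constructed with RFC 5737 documentation addresses and example.* hostnames; the function names (parse_line, is_proxy_attempt, summarize) are this example's own.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format (RFC 5737 documentation
# addresses, example.* hosts); shaped like the lines in the thread, not taken
# from any real server. The last line is deliberately malformed.
SAMPLE_LOG = """\
192.0.2.10 - - [27/May/2008:14:30:33 -0400] "GET http://forum.example.net/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.10 - - [27/May/2008:14:30:33 -0400] "GET http://forum.example.net/sibbs3/admin/board/prx.php HTTP/1.0" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.7 - - [27/May/2008:14:55:42 -0400] "POST http://music.example.org/proxy.php HTTP/1.1" 404 1277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
crawler.example.com - - [27/May/2008:14:45:18 -0400] "GET /robots.txt HTTP/1.0" 200 116 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
203.0.113.5 - - [27/May/2008:15:33:16 -0400] "GET / HTTP/1.1" 400 367 "-" "-"
203.0.113.9 - - [27/May/2008:16:00:00 -0400] "HEAD /index.html HTTP/1.1" 200 - "-" "curl/7.18.0"
198.51.100.7 - - [27/May/2008:16:07:29 -0400] "CONNECT mail.example.org:25 HTTP/1.1" 405 450 "-" "-"
this line is not a log record
"""

# host ident user [time] "method target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Apache writes "-" when no body was sent; count that as zero bytes.
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_proxy_attempt(rec):
    """A normal request to an origin server carries only a path. An absolute
    URL in the request line, or a CONNECT, is what a client sends to a forward
    proxy; seen at an origin server it is a proxy probe."""
    target = rec["target"].lower()
    return rec["method"].upper() == "CONNECT" or target.startswith(("http://", "https://"))


def summarize(lines):
    """Total bytes, bytes per client, proxy-style requests per client, and the
    number of lines that did not parse (an unexpected count there usually means
    a LogFormat change or a tampered log)."""
    total = 0
    by_host = Counter()
    proxy = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1
            continue
        total += rec["bytes"]
        by_host[rec["host"]] += rec["bytes"]
        if is_proxy_attempt(rec):
            proxy[rec["host"]] += 1
    return {"total_bytes": total, "bytes_by_host": dict(by_host),
            "proxy_attempts": dict(proxy), "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"total bytes sent: {report['total_bytes']}  (unparsed lines: {report['unparsed']})")
    for host, n in sorted(report["proxy_attempts"].items(), key=lambda kv: -kv[1]):
        print(f"{host}: {n} proxy-style request(s), {report['bytes_by_host'][host]} bytes sent")
```

Run it against the real access log with `summarize(open(path))` and sort bytes_by_host: if the proxy probes are all 404s of about 1.3 KB, as in the lines posted, they cannot by themselves account for gigabytes a day, and the per-client byte totals show where the volume actually went.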

Re: Weird Traffic

by Jonathan Adams-5

I'm on FreeBSD, netstat doesn't like the -p without a parameter [protocol]

I'm familiar with pstree and lsof... there are still no smoking guns

On Tue, May 27, 2008 at 5:31 PM, Michael Loftis <mloftis@...> wrote:

> if on linux -- the latter requires psmisc (or your dists equivalent)
> installed....
> netstat -anlp
> pstree -cuap
>
> lsof is another very useful utility.
>
> nmap can only look for open listening and *responding* ports.  netstat -anlp
> will show you whats open in the kernel, assuming you've not been rooted.
>
> --On May 27, 2008 2:48:00 PM -0400 Jonathan Adams <keirre.adams@...>
> wrote:
>
>> I've not found the source of the majority of the data, but I have
>> found a huge amount of weird requests in my apache log, and I'm fairly
>> certain its http traffic...  I may cron of a protocol analysis tool
>> tonite to see if I can find more. I've run nmap scans, but stupidly
>> have not used the udp scan as someone else posted... nothing amiss in
>> the process list...
>>
>> Theres no changes to my httpd.conf, and I dont see a big hit in my
>> disk space... dunno... it is a mystery.  I'll do some more analysis
>> and if I find anything Ill post it to the list
>>
>> On 5/27/08, Pope <elpope@...> wrote:
>>>
>>> Hey Jonathan,
>>>
>>> It might sound obvious, but exactly WHAT KIND OF TRAFFIC is being moved?
>>>
>>> I mean, if it's just HTTP traffic, and you've transferred 2.7 GB in one
>>> day, you should start thinking about what you are hosting. Sounds to me
>>> like someone planted a file server in there without you noticing; could
>>> be?
>>>
>>> Find the content being transferred (warez, movies, porn... you can bet)
>>> and remove it. End of the problem.
>>>
>>> Regards
>>>
>>>
>>> On Tue, May 27, 2008 at 1:59 PM, Jonathan Adams <keirre.adams@...>
>>> wrote:
>>> > All,
>>> >
>>> >  I have a leased server I use to host some websites and for the past
>>> > week I have been getting traffic warnings. The server has been
>>> > transferring > 1GB of data per day, which is unusually high,
>>> > especially since I moved my mail to Google Apps. I have noticed a
>>> > ridiculous amount of attempted proxying attemptes in my logs, but I do
>>> > not have mod proxy turned on. I suspect my server is on some list.  I
>>> > firewalled off a large number of subnets from China and my traffic
>>> > dropped for a few days, then this morning, 2735MB transferred in 24
>>> > hrs.
>>> >
>>> >  As of right now, I am planning to blackhole all China traffic, since
>>> > thats where most of this is comming from, along with the occasional
>>> > traffic from France and other places in Eur. Is this common?  If so
>>> > are there any other remedies?
>>> >
>>> > --
>>> >
>>> > "Strength does not come from physical capacity. It comes from an
>>> > indomitable will." -
>>> > Mohandas Gandhi
>>> >
>>>
>>>
>>>
>>> --
>>> Pope
>>> elpope # gmail · com
>>>
>>> "You have been down there, Neo. You know that road. You know exactly
>>> where it ends. And I know that's not where you want to be." [Trinity @
>>> Matrix]
>
>
>
> --
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler
>



--
___________________________
Jon Adams

web: http://www.scis.nova.edu/~jonaadam
mail: keirre.adams@...
---------------------------------------------

"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi

Re: [Pinguzilla] Weird Traffic

by Jonathan Adams-5

John,

  I am running late for my real job :) but when I come back I'll run
some more tests and post the results.

BTW, 1.5 GB transferred yesterday. There is no way this is valid web
or ftp traffic...  something is proxying through my box...

I'm sure of it

On Tue, May 27, 2008 at 11:06 PM, John Duksta <john@...> wrote:

>
> Jonathan,
>
> I'd be curious to get a copy of the list of networks that you're seeing this
> traffic from. I work for a large managed security service provider and I
> could cross reference these networks against data that we're seeing from our
> corporate customers.
>
> Regards,
> -john
>
>
> On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
>
>> All,
>>
>>  I have a leased server I use to host some websites and for the past
>> week I have been getting traffic warnings. The server has been
>> transferring > 1GB of data per day, which is unusually high,
>> especially since I moved my mail to Google Apps. I have noticed a
>> ridiculous amount of attempted proxying attemptes in my logs, but I do
>> not have mod proxy turned on. I suspect my server is on some list.  I
>> firewalled off a large number of subnets from China and my traffic
>> dropped for a few days, then this morning, 2735MB transferred in 24
>> hrs.
>>
>>  As of right now, I am planning to blackhole all China traffic, since
>> thats where most of this is comming from, along with the occasional
>> traffic from France and other places in Eur. Is this common?  If so
>> are there any other remedies?
>>
>> --
>>
>> "Strength does not come from physical capacity. It comes from an
>> indomitable will." -
>> Mohandas Gandhi
>>
>> _______________________________________________
>> Pinguzilla mailing list
>> Pinguzilla@...
>> http://www.as220.org/mailman/listinfo/pinguzilla
>>
>
>



--
___________________________
Jon Adams

web: http://www.scis.nova.edu/~jonaadam
mail: keirre.adams@...
---------------------------------------------

"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi

Re: [Pinguzilla] Weird Traffic

by Jonathan Adams-5

Well... I got the results of an 11hr TCPDUMP run.. and it shows...
NOTHING.. a couple of probes, lots of network traffic (router
messages, ARP requests, Windows NETBIOS noise from my ISP's lan) only
got a few probes today... apparently the FW rules shut down most of
the traffic for now.

What is weird is this: my ipfw has this

07700 deny log ip from 82.0.0.0/8 to any
07800 deny log ip from any to 82.0.0.0/8



yet the TCP dump shows this:

<pdml>
<packet>
<proto name="geninfo" longname="General information" pos="0" size="66">
<field name="num" longname="Number" showvalue="117" value="117"
pos="0" size="66"/>
<field name="linklayer" longname="Link Layer" showvalue="1" value="1"
showmap="Ethernet" pos="0" size="66"/>
<field name="len" longname="Packet Length" showvalue="66" value="66"
pos="0" size="66"/>
<field name="caplen" longname="Captured Length" showvalue="66"
value="66" pos="0" size="66"/>
<field name="timestamp" longname="Captured Time"
showvalue="09:44:09.621223" value="1211982249.621223" pos="0"
size="66"/>
</proto>
<proto name="ethernet" longname="Ethernet 802.3" pos="0" size="14">
<field name="dst" longname="MAC Destination" size="6" pos="0"
value="000D6103491A" showvalue="000D61-03491A" showdtl="000D61-03491A
(Unicast address, vendor code not available)" showmap="code not
available" />
<field name="src" longname="MAC Source" size="6" pos="6"
value="00D00247B3FC" showvalue="00D002-47B3FC" showdtl="00D002-47B3FC
(Unicast address, vendor code not available)" showmap="code not
available" />
<field name="type" longname="Ethertype - Length" size="2" pos="12"
value="0800" showvalue="2048" showdtl="0x0800 (Ethertype)" />
</proto>
<proto name="ip" longname="IPv4 (Internet Protocol version 4)"
pos="14" size="20">
<field name="ver" longname="Version" size="1" pos="14" value="45"
mask="f0" showvalue="4" />
<field name="hlen" longname="Header length" size="1" pos="14"
value="45" mask="0f" showvalue="5" showdtl="20 (field value = 5)" />
<field name="tos" longname="Type of service" size="1" pos="15"
value="00" showvalue="0x00" />
<field name="tlen" longname="Total length" size="2" pos="16"
value="0034" showvalue="52" />
<field name="identification" longname="Identification" size="2"
pos="18" value="3612" showvalue="13842" />
<field name="ffo" longname="Flags and Fragment offset" size="2" pos="20" >
<field name="unused" longname="Unused" size="2" pos="20" value="4000"
mask="8000" showvalue="0b0..............." />
<field name="df" longname="Don't fragment" size="2" pos="20"
value="4000" mask="4000" showvalue="0b.1.............." />
<field name="mf" longname="More fragments" size="2" pos="20"
value="4000" mask="2000" showvalue="0b..0............." />
<field name="foffset" longname="Fragment offset" size="2" pos="20"
value="4000" mask="1fff" showvalue="0" showdtl="0 (field value = 0)"
/>
</field>
<field name="ttl" longname="Time to live" size="1" pos="22" value="38"
showvalue="56" />
<field name="nextp" longname="Next protocol" size="1" pos="23"
value="06" showvalue="6" />
<field name="hchecksum" longname="Header Checksum" size="2" pos="24"
value="452F" showvalue="0x452F" />
<field name="src" longname="Source address" size="4" pos="26"
value="52FC3B9C" showvalue="82.252.59.156" />
<field name="dst" longname="Destination address" size="4" pos="30"
value="4224F6C6" showvalue="66.36.246.198" />
</proto>
<proto name="tcp" longname="TCP (Transmission Control Protocol)"
pos="34" size="32">
<field name="sport" longname="Source port" size="2" pos="34"
value="0D7D" showvalue="3453" />
<field name="dport" longname="Destination port" size="2" pos="36"
value="0050" showvalue="80" />
<field name="seq" longname="Sequence number" size="4" pos="38"
value="B20A5764" showvalue="2987022180" />
<field name="ack" longname="Acknowledgement Number" size="4" pos="42"
value="00000000" showvalue="0" />
<field name="hlen" longname="Header length" size="2" pos="46"
value="8002" mask="f000" showvalue="8" showdtl="32 (field value = 8)"
/>
<field name="res" longname="Reserved (must be zero)" size="2" pos="46"
value="8002" mask="0fc0" showvalue="0x0000" />
<field name="flags" longname="Flags" size="2" pos="46" value="8002"
mask="003f" showvalue="0x0002" >
<field name="urg" longname="Urgent pointer" size="2" pos="46"
value="8002" mask="0020" showvalue="0b..........0....." />
<field name="ackf" longname="Ack valid" size="2" pos="46" value="8002"
mask="0010" showvalue="0b...........0...." />
<field name="push" longname="Push requested" size="2" pos="46"
value="8002" mask="0008" showvalue="0b............0..." />
<field name="rst" longname="Reset requested" size="2" pos="46"
value="8002" mask="0004" showvalue="0b.............0.." />
<field name="syn" longname="Syn requested" size="2" pos="46"
value="8002" mask="0002" showvalue="0b..............1." />
<field name="fin" longname="Fin requested" size="2" pos="46"
value="8002" mask="0001" showvalue="0b...............0" />
</field>
<field name="win" longname="Window size" size="2" pos="48"
value="FFFF" showvalue="65535" />
<field name="crc" longname="Checksum" size="2" pos="50" value="9085"
showvalue="0x9085" />
<field name="urg" longname="Urgent Pointer" size="2" pos="52"
value="0000" showvalue="0x0000" />
<field name="options" longname="TCP Options" size="12" pos="54" >
<field name="mss" longname="Maximum Segment Size" size="4" pos="54" >
<field name="type" longname="Type" size="1" pos="54" value="02" showvalue="2" />
<field name="length" longname="Option length" size="1" pos="55"
value="04" showvalue="4" />
<field name="maxssize" longname="Maximum Segment Size" size="2"
pos="56" value="0584" showvalue="1412" />
</field>
<field name="noperation" longname="No Operation" size="1" pos="58" >
<field name="type" longname="Type" size="1" pos="58" value="01" showvalue="1" />
</field>
<field name="winscale" longname="TCP Windows Scale Option" size="3" pos="59" >
<field name="type" longname="Type" size="1" pos="59" value="03" showvalue="3" />
<field name="length" longname="Option Length" size="1" pos="60"
value="03" showvalue="3" />
<field name="shift.cnt" longname="Shift Count" size="1" pos="61"
value="04" showvalue="4" />
</field>
<field name="noperation" longname="No Operation" size="1" pos="62" >
<field name="type" longname="Type" size="1" pos="62" value="01" showvalue="1" />
</field>
<field name="noperation" longname="No Operation" size="1" pos="63" >
<field name="type" longname="Type" size="1" pos="63" value="01" showvalue="1" />
</field>
<field name="sackpermitted" longname="Sack-Permitted Option" size="2" pos="64" >
<field name="type" longname="Type" size="1" pos="64" value="04" showvalue="4" />
<field name="length" longname="Option Length" size="1" pos="65"
value="02" showvalue="2" />
</field>
</field>
</proto>
</packet></pdml>



On Wed, May 28, 2008 at 5:20 AM, Jonathan Adams <keirre.adams@...> wrote:

> John,
>
>  I am running late for my real job :) but when i come back Ill run
> some more test and post the results.
>
> BTW, 1.5 GB transferred yesterday. there is no way this is valid web
> or ftp traffic...  something is proxying through my box...
>
> Im sure of it
>
> On Tue, May 27, 2008 at 11:06 PM, John Duksta <john@...> wrote:
>>
>> Jonathan,
>>
>> I'd be curious to get a copy of the list of networks that you're seeing this
>> traffic from. I work for a large managed security service provider and I
>> could cross reference these networks against data that we're seeing from our
>> corporate customers.
>>
>> Regards,
>> -john
>>
>>
>> On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
>>
>>> All,
>>>
>>>  I have a leased server I use to host some websites and for the past
>>> week I have been getting traffic warnings. The server has been
>>> transferring > 1GB of data per day, which is unusually high,
>>> especially since I moved my mail to Google Apps. I have noticed a
>>> ridiculous amount of attempted proxying attemptes in my logs, but I do
>>> not have mod proxy turned on. I suspect my server is on some list.  I
>>> firewalled off a large number of subnets from China and my traffic
>>> dropped for a few days, then this morning, 2735MB transferred in 24
>>> hrs.
>>>
>>>  As of right now, I am planning to blackhole all China traffic, since
>>> thats where most of this is comming from, along with the occasional
>>> traffic from France and other places in Eur. Is this common?  If so
>>> are there any other remedies?
>>>
>>> --
>>>
>>> "Strength does not come from physical capacity. It comes from an
>>> indomitable will." -
>>> Mohandas Gandhi
>>>
>>> _______________________________________________
>>> Pinguzilla mailing list
>>> Pinguzilla@...
>>> http://www.as220.org/mailman/listinfo/pinguzilla
>>>
>>
>>
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams@...
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi
>



--
___________________________
Jon Adams

web: http://www.scis.nova.edu/~jonaadam
mail: keirre.adams@...
---------------------------------------------

"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi
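As an added example (not posted by anyone in the thread), the script below reads a PDML packet like the one above, pulls out the address pair, ports and TCP flags, works out from the SYN/ACK bits which end opened the connection, and checks the packet against the two ipfw deny rules quoted above (07700 and 07800). SAMPLE_PDML is an abridged copy of the thread's packet with only the fields the check needs; DENY_RULES transcribes the two rules; the function names (packet_summary, initiator, matching_deny_rules) are this example's own.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Abridged copy of the PDML packet posted above: only the fields this check
# reads are kept, with the values exactly as they appear in the thread.
SAMPLE_PDML = """\
<pdml>
<packet>
<proto name="ip" longname="IPv4 (Internet Protocol version 4)" pos="14" size="20">
<field name="src" longname="Source address" size="4" pos="26" value="52FC3B9C" showvalue="82.252.59.156" />
<field name="dst" longname="Destination address" size="4" pos="30" value="4224F6C6" showvalue="66.36.246.198" />
</proto>
<proto name="tcp" longname="TCP (Transmission Control Protocol)" pos="34" size="32">
<field name="sport" longname="Source port" size="2" pos="34" value="0D7D" showvalue="3453" />
<field name="dport" longname="Destination port" size="2" pos="36" value="0050" showvalue="80" />
<field name="flags" longname="Flags" size="2" pos="46" value="8002" mask="003f" showvalue="0x0002" >
<field name="ackf" longname="Ack valid" size="2" pos="46" value="8002" mask="0010" showvalue="0b...........0...." />
<field name="syn" longname="Syn requested" size="2" pos="46" value="8002" mask="0002" showvalue="0b..............1." />
</field>
</proto>
</packet>
</pdml>
"""

# The two ipfw rules quoted above, as (rule number, from, to); "any" is a wildcard.
DENY_RULES = [
    ("07700", "82.0.0.0/8", "any"),
    ("07800", "any", "82.0.0.0/8"),
]

TCP_SYN, TCP_ACK = 0x02, 0x10


def packet_summary(pdml_text):
    """Addresses, ports and TCP flags of the first <packet> in a PDML document."""
    pkt = ET.fromstring(pdml_text).find("packet")

    def show(proto, name):
        # PDML keeps the decoded value in the showvalue attribute.
        el = pkt.find(f"./proto[@name='{proto}']//field[@name='{name}']")
        if el is None:
            raise ValueError(f"field {proto}/{name} missing from packet")
        return el.get("showvalue")

    flags = int(show("tcp", "flags"), 16)
    return {
        "src": show("ip", "src"), "dst": show("ip", "dst"),
        "sport": int(show("tcp", "sport")), "dport": int(show("tcp", "dport")),
        "syn": bool(flags & TCP_SYN), "ack": bool(flags & TCP_ACK),
    }


def initiator(pkt):
    """Which address opened the connection: a bare SYN is sent by the client,
    a SYN/ACK by the server. For any other segment the handshake is not in
    view and the answer is None."""
    if pkt["syn"] and not pkt["ack"]:
        return pkt["src"]
    if pkt["syn"] and pkt["ack"]:
        return pkt["dst"]
    return None


def matching_deny_rules(pkt, rules=DENY_RULES):
    """Numbers of the rules whose from/to pair covers this packet's src/dst."""
    def covers(spec, addr):
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

    return [num for num, frm, to in rules
            if covers(frm, pkt["src"]) and covers(to, pkt["dst"])]


if __name__ == "__main__":
    pkt = packet_summary(SAMPLE_PDML)
    print(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}  "
          f"SYN={pkt['syn']} ACK={pkt['ack']}")
    print("connection opened by:", initiator(pkt))
    print("deny rules covering this packet:", matching_deny_rules(pkt))
```

A match on 07700 does not by itself mean the rule failed. On FreeBSD, bpf hands tcpdump a copy of an inbound frame as it arrives on the interface, before ipfw evaluates it at the IP layer, so a SYN the firewall then drops still appears in the capture; the per-rule counters from `ipfw -a list` and the syslog entries written by `deny log` show whether the deny actually fired.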

Re: [Pinguzilla] Weird Traffic

by Leon Ward-2

What was the result of ntop? Protocol breakdowns, top IP SRC/DST etc.
Does syslog point you to anything suspicious?
chkrootkit?
What do you use to audit your Apache logs? Does that show up anything
interesting (hosting a large file for download maybe)?

Without physical access, it's hard to trust the output of tools you
install.

-Leon


On 28 May 2008, at 10:20, Jonathan Adams wrote:

> John,
>
>  I am running late for my real job :) but when i come back Ill run
> some more test and post the results.
>
> BTW, 1.5 GB transferred yesterday. there is no way this is valid web
> or ftp traffic...  something is proxying through my box...
>
> Im sure of it
>
> On Tue, May 27, 2008 at 11:06 PM, John Duksta <john@...> wrote:
>>
>> Jonathan,
>>
>> I'd be curious to get a copy of the list of networks that you're  
>> seeing this
>> traffic from. I work for a large managed security service provider  
>> and I
>> could cross reference these networks against data that we're seeing  
>> from our
>> corporate customers.
>>
>> Regards,
>> -john
>>
>>
>> On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
>>
>>> All,
>>>
>>> I have a leased server I use to host some websites and for the past
>>> week I have been getting traffic warnings. The server has been
>>> transferring > 1GB of data per day, which is unusually high,
>>> especially since I moved my mail to Google Apps. I have noticed a
>>> ridiculous amount of attempted proxying attemptes in my logs, but  
>>> I do
>>> not have mod proxy turned on. I suspect my server is on some  
>>> list.  I
>>> firewalled off a large number of subnets from China and my traffic
>>> dropped for a few days, then this morning, 2735MB transferred in 24
>>> hrs.
>>>
>>> As of right now, I am planning to blackhole all China traffic, since
>>> thats where most of this is comming from, along with the occasional
>>> traffic from France and other places in Eur. Is this common?  If so
>>> are there any other remedies?
>>>
>>> --
>>>
>>> "Strength does not come from physical capacity. It comes from an
>>> indomitable will." -
>>> Mohandas Gandhi
>>>
>>> _______________________________________________
>>> Pinguzilla mailing list
>>> Pinguzilla@...
>>> http://www.as220.org/mailman/listinfo/pinguzilla
>>>
>>
>>
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams@...
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi
>


Re: [Pinguzilla] Weird Traffic

by Vega - Brunello Ivan

Definitely an outbound connection

 value="52FC3B9C" showvalue="82.252.59.156" /> <field name="dst" longname="Destination address" size="4" pos="30"

On most firewalls I know, applying a rule does not interrupt an active session.
I'd first reset all sessions, and then recheck that the firewall rules are correctly applied.
Next, change firewall/filtering technology.



Ivan Brunello
 

-----Original Message-----
From: Jonathan Adams [mailto:keirre.adams@...]
Sent: Wednesday, 28 May 2008 23:16
To: John Duksta
Cc: incidents@...
Subject: Re: [Pinguzilla] Weird Traffic

Well... I got the results of an 11hr TCPDUMP run.. and it shows...
NOTHING.. a couple of probes, lots of network traffic (router messages, ARP requests, Windows NETBIOS noise from my ISP's lan) only got a few probes today... apparently the FW rules shut down most of the traffic for now.

What is weird is this: my ipfw has this

07700 deny log ip from 82.0.0.0/8 to any
07800 deny log ip from any to 82.0.0.0/8



yet the TCP dump shows this:

<pdml>
<packet>
<proto name="geninfo" longname="General information" pos="0" size="66">
<field name="num" longname="Number" showvalue="117" value="117" pos="0" size="66"/>
<field name="linklayer" longname="Link Layer" showvalue="1" value="1" showmap="Ethernet" pos="0" size="66"/>
<field name="len" longname="Packet Length" showvalue="66" value="66" pos="0" size="66"/>
<field name="caplen" longname="Captured Length" showvalue="66" value="66" pos="0" size="66"/>
<field name="timestamp" longname="Captured Time" showvalue="09:44:09.621223" value="1211982249.621223" pos="0" size="66"/>
</proto>
<proto name="ethernet" longname="Ethernet 802.3" pos="0" size="14">
<field name="dst" longname="MAC Destination" size="6" pos="0" value="000D6103491A" showvalue="000D61-03491A" showdtl="000D61-03491A (Unicast address, vendor code not available)" showmap="code not available" />
<field name="src" longname="MAC Source" size="6" pos="6" value="00D00247B3FC" showvalue="00D002-47B3FC" showdtl="00D002-47B3FC (Unicast address, vendor code not available)" showmap="code not available" />
<field name="type" longname="Ethertype - Length" size="2" pos="12" value="0800" showvalue="2048" showdtl="0x0800 (Ethertype)" />
</proto>
<proto name="ip" longname="IPv4 (Internet Protocol version 4)" pos="14" size="20">
<field name="ver" longname="Version" size="1" pos="14" value="45" mask="f0" showvalue="4" />
<field name="hlen" longname="Header length" size="1" pos="14" value="45" mask="0f" showvalue="5" showdtl="20 (field value = 5)" />
<field name="tos" longname="Type of service" size="1" pos="15" value="00" showvalue="0x00" />
<field name="tlen" longname="Total length" size="2" pos="16" value="0034" showvalue="52" />
<field name="identification" longname="Identification" size="2" pos="18" value="3612" showvalue="13842" />
<field name="ffo" longname="Flags and Fragment offset" size="2" pos="20" >
<field name="unused" longname="Unused" size="2" pos="20" value="4000" mask="8000" showvalue="0b0..............." />
<field name="df" longname="Don't fragment" size="2" pos="20" value="4000" mask="4000" showvalue="0b.1.............." />
<field name="mf" longname="More fragments" size="2" pos="20" value="4000" mask="2000" showvalue="0b..0............." />
<field name="foffset" longname="Fragment offset" size="2" pos="20" value="4000" mask="1fff" showvalue="0" showdtl="0 (field value = 0)" />
</field>
<field name="ttl" longname="Time to live" size="1" pos="22" value="38" showvalue="56" />
<field name="nextp" longname="Next protocol" size="1" pos="23" value="06" showvalue="6" />
<field name="hchecksum" longname="Header Checksum" size="2" pos="24" value="452F" showvalue="0x452F" />
<field name="src" longname="Source address" size="4" pos="26" value="52FC3B9C" showvalue="82.252.59.156" />
<field name="dst" longname="Destination address" size="4" pos="30" value="4224F6C6" showvalue="66.36.246.198" />
</proto>
<proto name="tcp" longname="TCP (Transmission Control Protocol)" pos="34" size="32">
<field name="sport" longname="Source port" size="2" pos="34" value="0D7D" showvalue="3453" />
<field name="dport" longname="Destination port" size="2" pos="36" value="0050" showvalue="80" />
<field name="seq" longname="Sequence number" size="4" pos="38" value="B20A5764" showvalue="2987022180" />
<field name="ack" longname="Acknowledgement Number" size="4" pos="42" value="00000000" showvalue="0" />
<field name="hlen" longname="Header length" size="2" pos="46" value="8002" mask="f000" showvalue="8" showdtl="32 (field value = 8)" />
<field name="res" longname="Reserved (must be zero)" size="2" pos="46" value="8002" mask="0fc0" showvalue="0x0000" />
<field name="flags" longname="Flags" size="2" pos="46" value="8002" mask="003f" showvalue="0x0002" >
<field name="urg" longname="Urgent pointer" size="2" pos="46" value="8002" mask="0020" showvalue="0b..........0....." />
<field name="ackf" longname="Ack valid" size="2" pos="46" value="8002" mask="0010" showvalue="0b...........0...." />
<field name="push" longname="Push requested" size="2" pos="46" value="8002" mask="0008" showvalue="0b............0..." />
<field name="rst" longname="Reset requested" size="2" pos="46" value="8002" mask="0004" showvalue="0b.............0.." />
<field name="syn" longname="Syn requested" size="2" pos="46" value="8002" mask="0002" showvalue="0b..............1." />
<field name="fin" longname="Fin requested" size="2" pos="46" value="8002" mask="0001" showvalue="0b...............0" />
</field>
<field name="win" longname="Window size" size="2" pos="48" value="FFFF" showvalue="65535" />
<field name="crc" longname="Checksum" size="2" pos="50" value="9085" showvalue="0x9085" />
<field name="urg" longname="Urgent Pointer" size="2" pos="52" value="0000" showvalue="0x0000" />
<field name="options" longname="TCP Options" size="12" pos="54" >
<field name="mss" longname="Maximum Segment Size" size="4" pos="54" >
<field name="type" longname="Type" size="1" pos="54" value="02" showvalue="2" />
<field name="length" longname="Option length" size="1" pos="55" value="04" showvalue="4" />
<field name="maxssize" longname="Maximum Segment Size" size="2" pos="56" value="0584" showvalue="1412" />
</field>
<field name="noperation" longname="No Operation" size="1" pos="58" >
<field name="type" longname="Type" size="1" pos="58" value="01" showvalue="1" />
</field>
<field name="winscale" longname="TCP Windows Scale Option" size="3" pos="59" >
<field name="type" longname="Type" size="1" pos="59" value="03" showvalue="3" />
<field name="length" longname="Option Length" size="1" pos="60" value="03" showvalue="3" />
<field name="shift.cnt" longname="Shift Count" size="1" pos="61" value="04" showvalue="4" />
</field>
<field name="noperation" longname="No Operation" size="1" pos="62" >
<field name="type" longname="Type" size="1" pos="62" value="01" showvalue="1" />
</field>
<field name="noperation" longname="No Operation" size="1" pos="63" >
<field name="type" longname="Type" size="1" pos="63" value="01" showvalue="1" />
</field>
<field name="sackpermitted" longname="Sack-Permitted Option" size="2" pos="64" >
<field name="type" longname="Type" size="1" pos="64" value="04" showvalue="4" />
<field name="length" longname="Option Length" size="1" pos="65" value="02" showvalue="2" />
</field>
</field>
</proto>
</packet></pdml>



On Wed, May 28, 2008 at 5:20 AM, Jonathan Adams <keirre.adams@...> wrote:

> John,
>
>  I am running late for my real job :) but when I come back I'll run
> some more tests and post the results.
>
> BTW, 1.5 GB transferred yesterday. There is no way this is valid web
> or FTP traffic...  something is proxying through my box...
>
> I'm sure of it.
>
> On Tue, May 27, 2008 at 11:06 PM, John Duksta <john@...> wrote:
>>
>> Jonathan,
>>
>> I'd be curious to get a copy of the list of networks that you're
>> seeing this traffic from. I work for a large managed security service
>> provider and I could cross reference these networks against data that
>> we're seeing from our corporate customers.
>>
>> Regards,
>> -john
>>
>>
>> On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
>>
>>> All,
>>>
>>>  I have a leased server I use to host some websites and for the past
>>> week I have been getting traffic warnings. The server has been
>>> transferring > 1GB of data per day, which is unusually high,
>>> especially since I moved my mail to Google Apps. I have noticed a
>>> ridiculous amount of attempted proxying attempts in my logs, but I
>>> do not have mod proxy turned on. I suspect my server is on some
>>> list.  I firewalled off a large number of subnets from China and my
>>> traffic dropped for a few days, then this morning, 2735MB
>>> transferred in 24 hrs.
>>>
>>>  As of right now, I am planning to blackhole all China traffic,
>>> since that's where most of this is coming from, along with the
>>> occasional traffic from France and other places in Eur. Is this
>>> common?  If so, are there any other remedies?
>>>
>>> --
>>>
>>> "Strength does not come from physical capacity. It comes from an
>>> indomitable will." - Mohandas Gandhi
>>>
>>> _______________________________________________
>>> Pinguzilla mailing list
>>> Pinguzilla@...
>>> http://www.as220.org/mailman/listinfo/pinguzilla
>>>
>>
>>
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams@...
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." - Mohandas Gandhi
>



--
___________________________
Jon Adams

web: http://www.scis.nova.edu/~jonaadam
mail: keirre.adams@...
---------------------------------------------

"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi



Re: [Pinguzilla] Weird Traffic

by Jonathan Adams-5 :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

Leon,

  Thanks. I'll run ntop when I get back home again. On the plus side,
the traffic is down today (I didn't get the automated threshold alert);
this happened the last time I added in FW rules, and by the next day I
had twice as much traffic as before I applied the new rules (1.3GB to
2.57 GB).

  There is nothing in the syslog except the usual stuff.

  I did a find on the filesystem for files 5MB and over; it came back
with nothing except a couple of log files and other expected stuff.

  I still believe that some of the proxy requests are getting through.
The great majority of the real traffic in my tcpdump was HTTP... but I
think the data may be useless because it was captured on a day
when I wasn't getting flooded. Will have to wait to see if/when the
problem returns and run another tcpdump session. The problem is compounded
by the fact that the server doesn't have X, so I'll need to copy off
the tcpdump output somewhere to analyze it - wasn't a problem
yesterday because it was only a couple of dozen MB.

  I do need to run a rootkit detection tool on the box; it couldn't
hurt, so I'll do that anyway. In the meantime I'll wait and see if the
traffic comes back up.


--J

On 5/29/08, Leon Ward <seclists@...> wrote:

> What was the result of ntop? Protocol breakdowns, top IP SRC/DST etc.
> Does syslog point you to anything suspicious?
> chkrootkit?
> What do you use to audit your Apache logs? Does that show up anything
> interesting (hosting a large file for download maybe)?
>
> Without physical access, it's hard to trust the output of tools you install.
>
> -Leon
>
>
>
> On 28 May 2008, at 10:20, Jonathan Adams wrote:
>
> > John,
> >
> >  I am running late for my real job :) but when I come back I'll run
> > some more tests and post the results.
> >
> > BTW, 1.5 GB transferred yesterday. There is no way this is valid web
> > or FTP traffic...  something is proxying through my box...
> >
> > I'm sure of it.
> >
> > On Tue, May 27, 2008 at 11:06 PM, John Duksta <john@...> wrote:
> >
> > >
> > > Jonathan,
> > >
> > > I'd be curious to get a copy of the list of networks that you're seeing
> this
> > > traffic from. I work for a large managed security service provider and I
> > > could cross reference these networks against data that we're seeing from
> our
> > > corporate customers.
> > >
> > > Regards,
> > > -john
> > >
> > >
> > > On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
> > >
> > >
> > > > All,
> > > >
> > > > I have a leased server I use to host some websites and for the past
> > > > week I have been getting traffic warnings. The server has been
> > > > transferring > 1GB of data per day, which is unusually high,
> > > > especially since I moved my mail to Google Apps. I have noticed a
> > > > ridiculous amount of attempted proxying attempts in my logs, but I do
> > > > not have mod proxy turned on. I suspect my server is on some list.  I
> > > > firewalled off a large number of subnets from China and my traffic
> > > > dropped for a few days, then this morning, 2735MB transferred in 24
> > > > hrs.
> > > >
> > > > As of right now, I am planning to blackhole all China traffic, since
> > > > that's where most of this is coming from, along with the occasional
> > > > traffic from France and other places in Eur. Is this common?  If so,
> > > > are there any other remedies?
> > > >
> > > > --
> > > >
> > > > "Strength does not come from physical capacity. It comes from an
> > > > indomitable will." -
> > > > Mohandas Gandhi
> > > >
> > >
> > >
> > >
> >
> >
> >
> > --
> > ___________________________
> > Jon Adams
> >
> > web: http://www.scis.nova.edu/~jonaadam
> > mail: keirre.adams@...
> > ---------------------------------------------
> >
> > "Strength does not come from physical capacity. It comes from an
> > indomitable will." -
> > Mohandas Gandhi
> >
> >
>
>
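Leon's question about auditing the Apache logs, together with Jonathan's observation of proxy attempts in those logs and the majority-HTTP tcpdump, suggests one concrete check. The script below is an added example, not code from anyone in the thread: it parses combined-format Apache access log lines, flags absolute-URI and CONNECT requests (the shape of a proxy attempt against an origin server), and totals response bytes per client and per path so that a large file being served or a request path leaking traffic stands out. The log layout regex, the sample addresses and the sample lines are all constructed assumptions.

```python
import re
from collections import Counter

# Apache "combined" log format; this pattern is an assumption about the
# log layout and is not taken from the original thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines for demonstration only (not from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [29/May/2008:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [29/May/2008:10:01:05 +0000] "GET http://example.net/ HTTP/1.1" 404 512
203.0.113.9 - - [29/May/2008:10:01:06 +0000] "CONNECT mail.example.org:25 HTTP/1.1" 405 312
198.51.100.7 - - [29/May/2008:10:02:10 +0000] "GET /files/big.iso HTTP/1.1" 200 734003200
192.0.2.44 - - [29/May/2008:10:03:00 +0000] "GET /files/big.iso HTTP/1.1" 200 734003200
192.0.2.44 - - [29/May/2008:10:03:40 +0000] "GET /robots.txt HTTP/1.1" 200 -
"""


def is_proxy_attempt(method, target):
    """A request looks like a proxy attempt if it names a full URL
    (absolute-form target) or uses CONNECT; an origin server normally
    only sees /path targets."""
    return method.upper() == "CONNECT" or re.match(r"^[a-z]+://", target, re.I) is not None


def audit(log_text):
    """Return (proxy attempts per client, bytes per client, bytes per path)."""
    proxy_hits = Counter()
    bytes_by_ip = Counter()
    bytes_by_path = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        if is_proxy_attempt(m["method"], m["target"]):
            proxy_hits[m["ip"]] += 1
        bytes_by_ip[m["ip"]] += size
        bytes_by_path[m["target"]] += size
    return proxy_hits, bytes_by_ip, bytes_by_path


if __name__ == "__main__":
    proxy_hits, by_ip, by_path = audit(SAMPLE_LOG)
    print("proxy attempts:", proxy_hits.most_common(5))
    print("top clients by bytes:", by_ip.most_common(5))
    print("top paths by bytes:", by_path.most_common(5))
```

Run it against the real access log (for example `audit(open("/var/log/apache2/access.log").read())`) and compare the byte totals with the provider's transfer alert; a single path accounting for most of the bytes is Leon's "large file for download" case, while clients that only generate flagged requests are the proxy scanners Jonathan saw.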