Re: DoS "Probing" on one of our hosts

From: Christopher Kunz (chrislist@de-punkt.de)
Date: Mon Jun 30 2003 - 09:34:28 PDT


    Donald Voss wrote:
    
    > Not to be a jerk .. but could it have been a file sharing app or two or
    > three ..
    
    I can safely rule that out - the data that went _into_ the box must have 
    been stored somewhere and there is definitely not enough space to store 
    the equivalent of those bandwidth spikes.
    And since the outgoing traffic did not change at all, I don't suspect 
    the box has been rooted or used as a file server by its legitimate owners.
    
    > a rooted box .. = warez ftp ? You never know until you look close. We have
    > had students here do the file sharing thing .. then of course everyone sorts
    > the hits by speed .. then queues up a few hundred .. so our pipe has been
    > filled from outside connections .. can anyone say packeteer ..
    
    I just ran chkrootkit on the box and although this tool is of course not 
    too sophisticated, it generally gave me a good hint on all boxes on my 
    network that have been rooted in the past. No results.
    
    --ck
    
    -- 
    php development | hosting |  housing | professional game server hosting
    http://www.de-punkt.de   [ chris@de-punkt.de ]    http://www.stormix.de
    +49 511 1237504 | +49 511 1237505 | laportestr. 2a, 30449 hannover.de
    Filoo auf dem Linuxtag 2003 (F15) - http://www.de-punkt.de/lt2003.php
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 10:43:00 PDT