  1. #1
    Secret Agent
    Guest

    Bandwidth spikes, can't trace

    I am having a hard time tracing this server's bandwidth spikes.

    I found udp files in /tmp and removed them. That solved the problem. The partition is already secured with /scripts/securetmp as well.

    I am just not able to trace anything else. Can someone explain the best procedures to trace bandwidth spikes (low cpu usage constant during spikes)?

    Please see attachment. I found udp.txt again in /tmp somehow.

    This is after I removed the file earlier, changed the ssh port, disabled any shell access for all accounts (about 10 total), disabled direct root access (it already was) and took literally about 15 other security steps including apf, bfd, etc.

    This is the /etc/fstab also

    Code:
    LABEL=/                 /                       ext3    defaults,usrquota        1 1
    LABEL=/boot             /boot                   ext3    defaults        1 2
    LABEL=/backup           /backup                 ext3    defaults        1 2
    none                    /dev/pts                devpts  gid=5,mode=620  0 0
    none                    /proc                   proc    defaults        0 0
    none                    /dev/shm                tmpfs   rw,noexec,nosuid,nodev        0 0
    /dev/sda2               swap                    swap    defaults        0 0
    /dev/cdrom              /mnt/cdrom              udf,iso9660 noauto,owner,kudzu,ro 0 0
    /dev/fd0                /mnt/floppy             auto    noauto,owner,kudzu 0 0
    Last edited by Secret Agent; 01-18-2006 at 04:11 PM.

  2. #2
    Secret Agent
    Guest

    Can someone kindly help me here? I found it again, removed it and the bandwidth is still high.

  3. #3
    Registered User
    Join Date
    Dec 2004
    Posts
    1

    I've seen this happen from an outdated phpBB forum.

    There's an exploit that allows them to write to the /tmp path... The script you posted was a flood script to attack other users.

    My recommendation is just patch and update all installations of phpBB on your server.
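
An added example, not part of the original posts: a shell check of the fstab listing from the first post, reporting whether the world-writable temp paths are mounted with `noexec` and `nosuid`. The function names and the choice of paths to audit are assumptions; the sample input is constructed from the posted listing (abridged).

```shell
#!/bin/sh
# Audit an fstab for world-writable temp mounts lacking noexec/nosuid.

# Constructed sample: abridged from the /etc/fstab shown in the first post.
sample_fstab() {
cat <<'EOF'
LABEL=/                 /                       ext3    defaults,usrquota        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
none                    /proc                   proc    defaults        0 0
none                    /dev/shm                tmpfs   rw,noexec,nosuid,nodev        0 0
/dev/sda2               swap                    swap    defaults        0 0
EOF
}

# audit_fstab FILE: print one verdict line per temp path.
#   NO-ENTRY -> no fstab line; the path inherits its parent filesystem's options
#   MISSING  -> an entry exists but lacks the listed options
audit_fstab() {
    fstab=$1
    for mp in /tmp /var/tmp /dev/shm; do
        # Field 2 is the mount point, field 4 the option list; last match wins.
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }' "$fstab" | tail -n 1)
        if [ -z "$opts" ]; then
            echo "$mp: NO-ENTRY"
            continue
        fi
        missing=""
        for want in noexec nosuid; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -z "$missing" ]; then
            echo "$mp: OK"
        else
            echo "$mp: MISSING$missing"
        fi
    done
}

# Run against the constructed sample; point it at /etc/fstab on a real host.
demo=$(mktemp)
sample_fstab > "$demo"
audit_fstab "$demo"
rm -f "$demo"
```

A `NO-ENTRY` result only describes fstab, so compare it with `/proc/mounts` for the live mount state. `noexec` also does not stop a script from being passed to an interpreter, so an `OK` result does not rule out a file in /tmp being run.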
