Ryan Coleman ryan.coleman at
Wed Jan 5 18:30:47 UTC 2011

I agree on this point.

That said, I once thought my employer's server was hacked and I ran local utilities and dug through months of logs only to discover that an install of either phpBB or phpMyAdmin had a slice of bad code that allowed someone to install software remotely and run its own p2p network off of it.

I wasted a few days trying to dig in the wrong place.

On Jan 5, 2011, at 12:25 PM, David Brodbeck wrote:

> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox <kevin.wilcox at> wrote:
>> On 5 January 2011 10:47, Jerry Bell <jerry at> wrote:
>>> There could be reasons you
>>> aren't seeing a spike, such as you're only looking at traffic processed by
>>> the MTA, or it simply doesn't show as a material increase on a graph of
>>> traffic on the network interface if the server is busy.
>> Those are good points and to go a little further regarding looking at
>> traffic...
>> To really see what your machine is doing, consider taking a look at
>> the network flows. pfflowd, netflowd, ipaudit and a host of others can
>> get you flow data with mostly minimal overhead.
> Also, keep in mind that depending on how badly the machine has been
> compromised, you may not be able to trust the output of utilities
> running on the machine itself.  You may have to resort to capturing
> its network traffic on another machine for analysis.
> _______________________________________________
> freebsd-questions at mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at"

More information about the freebsd-questions mailing list