Bot?

Ryan Coleman ryan.coleman at cwis.biz
Wed Jan 5 18:30:47 UTC 2011


I agree on this point.

That said, I once thought my employer's server was hacked and I ran local utilities and dug through months of logs only to discover that an install of either phpBB or phpMyAdmin had a slice of bad code that allowed someone to install software remotely and run its own p2p network off of it.

I wasted a few days trying to dig in the wrong place.


On Jan 5, 2011, at 12:25 PM, David Brodbeck wrote:

> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox <kevin.wilcox at gmail.com> wrote:
>> On 5 January 2011 10:47, Jerry Bell <jerry at nrdx.com> wrote:
>> 
>>> There could be reasons you
>>> aren't seeing a spike, such as you're only looking at traffic processed by
>>> the MTA, or it simply doesn't show as a material increase on a graph of
>>> traffic on the network interface if the server is busy.
>> 
>> Those are good points and to go a little further regarding looking at
>> traffic...
>> 
>> To really see what your machine is doing, consider taking a look at
>> the network flows. pfflowd, netflowd, ipaudit and a host of others can
>> get you flow data with mostly minimal overhead.
> 
> Also, keep in mind that depending on how badly the machine has been
> compromised, you may not be able to trust the output of utilities
> running on the machine itself.  You may have to resort to capturing
> its network traffic on another machine for analysis.
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
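The advice above (look at flow data rather than interface graphs, and collect it somewhere other than the possibly compromised host) can be made concrete. The following is an added example, not code from anyone in this thread: it takes a handful of constructed flow records in a CSV layout that is assumed here (no tool's real export format) and profiles each source host, showing why a web server quietly running someone else's p2p client has a smaller byte total than the mail server, so it never shows as a spike, yet stands out immediately by how many distinct peers it talks to and on which ports.

```python
"""Added example (not from the thread): spot a host whose flow profile looks
peer-to-peer even though its byte volume does not stand out.

Flow data (pfflowd, netflowd, ipaudit and friends are named in the thread)
is cheap to collect, and when it comes from a router or span port rather
than from the suspect host it does not depend on that host's own utilities
being trustworthy. The CSV field layout below is an assumption for this
example, not any tool's actual export format.
"""
import csv
import io
from collections import defaultdict

# Constructed sample flows: src,dst,proto,dport,bytes.
# 10.0.0.5 is the mail server: a few large, ordinary SMTP flows.
# 10.0.0.7 is the web server: small flows to many distinct peers on
# high ports, which is the shape a p2p client tends to leave in flow data.
SAMPLE_FLOWS = """src,dst,proto,dport,bytes
10.0.0.5,203.0.113.10,tcp,25,48000
10.0.0.5,203.0.113.11,tcp,25,51000
10.0.0.5,203.0.113.12,tcp,25,47000
10.0.0.5,198.51.100.2,tcp,25,52000
10.0.0.7,192.0.2.21,tcp,80,1800
10.0.0.7,192.0.2.22,tcp,80,2200
10.0.0.7,198.51.100.31,tcp,51413,1400
10.0.0.7,198.51.100.32,udp,6881,900
10.0.0.7,198.51.100.33,tcp,6889,1200
10.0.0.7,198.51.100.34,udp,41234,700
10.0.0.7,198.51.100.35,tcp,52001,1100
10.0.0.7,198.51.100.36,tcp,6882,1300
10.0.0.7,198.51.100.37,udp,38011,800
10.0.0.7,198.51.100.38,tcp,51414,1000
"""


def parse_flows(text):
    """Parse the CSV flow export into dicts, with dport and bytes as ints."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def per_host_profile(flows):
    """Aggregate per source host: total bytes, number of distinct peers,
    and the share of flows aimed at non-privileged (>= 1024) ports."""
    acc = defaultdict(lambda: {"bytes": 0, "peers": set(), "flows": 0, "high": 0})
    for f in flows:
        p = acc[f["src"]]
        p["bytes"] += f["bytes"]
        p["peers"].add(f["dst"])
        p["flows"] += 1
        if f["dport"] >= 1024:
            p["high"] += 1
    return {
        host: {
            "bytes": p["bytes"],
            "peer_count": len(p["peers"]),
            "flows": p["flows"],
            "high_port_ratio": p["high"] / p["flows"],
        }
        for host, p in acc.items()
    }


def p2p_suspects(profiles, min_peers=6, min_high_port_ratio=0.5):
    """Hosts that fan out to many distinct peers, mostly on high ports.
    The thresholds are illustrative assumptions; tune them against a
    baseline taken from your own network."""
    return sorted(
        host
        for host, p in profiles.items()
        if p["peer_count"] >= min_peers and p["high_port_ratio"] >= min_high_port_ratio
    )


if __name__ == "__main__":
    profiles = per_host_profile(parse_flows(SAMPLE_FLOWS))
    for host, p in sorted(profiles.items()):
        print(f"{host}: {p['bytes']:>7} bytes, {p['peer_count']:>2} peers, "
              f"{p['high_port_ratio']:.0%} of flows to high ports")
    print("p2p-like hosts:", p2p_suspects(profiles))
```

Note that a byte-volume threshold alone would rank the mail server first and the web server as harmless; it is the peer fan-out and port profile that separate the two, which is the property interface graphs and MTA logs never show you.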


