
Someone is using my server...


parallon (MIS)
Dec 27, 2002
Hello all. I have just been notified by my ISP that there is 300 kbps being routed through my server and going to Texas and Denmark. Is there a way to tell where this information is coming from and who is requesting it? Also, is it possible to find out what ports are allowing this transfer? My ISP said that it has been going on for about a week now with a total in the tens of gigabytes. Any info would be greatly appreciated.

Thanks in advance,

Parallon

"I used to think that the more that you knew, the farther you would go, then I realized that the more that you know, the more they use you."

-Me
 
I would recommend immediately (if not sooner!) removing the system from the net access until you determine what trojan has been installed and remove it, then run a good quality antivirus program to sweep your system. It may not, however, find anything, as this sounds like a hijack, not a virus.

Some excellent tools, in addition to a good antivirus sweep, would be to install and run CWSHREDDER, then SPYBOT Search and Destroy, and AdAware. Install and Run all three in the order listed. These find and clean out hijack programs. If this is the only system you have to access the net with, then download the software, take the system off line, install and run the software and clean it up. Once this is done go back on line and get the latest updates for all three and do it again. Chances are the older versions will find and remove the problem, but then you want to run the latest versions to be sure.

Create a directory on your HD called antihijack with three subdirectories, and put these files into the three different subdirectories before you install them on your system. (This makes them available to re-install if needed later.)

CwShredder is free from Merijn.org at while AdAware is found at and SpyBot S&D can be obtained at (You can, and should, download the Search & Destroy update from this home site before you go to get the basic program, which will be gotten from a satellite location.)

All three are powerful tools for finding and removing hijack programs and recovering your system. AdAware and SpyBot are also free for home use, and if you find them useful, they would appreciate donations also.

After running all three of these programs, clean out all the cookies on your system, under all accounts. If you do not know how to do this, say so and tell us what OS you are using so we can point you in the right direction.

After cleaning out the system, be sure to bring it totally up to date with all the security patches available for the OS and all applications installed.

HTH

David
 
Before you pull it off of the network, your firewall or router should have logs as to what ports are being hit and what IP they are coming from. This will help you in determining what open ports you have on your firewall so that you can close them.
 
Don't forget your good utility friend NETSTAT -A at the command prompt to see if you can actually catch someone connecting unexpectedly to a specific port.
 
I found a few utilities that show the inbound and outbound activities. We were able to block off the IP ranges, but I am not sure if that is the best way. All this traffic is coming from Denmark and Germany with some of the IP addresses in 82.0.0.0 to 82.244.x.x, so is it safe to kill the whole range of 82.0.0.0 to 82.255.255.255?

Thanks,

Parallon

"I used to think that the more that you knew, the farther you would go, then I realized that the more that you know, the more they use you."

-Me
 
With netstat you can see what port they are using. Is your server connected directly to the internet, or do you have a firewall?
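As an added example (not posted by anyone in this thread) of turning the netstat advice above and the 82.0.0.0 blocking question into something concrete: a Python script that parses `netstat -an` output, counts ESTABLISHED connections per local port and foreign address, and computes the narrowest prefix that covers the foreign addresses actually seen, which is what you would block rather than the whole 82.0.0.0/8. The netstat sample, the addresses and the function names are all constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Windows-style `netstat -an` output; not real traffic.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        82.103.5.17:51234      ESTABLISHED
  TCP    192.168.1.10:80        82.103.5.17:51240      ESTABLISHED
  TCP    192.168.1.10:6667      82.110.220.4:1025      ESTABLISHED
  TCP    192.168.1.10:6667      217.160.8.9:3371       ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.22:1044      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# proto, local ip, local port, foreign ip, foreign port, state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)")

def parse_established(text):
    """Return (local_port, foreign_ip) for every ESTABLISHED TCP line."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "TCP" or m.group(6) != "ESTABLISHED":
            continue
        conns.append((int(m.group(3)), ipaddress.ip_address(m.group(4))))
    return conns

def remote_summary(conns):
    """Connections per (local port, foreign IP), busiest first: who is on which port."""
    return Counter((port, str(ip)) for port, ip in conns).most_common()

def external_remotes(conns):
    """Foreign addresses outside RFC 1918 space, deduplicated and sorted."""
    return sorted({ip for _, ip in conns if not ip.is_private}, key=int)

def smallest_covering_network(ips):
    """Narrowest single prefix containing every address in ips (ips non-empty)."""
    net = ipaddress.ip_network(str(ips[0]))   # start at /32, widen until all fit
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return net

def tighter_block(conns, candidate):
    """Of the external hosts inside `candidate`, the narrowest prefix covering them."""
    cand = ipaddress.ip_network(candidate)
    inside = [ip for ip in external_remotes(conns) if ip in cand]
    return str(smallest_covering_network(inside)) if inside else None

if __name__ == "__main__":
    conns = parse_established(SAMPLE_NETSTAT)
    for (port, ip), n in remote_summary(conns):
        print(f"local port {port:5d}  <- {ip:15s}  {n} connection(s)")
    print("instead of 82.0.0.0/8, block:", tighter_block(conns, "82.0.0.0/8"))
```

Run it against real output with `netstat -an > ns.txt` and read the file instead of the sample; a block list should be built from the firewall logs over the full week, not from one snapshot.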
 