If at all possible, use statically-linked tools and utilities mounted from a CD-R for this investigation.
You need to understand all traffic going to and from your machine — this can be time-consuming! tcpdump and ethereal are your friends here. Any traffic which you do not recognise should be treated as suspicious — use lsof to determine the process responsible for such traffic.
Darkstar has one network interface, hme0:
tcpdump -i hme0 -n | egrep -v "130.88.99.10.22" | egrep -v "130.88.119.67.53|130.88.120.67.53"
    # grep out things we already know about (our own ssh session, and the DNS servers)
11:18:55.486997 130.88.99.10.47865 > 130.88.124.69.6000: P 420:436(16) ack 161 win 8760 (DF)
11:18:55.487853 130.88.124.69.6000 > 130.88.99.10.47865: . ack 436 win 61304 (DF)
    # why are these people not tunnelling X traffic?

tcpdump -i hme0 -n | egrep -v "130.88.99.10.22" | egrep -v "130.88.119.67.53|130.88.120.67.53" | egrep -v "130.88.\d\d\d.\d\d.6000"
    # egrep has no \d, so that pattern matches nothing; spell the digit classes out instead:
tcpdump -i hme0 -n | egrep -v "130.88.99.10.22" | egrep -v "130.88.119.67.53|130.88.120.67.53" | grep -v "130.88.[1-9][0-9][0-9].[1-9][0-9].6000"
13:35:49.729925 130.88.119.65.59549 > 130.88.99.10.25: S 3404736403:3404736403(0) win 5840 <mss 1460,sackOK,timestamp 1011349486[|tcp]> (DF)
13:35:49.729967 130.88.99.10.25 > 130.88.119.65.59549: S 1333966013:1333966013(0) ack 3404736404 win 10136 <nop,nop,timestamp 267392917 1011349486,nop,[|tcp]> (DF)
    # email from UMIST email routers

tcpdump -i hme0 -n | egrep -v "130.88.99.10.(22|25)" | egrep -v "130.88.119.67.53|130.88.120.67.53" | grep -v "130.88.[1-9][0-9][0-9].[1-9][0-9].6000"
    # note (22|25), not [22|25]: square brackets make a character class, not an alternation
13:40:51.600950 130.88.99.10.2049 > 130.88.99.9.1007: . ack 2922688 win 8760 (DF)
13:40:51.600999 130.88.99.9.1007 > 130.88.99.10.2049: P 2922688:2924148(1460) ack 14829 win 8760 (DF)
    # 2049 is nfsd, so this is NFS traffic to/from eric

/usr/local/sbin/tcpdump -i hme0 -n | egrep -v "130.88.99.10.(22|25|123|2049)\
|10.98.96.1|arp\ who|arp\ reply|802.1d\ config|130.88.1[1-2][0-9].67.53\
|130.88.[1-9][0-9][0-9].[1-9][0-9].6000|130.88.1[1-2][0-9].6[5-6].25\
|130.88.120.194.514"
14:12:05.498637 CDP v2, ttl=180s DevID 'TBA03170480(sw-umain)' Addr (1): IPv4 130.88.98.2[|cdp]
14:13:05.507362 CDP v2, ttl=180s DevID 'TBA03170480(sw-umain)' Addr (1): IPv4 130.88.98.2[|cdp]

...which leaves only CDP-related stuff.
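The same elimination can be done as an explicit allow-list over the tcpdump output rather than an ever-growing chain of egrep -v patterns, which also avoids the regex pitfalls above (unescaped dots matching any byte, [22|25] being a character class). This is an added example, not part of the original notes; it assumes 130.88.99.9 is eric, and its sample input is constructed from the lines shown above plus one invented outbound connection.

```python
import re

# Old-style "tcpdump -n" lines look like: "HH:MM:SS.usec SRC.sport > DST.dport: ..."
_EP = r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+)"
LINE_RE = re.compile(r"^\S+\s+" + _EP + r"\s+>\s+" + _EP + r":")

HOST = "130.88.99.10"                           # darkstar (from the page)
RESOLVERS = {"130.88.119.67", "130.88.120.67"}  # the DNS servers filtered out on the page
NFS_PEER = "130.88.99.9"                        # assumed to be eric (inferred from the page)

def parse(line):
    """Return (src, sport, dst, dport), or None for non-IP lines (ARP, CDP, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))

def is_known(flow):
    """Allow-list of the flows the investigation has already explained."""
    src, sport, dst, dport = flow
    if dst == HOST:
        local_port, remote, remote_port = dport, src, sport
    elif src == HOST:
        local_port, remote, remote_port = sport, dst, dport
    else:
        return False  # darkstar is neither end: always worth a look
    return (local_port in (22, 25)                                      # sshd, smtp
            or (remote in RESOLVERS and remote_port == 53)              # DNS lookups
            or (remote_port == 6000 and remote.startswith("130.88."))   # X11 to campus displays
            or (local_port == 2049 and remote == NFS_PEER))             # nfsd <-> eric

def unexplained(lines):
    """Everything the allow-list does not cover, non-IP lines included, for manual review."""
    leftover = []
    for line in lines:
        flow = parse(line)
        if flow is None or not is_known(flow):
            leftover.append(line)
    return leftover

# Constructed sample: lines taken from the page plus one made-up outbound connection.
SAMPLE = [
    "11:18:55.486997 130.88.99.10.47865 > 130.88.124.69.6000: P 420:436(16) ack 161 win 8760 (DF)",
    "12:00:00.000000 130.88.99.10.40000 > 130.88.119.67.53: udp 40",
    "13:35:49.729925 130.88.119.65.59549 > 130.88.99.10.25: S 3404736403:3404736403(0) win 5840 (DF)",
    "13:40:51.600950 130.88.99.10.2049 > 130.88.99.9.1007: . ack 2922688 win 8760 (DF)",
    "13:41:02.000000 130.88.99.10.33001 > 192.0.2.7.8080: S 1:1(0) win 5840 (DF)",  # constructed
    "14:12:05.498637 CDP v2, ttl=180s DevID 'TBA03170480(sw-umain)' Addr (1): IPv4 130.88.98.2",
]

if __name__ == "__main__":
    for line in unexplained(SAMPLE):
        print(line)
```

Run it on `tcpdump -i hme0 -n -l` output piped through stdin and hand each surviving line to lsof, as the notes above suggest.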