Linux server sending data to public ip
I'm running Redhat Enterprise Linux AS 4 Update 4
My network engineer told me recently that one of my server is sending data to a public ip (he found it out with wireshark)
Can anyone guide me on this.
How do i find out what is being sent and my which service?
How do i stop this, is it a virus?
Any help/ guidance is appreciated.
You could try using tcpdump (it's a sniffer for unix, just like wireshark).
By the way, before it, you could firstly try to disable all the network services, then this box should stop sending data, otherwise yes it could be a virus/bot/whatever.
There are many ways to debug it, try these options. If you cannot solve it, then come back here and we'll help you.
But please, let us know what you did, in the case you got it solved.
This is an excellent tcpdump tutorial that might help you:
did he say what data ? could it simply be doing DNS lookups ? kinda vague..
Packet Capture.. as suggested.
Thank you - Appreciate your prompt reply
Will try the same and get back on the findings.
Could you post some data please? The last person who posted a thread like this had made a mistake, and assumed that some upnp/avahi/mdns/bonjour packets were being sent to an external address (to be fair, that is how it looks, until you know not to be deceived by appearances).
It is a quite important factor, as the various 'there is a network service here' packets are generally harmless, but may be a bit irritating if they are for a service that you don't use.
OTOH, the other explanation goes along the lines 'you've been hacked and...' or 'you've got something seriously misconfigured and...' (or something like 'you've forgotten DNS lookups...' as mentioned earlier) and some of those are pull the cable out and try to work out what went wrong before it gets any worse.
The ip was showing data going to amsterdam - europe. The server is configured for metalink - oracle and the ip address and data passing is legitimate.
Thank you everyone..appreciate your help/guidance
|All times are GMT -5. The time now is 08:35 AM.|