LinuxQuestions.org
03-29-2010, 09:38 AM   #16
PMP (Member; Distribution: RHEL, Fedora)

Have you checked the other computer? It might be a pull from that machine from this server.

Or

Write a cron job that pushes the output of ps to a file so that you can track what process executes on the server at that time.

Last edited by Tinkster; 03-30-2010 at 04:43 AM.
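To make PMP's suggestion concrete, here is an added example (it is not PMP's code or anything posted in the thread) of the kind of snapshot script a cron job could run every few minutes: it writes the process list and the established TCP connections to a timestamped file, and a second function diffs the command names between two snapshots so that anything that only runs during the overnight window stands out. The /var/log/psnap directory, the /usr/local/sbin/psnap.sh path and the five-minute schedule in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-driven snapshot of running
# processes and established TCP connections, written to a timestamped file so the
# overnight transfer window can be lined up against what was running on the server.
# The output directory, script path and 5-minute schedule are assumptions:
#   */5 * * * * /usr/local/sbin/psnap.sh /var/log/psnap

# Write one snapshot into directory $1 and print the path of the file written.
snapshot() {
    outdir="$1"
    mkdir -p "$outdir"
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$outdir/snap-$stamp.log"
    {
        echo "=== processes $stamp ==="
        # full listing with start time and elapsed time; fall back to plain
        # ps -ef on a ps that lacks these format keywords
        ps -eo pid,ppid,user,lstart,etime,args 2>/dev/null || ps -ef 2>/dev/null || true
        echo "=== commands ==="
        # bare command names, one per line, so two snapshots can be diffed cheaply
        ps -eo comm= 2>/dev/null | sort -u
        echo "=== tcp ==="
        # established TCP sockets with owning process (ss), or the raw kernel table
        if command -v ss >/dev/null 2>&1; then
            ss -tnp state established 2>/dev/null || true
        elif [ -r /proc/net/tcp ]; then
            # columns 2 and 3 are local and remote address as hex:port; state 01 = ESTABLISHED
            awk 'NR > 1 && $4 == "01" { print $2, $3 }' /proc/net/tcp
        fi
        echo "=== end ==="
    } > "$out"
    echo "$out"
}

# Print the "commands" section of snapshot file $1, sorted and de-duplicated.
commands_in() {
    awk '/^=== commands ===$/ { on = 1; next } /^=== / { on = 0 } on' "$1" | sort -u
}

# Print command names present in snapshot $2 that were absent from snapshot $1.
new_commands() {
    old=$(mktemp); new=$(mktemp)
    commands_in "$1" > "$old"
    commands_in "$2" > "$new"
    comm -13 "$old" "$new"
    rm -f "$old" "$new"
}

# From cron: psnap.sh /var/log/psnap
# Afterwards: new_commands /var/log/psnap/snap-A.log /var/log/psnap/snap-B.log
if [ $# -gt 0 ]; then
    snapshot "$1"
fi
```

The "commands" section is deliberately kept separate from the full listing: comparing whole ps lines between snapshots gives noise from changing elapsed times, while a sorted list of bare command names diffs cleanly with comm.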
 
03-29-2010, 09:41 AM   #17
rjo98 (Senior Member, Original Poster; Distribution: RHEL, CentOS)
Yeah, I checked the XP machine and didn't find anything. I even wiped it and reloaded the machine just in case I happened to miss anything. The problem still occurs.
 
03-29-2010, 09:43 AM   #18
rjo98 (Senior Member, Original Poster; Distribution: RHEL, CentOS)

Quote:
Originally Posted by unSpawn
Wipe 'n restore ops may seem convenient, but done w/o prior investigation it just shows that it is not efficient.

How would you know exactly?

unSpawn, I did investigate the XP machine prior to wiping it. I didn't see anything on there scheduled to pull anything from that server. I wiped it and installed a base image used by hundreds of computers here to effectively say "if I did miss anything in my investigation, it is gone now". The motherboard, and therefore the on-board NIC, were even replaced as well.

Last edited by rjo98; 03-29-2010 at 09:44 AM.
 
03-29-2010, 09:47 AM   #19
PMP (Member; Distribution: RHEL, Fedora)

My next step would be to look into the FTP logs or SSH logs.
 
03-29-2010, 09:50 AM   #20
rjo98 (Senior Member, Original Poster; Distribution: RHEL, CentOS)

I did the following on /var/log and I only get one result (real names substituted). Should I be doing the same command in other places to find out?

Code:
[root@servername log]# grep -r computername *
Binary file wtmp.1 matches
 
03-29-2010, 09:53 AM   #21
PMP (Member; Distribution: RHEL, Fedora)

My intention in going into the logs is to see who tries to communicate with the server, as the most probable way of data transfer would be ftp or scp.
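Since scp rides on sshd, the SSH side of what PMP describes can be checked from the sshd "Accepted" lines in the secure log. The script below is an added example (not PMP's or anyone else's code from the thread): it pulls successful logins from the current and rotated /var/log/secure files, keeps only those from one source host, and buckets them by hour so a pattern in the overnight window shows up. The /var/log/secure path is the RHEL/CentOS default and is an assumption here, as is the 192.0.2.23 address in the usage comment; the line shape matched is sshd's own "Accepted <method> for <user> from <host> port <n> ssh2".

```shell
#!/bin/sh
# Added example, not code from the thread: summarise successful sshd logins from one
# host across the current and rotated /var/log/secure files (gzip-rotated ones
# included) and count them per hour. The log path is an assumption (RHEL/CentOS
# default); the matched line is sshd's "Accepted <method> for <user> from <host> port <n> ssh2".

# stdin: syslog lines; $1: source host/IP to keep, or "" for all sources.
# Prints "Mon DD HH:MM:SS user method source" for each accepted login.
accepted_logins() {
    awk -v want="$1" '
        /sshd\[[0-9]+\]: Accepted / {
            user = src = ""
            # locate "for <user>" and "from <host>" by keyword rather than fixed column
            for (i = 1; i < NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") src  = $(i + 1)
            }
            if (want == "" || src == want)
                print $1, $2, $3, user, $7, src
        }'
}

# stdin: accepted_logins output. Prints "Mon DD HH count", sorted, so the hours
# in which logins cluster are easy to read off.
logins_by_hour() {
    awk '{ split($3, t, ":"); n[$1 " " $2 " " t[1]]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Concatenate every secure log (newest-first order is not needed for counting)
# and filter by source host. Extra arguments override the default file list.
logins_from() {
    host="$1"; shift
    [ $# -gt 0 ] || set -- /var/log/secure*
    for f; do
        [ -r "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done | accepted_logins "$host"
}

# e.g.  logins_from 192.0.2.23 | logins_by_hour      (192.0.2.23 is a placeholder)
```

Note that this only covers logins that succeeded; failed attempts appear in the same log with "Failed password" and are deliberately not counted here, since the question in the thread is which session moved the data, not who was knocking.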
 
03-29-2010, 09:55 AM   #22
catkin (LQ 5k Club; Distribution: Debian)

Quote:
Originally Posted by rjo98
I'm not sure how to identify the processes that could be doing this. I'm going to see if I can get Wireshark going today, see if that tells me anything if I let it monitor overnight.

Some good, solid information coming out now; you've really been working on this. Just to complete the set, can you change the name of the workstation? Give another workstation the same name? It sounds as if you've already covered all the other variations on the workstation side.

Regarding "I'm not sure how to identify the processes that could be doing this", that's not a problem; we can work through it. Are you on site when the transfers are happening? Meaning, is this something we have to automate or will it be done interactively?

From the sound of it, this problem is important but not urgent, so we can move steadily on it, no rush ... ?
 
03-29-2010, 10:08 AM   #23
rjo98 (Senior Member, Original Poster; Distribution: RHEL, CentOS)

Quote:
Originally Posted by PMP
My intention in going into the logs is to see who tries to communicate with the server, as the most probable way of data transfer would be ftp or scp.

So what I did wouldn't tell me that? I thought it would, but maybe not.
 
03-29-2010, 10:12 AM   #24
rjo98 (Senior Member, Original Poster; Distribution: RHEL, CentOS)

Quote:
Originally Posted by catkin
Some good, solid information coming out now; you've really been working on this. Just to complete the set, can you change the name of the workstation? Give another workstation the same name? It sounds as if you've already covered all the other variations on the workstation side.

Regarding "I'm not sure how to identify the processes that could be doing this", that's not a problem; we can work through it. Are you on site when the transfers are happening? Meaning, is this something we have to automate or will it be done interactively?

From the sound of it, this problem is important but not urgent, so we can move steadily on it, no rush ... ?

Yeah, I tried troubleshooting with everything I knew before I posted here. I read a lot of posts on here where someone doesn't even try before posting; I know how irritating that is on some Windows forums I help out on.

I think I might give Wireshark a go tonight since I didn't set it up right on Friday, then after looking at that info I will try renaming it to see what happens. I'd love to know what kind of traffic is going, and I'm afraid if I rename it now I won't capture that tonight.

The transfers are happening when I'm offsite, and hopefully sleeping; it's on a computer the late crew uses. You are right, important but not urgent. It's been happening for over a year, which was before I started working here, so they can live with it for a while longer haha.
 
03-29-2010, 12:27 PM   #25
catkin (LQ 5k Club; Distribution: Debian)

Quote:
Originally Posted by rjo98
I did the following on /var/log and I only get one result (real names substituted). Should I be doing the same command in other places to find out?

Code:
[root@servername log]# grep -r computername *
Binary file wtmp.1 matches

Interesting. It might be worth using the "last" command to see what grep found. From memory:
Code:
last -f /var/log/wtmp.1
If there's too much output, cut it down with
Code:
last -f /var/log/wtmp.1 | grep <computername>
 
03-29-2010, 12:28 PM   #26
catkin (LQ 5k Club; Distribution: Debian)

Quote:
Originally Posted by PMP
My intention in going into the logs is to see who tries to communicate with the server, as the most probable way of data transfer would be ftp or scp.

We don't know if it is data (=file) transfer yet; we only know it is network traffic.
 
03-29-2010, 12:39 PM   #27
rjo98 (Senior Member, Original Poster; Distribution: RHEL, CentOS)

When I did the last command, I got the following:

Code:
UsersName  pts/0        ComputerName. Sun Feb 28 21:31 - 21:38  (00:07)

but that username isn't who uses that workstation; it's someone who uses another XP workstation, but they also have an SSH account on the server as well. I'm not sure what that file is for or what it shows.

And also, I just noticed the date; it's from over a month ago.

Last edited by rjo98; 03-29-2010 at 12:43 PM.
 
03-29-2010, 02:33 PM   #28
rjo98 (Senior Member, Original Poster; Distribution: RHEL, CentOS)

Also, because it's showing the ComputerName in there of that workstation, does that mean it was the actual computer name at that time, or just whatever the IP is resolving to now? I'm wondering if that other user really made an SSH connection from this problem workstation, or if he did it from an IP that's changed because of DHCP but is now resolving to the IP of that problem machine by coincidence?
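On the question in #28: the host column that "last" prints is the string that login/sshd stored in the wtmp record when the session was logged, so it reflects what the connecting address resolved to at that time, not a lookup done now (last only resolves at display time with -d). Linux also stores the IP address in the same record, and "last -i" prints that stored IP instead of the host name, which is how a later DHCP reassignment can be told apart from a real connection from the problem workstation. The script below is an added example (not catkin's or rjo98's code) that extends the "last -f /var/log/wtmp.1" suggestion from #25 across the current and all rotated wtmp files and prints, under each session from the workstation, the IP recorded alongside it. It uses -w so long host names are not truncated (the "ComputerName." above is a truncated name) and -F so the full date including the year is shown. The host name in the usage comment and the 192.0.2.23 address in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Searches the current and rotated wtmp
# files with last(1) for sessions from one workstation and shows, under each hit,
# the IP address stored in the same record. -w keeps full host names, -F prints
# full dates, and -i makes last print the stored IP instead of the stored host name.
# Host names and addresses used in comments are placeholders.

# $1: host name prefix (case-insensitive); $2: file holding `last -w -F -f X` text;
# $3: file holding `last -i -w -F -f X` text for the same wtmp file, so record N
# in both files is the same login. Kept separate from last(1) itself so the
# pairing logic can be exercised on saved output.
pair_host_ip() {
    awk -v h="$1" '
        FILENAME == ARGV[1] { ip[FNR] = $3; next }      # first file: IP column per record
        index(tolower($3), tolower(h)) == 1 {            # second file: matching host names
            print $0 "\n    recorded IP: " ip[FNR]
        }' "$3" "$2"
}

# $1: host name prefix; remaining args: wtmp files (default: current plus rotated).
host_sessions() {
    host="$1"; shift
    [ $# -gt 0 ] || set -- /var/log/wtmp /var/log/wtmp.*
    names=$(mktemp); ips=$(mktemp)
    for f; do
        [ -r "$f" ] || continue
        last -w -F -f "$f"    > "$names"
        last -i -w -F -f "$f" > "$ips"
        pair_host_ip "$host" "$names" "$ips" | sed "s|^|$f: |"
    done
    rm -f "$names" "$ips"
}

# e.g.  host_sessions computername
# prints, per matching session:
#   /var/log/wtmp.1: UsersName pts/0  computername.example  Sun Feb 28 21:31:02 2010 - ...
#   /var/log/wtmp.1:     recorded IP: 192.0.2.23
```

If the recorded IP is the one the problem workstation holds now, the session really came from that hardware (or whatever was plugged in at that address then); if it differs, the name shown was simply what reverse DNS returned for that address on that night.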