sp149 05-07-2009 12:16 PM

Linux server sending data to public ip

I'm running Redhat Enterprise Linux AS 4 Update 4

My network engineer told me recently that one of my servers is sending data to a public IP (he found it out with Wireshark).

Can anyone guide me on this?
How do I find out what is being sent and by which service?
How do I stop this? Is it a virus?

Any help/guidance is appreciated.


sparc86 05-07-2009 01:13 PM

You could try using tcpdump (it's a sniffer for Unix, just like Wireshark).

By the way, before that, you could first try to disable all the network services; then this box should stop sending data. Otherwise, yes, it could be a virus/bot/whatever.

There are many ways to debug it, try these options. If you cannot solve it, then come back here and we'll help you.

But please let us know what you did, in case you get it solved.

This is an excellent tcpdump tutorial that might help you:

farslayer 05-07-2009 02:07 PM

Did he say what data? Could it simply be doing DNS lookups? Kinda vague..

Packet Capture.. as suggested.

sp149 05-07-2009 02:15 PM

Thank you - Appreciate your prompt reply

Will try the same and get back on the findings.

salasi 05-07-2009 03:36 PM

Could you post some data please? The last person who posted a thread like this had made a mistake, and assumed that some upnp/avahi/mdns/bonjour packets were being sent to an external address (to be fair, that is how it looks, until you know not to be deceived by appearances).

It is a quite important factor, as the various 'there is a network service here' packets are generally harmless, but may be a bit irritating if they are for a service that you don't use.

OTOH, the other explanation goes along the lines of 'you've been hacked and...' or 'you've got something seriously misconfigured and...' (or something like 'you've forgotten DNS lookups...' as mentioned earlier), and some of those are 'pull the cable out and try to work out what went wrong before it gets any worse'.
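
Worked example (added here; it is not code from anyone in the thread). It pulls together the advice in sparc86's, farslayer's and salasi's posts: capture the traffic with `tcpdump -n`, decide whether each destination is really public or just multicast (mDNS 224.0.0.251, SSDP 239.255.255.250), link-local, loopback or RFC 1918, flag port 53 so plain DNS lookups are not mistaken for an upload, and then name the owning process by matching the local port against `netstat -tunap` output. The tcpdump and netstat text below is constructed sample input, not a real capture; 198.51.100.23 (an RFC 5737 documentation address) stands in for the unknown public IP, and the PIDs and program names are made up.

```python
"""Triage outbound traffic from a tcpdump capture and map it to processes.

Added example, not from the thread. Input is the text output of
`tcpdump -n` and `netstat -tunap`; both samples below are constructed.
"""
import ipaddress
import re

# Constructed `tcpdump -n -i eth0` output (NOT a real capture).
# 198.51.100.23 is a documentation-range address standing in for the
# unknown public IP; the local host is 192.168.1.10.
TCPDUMP_SAMPLE = """\
12:16:01.100 IP 192.168.1.10.5353 > 224.0.0.251.5353: UDP, length 120
12:16:01.200 IP 192.168.1.10.1900 > 239.255.255.250.1900: UDP, length 300
12:16:02.300 IP 192.168.1.10.32768 > 192.168.1.1.53: UDP, length 41
12:16:02.400 IP 192.168.1.10.45012 > 198.51.100.23.443: Flags [P.], seq 1:102, ack 1, win 46, length 101
12:16:03.500 IP 192.168.1.10.45013 > 198.51.100.23.443: Flags [S], seq 0, win 5840, length 0
"""

# Constructed `netstat -tunap` output taken "at the same time" (PIDs and
# program names are hypothetical). Note: no socket for local port 45013,
# the short-lived connection tcpdump saw had already gone away.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:45012      198.51.100.23:443       ESTABLISHED 4321/java
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2233/avahi-daemon
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           2510/upnp-daemon
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1456/portmap
"""

# "IP src.sport > dst.dport: UDP|Flags ..." as printed by tcpdump -n (IPv4).
TCPDUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\w+)")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip_str):
    """Say what kind of destination an address is; only 'public' leaves the LAN."""
    a = ipaddress.ip_address(ip_str)
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:            # 224.0.0.0/4: mDNS, SSDP/UPnP, etc.
        return "multicast"
    if a.is_link_local:           # 169.254.0.0/16
        return "link-local"
    if a == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if any(a in net for net in RFC1918):
        return "rfc1918"
    return "public"


def parse_netstat(text):
    """Map (proto, local_port) -> 'PID/Program' from `netstat -tunap` output."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue                      # skip headers
        proto = f[0].rstrip("6")
        local_port = f[3].rsplit(":", 1)[1]
        owner = f[-1] if "/" in f[-1] else "-"   # '-' when netstat could not see the owner
        table[(proto, local_port)] = owner
    return table


def triage(tcpdump_text, netstat_text, local_ip):
    """One record per outbound (proto, sport, dst, dport) flow, with owner and class."""
    sockets = parse_netstat(netstat_text)
    flows = {}
    for m in TCPDUMP_RE.finditer(tcpdump_text):
        src, sport, dst, dport, kind = m.groups()
        if src != local_ip:
            continue                      # only traffic this host sends
        proto = "udp" if kind == "UDP" else "tcp"
        key = (proto, sport, dst, dport)
        if key in flows:
            continue
        flows[key] = {
            "proto": proto, "sport": int(sport), "dst": dst, "dport": int(dport),
            "class": classify(dst),
            "dns": dport == "53",         # farslayer's point: lookups look like "sending data"
            "owner": sockets.get((proto, sport), "unknown (no socket at netstat time)"),
        }
    return list(flows.values())


def needs_attention(flows):
    """Flows that actually leave the network and are not plain DNS."""
    return [f for f in flows if f["class"] == "public" and not f["dns"]]


if __name__ == "__main__":
    for f in triage(TCPDUMP_SAMPLE, NETSTAT_SAMPLE, "192.168.1.10"):
        print(f"{f['proto']} {f['dst']}:{f['dport']:<5} {f['class']:<10} "
              f"{'dns ' if f['dns'] else ''}{f['owner']}")
    print("needs attention:", [f["owner"] for f in needs_attention(
        triage(TCPDUMP_SAMPLE, NETSTAT_SAMPLE, "192.168.1.10"))])
```

Run tcpdump and netstat as root, close together in time, because an ephemeral socket (the second 443 flow above) can be gone before netstat lists it; `lsof -i` gives the same PID-to-socket mapping if netstat's `-p` column shows `-`. Anything reported by `needs_attention()` is what to chase: check the process binary against the RPM database, and if it is not something you installed, salasi's "pull the cable" advice applies.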

sp149 05-12-2009 11:25 AM

The IP was showing data going to Amsterdam, Europe. The server is configured for Metalink (Oracle), and the IP address and the data passing are legitimate.

Thank you everyone, appreciate your help/guidance.

