Hi!

I'm a Linux newbie, so I might have posted this message to the newbie board just as well, but perhaps this is the better board due to the particular security expertise found here.

Here's my situation:
Tonight I was running Red Hat 6.2 (on my dual-boot machine), connected to my ISP via PPP, simply surfing the web for a couple hours. Eventually, I was ready to shut things down, so I closed down the few browser windows that I had open. However, just as I was about to disconnect my modem connection, I just happened to notice that it nonetheless appeared to be steadily *maxing out* [downloading or uploading, I'm not sure which, at capacity]. This was at least 30 seconds after I had closed my few browser windows down. So, there is really no reason why my modem should have indicated any activity at all, as far as I know.

OK, here are my questions:
1. Does it seem likely/conceivable, given the description above, that someone could have been hacking my machine via PPP? (Or is there possibly some more benign explanation for what I was observing?)
2. How, if at all, might I determine if this was the case?
3. If this were to happen again in the future, specifically what (if anything) could/should I check while it is going on to diagnose what is happening?
4. Is there anything (practically feasible) that I can do to assess damage at this point?

Just one additional comment:
Ironically, I have recently been downloading and installing as many Red Hat security advisory patches on my machine as time permits, just to prevent any such mayhem.

Thanks for any suggestions/comments you may have,
Ben

If you run some servers on yours machine(like FTP,telnet,or something else)than it's posible that you have been hacked, but i dont think so.
For any case, check log files

Aethereal,

It's unlikely someone was trying to hack your box as people normally like to go for targets that are not PPP and don't have dynamic IP addresses.

Someone could be trying to cause a DOS attack and due to the fact your have very limited bandwidth on a modem, very easy to do, but again unlikely with the short time your on"

It's more likely your connection is trying to be a good TCP stack and follow the RFC and send FIN flags to the sites sockets that you had connected to, tell em your closing your connection and free the resources.

Next time it happens try typing "netstat -e | grep ESTABLISHED" and look at these.

Should see a FIN WAIT1 or 2, also all local connection from the remote system shouldn't be on any ports below 1024.

Put a simple firewall on so that it can do some packet logging for you.

Also download TCPDUMP and run it next time you disconnect to see what's talking to what.

/Raz

Cool! Thank you very much guys!

I really appreciate your helpful comments and suggestions. I will definitely check these out.

Thanks again!
Ben