- 08-07-2005 #1 Linux User
- Join Date
- Jun 2003
- Location
- Huntington Beach, CA
- Posts
- 390
strange network slowdown issue
For over a month I've been noticing a slowdown in my network connectivity. I've been using an old P3 box as a router/server for about a year and a half. I use a second NIC and a crossover cable to give my main desktop net access. When browsing images on my file server I noticed they were taking a while to load, almost as if I was browsing them from an outside website. I discovered that unplugging and plugging in the ethernet cable solved the issue for anywhere between 3-9 hours. I thought maybe the cable was fried so I bought a new one, but the problem persisted. I thought maybe the NIC was bad so I replaced it, no dice. I changed the PCI slot it was in, nothing. I upgraded the kernel, nothing. The only thing that fixes it is unplugging and replugging in the cable. I noticed about a 30% CPU load during large transfers between the two computers and I thought that was awfully high. I'm out of ideas here, any help would be much appreciated.
- 08-07-2005 #2 Banned
- Join Date
- Aug 2005
- Location
- Sacramento, CA
- Posts
- 112
Although it is seldom, there are those of us who try to crack Linux systems instead of WinBlows. I'm not trying to read too much into this, but from the troubleshooting you've done and the information you provided, the idea of you being hit by a cracker is somewhat plausible. My reasons behind this are that you switched a network cable and card, *and* unplugging the cable stops the symptoms. A program may be stealing your bandwidth to scan your network and use vulnerabilities against you. This would explain that the program stops when you unplug the cable - giving you the 3-9 hours of speed before the program is reiterated. Try running a network scanner (such as Ethereal) on your network and test for vulnerabilities. These programs may even tell you what is using up your bandwidth so you can patch the source of the problem.
- 08-10-2005 #3 Linux User
- Join Date
- Jun 2003
- Location
- Huntington Beach, CA
- Posts
- 390
I ran ethereal for a while and noticed nothing really unusual. If my system was compromised I think the hard drive would be working a lot, and the only time I hear it is when I'm doing stuff on the computer or when people are looking at my website; it's never constantly working. Also my ssh and ftp logs are all normal too. If there's something else specific I should run on ethereal or another program I'm open to suggestion, I just ran a capture for a while to see if there was an abnormal amount of traffic coming from IPs other than my own.
- 08-10-2005 #4
Try rootkit_hunter, it scans your system for trojans, backdoors etc. Maybe someone has cracked your system, and with this tool you should be able to find out whether this has happened.
Life is complex, it has a real part and an imaginary part.
- 08-10-2005 #5 Banned
- Join Date
- Aug 2005
- Location
- Sacramento, CA
- Posts
- 112
"If there's something else specific I should run on ethereal or another program I'm open to suggestion"
You could also try port scanning your computer. If you notice open ports that your programs don't use, you may want to find out what program(s) uses those ports. If you don't use that program, close the ports it uses.
Also try what AlexK said.
- 08-10-2005 #6 Linux User
- Join Date
- Jun 2003
- Location
- Huntington Beach, CA
- Posts
- 390
The only open ports I have are 21 for FTP, 80 for HTTP and a port I use for SSH, that's it. You cannot ping my IP from an outside network, so an attacker would have to be going after me specifically rather than some script kiddy just scanning for systems with open ports.
Thanks for the rootkit link, that's a pretty handy tool. I ran it and it came up with nothing.
Another side note: I just compared an ftp transfer and an scp transfer, and the ftp transfer is much faster but the CPU usage goes almost up to 100 percent.
--Tyler
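
Added example, not part of any post in the thread: a local version of the open-port check suggested in post #5, which parses the kernel's `/proc/net/tcp` table and reports network-reachable listening sockets outside the ports listed in post #6. The SSH port (2222), the sample table, and the function names are assumptions made for the illustration; the address decoding assumes a little-endian (x86) host.

```python
import socket
import struct

# Ports the original poster says should be open: FTP, HTTP, and an SSH port.
# The SSH port number is not given in the thread; 2222 is a placeholder.
EXPECTED_PORTS = {21, 80, 2222}
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 1002
   2: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 1004
   4: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1005
   5: 0101A8C0:08AE 0201A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1006
"""

def listeners(proc_net_tcp):
    """Return (ip, port, uid) for each socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue  # short line, or an established/closing connection
        hex_ip, hex_port = fields[1].split(":")
        # On a little-endian host the address bytes are printed reversed.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        found.append((ip, int(hex_port, 16), int(fields[7])))
    return found

def unexpected(proc_net_tcp, expected=EXPECTED_PORTS):
    """Listeners outside the expected set that are not bound to loopback only."""
    return [(ip, port, uid) for ip, port, uid in listeners(proc_net_tcp)
            if port not in expected and not ip.startswith("127.")]

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live table on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample
    for ip, port, uid in unexpected(table):
        print(f"unexpected listener {ip}:{port} (owner uid {uid})")
```

`/proc/net/tcp` covers IPv4 TCP only; IPv6 and UDP sockets are listed in separate files (`/proc/net/tcp6`, `/proc/net/udp`) that this example does not read.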


