- 09-26-2006 #1 Just Joined! (Join Date: Nov 2004, Posts: 48)
Server transmitting?
Oddly, my server that usually does not get any traffic seems to be sending and receiving like crazy! Does anyone have any suggestions on what I can do to figure out what is going on?
I have closed port forwarding to the outside world, but the server is still transmitting.
I am running Debian, and I have SSH access to the server.
Thank you!
- 09-26-2006 #2 Linux Enthusiast (Join Date: Dec 2004, Posts: 637)
What is it transmitting? What services are running or installed on the server, what does /var/log/messages reveal, have you done a security audit? Type last | head as root to see the last logon. We need a little more information.
- 09-26-2006 #3 Just Joined! (Join Date: Nov 2004, Posts: 48)
I am not sure what it is transmitting. I have never done this before, so if you could point me in the right direction of how to find out I would appreciate it.
Services that are running: Apache2, SSH, MYSQL, Samba, that's about it (PHP too if that matters).
In /var/log/messages nothing looks out of the ordinary to me, but I do have many lines that look like this (with different time stamps):
Sep 26 08:22:01 localhost -- MARK --
Logins look normal (all by me from clients I would expect).
I did notice that I just installed logwatch, and it has an odd entry in the cron jobs. It reads:
Commands Run:
User root:
run-parts --report /etc/cron.hourly: 24 Time(s)
[ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -r -0 rm: 48 Time(s)
test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily: 1 Time(s)
I will look into doing a security audit.
- 09-26-2006 #4 Linux Enthusiast (Join Date: Dec 2004, Posts: 637)
The -- MARK -- entries are normal. As for the cron entries, it appears to be a PHP script performing maintenance and/or logging.
It is common to see servers chatter, especially on networks with Windows machines. RPC, SMB/CIFS are known to chatter a lot as well as DNS and DHCP. I wouldn't worry about the chatter unless you see signs of intrusion. What made you notice the chatter in the first place? Use Ethereal to really see all the chatter. All networks are noisy if you really get down to the "nitty/gritty."
- 09-26-2006 #5 Just Joined! (Join Date: Nov 2004, Posts: 48)
Thank you for the help! The reason why I ask is because this has never happened to any of my other servers.
I looked at my firewall log, and I notice that I have MANY (100+) entries of this:
INTERNAL Protocol EXTERNAL NAT Priority State DIR Timeout
192.168.0.113:52808 UDP 68.87.64.146:53 52808 130 - Out 300
192.168.0.113:52807 UDP 68.87.75.194:53 52807 130 - Out 300
It seems that there is something coming from my ISP's DNS servers? Is this normal, to have all of these active sessions?
EDIT: I stand corrected. It seems that my server is sending something out to these DNS servers. Any ideas?
- 09-26-2006 #6 Linux Enthusiast (Join Date: Dec 2004, Posts: 637)
As root, type netstat -vatn and post the results and redact any identifying information.
In addition, I did an nslookup on the first IP and yes, that is a comcast server using the common DNS port 53. Have you been using any type of IM software and/or FTP software on this machine? These ports are common client ports for Red Hat and Fedora and as I have previously mentioned, are common RPC ports.
- 09-26-2006 #7 Just Joined! (Join Date: Nov 2004, Posts: 48)
I have not run any IM software on the server. I am trying to keep it as a server only, so I don't even have X11 installed (which is standard on Debian).
Here are the results of netstat:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:793 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.113:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 14 192.168.0.113:25 211.208.174.16:1077 ESTABLISHED
tcp 0 0 192.168.0.113:25 200.168.6.43:3295 ESTABLISHED
tcp 0 0 192.168.0.113:25 80.245.113.151:3443 ESTABLISHED
tcp 0 14 192.168.0.113:25 201.21.151.183:4699 ESTABLISHED
tcp 0 0 192.168.0.113:25 201.220.68.27:4240 ESTABLISHED
tcp 1 0 192.168.0.113:25 200.28.244.146:4754 CLOSE_WAIT
tcp 0 0 192.168.0.113:25 82.104.3.42:1549 ESTABLISHED
tcp 0 0 192.168.0.113:25 200.89.123.64:1902 ESTABLISHED
tcp 0 0 192.168.0.113:25 219.153.4.98:3775 ESTABLISHED
tcp 0 14 192.168.0.113:25 211.234.93.146:1816 ESTABLISHED
tcp 0 1 192.168.0.113:34225 200.28.244.146:113 SYN_SENT
tcp 0 14 192.168.0.113:25 200.71.62.100:4909 ESTABLISHED
tcp 0 56 192.168.0.113:25 201.27.26.188:2417 ESTABLISHED
tcp 0 0 192.168.0.113:25 211.199.105.174:3466 ESTABLISHED
tcp 0 0 192.168.0.113:25 219.133.59.10:3103 ESTABLISHED
tcp 0 0 192.168.0.113:25 219.133.59.10:4184 ESTABLISHED
tcp 0 0 192.168.0.113:25 200.208.227.121:2598 ESTABLISHED
tcp6 0 0 :::995 :::* LISTEN
tcp6 0 0 :::110 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 3216 ::ffff:192.168.0.113:22 ::ffff:192.168.0.:33237 ESTABLISHED
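The netstat listing above is exactly the kind of output worth summarising by hand or by script: on a box that "gets no traffic", a single local port holding connections from many distinct public addresses is the thing to look at first. The following is an added example (not code from the thread or any poster) that parses a constructed subset of the posted `netstat -vatn` output, groups non-listening sockets by local port, and flags ports with several distinct public peers; the threshold of 3 is an arbitrary assumption.

```python
import re
from ipaddress import ip_address

# Constructed sample: a subset of the "netstat -vatn" output posted above.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.0.113:25 0.0.0.0:* LISTEN
tcp 0 14 192.168.0.113:25 211.208.174.16:1077 ESTABLISHED
tcp 0 0 192.168.0.113:25 200.168.6.43:3295 ESTABLISHED
tcp 0 0 192.168.0.113:25 80.245.113.151:3443 ESTABLISHED
tcp 1 0 192.168.0.113:25 200.28.244.146:4754 CLOSE_WAIT
tcp 0 1 192.168.0.113:34225 200.28.244.146:113 SYN_SENT
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 3216 ::ffff:192.168.0.113:22 ::ffff:192.168.0.:33237 ESTABLISHED
"""

# proto, recv-q, send-q, local, foreign, optional state (UDP lines have none)
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")

def split_addr(addr):
    """Split 'host:port' on the last colon and drop the IPv4-mapped prefix."""
    host, port = addr.rsplit(":", 1)
    return host.removeprefix("::ffff:"), port

def is_external(host):
    """True only for a parseable, publicly routable peer address."""
    try:
        ip = ip_address(host)
    except ValueError:  # e.g. the truncated "::ffff:192.168.0." line in the post
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_link_local)

def parse_netstat(text):
    """Return one dict per socket line; the header and unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        _, lport = split_addr(local)
        fhost, _ = split_addr(foreign)
        conns.append({"proto": proto, "local_port": lport,
                      "foreign_host": fhost, "state": state or ""})
    return conns

def external_peers_by_port(conns):
    """Map each local port to the sorted list of distinct public peers using it."""
    peers = {}
    for c in conns:
        if c["state"] != "LISTEN" and is_external(c["foreign_host"]):
            peers.setdefault(c["local_port"], set()).add(c["foreign_host"])
    return {port: sorted(hosts) for port, hosts in peers.items()}

def flag_busy_ports(conns, threshold=3):
    """Local ports talking to at least `threshold` distinct public peers."""
    return sorted(p for p, h in external_peers_by_port(conns).items() if len(h) >= threshold)
```

Run against the sample it flags port 25 only, which is the SMTP listener the thread goes on to identify; the outbound SYN_SENT to port 113 and the SSH session from the LAN are correctly left alone.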
- 09-26-2006 #8 Just Joined! (Join Date: Nov 2004, Posts: 48)
I found my problem. Apparently I need to read up on configuring exim4. I checked the exim4 mainlog file and it was filled with attempted mail relays! I stopped exim4 and killed all of its processes. Now all is quiet.
If anyone has any suggested reads on properly configuring exim4 behind a firewall (NAT) I would appreciate it.
- 09-27-2006 #9 Linux Enthusiast (Join Date: Dec 2004, Posts: 637)
Glad to hear that you found the problem and at least you didn't get blacklisted!
- 09-27-2006 #10 Just Joined! (Join Date: Nov 2004, Posts: 48)
I guess I will see if I did when I properly configure things. I use a "smarthost" to send all of my outgoing mail through, so I am hoping I am OK.
Thank you again for your help! I learned some useful commands that I know I will be using in the future!