From owner-freebsd-hackers@FreeBSD.ORG Sat Nov 24 14:01:27 2007
Date: Sat, 24 Nov 2007 08:51:17 -0500
From: Bill Moran
To: "Joel V."
Cc: freebsd-hackers@freebsd.org
Subject: Re: Welcome to Hell / Mysterious networking troubles on FreeBSD
Message-Id: <20071124085117.5b31452c.wmoran@collaborativefusion.com>
In-Reply-To: <000001c82e1c$27909d50$0200a8c0@windsor>
References: <000001c82e1c$27909d50$0200a8c0@windsor>
Organization: Collaborative Fusion Inc.
X-Mailer: Sylpheed 2.4.7 (GTK+ 2.12.1; i386-portbld-freebsd6.2)
List-Id: Technical Discussions relating to FreeBSD

"Joel V." wrote:

> Hello all,
>
> I'm not experiencing this problem, my friend is. He's simply too pissed off
> to write here and I'm afraid he's going to set his office on fire if he
> doesn't solve the problem soon, so without further ado, here's the problem:
>
> He has two fbsd boxes, main server running 6.1 and dns server running 4.3.
> He has 4 public IPs which he can use and the main server is running on
> x.x.x.122. His main box is NOT acting as a gateway/NAT box in the office.
> Today he noticed that net is getting awfully slow. Sometimes there would be
> 50% pl when pinging, sometimes pinging would be all OK, but SSH is dead-slow
> and the webpages running on the main server are not displaying. E-mails are
> not going through. He calls the ISP, who say that his network is showing
> major uploading activity. He switches off networking services one by one in
> the main box but the situation does not improve. He disconnects the main server
> and puts a windows xp box instead, which seems to run fine. He puts back the
> freebsd box, disables all networking services again except for SSH and
> connects the network: instant 100% networking slow-down. He tried to change
> the switch, thinking it's faulty. He disconnects every other computer in the
> office from the network: nothing. He put the public IP address on the
> second, internal network NIC: same thing. Now it gets really mysterious: he
> puts the old dns server with the x.x.x.122 IP and instantly it becomes slow
> as death. The logical conclusion would be that someone is flooding that IP?
> Only the windows xp box seemed to work fine and the ISP guy said it was
> upload bandwidth that was excessive...
>
> Netstat -a doesn't show anything interesting, arp -a doesn't show any
> incomplete addresses. He tried to build and install a new fresh kernel.
> Nothing. This is the most creepy networking problem I've heard of. Can YOU
> help? Any ideas where to start looking?

+1 on the tcpdump work. Once you have the packet capture, something like
Wireshark will give you a pretty view of the packets.

However, posting the text output of tcpdump will allow the crew on this
mailing list to give you specific advice (once you've done what Julian
suggests, you can get text output by doing tcpdump -r capture.out).

Overall, based on your vague symptoms, I'd guess you got cracked and
someone's running a spambot or other bot on that box. They may even have
it rooted.

--
Bill Moran
Collaborative Fusion Inc.
wmoran@collaborativefusion.com
Phone: 412-422-3463x4023
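An added example, not part of the thread: a small POSIX sh/awk script that turns the text output of `tcpdump -r capture.out -nn` into a ranking of which address is sending the most bytes, and which destination ports a suspect host is talking to, which is the quickest way to tell a compromised box spraying mail from a host being flooded. The capture lines are constructed sample data using documentation address ranges, and the script assumes `-nn` (no name resolution) so that addresses and ports parse as printed.

```shell
#!/bin/sh
# Summarise tcpdump text output (tcpdump -r capture.out -nn) to find the
# source of excessive upload traffic. Constructed sample lines; the trailing
# "length N" on each TCP line is the payload size in bytes.
SAMPLE_CAPTURE='
08:51:17.000101 IP 192.0.2.122.49152 > 198.51.100.7.25: Flags [P.], seq 1:1401, ack 1, win 65535, length 1400
08:51:17.000202 IP 192.0.2.122.49153 > 198.51.100.8.25: Flags [P.], seq 1:1401, ack 1, win 65535, length 1400
08:51:17.000303 IP 203.0.113.5.40001 > 192.0.2.122.22: Flags [P.], seq 1:53, ack 1, win 8192, length 52
08:51:17.000404 IP 192.0.2.122.22 > 203.0.113.5.40001: Flags [P.], seq 1:101, ack 53, win 65535, length 100
08:51:17.000505 IP 192.0.2.122.49154 > 198.51.100.9.25: Flags [P.], seq 1:1401, ack 1, win 65535, length 1400
08:51:17.000606 IP 192.0.2.122.49155 > 198.51.100.10.25: Flags [P.], seq 1:1401, ack 1, win 65535, length 1400
'

# Read tcpdump text on stdin; print "bytes packets src_ip" per source,
# largest byte count first. The host at the top is the one the ISP sees.
top_senders() {
    awk '$2 == "IP" && $NF ~ /^[0-9]+$/ {
        src = $3; sub(/\.[0-9]+$/, "", src)      # drop the source port
        bytes[src] += $NF; pkts[src]++
    }
    END { for (s in bytes) printf "%d %d %s\n", bytes[s], pkts[s], s }' | sort -rn
}

# Read tcpdump text on stdin; print "packets dst_port" for traffic sent by
# the given source IP. Many packets to port 25 from one host points at a
# spambot; a spread of random ports points at a different kind of flood.
dst_ports_from() {
    awk -v src="$1" '$2 == "IP" && $NF ~ /^[0-9]+$/ {
        s = $3; sub(/\.[0-9]+$/, "", s)
        if (s != src) next
        port = $5; sub(/:$/, "", port); sub(/.*\./, "", port)  # keep port only
        n[port]++
    }
    END { for (p in n) printf "%d %s\n", n[p], p }' | sort -rn
}

# Run against the sample; on a real box, replace the printf with
# `tcpdump -nn -r capture.out | top_senders`.
printf '%s\n' "$SAMPLE_CAPTURE" | top_senders
printf '%s\n' "$SAMPLE_CAPTURE" | dst_ports_from 192.0.2.122
```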