This week I am having a strange problem with a server on which I installed Tumbleweed. I installed a minimal system (text mode), then one by one I installed the services I need, which are apache, mariadb, vsftpd, openvpn, samba4 and ssh.
After a week I noticed the server is very slow and clients intermittently disconnect. At first I worried it was because of a routing issue in openvpn. The VPN client can connect to the VPN server and can access the network behind the server without any problem. Every service is working, but somehow the connection is very slow.
Then I noticed from the router log that there is huge and fast traffic in/out from the server IP, which causes the router to drop connections. I tried to stop all the services but it doesn’t stop the traffic.
I suspected a routing issue because the traffic is too fast, but once I unplug the internet from the router, the traffic stops. Because of that I suspect it was hacked, but this is a new server and there is no live data in it yet; I am doing tests for stability.
So, is the problem caused by routing or by being hacked? Is there a way I can find out for sure?
On 2015-07-08 17:36, kobolds1 wrote:
> After a week I noticed the server is very slow and clients intermittently
> disconnect. At first I worried it was because of a routing issue in openvpn.
> The VPN client can connect to the VPN server and can access the network
> behind the server without any problem. Every service is working, but somehow
> the connection is very slow.
> Then I noticed from the router log that there is huge and fast traffic in/out
> from the server IP, which causes the router to drop connections. I tried to
> stop all the services but it doesn’t stop the traffic.
Have you tried iptraf, as I told you in the other thread?
Thanks for your advice. I tried, but the program doesn’t display correctly on the big monitor. I tried using iftop and found the IP where the download/upload is highest (100MB++).
When I do an IP lookup, it returns a Zhejiang Telecom (China) IP range.
I don’t know why or how the hacker managed to hack into it, or what data is flowing in/out. Since there is no live data, what I can do is format. This time I installed openSUSE 13.2. I don’t dare to use Tumbleweed after someone managed to punch a hole in it.
On Thu, 09 Jul 2015 14:46:01 +0000, kobolds1 wrote:
> Thanks for your advice. I tried, but the program doesn’t display correctly
> on the big monitor. I tried using iftop and found the IP where the
> download/upload is highest (100MB++).
>
> When I do an IP lookup, it returns a Zhejiang Telecom (China) IP range.
>
> I don’t know why or how the hacker managed to hack into it, or what data
> is flowing in/out. Since there is no live data, what I can do is format.
> This time I installed openSUSE 13.2. I don’t dare to use Tumbleweed after
> someone managed to punch a hole in it.
Just because someone is sending you large amounts of traffic doesn’t mean
your system was hacked.
Don’t jump to conclusions without understanding what you’re looking at.
On 2015-07-09 18:55, Jim Henderson wrote:
> On Thu, 09 Jul 2015 14:46:01 +0000, kobolds1 wrote:
>> I don’t know why or how the hacker managed to hack into it, or what data
>> is flowing in/out. Since there is no live data, what I can do is format.
>> This time I installed openSUSE 13.2. I don’t dare to use Tumbleweed after
>> someone managed to punch a hole in it.
>
> Just because someone is sending you large amounts of traffic doesn’t mean
> your system was hacked.
>
> Don’t jump to conclusions without understanding what you’re looking at.
Right…
The port used might show a clue. A network capture could be another step.
Regarding the change to another openSUSE release, that might not help if
the problem is in the configuration of the services facing the Internet… I
see apache, vsftp, and ftp. I hope that neither samba nor mariadb is open
to the Internet :-?
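The iftop step earlier in the thread and the suggestion here to look at the port and take a capture come down to the same triage: per remote host, how much traffic is moving, which local port it hits, and whether the server itself opened the connection (an inbound flood from one address explains the first two but never the third). The Python below is an added example written for this thread, not something any poster ran; it parses constructed lines laid out like `conntrack -L` output with accounting enabled (`nf_conntrack_acct=1`), using documentation-range addresses, and a made-up set of listening ports standing in for what `ss -ltn` would report on the host.

```python
"""Triage helper: rank remote hosts by traffic and separate inbound from
server-initiated connections.  Added example, not from the thread."""
import re
from collections import defaultdict

SERVER_IP = "192.0.2.10"                         # constructed: the host under investigation
LISTENING_PORTS = {21, 22, 80, 445, 1194, 3306}  # constructed: what `ss -ltn` would list
KNOWN_SERVICES = {21: "vsftpd", 22: "ssh", 80: "apache", 443: "apache",
                  445: "samba", 1194: "openvpn", 3306: "mariadb"}

# Constructed sample in the layout of `conntrack -L` with accounting on: the first
# src/dst/sport/dport tuple is the original direction, the second the reply.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=52011 dport=22 packets=40 bytes=4200 src=192.0.2.10 dst=198.51.100.7 sport=22 dport=52011 packets=60 bytes=9800 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.44 dst=192.0.2.10 sport=40001 dport=21 packets=12 bytes=1500 src=192.0.2.10 dst=203.0.113.44 sport=21 dport=40001 packets=70000 bytes=104857600 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=192.0.2.10 dst=203.0.113.44 sport=47321 dport=9001 packets=3000 bytes=350000 src=203.0.113.44 dst=192.0.2.10 sport=9001 dport=47321 packets=2800 bytes=120000 [ASSURED] mark=0 use=1
udp      17 29 src=203.0.113.44 dst=192.0.2.10 sport=40002 dport=1194 packets=5 bytes=800 src=192.0.2.10 dst=203.0.113.44 sport=1194 dport=40002 packets=5 bytes=900 mark=0 use=1
udp      17 29 src=192.0.2.50 dst=192.0.2.10 sport=5353 dport=5353 packets=1 bytes=120 [UNREPLIED] src=192.0.2.10 dst=192.0.2.50 sport=5353 dport=5353 packets=0 bytes=0 mark=0 use=1
"""

TUPLE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+) "
    r"packets=(?P<packets>\d+) bytes=(?P<bytes>\d+)")


def parse_conntrack(text):
    """One dict per entry: protocol, original-direction tuple, bytes each way."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tuples = [m.groupdict() for m in TUPLE_RE.finditer(line)]
        if len(tuples) != 2:
            continue  # no accounting fields or malformed line: skip rather than guess
        orig, reply = tuples
        conns.append({"proto": line.split()[0],
                      "src": orig["src"], "sport": int(orig["sport"]),
                      "dst": orig["dst"], "dport": int(orig["dport"]),
                      "orig_bytes": int(orig["bytes"]),
                      "reply_bytes": int(reply["bytes"])})
    return conns


def classify(conns, server_ip=SERVER_IP, listening_ports=LISTENING_PORTS):
    """Aggregate per remote host, keeping who initiated each connection.

    inbound_ports:    local ports the remote connected to
    unlisted_ports:   inbound hits on ports nothing listens on (noise/probing)
    outbound_targets: remote ports the *server* connected to, which an inbound
                      flood cannot explain; the owning process is the next question
    """
    report = defaultdict(lambda: {"inbound_ports": set(), "unlisted_ports": set(),
                                  "outbound_targets": set(),
                                  "from_remote": 0, "to_remote": 0})
    for c in conns:
        if c["dst"] == server_ip:                 # remote -> server
            r = report[c["src"]]
            r["inbound_ports"].add(c["dport"])
            if c["dport"] not in listening_ports:
                r["unlisted_ports"].add(c["dport"])
            r["from_remote"] += c["orig_bytes"]
            r["to_remote"] += c["reply_bytes"]
        elif c["src"] == server_ip:               # server -> remote
            r = report[c["dst"]]
            r["outbound_targets"].add(c["dport"])
            r["to_remote"] += c["orig_bytes"]
            r["from_remote"] += c["reply_bytes"]
    return dict(report)


def top_remotes(report, n=3):
    """Remote hosts ranked by bytes in either direction, like the top of iftop."""
    return sorted(((ip, r["from_remote"] + r["to_remote"]) for ip, r in report.items()),
                  key=lambda t: t[1], reverse=True)[:n]


def findings(report, n=3):
    """Human-readable lines, one group per top remote, naming the local service."""
    out = []
    for ip, total in top_remotes(report, n):
        r = report[ip]
        out.append(f"{ip}: {total} bytes (server sent {r['to_remote']}, received {r['from_remote']})")
        for p in sorted(r["inbound_ports"]):
            out.append(f"  inbound to local port {p} ({KNOWN_SERVICES.get(p, 'no known service')})")
        for p in sorted(r["outbound_targets"]):
            out.append(f"  server-initiated connection to remote port {p}: check the owning process with ss -tnp")
    return out


if __name__ == "__main__":
    print("\n".join(findings(classify(parse_conntrack(SAMPLE_CONNTRACK)))))
```

On a real host the input would be `conntrack -L` (or a flow table built from a tcpdump capture), and the listening set would come from `ss -ltn`; the point of the split is the one Jim Henderson makes: a remote address that tops the byte count by pulling a large download from the FTP service is a very different finding from the server opening connections of its own to that address, and only the second one justifies looking for something running on the host.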