routing issue or hack

This week I am having a strange problem with a server on which I installed Tumbleweed. I installed a minimal system (text mode), then one by one I installed the services I need, which are apache, mariadb, vsftpd, openvpn, samba4 and ssh.

After a week I noticed the server is very slow and intermittently disconnects clients. At first I worried it was because of a routing issue in openvpn. The VPN client can connect to the VPN server and can access the network behind the server without any problem. Every service is working, but somehow the connection is very slow.
Then I noticed from the router log that there is huge and fast traffic in/out from the server IP, which causes the router to drop the connection. I tried to stop all the services, but it doesn't stop the traffic.

I suspected a routing issue because the traffic is too fast, but once I unplug the internet from the router, the traffic stops. Because of that I suspect it was hacked, but this is a new server and there is no live data in it yet; I am doing tests for stability.

So, is the problem caused by routing or by being hacked? Is there a way I can find out for sure?

thanks
charles C

On 2015-07-08 17:36, kobolds1 wrote:
> After a week I noticed the server is very slow and intermittently
> disconnects clients. At first I worried it was because of a routing issue
> in openvpn. The VPN client can connect to the VPN server and can access
> the network behind the server without any problem. Every service is
> working, but somehow the connection is very slow.
> Then I noticed from the router log that there is huge and fast traffic
> in/out from the server IP, which causes the router to drop the
> connection. I tried to stop all the services, but it doesn't stop the
> traffic.

Have you tried iptraf, as I told you in the other thread?


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Hi Carlos,

Thanks for your advice. I tried it, but the program doesn't display correctly on the big monitor. I tried iftop and found the IP where the download/upload is highest (100mb++).

When I do an IP lookup, it returns a Zhejiang Telecom (China) IP range.

I don't know why or how the hacker managed to hack into it, or what data is flowing in/out. Since there is no live data, what I can do is format. This time I installed openSUSE 13.2. I don't dare to use Tumbleweed after someone managed to punch a hole in it.

On Thu, 09 Jul 2015 14:46:01 +0000, kobolds1 wrote:

> Thanks for your advice. I tried it, but the program doesn't display
> correctly on the big monitor. I tried iftop and found the IP where the
> download/upload is highest (100mb++).
>
> When I do an IP lookup, it returns a Zhejiang Telecom (China) IP range.
>
> I don't know why or how the hacker managed to hack into it, or what data
> is flowing in/out. Since there is no live data, what I can do is format.
> This time I installed openSUSE 13.2. I don't dare to use Tumbleweed after
> someone managed to punch a hole in it.

Just because someone is sending you large amounts of traffic doesn’t mean
your system was hacked.

Don’t jump to conclusions without understanding what you’re looking at.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2015-07-09 18:55, Jim Henderson wrote:
> On Thu, 09 Jul 2015 14:46:01 +0000, kobolds1 wrote:

>> I don't know why or how the hacker managed to hack into it, or what data
>> is flowing in/out. Since there is no live data, what I can do is format.
>> This time I installed openSUSE 13.2. I don't dare to use Tumbleweed after
>> someone managed to punch a hole in it.
>
> Just because someone is sending you large amounts of traffic doesn’t mean
> your system was hacked.
>
> Don’t jump to conclusions without understanding what you’re looking at.

Right…

The port used might show a clue. A network capture could be another step.

Regarding the change to another openSUSE release, that might not help if
the problem is in the configuration of the services facing the Internet... I
see apache, vsftp, and ftp. I hope that neither samba nor mariadb is open
to the Internet :-?


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))
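A worked example of the two checks suggested in this thread (look at the ports involved, and see which services are actually exposed), added here as an illustration and not code from any of the posters. It parses text shaped like the output of `ss -tunap` (the iproute2 socket tool; the sample below is constructed for the example, not captured from the server in question, and uses the documentation range 203.0.113.0/24 rather than any real remote host). The useful distinction it makes is direction: a peer that connected to one of your listening ports is just someone using (or hammering) a service you deliberately exposed, whereas a connection your own host opened to a remote port, owned by a process that should not be making network calls, is the kind of thing that needs explaining before you wipe the box. The listener inventory also answers Carlos's question about whether samba or mariadb are bound to a public address.

```python
"""Triage helper: which peers is this host talking to, in which direction,
on which ports, and which local process owns each socket?

Added example; the input format mimics `ss -tunap` (iproute2). Run the real
command as root and feed its output to parse_ss() to triage a live host.
"""
import re
from collections import defaultdict

# Constructed sample shaped like `ss -tunap` output; not from any real host.
SAMPLE_SS = """\
Netid State    Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
tcp   LISTEN   0      128    0.0.0.0:21           0.0.0.0:*            users:(("vsftpd",pid=812,fd=3))
tcp   LISTEN   0      128    0.0.0.0:22           0.0.0.0:*            users:(("sshd",pid=640,fd=3))
tcp   LISTEN   0      128    *:80                 *:*                  users:(("httpd-prefork",pid=900,fd=4))
udp   UNCONN   0      0      0.0.0.0:1194         0.0.0.0:*            users:(("openvpn",pid=950,fd=5))
tcp   ESTAB    0      0      192.168.1.10:21      203.0.113.7:51234    users:(("vsftpd",pid=1320,fd=3))
tcp   ESTAB    0      0      192.168.1.10:21      203.0.113.7:51240    users:(("vsftpd",pid=1321,fd=3))
tcp   ESTAB    0      0      192.168.1.10:22      192.168.1.50:40122   users:(("sshd",pid=1400,fd=4))
tcp   ESTAB    0      0      192.168.1.10:45512   203.0.113.7:6667     users:(("sh",pid=1555,fd=3))
tcp   SYN-SENT 0      1      192.168.1.10:45513   203.0.113.8:6667     users:(("sh",pid=1555,fd=4))
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')
# States that mean "waiting for peers", i.e. a listener, not a connection.
PASSIVE_STATES = {"LISTEN", "UNCONN"}


def _split_addr(addr):
    """'192.168.1.10:21' -> ('192.168.1.10', 21); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_ss(text):
    """Parse `ss -tunap`-style text into a list of socket dicts."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        local_host, local_port = _split_addr(fields[4])
        peer_host, peer_port = _split_addr(fields[5])
        proc, pid = "?", None                    # ss prints no process without -p/root
        m = PROC_RE.search(line)
        if m:
            proc, pid = m.group(1), int(m.group(2))
        sockets.append({"netid": fields[0], "state": fields[1],
                        "local_host": local_host, "local_port": local_port,
                        "peer_host": peer_host, "peer_port": peer_port,
                        "proc": proc, "pid": pid})
    return sockets


def listening_ports(sockets):
    """Set of (protocol, port) this host accepts connections/datagrams on."""
    return {(s["netid"], s["local_port"]) for s in sockets if s["state"] in PASSIVE_STATES}


def direction(sock, listeners):
    """'inbound' if the peer hit one of our listening ports, else 'outbound'."""
    return "inbound" if (sock["netid"], sock["local_port"]) in listeners else "outbound"


def summarize_by_peer(sockets):
    """Per remote IP: inbound/outbound counts, service ports touched, owning processes."""
    listeners = listening_ports(sockets)
    summary = defaultdict(lambda: {"inbound": 0, "outbound": 0,
                                   "ports": set(), "processes": set()})
    for s in sockets:
        if s["state"] in PASSIVE_STATES:
            continue
        d = direction(s, listeners)
        entry = summary[s["peer_host"]]
        entry[d] += 1
        # For inbound traffic the interesting port is ours; for outbound, theirs.
        entry["ports"].add(s["local_port"] if d == "inbound" else s["peer_port"])
        entry["processes"].add(s["proc"])
    return dict(summary)


def outbound_talkers(sockets):
    """Connections this host initiated: (peer ip, peer port, process, pid), sorted."""
    listeners = listening_ports(sockets)
    return sorted((s["peer_host"], s["peer_port"], s["proc"], s["pid"])
                  for s in sockets
                  if s["state"] not in PASSIVE_STATES
                  and direction(s, listeners) == "outbound")


if __name__ == "__main__":
    socks = parse_ss(SAMPLE_SS)
    print("listening:", sorted(listening_ports(socks)))
    for peer, info in sorted(summarize_by_peer(socks).items()):
        print(f"{peer:16} in={info['inbound']} out={info['outbound']} "
              f"ports={sorted(info['ports'])} procs={sorted(info['processes'])}")
    print("outbound connections to review:")
    for peer, port, proc, pid in outbound_talkers(socks):
        print(f"  {proc}[{pid}] -> {peer}:{port}")
```

On the constructed sample, the same remote address shows up twice as an ordinary FTP client and once as the far end of a connection opened by a shell process; the first is noise a router log would also show, the second is what you would follow up with a capture (for example `tcpdump -ni <iface> host <peer ip> -w peer.pcap`, then inspect the payload) before deciding between "abuse of an exposed service" and "something is running that I did not install". Listeners bound to 0.0.0.0 or * are reachable on every interface, so check that list against what you meant to expose to the Internet.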