web security

Fred Grant fdgrant at basicisp.net
Fri May 28 15:35:14 UTC 2010


Karl Pearson wrote:
>
> On Thu, May 27, 2010 6:35 am, Fred Grant wrote:
>   
>> I use the modem lights to show modem activity.  Sometimes the lights
>> indicate that I am receiving a great deal of data (red color activity)
>> even though I have shut down email and web browser.  I use the standard
>> firewall and CentOS 5.
>>
>> I'd like to know which files, if any, are being written to and if there
>> are better firewalls that could be used.
>>
>>     
>
> Might I recommend using tcpdump against the inbound (outside) nic and see
> what traffic is actually moving across the pipe. (man tcpdump is your
> friend)
>
> Then, post what you find out.
>
> Karl
>   
Here is a sample when the modem seemed to be going wild:
> 10:23:43.353326 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1515447:1516895(1448) ack 378 win 62 <nop,nop,timestamp 754207286 3904561>
> 10:23:43.353402 IP host-69-95-141-148.pit.choiceone.net.57247 > mirrors.tummy.com.http: . ack 1516895 win 7783 <nop,nop,timestamp 3907914 754206620>
> 10:23:43.697248 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1516895:1518343(1448) ack 378 win 62 <nop,nop,timestamp 754207286 3904561>
> 10:23:44.033189 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1518343:1519791(1448) ack 378 win 62 <nop,nop,timestamp 754207946 3905222>
> 10:23:44.033268 IP host-69-95-141-148.pit.choiceone.net.57247 > mirrors.tummy.com.http: . ack 1519791 win 7783 <nop,nop,timestamp 3908594 754207286>
> 10:23:44.375144 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1519791:1521239(1448) ack 378 win 62 <nop,nop,timestamp 754207946 3905222>
> 10:23:44.712074 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1521239:1522687(1448) ack 378 win 62 <nop,nop,timestamp 754208630 3905901>
> 10:23:44.712153 IP host-69-95-141-148.pit.choiceone.net.57247 > mirrors.tummy.com.http: . ack 1522687 win 7783 <nop,nop,timestamp 3909273 754207946>
> 10:23:45.054007 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1522687:1524135(1448) ack 378 win 62 <nop,nop,timestamp 754208630 3905901>
> 10:23:45.371956 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1524135:1525583(1448) ack 378 win 62 <nop,nop,timestamp 754209306 3906579>
> 10:23:45.372033 IP host-69-95-141-148.pit.choiceone.net.57247 > mirrors.tummy.com.http: . ack 1525583 win 7783 <nop,nop,timestamp 3909933 754208630>
> 10:23:45.712884 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1525583:1527031(1448) ack 378 win 62 <nop,nop,timestamp 754209306 3906579>
> 10:23:46.049839 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1527031:1528479(1448) ack 378 win 62 <nop,nop,timestamp 754209955 3907237>
> 10:23:46.049917 IP host-69-95-141-148.pit.choiceone.net.57247 > mirrors.tummy.com.http: . ack 1528479 win 7783 <nop,nop,timestamp 3910611 754209306>
> 10:23:46.389774 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1528479:1529927(1448) ack 378 win 62 <nop,nop,timestamp 754209955 3907237>
> 10:23:46.725694 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1529927:1531375(1448) ack 378 win 62 <nop,nop,timestamp 754210642 3907914>
> 10:23:46.725770 IP host-69-95-141-148.pit.choiceone.net.57247 > mirrors.tummy.com.http: . ack 1531375 win 7783 <nop,nop,timestamp 3911287 754209955>
>
>   
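
An added example, not part of the original post: a small Python summarizer for tcpdump's default text output that totals TCP payload bytes per flow, so a capture like the one above reduces to which remote host and port the inbound data is coming from. The function names are this example's own; SAMPLE is the first five lines of the capture in the post.

```python
import re
from collections import defaultdict

# Matches tcpdump's default one-line output; tolerates a leading "> " quote mark.
LINE_RE = re.compile(
    r"^(?:>\s*)?(\d\d):(\d\d):(\d\d\.\d+) IP "
    r"(\S+)\.([^.\s]+) > (\S+)\.([^.\s:]+): (.*)$"
)
# TCP payload size appears as first:last(nbytes); pure ACKs carry no such field.
LEN_RE = re.compile(r"\b\d+:\d+\((\d+)\)")

def summarize(lines):
    """Return {(src, sport, dst, dport): {"packets", "bytes", "first", "last"}}."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not an IP record
        hh, mm, ss, src, sport, dst, dport, rest = m.groups()
        ts = int(hh) * 3600 + int(mm) * 60 + float(ss)  # seconds since midnight
        size = LEN_RE.search(rest)
        flow = flows[(src, sport, dst, dport)]
        flow["packets"] += 1
        flow["bytes"] += int(size.group(1)) if size else 0
        flow["first"] = ts if flow["first"] is None else flow["first"]
        flow["last"] = ts
    return dict(flows)

def top_talker(flows):
    """Flow key carrying the most payload bytes, or None for an empty capture."""
    return max(flows, key=lambda k: flows[k]["bytes"]) if flows else None

# First five lines of the capture quoted in the post above.
SAMPLE = """\
> 10:23:43.353326 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1515447:1516895(1448) ack 378 win 62 <nop,nop,timestamp 754207286 3904561>
> 10:23:43.353402 IP host-69-95-141-148.pit.choiceone.net.57247 > mirrors.tummy.com.http: . ack 1516895 win 7783 <nop,nop,timestamp 3907914 754206620>
> 10:23:43.697248 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1516895:1518343(1448) ack 378 win 62 <nop,nop,timestamp 754207286 3904561>
> 10:23:44.033189 IP mirrors.tummy.com.http > host-69-95-141-148.pit.choiceone.net.57247: . 1518343:1519791(1448) ack 378 win 62 <nop,nop,timestamp 754207946 3905222>
> 10:23:44.033268 IP host-69-95-141-148.pit.choiceone.net.57247 > mirrors.tummy.com.http: . ack 1519791 win 7783 <nop,nop,timestamp 3908594 754207286>
"""

if __name__ == "__main__":
    flows = summarize(SAMPLE.splitlines())
    for key, f in sorted(flows.items(), key=lambda kv: -kv[1]["bytes"]):
        print("%s.%s > %s.%s  packets=%d bytes=%d" % (key + (f["packets"], f["bytes"])))
```

The local port in the top flow (57247 in the sample) can then be matched to a process on the host, for example with `netstat -tnp` or `lsof -i`, to see which program owns the connection.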




More information about the Redhat-install-list mailing list