Quoting Raymond Norton (admin at lctn.org):
> Over the last week we had a few Linux servers abused at some member
> schools. The culprits took advantage of poorly configured squid.conf files
> that had the default 0.0.0.0/0.0.0.0 statement in the ACL section. We have
> corrected most of the problem by only letting local LANs use squid. I have
> one school in particular who is still being abused. It is peculiar because

Network topology switched or shared?

If switched, do your switches support port mirroring?

Does all the traffic go through a firewall?

What I'm getting at is, can you snoop all incoming/outgoing traffic somewhere?

Install tcpdump and capture a sample of the traffic, or use ethereal to view
it and see what's going on.

Both tools are in the tclug's greyhatpak.

Let's say you are switched, and the switches support port mirroring. At the
min, mirror your uplink port (router, dsl modem, etc) to an open port.

Plug a linux box into the open port, run ethereal on that NIC interface and
you'll get what you need.

If you want to do it remotely, it's a little more involved, but....

Let's say you have a linux firewall, ssh to it, install tcpdump, run tcpdump on
both interfaces.

/usr/sbin/tcpdump -w eth0.pcap -i eth0 -n
/usr/sbin/tcpdump -w eth1.pcap -i eth1 -n

scp the *.pcap files to your linux box running X, load up the files with
ethereal.

-- 
Bob Tanner <tanner at real-time.com>         | Phone : (952)943-8700
http://www.mn-linux.org, Minnesota, Linux | Fax   : (952)943-8500
http://www.tcwug.org, Minnesota, Wireless | Coding isn't a crime. 
Fingerprint: 02E0 2734 A1A1 DBA1 0E15  623D 0036 7327 93D9 7DA3
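
Added example, not part of the original message: a quick triage pass over one of the tcpdump capture files described above, listing proxy-style requests (CONNECT, or a method with an absolute URI) that reach the Squid port from addresses outside the local LAN. The function names, the sample addresses and the constructed capture are assumptions made for illustration; 3128 is Squid's default http_port, so adjust it if squid.conf uses another.

```python
import ipaddress
import struct

def proxy_requests(pcap, local_net, port=3128):
    """List (source IP, request line) for proxy requests to `port` from outside local_net."""
    net = ipaddress.ip_network(local_net)
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic microsecond pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # keep IPv4/TCP only
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
        tcp = ip[(ip[0] & 0x0F) * 4:]
        if len(tcp) < 20 or struct.unpack("!H", tcp[2:4])[0] != port:
            continue
        src = ipaddress.ip_address(ip[12:16])
        parts = tcp[(tcp[12] >> 4) * 4:].split(b"\r\n", 1)[0].decode("latin-1").split(" ")
        # A proxy request is CONNECT host:port or a method with an absolute URI.
        if (len(parts) == 3 and parts[2].startswith("HTTP/") and src not in net
                and (parts[0] == "CONNECT" or "://" in parts[1])):
            hits.append((str(src), " ".join(parts)))
    return hits

def _frame(src, dst, dport, payload):
    """Build one constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture: one outside client and one LAN client using the proxy."""
    frames = [_frame("203.0.113.9", "192.168.1.2", 3128, b"CONNECT host.example:443 HTTP/1.0\r\n\r\n"),
              _frame("192.168.1.50", "192.168.1.2", 3128, b"GET http://example.org/ HTTP/1.0\r\n\r\n")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(proxy_requests(sample_pcap(), "192.168.1.0/24"))
```

On a real capture, pass the bytes of eth0.pcap and the school's own LAN prefix. Older tcpdump builds keep only the first 68 bytes of each packet by default, so add -s 0 to the capture command if the request lines come out truncated.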