0) Absolutely distrust the server in question. If it appears that users
aren't logged in, don't believe it. That goes for most admin utilities
(w, users, uptime). Don't think you can delete things and restart it -
you want to reimage the OS.

1) Ask the ISP if they detect promiscuous mode (meaning suspicious ARP)
coming from the server.

2) nmap, or have the ISP nmap, the server (from a nearby host).

3) Check for strange traffic with tcpdump/tshark (exclude the login
traffic port with [(tshark) -f] 'not port 22', etc). This is probably
only useful from another machine that sees all the traffic from that
machine.

4) Check for rootkits: http://www.chkrootkit.org
This isn't totally reliable though.

5) Sniff (or, better, have the ISP sniff and deliver) some outgoing
traffic and analyze it with the wireshark GUI.

If any of the tests show something wrong, have the ISP cut power
forcefully (don't run 'halt'). Save the hard drive image somewhere for
forensics (don't boot off of it). You will likely have to rebuild the
server - the only things you should copy over are user files that have
been examined.

-Dave

On Tue, August 8, 2006 10:03 pm, Chris Schumann wrote:
> The ISP of my company's server called because our bandwidth was spiking.
> No one was logged in, and I'm not sure how to pinpoint what caused the
> traffic.
>
> Tips or pointers on where to track this down are most sincerely
> appreciated.
>
> Many thanks,
> Chris Schumann
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>

-=-=-=-=-=-=-=-
David Carlson
thecubic at thecubic.net
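An added illustration of step 3 (not part of Dave's reply or the list archive): a small POSIX shell/awk filter that summarises `tcpdump -nn` text output per peer while dropping the admin login port, so an unexplained bulk flow stands out. It assumes IPv4 lines in the usual `tcpdump -nn` shape; the capture it runs on is constructed for the example, with addresses from documentation ranges and a made-up port 6667 flow.

```shell
#!/bin/sh
# Added example (not from the original post): summarise tcpdump text output
# per peer so an unexplained outbound flow stands out, while ignoring the
# port of the admin login session (step 3 above). Expects IPv4 lines from
# `tcpdump -nn` on stdin, e.g.
#   tcpdump -nn -l -i eth0 | top_talkers
# or a saved text capture: top_talkers < capture.txt
# The optional argument overrides the port to ignore (default 22).
top_talkers() {
  awk -v skip_port="${1:-22}" '
    # Line shape: <ts> IP <src>.<sport> > <dst>.<dport>: ... length <n>
    $2 == "IP" && $4 == ">" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      # host.port -> host and port (port is the text after the last dot)
      sp = src; sub(/.*\./, "", sp); sh = src; sub(/\.[^.]*$/, "", sh)
      dp = dst; sub(/.*\./, "", dp); dh = dst; sub(/\.[^.]*$/, "", dh)
      if (sp == skip_port || dp == skip_port) next
      # payload size: "length N" for TCP, trailing "(N)" for UDP/DNS output
      len = 0
      for (i = 6; i <= NF; i++) if ($i == "length") { len = $(i + 1) + 0; break }
      if (len == 0 && $NF ~ /^\([0-9]+\)$/) len = substr($NF, 2) + 0
      key = sh " -> " dh ":" dp
      bytes[key] += len; pkts[key]++
    }
    END { for (k in bytes) printf "%d %d %s\n", bytes[k], pkts[k], k }
  ' | sort -rn
}

# Constructed sample capture (documentation-range addresses, not real
# traffic): an admin SSH session, a DNS lookup, and a bulk flow to port 6667.
SAMPLE='22:15:01.100000 IP 198.51.100.7.51234 > 192.0.2.10.22: Flags [P.], seq 1:101, ack 1, win 501, length 100
22:15:01.200000 IP 192.0.2.10.22 > 198.51.100.7.51234: Flags [P.], seq 1:201, ack 101, win 501, length 200
22:15:01.300000 IP 192.0.2.10.38821 > 203.0.113.9.6667: Flags [P.], seq 1:1461, ack 1, win 229, length 1460
22:15:01.400000 IP 192.0.2.10.38821 > 203.0.113.9.6667: Flags [P.], seq 1461:2921, ack 1, win 229, length 1460
22:15:01.500000 IP 192.0.2.10.38821 > 203.0.113.9.6667: Flags [P.], seq 2921:4381, ack 1, win 229, length 1460
22:15:01.600000 IP 192.0.2.10.44100 > 198.51.100.2.53: 12345+ A? example.com. (29)
22:15:01.700000 IP 198.51.100.2.53 > 192.0.2.10.44100: 12345 1/0/0 A 203.0.113.80 (45)'

# Output columns: bytes packets src -> dst:port (largest first); the port 22
# session is absent and the 6667 flow tops the list.
printf '%s\n' "$SAMPLE" | top_talkers
```

Run it on the box that sees the suspect server's traffic, not on the suspect server itself, for the reason given in step 3.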