On 02/21/12 16:13, David Camm wrote:
> thanks to all of you who tried to help.
>
> ultimately it was chris p's suggestion to look at 'network' that did
> the trick.
>
> sad to say, one of our web servers was hacked, and the malware was
> actually sending stuff (we have yet to determine what or where) at
> such a rate that it was pegging our 100Mb/sec switch. no wonder
> surgemail was having delivery problems with larger attachments!
>
> once i was able to stop the errant processes, traffic volume was back
> to normal in minutes.
>
> for all you linux users who are also hosting web/ftp....
>
> what i do know at this point is that there were two possible attack
> vectors: phpmyadmin and proftpd. if you are using either of these
> packages be sure to upgrade to the latest levels asap.
>
> also be on the lookout in your logs for any attempt to download a file
> called apache_32.png which i believe contains the malware payload.
>
> it's been a fun day......
>
> david camm
> advanced web systems
> keller, tx

MRTG and managed switches go a long way to seeing that kind of a problem. You need to know what normal traffic levels are, and then it's not hard to spot problems. I have found many times Outlook sending the same message over and over again because it's too big to send and Outlook is too dumb to know it won't send and keeps trying.

On our webservers, I run wusage to track web stats on them. I frequently take a look at 'Documents Not Found'. Phpmyadmin ranks quite high in that category.

Lyle Giese
LCR Computer Services, Inc.
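Both posters point at the web server's access log: David asks people to watch for apache_32.png downloads, and Lyle ranks "Documents Not Found" to spot phpMyAdmin probing. The script below is an added example, not code from either poster or from wusage; it parses Apache combined-format log lines, ranks 404s by path and flags the two indicators the thread names. The log lines, client addresses and the list of phpMyAdmin path hints are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample Apache combined-log lines (not from the thread). The
# phpMyAdmin paths and apache_32.png are the indicators the posters mention.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2012:10:01:02 -0600] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Feb/2012:10:01:03 -0600] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Feb/2012:10:01:04 -0600] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Feb/2012:10:05:11 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [21/Feb/2012:10:07:30 -0600] "GET /images/apache_32.png HTTP/1.1" 200 31337 "-" "curl/7.21"
198.51.100.7 - - [21/Feb/2012:10:09:00 -0600] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path fragments that phpMyAdmin scanners typically probe (assumed list; extend for your site).
PMA_HINTS = ("phpmyadmin", "/pma", "/myadmin")
PAYLOAD_NAME = "apache_32.png"  # file name flagged in David's message


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Return (404 counter by path, phpMyAdmin probe hits, apache_32.png hits)."""
    not_found = Counter()
    pma_probes, payload_hits = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        path_lc = rec["path"].lower()
        if rec["status"] == "404":
            not_found[rec["path"]] += 1  # the "Documents Not Found" view
        if any(hint in path_lc for hint in PMA_HINTS):
            pma_probes.append((rec["ip"], rec["path"], rec["status"]))
        if PAYLOAD_NAME in path_lc:
            payload_hits.append((rec["ip"], rec["path"], rec["status"]))
    return not_found, pma_probes, payload_hits


if __name__ == "__main__":
    nf, pma, payload = scan_log(SAMPLE_LOG)
    print("Documents not found:", nf.most_common())
    print("phpMyAdmin probes:", pma)
    print("apache_32.png requests:", payload)
```

Feed it the contents of your real access log instead of SAMPLE_LOG; a 200 on apache_32.png from a client that never fetched a page is the case worth chasing first.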