# HD light solid. High net traffic. Hacked?

## HomerSimpson

I saw something strange tonight. My HD light went solid red. Running top, I didn't see anything taking much CPU. I run gnome and also run the system monitor applet. The HD block didn't show the HD being accessed but the computer itself showed solid red. As I was trying to figure it out, the net traffic went way up.

1) How can I tell who or what is accessing the disk?

2) How can I tell who or what is accessing the network?

I have a SonicWall firewall. The only ports that are forwarded to my computer are SMTP, SSH and 8086. I had tried to do some port forwarding a while back but forgot to turn this off. There should have been nothing listening on this port.

If this happens again, what tools do I need to find out what process is accessing the disk and which ones are accessing the network. I did a netstat but there are a lot of lines to go through. I do not know which ones are reasonable and which ones aren't.

Thanks

----------

## xbmodder

look through sshd logs, logs in general; netstat -p helps

----------

## dewke

you can use lsof to see what's accessing what.

----------

## HomerSimpson

I emerged lsof yesterday so if it happens again (while I am at my computer) I will try it.

This is what was in my sshd log:

```
Jul  9 02:40:25 [sshd] Did not receive identification string from ::ffff:218.70.229.56
Jul  9 17:08:30 [sshd] Did not receive identification string from ::ffff:202.225.133.27
Jul  9 17:24:15 [sshd] Invalid user amanda from ::ffff:202.225.133.27
Jul  9 17:24:17 [sshd] Invalid user iris from ::ffff:202.225.133.27
Jul  9 17:24:18 [sshd] Invalid user bonnie from ::ffff:202.225.133.27
Jul  9 17:24:20 [sshd] Invalid user sparky from ::ffff:202.225.133.27
Jul  9 17:24:21 [sshd] Invalid user clasic from ::ffff:202.225.133.27
Jul  9 17:24:23 [sshd] Invalid user jamy from ::ffff:202.225.133.27
Jul  9 17:24:24 [sshd] Invalid user david from ::ffff:202.225.133.27
Jul  9 17:24:26 [sshd] Invalid user administrator from ::ffff:202.225.133.27
Jul  9 17:24:27 [sshd] Invalid user info from ::ffff:202.225.133.27
Jul  9 17:24:29 [sshd] Invalid user webmaster from ::ffff:202.225.133.27
Jul  9 17:24:31 [sshd] Invalid user rebeca from ::ffff:202.225.133.27
Jul  9 17:24:45 [sshd] Invalid user optic from ::ffff:202.225.133.27
Jul  9 17:24:46 [sshd] Invalid user service from ::ffff:202.225.133.27
Jul  9 17:24:48 [sshd] Invalid user admin from ::ffff:202.225.133.27
Jul  9 17:24:49 [sshd] Invalid user danielle from ::ffff:202.225.133.27
Jul  9 17:24:51 [sshd] Invalid user nexus from ::ffff:202.225.133.27
Jul  9 17:24:52 [sshd] Invalid user arthur from ::ffff:202.225.133.27
Jul  9 17:24:54 [sshd] Invalid user fred from ::ffff:202.225.133.27
Jul  9 17:24:55 [sshd] Invalid user greg from ::ffff:202.225.133.27
Jul  9 17:24:57 [sshd] Invalid user steve from ::ffff:202.225.133.27
Jul  9 17:24:58 [sshd] Invalid user felix from ::ffff:202.225.133.27
Jul  9 17:25:00 [sshd] Invalid user sandra from ::ffff:202.225.133.27
Jul  9 17:25:02 [sshd] Invalid user security from ::ffff:202.225.133.27
Jul  9 17:25:03 [sshd] Invalid user chris from ::ffff:202.225.133.27
Jul  9 17:25:05 [sshd] Invalid user gabriel from ::ffff:202.225.133.27
Jul  9 17:25:06 [sshd] Invalid user dennis from ::ffff:202.225.133.27
Jul  9 17:25:11 [sshd] Invalid user mac from ::ffff:202.225.133.27
Jul  9 17:25:12 [sshd] Invalid user samba from ::ffff:202.225.133.27
Jul  9 17:25:14 [sshd] Invalid user martin from ::ffff:202.225.133.27
Jul  9 17:25:15 [sshd] Invalid user alan from ::ffff:202.225.133.27
Jul  9 17:25:17 [sshd] Invalid user allan from ::ffff:202.225.133.27
Jul  9 17:25:19 [sshd] Invalid user karl from ::ffff:202.225.133.27
Jul  9 17:25:20 [sshd] Invalid user test from ::ffff:202.225.133.27
                - Last output repeated 2 times -
Jul  9 17:25:25 [sshd] Invalid user media from ::ffff:202.225.133.27
Jul  9 17:25:29 [sshd] Invalid user darren from ::ffff:202.225.133.27
Jul  9 17:25:31 [sshd] Invalid user clasic from ::ffff:202.225.133.27
Jul  9 17:25:33 [sshd] Invalid user classic from ::ffff:202.225.133.27
Jul  9 17:25:34 [sshd] Invalid user igor from ::ffff:202.225.133.27
Jul  9 17:25:36 [sshd] Invalid user ivan from ::ffff:202.225.133.27
Jul  9 17:25:37 [sshd] Invalid user jeff from ::ffff:202.225.133.27
Jul  9 17:25:39 [sshd] Invalid user stan from ::ffff:202.225.133.27
Jul  9 17:25:40 [sshd] Invalid user public from ::ffff:202.225.133.27
Jul  9 17:25:42 [sshd] Invalid user eddie from ::ffff:202.225.133.27
Jul  9 17:25:43 [sshd] Invalid user ivan from ::ffff:202.225.133.27
Jul  9 17:25:45 [sshd] Invalid user marvin from ::ffff:202.225.133.27
Jul  9 17:25:47 [sshd] Invalid user andres from ::ffff:202.225.133.27
Jul  9 17:25:48 [sshd] Invalid user barbara from ::ffff:202.225.133.27
Jul  9 17:25:50 [sshd] Invalid user adine from ::ffff:202.225.133.27
Jul  9 17:25:51 [sshd] Invalid user test from ::ffff:202.225.133.27
Jul  9 17:25:53 [sshd] User guest not allowed because shell /dev/null is not executable
Jul  9 17:25:54 [sshd] Invalid user db from ::ffff:202.225.133.27
Jul  9 17:25:56 [sshd] Invalid user ahmed from ::ffff:202.225.133.27
Jul  9 17:25:57 [sshd] Invalid user albert from ::ffff:202.225.133.27
Jul  9 17:25:59 [sshd] Invalid user alberto from ::ffff:202.225.133.27
Jul  9 17:26:00 [sshd] Invalid user alex from ::ffff:202.225.133.27
Jul  9 17:26:02 [sshd] Invalid user alfred from ::ffff:202.225.133.27
Jul  9 17:26:04 [sshd] Invalid user ali from ::ffff:202.225.133.27
Jul  9 17:26:06 [sshd] Invalid user alice from ::ffff:202.225.133.27
Jul  9 17:26:07 [sshd] Invalid user andi from ::ffff:202.225.133.27
Jul  9 17:26:09 [sshd] Invalid user andrew from ::ffff:202.225.133.27
Jul  9 17:26:10 [sshd] Invalid user angie from ::ffff:202.225.133.27
Jul  9 17:26:12 [sshd] Invalid user angela from ::ffff:202.225.133.27
Jul  9 17:26:14 [sshd] Invalid user anita from ::ffff:202.225.133.27
Jul  9 17:26:15 [sshd] Invalid user anna from ::ffff:202.225.133.27
Jul  9 17:26:17 [sshd] Invalid user arthur from ::ffff:202.225.133.27
Jul  9 17:26:18 [sshd] Invalid user aron from ::ffff:202.225.133.27
Jul  9 17:26:20 [sshd] Invalid user austin from ::ffff:202.225.133.27
Jul  9 17:26:21 [sshd] Invalid user barbara from ::ffff:202.225.133.27
Jul  9 17:26:23 [sshd] Invalid user bart from ::ffff:202.225.133.27
Jul  9 17:26:24 [sshd] Invalid user ben from ::ffff:202.225.133.27
Jul  9 17:26:26 [sshd] Invalid user beny from ::ffff:202.225.133.27
Jul  9 17:26:28 [sshd] Invalid user bert from ::ffff:202.225.133.27
Jul  9 17:26:29 [sshd] Invalid user bill from ::ffff:202.225.133.27
Jul  9 17:26:31 [sshd] Invalid user bind from ::ffff:202.225.133.27
Jul  9 17:26:32 [sshd] Invalid user bob from ::ffff:202.225.133.27
Jul  9 17:26:34 [sshd] Invalid user bobby from ::ffff:202.225.133.27
Jul  9 17:26:35 [sshd] Invalid user bret from ::ffff:202.225.133.27
Jul  9 17:26:37 [sshd] Invalid user brian from ::ffff:202.225.133.27
Jul  9 17:26:38 [sshd] Invalid user bruce from ::ffff:202.225.133.27
Jul  9 17:26:40 [sshd] Invalid user carl from ::ffff:202.225.133.27
Jul  9 17:26:42 [sshd] Invalid user carol from ::ffff:202.225.133.27
Jul  9 17:26:43 [sshd] Invalid user cesar from ::ffff:202.225.133.27
Jul  9 17:26:45 [sshd] Invalid user clark from ::ffff:202.225.133.27
Jul  9 17:26:46 [sshd] Invalid user clinton from ::ffff:202.225.133.27
Jul  9 17:26:48 [sshd] Invalid user corinna from ::ffff:202.225.133.27
Jul  9 17:26:49 [sshd] Invalid user craig from ::ffff:202.225.133.27
Jul  9 17:26:51 [sshd] Invalid user daniel from ::ffff:202.225.133.27
Jul  9 17:26:52 [sshd] Invalid user danny from ::ffff:202.225.133.27
Jul  9 17:26:54 [sshd] Invalid user dave from ::ffff:202.225.133.27
Jul  9 17:26:55 [sshd] Invalid user dexter from ::ffff:202.225.133.27
Jul  9 17:26:57 [sshd] Invalid user dick from ::ffff:202.225.133.27
Jul  9 17:26:59 [sshd] Invalid user earl from ::ffff:202.225.133.27
Jul  9 17:27:00 [sshd] Invalid user ed from ::ffff:202.225.133.27
Jul  9 17:27:02 [sshd] Invalid user eddie from ::ffff:202.225.133.27
Jul  9 17:27:03 [sshd] Invalid user edgar from ::ffff:202.225.133.27
Jul  9 17:27:05 [sshd] Invalid user ellen from ::ffff:202.225.133.27
Jul  9 17:27:06 [sshd] Invalid user emil from ::ffff:202.225.133.27
Jul  9 17:27:08 [sshd] Invalid user enzo from ::ffff:202.225.133.27
Jul  9 17:27:09 [sshd] Invalid user felix from ::ffff:202.225.133.27
Jul  9 17:27:11 [sshd] Invalid user fred from ::ffff:202.225.133.27
Jul  9 17:27:13 [sshd] Invalid user francis from ::ffff:202.225.133.27
Jul  9 17:27:14 [sshd] Invalid user harry from ::ffff:202.225.133.27
Jul  9 17:27:16 [sshd] Invalid user ian from ::ffff:202.225.133.27
Jul  9 17:27:17 [sshd] Invalid user ismail from ::ffff:202.225.133.27
Jul  9 17:27:20 [sshd] Invalid user james from ::ffff:202.225.133.27
Jul  9 17:27:22 [sshd] Invalid user jesse from ::ffff:202.225.133.27
Jul  9 17:27:23 [sshd] Invalid user jim from ::ffff:202.225.133.27
Jul  9 17:27:25 [sshd] Invalid user jimmy from ::ffff:202.225.133.27
Jul  9 17:27:26 [sshd] Invalid user john from ::ffff:202.225.133.27
Jul  9 17:27:28 [sshd] Invalid user keith from ::ffff:202.225.133.27
Jul  9 17:27:30 [sshd] Invalid user ken from ::ffff:202.225.133.27
Jul  9 17:27:31 [sshd] Invalid user larry from ::ffff:202.225.133.27
Jul  9 17:27:33 [sshd] Invalid user lisa from ::ffff:202.225.133.27
Jul  9 17:27:34 [sshd] Invalid user matt from ::ffff:202.225.133.27
Jul  9 17:27:36 [sshd] Invalid user monica from ::ffff:202.225.133.27
Jul  9 17:27:37 [sshd] Invalid user nicole from ::ffff:202.225.133.27
Jul  9 17:27:39 [sshd] Invalid user paul from ::ffff:202.225.133.27
Jul  9 17:27:40 [sshd] Invalid user pete from ::ffff:202.225.133.27
Jul  9 17:27:42 [sshd] Invalid user peter from ::ffff:202.225.133.27
Jul  9 17:27:44 [sshd] Invalid user phil from ::ffff:202.225.133.27
Jul  9 17:27:45 [sshd] Invalid user philip from ::ffff:202.225.133.27
Jul  9 17:27:47 [sshd] Invalid user roland from ::ffff:202.225.133.27
Jul  9 17:27:48 [sshd] Invalid user samuel from ::ffff:202.225.133.27
Jul  9 17:27:50 [sshd] Invalid user sammy from ::ffff:202.225.133.27
Jul  9 17:27:51 [sshd] Invalid user samir from ::ffff:202.225.133.27
Jul  9 17:27:53 [sshd] Invalid user sean from ::ffff:202.225.133.27
Jul  9 17:27:54 [sshd] Invalid user shaun from ::ffff:202.225.133.27
Jul  9 17:27:56 [sshd] Invalid user sven from ::ffff:202.225.133.27
Jul  9 17:27:57 [sshd] Invalid user steve from ::ffff:202.225.133.27
Jul  9 17:27:59 [sshd] Invalid user steven from ::ffff:202.225.133.27
Jul  9 17:28:01 [sshd] Invalid user temp from ::ffff:202.225.133.27
Jul  9 17:28:02 [sshd] Invalid user tim from ::ffff:202.225.133.27
Jul  9 17:28:04 [sshd] Invalid user tom from ::ffff:202.225.133.27
Jul  9 17:28:05 [sshd] Invalid user tony from ::ffff:202.225.133.27
Jul  9 17:28:07 [sshd] Invalid user vanessa from ::ffff:202.225.133.27
Jul  9 17:28:08 [sshd] Invalid user will from ::ffff:202.225.133.27
Jul  9 17:28:10 [sshd] Invalid user willie from ::ffff:202.225.133.27
Jul  9 17:28:11 [sshd] Invalid user win from ::ffff:202.225.133.27
Jul  9 17:28:13 [sshd] Invalid user samba from ::ffff:202.225.133.27
Jul  9 17:28:15 [sshd] User sshd not allowed because account is locked
Jul  9 17:28:16 [sshd] Invalid user adam from ::ffff:202.225.133.27
Jul  9 17:28:18 [sshd] Invalid user anton from ::ffff:202.225.133.27
Jul  9 17:28:19 [sshd] Invalid user gary from ::ffff:202.225.133.27
Jul  9 17:28:21 [sshd] Invalid user thor from ::ffff:202.225.133.27
                - Last output repeated twice -
Jul  9 17:28:24 [sshd] Invalid user sue from ::ffff:202.225.133.27
Jul  9 17:28:25 [sshd] Invalid user daveb from ::ffff:202.225.133.27
Jul  9 17:28:27 [sshd] Invalid user terry from ::ffff:202.225.133.27
Jul  9 17:28:32 [sshd] Invalid user corey from ::ffff:202.225.133.27
Jul  9 17:28:33 [sshd] Invalid user core from ::ffff:202.225.133.27
Jul  9 17:28:36 [sshd] Invalid user ident from ::ffff:202.225.133.27
Jul  9 17:28:38 [sshd] Invalid user logadmin from ::ffff:202.225.133.27
Jul  9 17:28:39 [sshd] Invalid user markt from ::ffff:202.225.133.27
Jul  9 17:28:41 [sshd] Invalid user gopher from ::ffff:202.225.133.27
Jul  9 17:28:49 [sshd] Invalid user visitor from ::ffff:202.225.133.27
Jul  9 17:28:50 [sshd] Invalid user will from ::ffff:202.225.133.27
Jul  9 17:28:52 [sshd] Invalid user stef from ::ffff:202.225.133.27
Jul  9 17:28:55 [sshd] Invalid user steve from ::ffff:202.225.133.27
Jul  9 17:28:56 [sshd] Invalid user dbus from ::ffff:202.225.133.27
Jul  9 17:29:03 [sshd] Invalid user heather from ::ffff:202.225.133.27
Jul  9 17:29:04 [sshd] Invalid user cvsroot from ::ffff:202.225.133.27
                - Last output repeated twice -
Jul  9 17:29:07 [sshd] Invalid user wing from ::ffff:202.225.133.27
                - Last output repeated twice -
Jul  9 17:29:10 [sshd] Invalid user jboss from ::ffff:202.225.133.27
Jul  9 17:29:12 [sshd] Invalid user tina from ::ffff:202.225.133.27
Jul  9 17:29:14 [sshd] Invalid user ken from ::ffff:202.225.133.27
Jul  9 17:29:15 [sshd] Invalid user cheng from ::ffff:202.225.133.27
Jul  9 17:29:17 [sshd] Invalid user keiko from ::ffff:202.225.133.27
Jul  9 17:29:18 [sshd] Invalid user huey from ::ffff:202.225.133.27
Jul  9 17:29:20 [sshd] Invalid user sonia from ::ffff:202.225.133.27
Jul  9 17:29:21 [sshd] Invalid user sean from ::ffff:202.225.133.27
Jul  9 17:29:23 [sshd] Invalid user william from ::ffff:202.225.133.27
Jul  9 17:29:24 [sshd] Invalid user karlcheng from ::ffff:202.225.133.27
Jul  9 17:29:26 [sshd] Invalid user cfhorng from ::ffff:202.225.133.27
Jul  9 17:29:28 [sshd] Invalid user hjh from ::ffff:202.225.133.27
Jul  9 17:29:29 [sshd] Invalid user nancy from ::ffff:202.225.133.27
Jul  9 17:29:31 [sshd] Invalid user kk from ::ffff:202.225.133.27
Jul  9 17:29:32 [sshd] Invalid user 4388 from ::ffff:202.225.133.27
Jul  9 17:29:34 [sshd] Invalid user angel from ::ffff:202.225.133.27
Jul  9 17:29:35 [sshd] Invalid user pgsql from ::ffff:202.225.133.27
                - Last output repeated twice -
Jul  9 17:29:40 [sshd] Invalid user ident from ::ffff:202.225.133.27
Jul  9 17:29:42 [sshd] Invalid user resin from ::ffff:202.225.133.27
Jul  9 17:29:43 [sshd] Invalid user aron from ::ffff:202.225.133.27
Jul  9 17:29:45 [sshd] Invalid user shell from ::ffff:202.225.133.27
Jul  9 17:29:46 [sshd] Invalid user linux from ::ffff:202.225.133.27
Jul  9 17:29:48 [sshd] Invalid user unix from ::ffff:202.225.133.27
Jul  9 17:29:49 [sshd] Invalid user webadmin from ::ffff:202.225.133.27
Jul  9 17:29:51 [sshd] Invalid user info from ::ffff:202.225.133.27
Jul  9 17:29:54 [sshd] Invalid user adam from ::ffff:202.225.133.27
Jul  9 17:29:55 [sshd] Invalid user user from ::ffff:202.225.133.27
Jul  9 17:29:57 [sshd] Invalid user richard from ::ffff:202.225.133.27
Jul  9 17:29:59 [sshd] Invalid user user from ::ffff:202.225.133.27
Jul  9 17:30:00 [sshd] Invalid user airservice from ::ffff:202.225.133.27
Jul  9 17:30:02 [sshd] Invalid user airparts from ::ffff:202.225.133.27
Jul  9 17:30:03 [sshd] Invalid user doug from ::ffff:202.225.133.27
Jul  9 17:30:05 [sshd] Invalid user parts from ::ffff:202.225.133.27
Jul  9 17:30:06 [sshd] Invalid user juan from ::ffff:202.225.133.27
Jul  9 17:30:08 [sshd] Invalid user crissy from ::ffff:202.225.133.27
Jul  9 17:30:09 [sshd] Invalid user acct from ::ffff:202.225.133.27
                - Last output repeated twice -
Jul  9 17:30:12 [sshd] Invalid user clare from ::ffff:202.225.133.27
Jul  9 17:30:14 [sshd] User messagebus not allowed because account is locked
Jul  9 17:30:28 [sshd] Invalid user vcsa from ::ffff:202.225.133.27
Jul  9 17:30:29 [sshd] Invalid user nscd from ::ffff:202.225.133.27
Jul  9 17:30:31 [sshd] Invalid user ident from ::ffff:202.225.133.27
Jul  9 17:30:33 [sshd] Invalid user rpcuser from ::ffff:202.225.133.27
Jul  9 17:30:34 [sshd] Invalid user nfsnobody from ::ffff:202.225.133.27
Jul  9 17:30:36 [sshd] Invalid user mailnull from ::ffff:202.225.133.27
Jul  9 17:30:37 [sshd] User smmsp not allowed because account is locked
Jul  9 17:30:39 [sshd] Invalid user pcap from ::ffff:202.225.133.27
Jul  9 17:30:43 [sshd] Invalid user webalizer from ::ffff:202.225.133.27
Jul  9 17:30:45 [sshd] Invalid user dbus from ::ffff:202.225.133.27
Jul  9 17:30:47 [sshd] Invalid user desktop from ::ffff:202.225.133.27
Jul  9 17:30:50 [sshd] Invalid user pvm from ::ffff:202.225.133.27
Jul  9 17:30:51 [sshd] Invalid user canna from ::ffff:202.225.133.27
Jul  9 17:30:53 [sshd] Invalid user wnn from ::ffff:202.225.133.27
Jul  9 23:20:06 [sshd] Did not receive identification string from ::ffff:195.5.57.7
```

Is this pretty typical of what is in people's sshd logs?

I do not allow password authentication on ssh.

I have something like this in my current log but the network traffic is minimal right now.

Thanks
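One way to answer "is this typical?" is to reduce the log to per-source counts, so a dictionary run like the one above stands out from the odd stray connect. This is an added example, my own Python and not anything from the thread; the sample lines are constructed from the log above, syslog "Last output repeated" markers included, and the thresholds in `brute_force_sources` are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the sshd log above: a few of its lines, with the
# syslog "Last output repeated" markers and an entry that carries no peer address.
SAMPLE_LOG = """\
Jul  9 17:08:30 [sshd] Did not receive identification string from ::ffff:202.225.133.27
Jul  9 17:24:15 [sshd] Invalid user amanda from ::ffff:202.225.133.27
Jul  9 17:25:20 [sshd] Invalid user test from ::ffff:202.225.133.27
                - Last output repeated 2 times -
Jul  9 17:25:53 [sshd] User guest not allowed because shell /dev/null is not executable
Jul  9 17:28:21 [sshd] Invalid user thor from ::ffff:202.225.133.27
                - Last output repeated twice -
Jul  9 17:30:53 [sshd] Invalid user wnn from ::ffff:202.225.133.27
Jul  9 23:20:06 [sshd] Did not receive identification string from ::ffff:195.5.57.7
"""

EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \[sshd\] "
    r"(?:Invalid user (?P<user>\S+) from (?P<src>\S+)"
    r"|Did not receive identification string from (?P<nsrc>\S+)"
    r"|User \S+ not allowed because)")
REPEAT_RE = re.compile(r"Last output repeated (?:(\d+) times|twice)")


def strip_mapped(addr):
    """sshd logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d); return a.b.c.d."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def summarize(log_text):
    """Per source: login attempts (syslog repeats folded in), distinct usernames
    tried, banner-less connects, first/last timestamp. Key None collects the
    probes of existing accounts that this sshd logged without a peer address."""
    new = lambda: {"attempts": 0, "users": set(), "noident": 0, "first": None, "last": None}
    stats, last = defaultdict(new), None
    for line in log_text.splitlines():
        rep = REPEAT_RE.search(line)
        if rep and last:   # syslog collapsed N further copies of the previous line
            stats[last[0]][last[1]] += int(rep.group(1) or 2)
            continue
        m = EVENT_RE.match(line)
        if not m:
            continue
        addr = m.group("src") or m.group("nsrc")
        src = strip_mapped(addr) if addr else None
        # syslog timestamps carry no year; 1900 is fine for within-day durations
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        s = stats[src]
        s["first"], s["last"] = s["first"] or ts, ts
        field = "noident" if m.group("nsrc") else "attempts"   # noident: no SSH banner sent
        s[field] += 1
        if m.group("user"):
            s["users"].add(m.group("user"))
        last = (src, field)
    return dict(stats)


def brute_force_sources(log_text, min_attempts=10, min_users=5):
    """Sources that tried at least min_attempts logins across min_users usernames."""
    return sorted(src for src, s in summarize(log_text).items()
                  if src and s["attempts"] >= min_attempts and len(s["users"]) >= min_users)
```

Run over the full log above, the same counts show one source cycling through well over a hundred usernames in about six minutes, with the two "Did not receive identification string" peers as single banner-less connects (scanners, not logins).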

----------

## JeffBlair

Looks like someone was trying to do a brute force attack on you. I have had that in my log files as well. I know that my password is ok, 10 alphanumeric, so I'm not that worried. It's just some script kiddie trying to get in.

----------

## HomerSimpson

I was getting the high net traffic problem again. 

I did

```
# lsof | grep socket
```

I stopped a few daemons but still had the high net traffic. I saw a socket with the name mount.smb so I unmounted the Windows mount I had and then the net traffic went down to normal. I thought it had something to do with Windows reading or writing over the samba connection. So I remounted and started killing processes on the Windows computer but the net traffic was still there. On the Windows computer it shows no network traffic. I assume then that this is on the Gentoo side. As soon as I mount the Windows drive, using samba, my net traffic jumps way up.

What could be causing this?

How do I find out?

Thanks

----------

## PMT

lsof | grep [your home directory, file directory, or something likely to be high-traffic].

Also, check what users are logged in.

----------

## HomerSimpson

I did a who and the only user logged in is me, twice. One for Gnome and one for the terminal to run who from.

As soon as I mount the directory on my Windows share I get the high traffic. I did an lsof | grep /mnt/shareddocs and nothing shows. I don't see what is reading or writing to the network when I have the share mounted. Neither hard drive (on my Gentoo box or Windows) looks like it is being accessed.

This is strange. I wonder why it is hitting the network?

Thanks

--Edit--

Could this be one of those viruses that spreads over Windows shares? How can I tell? I run Norton Antivirus on my Windows computer but it doesn't see anything wrong. I will run the scan again.

----------

## nielchiano

you could try the heavy duty stuff... emerge tcpdump or ethereal and start dumping net-traffic... it'll tell you EXACTLY what was on the wire...

Only downside is: you might drown in the data it gathers...

----------

## HomerSimpson

I have ethereal. I was trying to avoid that. I have used it before.

I ran Norton again and Trend Micro scanner and it found nothing.

Thanks

----------

## earnoth

*HomerSimpson wrote:*

> I have ethereal. I was trying to avoid that. I have used it before.
>
> I ran Norton again and Trend Micro scanner and it found nothing.
>
> Thanks

A few things I suspect may help you:

Run anti-spyware software on your Windows system in addition to the A/V stuff. I typically use Spybot and Adaware, as they are free and seem to complement each other well.

Enable better logging on the Samba server to see exactly what the Windows system is doing. According to http://www.oreilly.com/catalog/samba/chapter/book/ch09_01.html, adding the following line:

```
log level=2
```

will let you see entries like this:

```
/* Level 2 */
Got SIGHUP
Processing section "[homes]"
Processing section "[public]"
Processing section "[temp]"
Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$
Allowed connection from 192.168.236.86 (192.168.236.86) to IPC/
```

That may give you a better handle on things. You can further increase the log level, but anything past level two will give you far more diagnostic data than just "IP A connecting to share Foo".

If you're really paranoid and worried your Gentoo system has been hacked, get fresh binaries of your system utilities like ps, ls, netstat, and lsof. Additionally, you could install a rootkit detection package like the following:

```
emerge chkrootkit

*  app-forensics/chkrootkit
      Latest version available: 0.45
      Latest version installed: [ Not Installed ]
      Size of downloaded files: 39 kB
      Homepage:    http://www.chkrootkit.org/
      Description: a tool to locally check for signs of a rootkit
      License:     AMS
```

You'll definitely need to run a packet trace to find out what's going on. If you can manage to get yourself to run Ethereal, I suggest that you use the "Protocol Hierarchy" option under the Statistics menu. It'll give you a great breakout by volume of what's happening on the network.

Additionally, the ntop tool can give you traffic profiling, though Ethereal may be easier to use.

To get a really good view as to what's happening on your Windows system, look at the free tools available at sysinternals.com: http://www.sysinternals.com/Utilities.html. In particular, I might recommend you use the following:

Filemon - This monitoring tool lets you see all file system activity in real-time.

TCPView - See all open TCP and UDP endpoints. On Windows NT, 2000 and XP TCPView even displays the name of the process that owns each endpoint. Includes a command-line version, tcpvcon.

ProcessExplorer - Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.

RegMon - This monitoring tool lets you see all Registry activity in real-time.

In the end, your best bet is to look at packet traces of the network activity and figure out who the top talker is. Once you determine that (and it sounds like your Windows box is the culprit from the earlier posts), investigate that host and see what's doing what.

I'll be watching this thread for further posts, so feel free to post what you see. I'll help how I can.

----------

## HomerSimpson

Wow! Thank you for all the suggestions.

----------

