Solved

machine exploited

Posted on 2005-02-28
Medium Priority
321 Views
Last Modified: 2010-04-22
Linux, Ximian Evolution
I am on an AU$28.95 plan with a 200MB download limit, which is far more than I need for the time being. All of a sudden my ISP is charging AU$149 for the last month, which is about AU$120.00 of excess download that I definitely did not have. With the plan I have this is about 9 days of non-stop download. I've reported the situation to the ISP and asked them to investigate but their answers are not promising. So I have a few questions.

1) I have tried to trace the source of the trouble on my machines but without success. Are there some tools I can use to help, preferably free? Perhaps I already have some with my distro (Fedora C2).

2) With the plan I have I get a "dynamic" ISP address and since all my internet connections are through this ISP, I thought that should automatically offer some protection and that such an exploit should mostly be detected by the ISP, so I blame the ISP for the problem. Is my view unfair?

3) I cannot afford this sort of monthly expense and I've told the ISP that if there is no clear result of their investigation I will have to terminate the service just to prevent a repeat. Will it help if I change to another ISP? (I'm beginning to wonder about the one I have because they sent me an email asking me to provide them with my password so that they could carry on with their investigation.)

4) The "inbox" shows all the emails I've received and all the ones that are junk mail carry the mention "invoked by network", which I assumed means that one machine on the LAN (there are 3) is asking for it. Is that assumption correct?

It is worth noting that I have been working some 12 hours a day on this LAN (the 3 machines are next to one another) for the period involved, mainly testing network scripts. This involved regularly checking that the modem's LEDs are blinking, showing the scripts did something, and this modem was looking idle all the time except when a script was running successfully. On top of that, when I got up in the morning, it often happened that the internet connection was lost (another post) and as a result, I'm amazed that, if there was illicit traffic going on, I didn't notice it.
Thank you for your help.
0
Question by: rblampain
9 Comments
 
LVL 51
Accepted Solution by: ahoffmann (earned 1000 total points)
ID: 13423944
1)

2) yes, you have to protect yourself. The ISP just routes any traffic transparently.

3) no (if the problem is on your machine)
    don't hand out your password

4) your description is too vague to give an answer here

0

Author Comment by: rblampain
ID: 13428675
I made a mistake assuming the integrity of the ISP; I assumed the traffic did happen in such a huge way (24 gig). After the last post I decided to check everything and found this ISP has increased the charge for excess downloads from AU$0.005 to AU$0.11 without warning.
This is a 22 fold increase; what should have cost me $6.00 now costs $132.00.

There are still some downloads that I definitely never had, like 1133 MB one day, 1103MB spread over 2 consecutive days, 1032MB on another day; the rest is small downloads.
If I need a 30MB file, I usually find out if I can get the CD, so that gives you an idea how I go about downloads. The total download for the next bill is 3632.71 MB which is hugely more than I use. At their current charges this will be AU$399.59.

I thought I would check the previous bills to make sure the AU$0.005 per MB is not my imagination, but my work was interrupted by their implementation of a new splash page and site presentation which unfortunately prevents me from accessing my history. I managed to get access to my usage before this happened, then I couldn't get access at all. So I'll have to wait some time until this is resolved and I'll then try to make sense of it all and perhaps give more details in this post.

In the meantime I'd like to ask your opinion about the jump from 0.005 to 0.11 for excess downloads. Would this be "normal" practice?

 
0

LVL 51
Expert Comment by: ahoffmann
ID: 13428813
>  Would this be "normal" practice?
hmm, don't know what oz praxis is, just know that police in Qld for example is strange, somehow .. ;-)
0

 
LVL 24
Assisted Solution by: SunBow (earned 1000 total points)
ID: 13461065
a) You are suffering, so suffer. Turn it off, go off-net for a while. If they have daily billing, with complete off days you can find out if their numbers are invalid.

b) Look for alternative, no fee service for bytes

c) Look at monitoring yourself better. For example, is the disk indicating activity when you have nothing in transit?

d) Make sure your browser, for example, is using caching, and not always downloading same webpages over and again

e) For eMail, defend first against obvious spam, don't even bother to download unexpected mail content

f) Look for a shared area someone could be borrowing, such as for FTP

g) Watch your available disk storage very regularly, make notes, look for unexpected spikes of mass activity

h) Check to ensure you have not become some zombie who is reduced to being a transparent forwarder from one person to another. Some of this you may be able to defend via a firewall to block both the incoming and outgoing packets you have not knowingly solicited
0
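SunBow's points (a), (c) and (g) all come down to measuring your own traffic so the ISP's daily figures can be checked against it. The following is an added example (not from any poster on this thread) that reads the kernel's per-interface byte counters, which count the traffic itself rather than disk space or modem LEDs, and turns two daily snapshots into an MB figure in the unit the ISP bills. The interface name eth0, the log path and the embedded /proc/net/dev snapshots are assumptions.

```shell
#!/bin/sh
# Added example, not from any poster on this thread: log per-interface byte
# counters so each day's own traffic can be compared with the ISP's billed MB.
# Assumptions: /proc/net/dev format, interface "eth0", log path ~/usage.log.

# Sum received and transmitted bytes for one interface from /proc/net/dev-format
# text on stdin. Older kernels print "eth0:123456" with no space after the colon
# once the counter gets wide, so a space is forced in before splitting fields.
iface_bytes() {
    sed 's/:/: /' | awk -v ifc="$1:" '$1 == ifc { print $2 + $10 }'
}

# Bytes to MB (1 MB = 1048576 bytes) with two decimals, the unit the ISP bills in.
to_mb() {
    awk -v b="$1" 'BEGIN { printf "%.2f", b / 1048576 }'
}

# MB transferred between two snapshot totals. A lower second value means the
# counter wrapped (32-bit kernels wrap at 4 GB) or the box rebooted; report that
# instead of a bogus negative figure so the day is not silently miscounted.
mb_delta() {
    if [ "$2" -lt "$1" ]; then
        echo "counter-reset"
    else
        to_mb $(( $2 - $1 ))
    fi
}

# Append "YYYY-MM-DD total_bytes" for the live interface; run once a day from
# cron, then feed consecutive lines to mb_delta to get each day's MB.
record_usage() {
    printf '%s %s\n' "$(date +%F)" "$(iface_bytes "$1" < /proc/net/dev)" >> "${2:-$HOME/usage.log}"
}

# Constructed /proc/net/dev snapshots for two consecutive days (old joined format
# on day 1, spaced format on day 2). eth0 grows by 1132 MB rx + 1 MB tx = 1133 MB.
DAY1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0:104857600  80000    0    0    0     0          0         0 10485760   40000    0    0    0     0       0          0'
DAY2='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    2000      20    0    0    0     0          0         0     2000      20    0    0    0     0       0          0
  eth0: 1291845632 900000    0    0    0     0          0         0 11534336   41000    0    0    0     0       0          0'

day1=$(printf '%s\n' "$DAY1" | iface_bytes eth0)
day2=$(printf '%s\n' "$DAY2" | iface_bytes eth0)
echo "eth0 moved $(mb_delta "$day1" "$day2") MB between snapshots"
```

A day where the log shows a small delta but the ISP bills over a gigabyte is the discrepancy worth taking to the ombudsman; a "counter-reset" line means that day needs a second look before drawing conclusions.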
 

Author Comment by: rblampain
ID: 13464848
Thanks to SunBow

a) Yes I do suffer. I do go off-net most of the time since the problem arose. I only turn the modem on when ready to "surf". Could you elaborate on your comment: "If they have daily billing, with complete off days you can find out if their numbers are invalid"? I'd love to do that.
b) I'm ready to switch ISP; this ISP's competitors offer "shaped" download for excess downloads, no charge at all for excess downloads.
c) Will keep an eye on it but never noticed anything; the disk activity LED is close to the screen and in full view from the corner of my eye, the best way to detect (light) movement.
d) My only web activity is to find solutions to programming problems. I'm setting up a site for a not-for-profit as a volunteer and have a lot to learn in many areas; downloading the same stuff is very unlikely and downloads are always small and saved for reference.
e) I'd like to leave unexpected mail on the server but it's not an option; mail is kept on the server (ISP) and downloaded in bulk, and when I download it I don't know what's coming, but my first action is to send unexpected mail to the bin without opening it.
f) FTP is not enabled. I just checked and the ~/vsftpd.conf (ftp configuration file) does not even exist, except for the logs.
g) I'll monitor disk storage. As far as mass activity is concerned I thought the best indication is the LEDs of the modem; please tell me if this assumption is wrong. Setup is: 3 Linux/Fedora C2 machines ---> modem/router/switch ---> ADSL line. Unexpected activity wouldn't go unnoticed, see my initial explanations.
h) I'm the only one using this home LAN; basic iptables (firewall) is running, could probably be better though, especially if I knew what I'm chasing.

Your suggestions are excellent for the process of elimination I'm finding myself in.

To all:
Latest developments: when logging in, this ISP presents a new "agreement" that gives 2 options, "agree" or "disagree". I suspect this is an attempt at covering themselves for the 22 fold increase mentioned above. Clicking "disagree" gives a very small message "session terminated". I've contacted the "Telecommunications Ombudsman" we have and this gave me the name and phone number of a person to contact at this ISP, which I did immediately. However I got an answering machine and left all my details, with my phone number repeated twice, as their message promised to return the call. A full working day has elapsed since and no return call was received. I will ring them again on Monday and most likely will have to return to this ombudsman just to have access to my history as a first step.

In my view, it's getting more and more obvious that there is something fundamentally wrong going on with this ISP and that my system has never been exploited.


0
 

Author Comment by: rblampain
ID: 13464860
To ahoffmann:
QLD police are just boy scouts compared to some other AU states'. There are fascinating stories, much better than any TV you can watch.
0
 
LVL 51
Expert Comment by: ahoffmann
ID: 13465089
<off-topic>
> .. fascinating stories ..
yes I know, have been part of it :-( but also know that the biker's community is perfectly organized :-))
</off-topic>
0
 

Author Comment by: rblampain
ID: 13487475
To SunBow:
I've written a little script that shows disk usage differences between instances of this script, and it is always what I expect. Every passing day convinces me more that my system was never exploited.

To all:
I managed to talk to somebody at this ISP and I was told my case would be examined this week. I think it's unfair of me to hold any longer on the points. My original question has become obsolete really.

To ahoffmann:
very very tempting to keep the conversation going but we might upset the moderator ..........
0
 
LVL 51
Expert Comment by: ahoffmann
ID: 13488140
temptation may continue with laverda dash achim at gmx dot net, and I know how to talk to the moderators ;-)
0