
machine exploited

Linux ximian evolution.
I am on an AU$28.95 plan with a 200MB download limit which is far more than I need for the time. All of a sudden my ISP is charging AU$149 for the last month, which is about AU$120.00 of excess download that I definitely did not have. With the plan I have this is about 9 days of non-stop download. I've reported the situation to the ISP and asked them to investigate but their answers are not promising. So I have a few questions.

1) I have tried to trace the source of the trouble on my machines but without success. Are there some tools I can use to help, preferably free? Perhaps I already have some with my distro (Fedora C2).

2) With the plan I have I get a "dynamic" ISP address and since all my internet connections are through this ISP, I thought that should automatically offer some protection and that such an exploit should mostly be detected by the ISP, so I blame the ISP for the problem. Is my view unfair?

3) I cannot afford this sort of monthly expense and I've told the ISP if there is no clear result of their investigation I will have to terminate the service just to prevent a repeat. Will it help if I change to another ISP? (I'm beginning to wonder about the one I have because they send me an email asking me to provide them with my password so that they could carry on with their investigation)

4) The "inbox" shows all the emails I've received and all the ones that are junk mail carry the mention "invoked by network" which I assumed means that one machine on the LAN (there are 3) is asking for it. Is that assumption correct?

It is worth noting that I have been working some 12 hours a day at this LAN (the 3 machines are next to one another) for the period involved, mainly testing network scripts. This involved regularly checking that the modem's LEDs are blinking, showing the scripts did something, and this modem was looking idle all the time except when a script was running successfully. On top of that, when I got up in the morning, it often happened that the internet connection was lost (another post) and as a result, I'm amazed that, if there was illicit traffic going on, I didn't notice it.
Thank you for your help.

2) yes, you have to protect yourself. The ISP just routes any traffic transparently.

3) no (if the problem is on your machine)
    don't hand out your password

4) your description is too vague to give an answer here

rblampain (Author) Commented:
I made a mistake assuming the integrity of the ISP, I assumed the traffic did happen in such a huge way (24 gig). After the last post I decided to check everything and found this ISP has increased the charge for excess downloads from AU$0.005 to AU$0.11 without warning.
This is a 22 fold increase, what should have cost me $6.00 now costs $132.00.

There are still some downloads that I definitely never had, like 1133 MB one day, 1103MB spread over 2 consecutive days, 1032MB on another day; the rest is small downloads.
If I need a 30MB file, I usually find out if I can get the CD, so that gives you an idea how I go about downloads. The total download for the next bill is 3632.71 MB which is hugely more than I use. At their current charges this will be AU$399.59

I thought I would check the previous bills to make sure the AU$0.005 per MB is not my imagination but my work was interrupted by their implementation of a new splash page and site presentation, which unfortunately prevents me from accessing my history. I managed to get access to my usage before this happened, then I can't get access at all. So I'll have to wait some time until this is resolved and I'll then try to make sense of it all and perhaps give more details in this post.

In the meantime I'd like to ask your opinion about the jump from 0.005 to 0.11 for excess downloads. Would this be "normal" practice?

>  Would this be "normal" practice?
hmm, don't know what oz praxis is, just know that police in Qld for example is strange, somehow .. ;-)
a) You are suffering, So suffer. Turn it off, go off-net for awhile. If they have daily billing, with complete off days you can find out if their numbers are invalid

b) Look for alternative, no fee service for bytes

c) Look at monitoring yourself better.  For example, is disk indicating activity when you have nothing in transit.

d) Make sure your browser, for example, is using caching, and not always downloading same webpages over and again

e) For eMail, defend first against obvious spam, don't even bother to download unexpected mail content

f) Look for a shared area someone could be borrowing, such as for FTP

g) Watch very regularly your available disk storage, make notes, look for unexpected spikes of mass activity

h) Check to ensure you have not become some zombie who is reduced to being transparent forwarder from one person to another.  Some of this you may be able to defend via a firewall to block both the incoming and outgoing packets you have not knowingly solicited
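
Added example, not part of any post in this thread: one way to do the self-monitoring suggested in (a) and (c) is to save the kernel's interface byte counters from `/proc/net/dev` at the start and end of a day and compare the difference with the ISP's daily figure. The interface name `eth0`, the 32-bit counter wrap, decimal megabytes and both sample snapshots are assumptions constructed for illustration.

```python
"""Per-interface traffic between two /proc/net/dev snapshots (added example)."""

COUNTER_WRAP = 2**32  # assumption: 32-bit byte counters, as on older kernels
BYTES_PER_MB = 1_000_000  # assumption: the ISP bills in decimal megabytes

# Constructed sample snapshots, e.g. saved with `cat /proc/net/dev` morning and evening.
HEADER = (
    "Inter-|   Receive                        |  Transmit\n"
    " face |bytes packets errs drop fifo frame compressed multicast"
    "|bytes packets errs drop fifo colls carrier compressed\n"
)
MORNING = HEADER + (
    "    lo: 52000 400 0 0 0 0 0 0 52000 400 0 0 0 0 0 0\n"
    "  eth0:4290000000 3100000 0 0 0 0 0 0 150000000 900000 0 0 0 0 0 0\n"
)
EVENING = HEADER + (
    "    lo: 61000 470 0 0 0 0 0 0 61000 470 0 0 0 0 0 0\n"
    "  eth0:25032704 3125000 0 0 0 0 0 0 152500000 915000 0 0 0 0 0 0\n"
)

def parse_net_dev(text):
    """Return {interface: (rx_bytes, tx_bytes)} from /proc/net/dev contents."""
    counters = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or len(fields) < 16:
            continue  # header lines carry no "iface:" prefix
        counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters

def delta(before, after):
    """Bytes moved between two readings, allowing for one counter wrap.
    A reboot between readings also resets the counter and makes this invalid."""
    return after - before if after >= before else after + COUNTER_WRAP - before

def usage_mb(snap_before, snap_after, skip=("lo",)):
    """Return {interface: (rx_mb, tx_mb)} for interfaces present in both snapshots."""
    old, new = parse_net_dev(snap_before), parse_net_dev(snap_after)
    report = {}
    for iface, (rx, tx) in new.items():
        if iface in skip or iface not in old:
            continue
        report[iface] = (round(delta(old[iface][0], rx) / BYTES_PER_MB, 2),
                         round(delta(old[iface][1], tx) / BYTES_PER_MB, 2))
    return report

if __name__ == "__main__":
    for iface, (rx, tx) in usage_mb(MORNING, EVENING).items():
        print(f"{iface}: received {rx} MB, sent {tx} MB")
```

Each machine's counters cover only that machine and include LAN-local traffic, so with several hosts behind one modem/router the per-host figures are an upper bound on what each contributed to the ISP's total.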
rblampain (Author) Commented:
Thanks to SunBow

a) Yes I do suffer. I do go off-net most of the time since the problem arose. I only turn the modem on when ready to "surf". Could you elaborate about your comment:"If they have daily billing, with complete off days you can find out if their numbers are invalid"? I'd love to do that.
b) I'm ready to switch ISP, this ISP's competitors offer "shaped" download for excess downloads, no charge at all for excess downloads.
c) Will keep an eye on it but never noticed anything, disk activity LED is close to screen and in full view from the corner of my eye, the best way to detect (light) movement.
d) My only web activity is to find solutions to programming problems, I'm setting up a site for a not-for-profit as a volunteer and have a lot to learn in many areas, downloading the same stuff is very unlikely and downloads are always small and saved for reference.
e) I'd like to leave unexpected mail on the server but it's not an option,  mail is kept on the server (ISP) and downloaded in bulk and when I download it I don't know what's coming but my first action is to send unexpected mail to the bin without opening it.
f) FTP is not enabled, I just checked and the ~/vsftpd.conf (ftp configuration file) does not even exist except for the logs
g) I'll monitor disk storage, as far as mass activity is concerned I thought the best indication is the LEDs of the modem, please tell me if this assumption is wrong. Setup is: 3 Linux/Fedora C2 machines ---> modem/router/switch ---> ADSL line. Unexpected activity wouldn't go unnoticed, see my initial explanations.
h) I'm the only one using this home LAN, basic iptables (firewall) is running, could probably be better though especially if I knew what I'm chasing.

Your suggestions are excellent for the process of elimination I'm finding myself in.

To all:
Latest developments: when logging in, this ISP presents a new "agreement" that gives 2 options, "agree" or "disagree", I suspect this is an attempt at covering themselves for the 22 fold increase mentioned above. Clicking "disagree" gives a very small message "session terminated". I've contacted the "Telecommunications Ombudsman" we have and this gave me the name and phone number of a person to contact at this ISP, which I did immediately. However I got an answering machine and left all my details with my phone number repeated twice as their message promised to return the call. A full working day has elapsed since and no return call was received. I will ring them again on Monday and most likely will have to return to this ombudsman just to have access to my history as a first step.

In my view, it's getting more and more obvious that there is something fundamentally wrong going on with this ISP and that my system has never been exploited.

rblampain (Author) Commented:
To ahoffmann:
QLD police are just boy-scouts compared to some other AU states'. There are fascinating stories much better than any TV you can watch.

> .. fascinating stories ..
yes I know, have been part of it :-( but also know that the biker's community is perfectly organized :-))

rblampain (Author) Commented:
To SunBow:
I've written a little script that shows disk usage differences between instances of this script and it is always what I expect. Every passing day convinces me more that my system was never exploited.

To all:
I managed to talk to somebody at this ISP and I was told my case would be examined this week. I think it's unfair of me to hold any longer on the points. My original question has become obsolete really.

To ahoffmann:
very very tempting to keep the conversation going but we might upset the moderator ..........

temptation may continue with laverda dash achim at gmx dot net, and I know how to talk to the moderators ;-)
