rblampain

machine exploited

Linux ximian evolution.
I am on an AU$28.95 plan with a 200MB download limit which is far more than I need for the time. All of a sudden my ISP is charging AU$149 for the last month which is about AU$120.00 of excess download that I definitely did not have. With the plan I have this is about 9 days of non-stop download. I've reported the situation to the ISP and asked them to investigate but their answers are not promising. So I have a few questions.

1) I have tried to trace the source of the trouble on my machines but without success. Are there some tools I can use to help, preferably free? Perhaps I already have some with my distro (Fedora C2).

2) With the plan I have I get a "dynamic" ISP address and since all my internet connections are through this ISP, I thought that should automatically offer some protection and that such exploit should mostly be detected by the ISP, so I blame the ISP for the problem. Is my view unfair?

3) I cannot afford this sort of monthly expense and I've told the ISP if there is no clear result of their investigation I will have to terminate the service just to prevent a repeat. Will it help if I change to another ISP? (I'm beginning to wonder about the one I have because they send me an email asking me to provide them with my password so that they could carry on with their investigation)

4) The "inbox" shows all the emails I've received and all the ones that are junk mail carry the mention "invoked by network" which I assumed means that one machine on the LAN (there are 3) is asking for it. Is that assumption correct?

It is worth noting that I have been working some 12 hours a day at this LAN (the 3 machines are next to one another) for the period involved, mainly testing network scripts, this involved regularly checking the modem's LEDs are blinking, showing the scripts did something and this modem was looking idle all the time except when a script was running successfully. On top of that, when I got up in the morning, it often happened that the internet connection was lost (another post) and as a result, I'm amazed that, if there was illicit traffic going on, I didn't notice it.
Thank you for your help.
ASKER CERTIFIED SOLUTION
ahoffmann
This solution is only available to members.
rblampain

ASKER

I made a mistake assuming the integrity of the ISP, I assumed the traffic did happen in such a huge way (24 gig). After the last post I decided to check everything and found this ISP has increased the charge for excess downloads from AU$0.005 to AU$0.11 without warning.
This is a 22-fold increase, what should have cost me $6.00 now costs $132.00.

There are still some downloads that I definitely never had like 1133 MB one day, 1103MB spread over 2 consecutive days, 1032MB on another day, the rest is small downloads.
If I need a 30MB file, I usually find out if I can get the CD, so that gives you an idea how I go about downloads. The total download for the next bill is 3632.71 MB which is hugely more than I use. At their current charges this will be AU$399.59

I thought I would check the previous bills to make sure the AU$0.005 per MB is not my imagination but my work was interrupted by their implementation of a new splash page and site presentation which unfortunately prevents me from accessing my history. I managed to get access to my usage before this happened then I can't get access at all. So I'll have to wait some time until this is resolved and I'll then try to make sense of it all and perhaps give more details in this post.

In the meantime I'd like to ask your opinion about the jump from 0.005 to 0.11 for excess downloads. Would this be "normal" practice?

 
>  Would this be "normal" practice?
hmm, don't know what oz praxis is, just know that police in Qld for example is strange, somehow .. ;-)
SOLUTION
This solution is only available to members.
Thanks to SunBow

a) Yes I do suffer. I do go off-net most of the time since the problem arose. I only turn the modem on when ready to "surf". Could you elaborate about your comment: "If they have daily billing, with complete off days you can find out if their numbers are invalid"? I'd love to do that.
b) I'm ready to switch ISP, this ISP's competitors offer "shaped" download for excess downloads, no charge at all for excess downloads.
c) Will keep an eye on it but never noticed anything, disk activity LED is close to screen and in full view from the corner of my eye, the best way to detect (light) movement.
d) My only web activity is to find solutions to programming problems, I'm setting up a site for a not-for-profit as a volunteer and have a lot to learn in many areas, downloading the same stuff is very unlikely and downloads are always small and saved for reference.
e) I'd like to leave unexpected mail on the server but it's not an option,  mail is kept on the server (ISP) and downloaded in bulk and when I download it I don't know what's coming but my first action is to send unexpected mail to the bin without opening it.
f) FTP is not enabled, I just checked and the ~/vsftpd.conf (ftp configuration file) does not even exist except for the logs
g) I'll monitor disk storage, as far as mass activity is concerned I thought the best indication is the LEDs of the modem, please tell me if this assumption is wrong. Setup is: 3 Linux/Fedora C2 machines ---> modem/router/switch ---> ADSL line. Unexpected activity wouldn't go unnoticed, see my initial explanations.
h) I'm the only one using this home LAN, basic iptables (firewall) is  running, could probably be better though especially if I knew what I'm chasing.

Your suggestions are excellent for the process of elimination I'm finding myself in.

To all:
Latest developments: when logging in, this ISP presents a new "agreement" that gives 2 options, "agree" or "disagree", I suspect this is an attempt at covering themselves for the 22 fold increase mentioned above. Clicking "disagree" gives a very small message "session terminated". I've contacted the "Telecommunications Ombudsman" we have and this gave me the name and phone number of a person to contact at this ISP, which I did immediately. However I got an answering machine and left all my details with my phone number repeated twice as their message promised to return the call. A full working day has elapsed since and no return call was received. I will ring them again on Monday and most likely will have to return to this ombudsman just to have access to my history as a first step.

In my view, it's getting more and more obvious that there is something fundamentally wrong going on with this ISP and that my system has never been exploited.


To ahoffmann:
QLD police are just boy-scouts compared to some other AU states'. There are fascinating stories much better than any TV you can watch.
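One way to check an ISP's daily usage figures against what a Linux machine actually received, as an added example that is not part of the original thread: it totals per-day received bytes from `/proc/net/dev` snapshots, allowing for 32-bit counter wrap and reboots. The interface name `eth0`, the day labels, the sample values and the 5 MB slack are constructed; the counters include LAN-local traffic, so the result is an upper bound on that machine's internet download.

```python
from collections import defaultdict

WRAP32 = 2 ** 32  # older kernels keep 32-bit byte counters that wrap at 4 GiB

# Constructed sample of /proc/net/dev (not taken from the thread).
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  104500     950    0    0    0     0          0         0   104500     950    0    0    0     0       0          0
  eth0:4290000000 3100000    0    0    0     0          0         0 210000000 1900000    0    0    0     0       0          0
"""

def rx_bytes(proc_net_dev, iface):
    """Return the received-bytes counter for iface from /proc/net/dev text."""
    for line in proc_net_dev.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            return int(rest.split()[0])
    raise KeyError(iface)

def daily_rx_mb(samples, wrap=WRAP32):
    """samples: time-ordered (day, uptime_seconds, rx_bytes) tuples.
    Each delta is credited to the later sample's day; 1 MB = 10**6 bytes here."""
    per_day = defaultdict(int)
    for (_, up0, b0), (day, up1, b1) in zip(samples, samples[1:]):
        if up1 < up0:        # uptime went down: reboot, counter restarted at 0
            delta = b1       # bytes between the last sample and the reboot are lost
        elif b1 < b0:        # same boot but counter decreased: assume one wrap
            delta = b1 + wrap - b0
        else:
            delta = b1 - b0
        per_day[day] += delta
    return {day: n / 1e6 for day, n in per_day.items()}

def unexplained(isp_mb, local_mb, slack_mb=5.0):
    """Days on which the ISP's figure exceeds the local upper bound by > slack."""
    gaps = {d: round(isp_mb[d] - local_mb.get(d, 0.0), 1) for d in sorted(isp_mb)}
    return {d: g for d, g in gaps.items() if g > slack_mb}

# Constructed snapshots: a counter wrap before day2, a reboot before day3.
SAMPLES = [("day1", 1000, 4_280_000_000), ("day1", 40000, 4_290_000_000),
           ("day2", 90000, 8_032_704), ("day3", 600, 2_000_000)]
ISP_MB = {"day1": 12.0, "day2": 1133.0, "day3": 1032.0}  # constructed ISP report

if __name__ == "__main__":
    print(rx_bytes(SAMPLE_PROC_NET_DEV, "eth0"))
    print(unexplained(ISP_MB, daily_rx_mb(SAMPLES)))
```

Snapshots need to be taken often enough that the counter cannot wrap more than once between two of them, and taken on every machine on the LAN before the per-day totals are summed and compared.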
<off-topic>
> .. fascinating stories ..
yes I know, have been part of it :-( but also know that the biker's community is perfectly organized :-))
</off-topic>
To SunBow:
I've written a little script that shows disk usage differences between instances of this script and it is always what I expect.  Every passing day convinces me more that my system was never exploited.

To all:
I managed to talk to somebody at this ISP and I was told my case would be examined this week. I think it's unfair of me to hold any longer on the points. My original question has become obsolete really.

To ahoffmann:
very very tempting to keep the conversation going but we might upset the moderator ..........
temptation may continue with laverda dash achim at gmx dot net, and I know how to talk to the moderators ;-)