Strange uploads - hacked?


ok, I don’t know where to put this so I try it here…

On the weekend, 30th of june in the early morning hours between 1:00 and 3:00 am there was heavy outgoing traffic around 3,74GB in total.

At 4:45 there is a fullbackup set up, this is around 760MB, so this was expected. But wat is the rest?

Coming from Webminport(??), remote port is not shown at all?

I’m really confused what happens here. This file upload is 4 time the backup, what the heck was done here?

If I look at /var/log/bandwidth the traffic is not shown. There is a gap between 24 of june and the first of july. I’m not quite sure, why this happened, perhaps I restarted it during the analyzing.

Does anyone have an idea how I can analyze where the data is uploaded and what this could be?

Thanks in advance!

Post edited by: ChristianReitz, at: 2007/07/02 13:12

Post edited by: ChristianReitz, at: 2007/07/02 13:13<br><br>Post edited by: ChristianReitz, at: 2007/07/02 14:33

Hmm, I was not successfull including the image… here it is in zip package. [file size=38891][/file]

Ok, I found a massive overview in the syslog. Bandwidth log for source an only one destination IP that is coming from a dialin subnet.

Is is possible that webmin might be hacked?

There is no occurance in the eventlog and I use very extensive passwords, 12-16 characters, with chars and digits etc. no password is equal… I was really paranoid setting them up, so I guess just hacking per brute force or somehting is not possible.

Authlog does not show anything usefull during the time and … I’m rather perplexed.

At the moment I’m scanning my system with clamav… does anyone have an idea, what I could do to exclude a system hack?

Guess my next steps will be to shutdown the connections, having webmin on a local port only and allow access only via openvpn or something… :frowning:

LOL!!! I found it! I was it myself…

What I did? I cannot believe it myself… laugh.

I installed OpenVPN and the Webmin-module. Then I tried to generate a key for the CA, with 4096bit. Every second there were about 10 or more "+" on the screen to show the progress.

After about 1 hour I decided to leave it for good and went to bed… I guess 10 or more upates on a page every second, this would summ up to the 2,5GB. The IP mentioned in the logs could be the one I had from the provider on this evening. And this is the only explanation I can find for this…

Guess my wife safed us another few GB traffic shuting down my computer in the middle of the night … I blamed her, because the key generation failed, but… I guess I have to thank her :wink:

CLOSED :wink: