Transmitting bandwidth maxing out

Hey All,
I have searched high and low to figure this problem out, to no avail. For about a week, one of my PBXs starts transmitting packets to the point of maxing out my bandwidth. This box has been running for almost a year with no problems. If I restart the box, it corrects itself, but the packets it is transmitting start increasing and in about 2-3 hours it gets to the maxed out state. During this time the system becomes more and more unusable. When we make an outgoing call the voice chops really bad. Now during this time there are no phone calls going on. Any ideas on where to look would be greatly appreciated!


Here is a screen shot to show the bandwidth.

Capture some packets to see what is going on, start with

tcpdump -nnvv -i eth0 -c 100

which will capture 100 packets

Please excuse my ignorance, I have not dealt with captures before. Here is a txt dump of some of them. I do not know how to view the full dump since it looks like it was not dumped to a file.

Looks like something is being transmitted to a bunch of different IP addresses on port 123… not sure what this is used for. Was the box possibly hacked?

Port 123, both TCP and UDP, is normally used for the NTP service; it is often used for trojans/botnets.

If you haven’t set up your ntpd server to only service your LAN you should, but I suspect you have been “rooted” and there is something bogus running on your machine.

lsof -i UDP:123


lsof -i TCP:123

should identify the process serving that port.

pidof -s (the first column) should agree with the second column.

Check /tmp for bogus stuff and cron jobs that you don’t know about.

But ultimately, if you are running without any prophylactic firewall/ids in place you really need to fix that.

There is a huge NTP Amplify attack that has been going around for a month now. Looks like you got hit. Don’t expose ports like NTP to the outside world.

We were able to stop this attack by adding “disable monitor” to /etc/ntp.conf and restarting ntpd.

We had the same issue. This solved the problem for us. Thanks @tonyclewis
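
Added example, not part of any post in this thread: a shell check that audits an ntp.conf for the “disable monitor” fix described above and for whether remote hosts can still query ntpd's monitor data. The function name `audit_ntp_conf` is hypothetical; the `restrict`, `noquery`, `ignore` and `limited` keywords are standard ntpd options that the thread itself does not mention.

```shell
#!/bin/sh
# Added example: audit_ntp_conf is a hypothetical helper, not from the thread.
# Returns 0 = monitor data not remotely queryable, 1 = exposed, 2 = unreadable.
audit_ntp_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Strip comments, normalise whitespace, drop empty lines.
    active=$(sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
                 -e 's/^ //' -e 's/ $//' -e '/^$/d' "$conf")
    monitor_on=1
    query_open=1
    # The thread's fix: "disable monitor" turns the monitor facility off.
    if printf '%s\n' "$active" | grep -Eq '^disable( | .* )monitor( |$)'; then
        monitor_on=0
    fi
    # A restrict entry with the "limited" flag keeps monitoring active anyway.
    if printf '%s\n' "$active" | grep -Eq '^restrict .* limited( |$)'; then
        monitor_on=1
        echo "note: a 'limited' restrict flag keeps the monitor facility active"
    fi
    # Every default restrict entry must refuse queries (noquery or ignore).
    defaults=$(printf '%s\n' "$active" |
               grep -E '^restrict (-[46] )?default( |$)' || true)
    if [ -n "$defaults" ] &&
       ! printf '%s\n' "$defaults" | grep -Evq ' (noquery|ignore)( |$)'; then
        query_open=0
    else
        echo "note: default restrict entry missing or lacks noquery/ignore"
    fi
    if [ "$monitor_on" -eq 1 ] && [ "$query_open" -eq 1 ]; then
        echo "EXPOSED: $conf lets remote hosts query ntpd monitor data"
        return 1
    fi
    echo "OK: $conf does not expose monitor data to remote queries"
    return 0
}
```

Call it as `audit_ntp_conf /etc/ntp.conf`. The check only reads the file, so ntpd still has to be restarted after any change, as in the post above.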