[CentOS] Outbound traffic spike every 30 minutes

Tue Dec 3 22:13:48 UTC 2013
Bowie Bailey <Bowie_Bailey at BUC.com>

On 12/3/2013 4:49 PM, m.roth at 5-cent.us wrote:
> Bowie Bailey wrote:
>> Since Sunday morning, one of my CentOS servers has been generating a
>> small spike of outbound traffic every 30 minutes (X:00 and X:30). It's
>> not enough traffic to really cause any notice except for the fact that
>> it is a very regular pattern and it started abruptly at midnight Sunday.
>>
>> This server is used for mail (Courier-MTA), and DNS (Bind).  I cannot
>> find anything unusual in either of those logs.  I tried grepping through
>> my firewall logs, but have been unable to find anything useful there
>> either.  I don't see any cron jobs that would generate network traffic.
>>
>> Any suggestions how I can go about tracking this down?
> Run rkhunter?
>
> Actually, if it's that regular, you could run tcpdump when you expect it.

rkhunter complained about a few files, but "rpm --verify" doesn't flag 
any of them.  Other than that, just a few insecure settings and out of 
date programs, which are not ideal, but do not indicate a problem on 
their own.

I could try running tcpdump or wireshark, but that's going to generate a 
lot of data and I'm not sure how to go about filtering it.  I know the 
spike happens on the hour and half hour, but my traffic monitor does not 
give me enough detail to see exactly when it starts or exactly how long 
it lasts and I don't know what protocol or port I'm looking for.

-- 
Bowie
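The timed capture Mark suggests, as an added example that is not part of the thread: a short POSIX sh script that sleeps until just before the next :00/:30 boundary, captures a few minutes of this server's outbound packets, and summarises them by destination with the expected SMTP and DNS ports filtered out, so whatever is left is the thing to look at. The interface name, the 192.0.2.10 server address and the sample tcpdump lines are constructed assumptions, not data from the list.

```sh
#!/bin/sh
# Added example, not from the thread. Wait for the next :00/:30 boundary,
# capture a bounded window of this server's outbound packets, and summarise
# them by destination so an unknown periodic burst stands out from the
# server's expected mail (25) and DNS (53) traffic.
# Assumed: the outside interface is eth0, and tcpdump, timeout and a POSIX
# awk are installed.

# Seconds to sleep so a capture starts LEAD seconds before the next boundary.
# Takes the epoch as an argument so the arithmetic can be checked offline.
secs_until_half_hour() {            # $1 = epoch seconds, $2 = lead seconds
    rem=$(( 1800 - $1 % 1800 ))     # seconds left in the current half hour
    [ "$rem" -le "$2" ] && rem=$(( rem + 1800 ))   # too close: use the next one
    echo $(( rem - $2 ))
}

# Read "tcpdump -nn -q" text on stdin, keep packets sourced from $1, drop the
# ports the server is expected to use, and print "count dst.port proto",
# busiest destination first.
summarize_outbound() {              # $1 = this server's IPv4 address
    awk -v me="$1" '
        $2 == "IP" && substr($3, 1, length(me) + 1) == me "." {
            split($3, s, "."); split($5, d, ".")   # a.b.c.d.port[:]
            sport = s[5]; dport = d[5]
            sub(/:$/, "", dport); sub(/,$/, "", $6)
            if (sport == 53 || dport == 53 || sport == 25 || dport == 25) next
            count[d[1] "." d[2] "." d[3] "." d[4] "." dport " " $6]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of tcpdump -nn -q output (not a real capture): three
# packets to an unexplained port, plus expected DNS and SMTP that are ignored.
SAMPLE='22:30:00.000100 IP 192.0.2.10.45000 > 198.51.100.7.8080: tcp 0
22:30:00.000200 IP 192.0.2.10.45000 > 198.51.100.7.8080: tcp 120
22:30:00.000300 IP 192.0.2.10.45000 > 198.51.100.7.8080: tcp 0
22:30:00.000400 IP 192.0.2.10.53 > 203.0.113.5.33000: UDP, length 90
22:30:00.000500 IP 203.0.113.9.25 > 192.0.2.10.50000: tcp 0
22:30:00.000600 IP 192.0.2.10.50001 > 203.0.113.9.25: tcp 0
22:30:00.000700 IP 192.0.2.10.40000 > 198.51.100.8.123: UDP, length 48'

# Usage: sh find_spike.sh <server-ip> [iface]   (live capture, needs root)
# With no arguments it only summarises the constructed sample above.
if [ "$#" -ge 1 ]; then
    sleep "$(secs_until_half_hour "$(date +%s)" 60)"
    timeout 180 tcpdump -nn -q -i "${2:-eth0}" src host "$1" | summarize_outbound "$1"
else
    printf '%s\n' "$SAMPLE" | summarize_outbound 192.0.2.10
fi
```

Once the summary names a destination and port, a second run with `tcpdump -w` restricted to that host keeps the full packets for closer inspection, and the originating process can be matched up with `netstat -tunp` or `lsof -i` taken during the same window.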