[nsp] Detecting hacked boxes on switch
Gert Doering
gert at greenie.muc.de
Tue Jul 1 22:21:48 EDT 2003
Hi,
On Tue, Jul 01, 2003 at 09:27:19AM -0400, James hampton wrote:
> Our bandwidth meters are maxing out on an incoming link to our provider, this usually means one of our boxes has been hacked and someones pushing a bunch of mp3's or what ever onto one of our boxes. Most of our servers are connected to one of two switches, is there anyway I can look at switchport utilization or some other method on the switch to help narrow down or identify which box is being hacked?
On a Cisco switch with CatOS, try "show top" - it will tell you which port
has the highest usage. Quite helpful.
(Do IOS-Switches have this as well?)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de
More information about the cisco-nsp
mailing list