0

I have a Debian 6.0 server and everything was running fine with it. This server is my environment so I can develop web applications.

Since yesterday, the server is doing something to the network and I don't know how to find the source. Every time the server is plugged into the network, the switch and the router go crazy and the network doesn't work fast anymore. I get 2654ms when I ping Google. However, when I ping another computer I still get 1ms. This only means that the problem is between my server and the Internet. The router is so busy that it doesn't answer when you contact it. If I unplug my server, everything goes back to normal. If I plug it back in, I can see the LED on the switch flashing crazy like it's gonna blow.

Is there a way to isolate the problem? I have no clue at all.

Thank you.

David Bélanger
  • Is this running behind a firewall or NAT of some sort? That may help to narrow things down. – Soviero Feb 07 '13 at 15:26
  • Boot the Deb6 hardware off a livecd, and reconnect. Do you still have problems? If yes, then hardware/wiring is messed up. If no then it is something running on the Deb6 box. Login, and see what is running. – Zoredache Feb 07 '13 at 15:31
  • 1
    First off, cool the hyperbole - your switch is not "gonna blow". You have a problem, troubleshoot it *logically and methodically* - you already determined this system is the culprit, so now put it on an isolated network and look at the traffic it produces. Run `nettop` or similar to see if it's a specific process causing the problem. Boot off a LiveCD to rule out a hardware issue. If you determine the box is compromised proceed per http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – voretaq7 Feb 07 '13 at 17:29

3 Answers

3

Sounds like the server has been infected and you need to reinstall it.

MikeyB
  • Is there a way to isolate the % of use of the network per process? – David Bélanger Feb 07 '13 at 15:04
  • Yes - see [Daniel's suggestion](http://serverfault.com/a/476464/2101) for nethogs or [voretaq7's suggestion](http://serverfault.com/questions/476448/debian-server-is-killing-my-network/476449#comment527899_476448) for nettop. – MikeyB Feb 07 '13 at 18:06
1

It's a shot in the dark, but does your Debian server have an Intel 82574L ethernet controller? If yes, take a look at http://blog.krisk.org/2013/02/packets-of-death.html

weeheavy
1

Try to identify the process which is generating all the traffic. One useful utility would be nethogs. Once you have identified the process, use lsof to see all the files opened by that program and look for any suspicious looking files, in case your server is infected.

Daniel t.