Yesterday morning we started seeing some unusual things at the firewall (7.502). The CPU usage went from minimal usage to about 20% usage, and the external traffic went from peaks of up to 0.5 M to running at 2.5 M outbound and 1.5 M inbound. The internal and DMZ connections still look basically normal. The external connection stayed at those high levels overnight when no one was in the office. Obviously, our internet connection is running _very_ slow.
I'm trying to figure out what's happening. If this were an attack I would expect the inbound traffic to be high and the outbound to be at the normal level. Since the outbound is higher than the inbound, I'm wondering if the firewall has been compromised and is being used as a zombie or something.
Any suggestions on how I can figure out what's going on are appreciated.
Larry