We've found out a abnormal usage of one of our servers, our RTG graphs shows:
And a strage traffic:
We are running two websites on this server, and we looked at raw log apache, we've compilers disabled, we block most of outgoing / incoming packets on firewall, we ran chkrootkit, rkhunter and nothing was found. We checked for cronjobs, suspect files, netstat, but we can't see anything strange. We use the latest server software (apache 2.2.x), PHP 5.2.x, MySQL 4.1.x, we have most of the server optimized.
We are running iptraf now, and it seems normal:
│ Incoming rates: 85.8 kbytes/sec
│ Outgoing rates: 636.4 kbytes/sec
Anyone have an idea? And some way to properly monitor incoming traffic? I'm looking to find how/where is the source of this traffic.