Web Hosting Talk

Could Code Red Do This?


Shawn (GEcom)
08-08-2001, 03:19 PM
Ok, I have a few questions and a little story. I am on a shared account if it matters.

On Monday, August 6, 2001 at 10:55:47 (MDT), I checked my web statistics and discovered my site had used exactly 0.212 gigs since August 1st. I have been monitoring the bandwidth a lot lately, and this seemed normal.

The next day, Tuesday August 7th, 2001 at 14:37:14 (MDT), I checked the statistics again and the stats said I had used 3.730 gigs. These are supposed to be real-time stats.

During this time, I had only recorded 250 pageviews, and nothing seemed out of place. The day before, I had uploaded 20 megs of HTML files (that's a lot of HTML files), but through this time, very few people viewed the pages.

I am wondering where all this bandwidth went? I asked support, and I don't doubt them, but they said it was most likely Code Red related. The problem is, the server is a RaQ, so Code Red does not really affect it.

Could Code Red really use up this much bandwidth in a matter of hours?

Thanks,
Shawn

CagedTornado
08-08-2001, 03:43 PM
Because Code Red hits port 80, I'm thinking that either:

a.) Your logs aren't accurate (and you did use 3.2 gig)
b.) You really didn't use 3.2 gig overnight (and your logs are correct)
c.) or perhaps tech support is smoking crack (which is related to point b.)

HTTP traffic would be logged (normally) even if the attempted hit was trying to access something that wasn't on your site.

Is SMTP traffic counted in your bandwidth? Is somebody using your mail server in a bad way?

Just a thought.

Dan

B-Broker
08-08-2001, 03:54 PM
Originally posted by CagedTornado
...or perhaps tech support is smoking crack...

What host are you using? ***** has this problem quite often (the techs on crack)...You may want to switch your hosts or try your own monitoring software...

cabalstudios
08-08-2001, 04:54 PM
Well, seems that some people aren't aware of what the code red worm virus is actually capable of doing.

Shawn, it is very possible that if you are on an NT build, then the data transfer can rise, if you have been infected with the Code Red worm virus.

What this virus does is it scans internal network machines and infects them also; finally it will "DOS" your machine and the machine will die. I am assuming that you have patched your server etc.....

Here is what you need to do to make sure you are clean and not infected, this is advice for everyone :)

WE ARE EXPERIENCING A NUMBER OF PROBLEMS WITH THE "CODE RED" VIRUS. IT IS ABSOLUTELY VITAL THAT ALL WINDOWS NT AND WINDOWS 2000 COMPUTERS, EITHER WORKSTATIONS OR SERVERS WHICH ARE RUNNING INTERNET INFORMATION SERVICES (IIS) ARE CHECKED :-

To check if you are running Internet Information Services (IIS)

Press ALT, CTRL & DEL.
Select <TASK MANAGER>
Select the <PROCESSES> Tab
If you see a process called 'inetinfo.exe' in the Image Name column then you are running IIS

If you are not running IIS then you have no problems

However, if you are running IIS then from a Command Prompt enter the following command:-

'DIR C:\IDQ.DLL /S'

If this command finds any files with a date stamp older than 24/05/01 then shut down and switch off the computer immediately and call the helpdesk immediately.

Here's more insight into the actual features of the Code Red worm :)

As the worm only exists in memory on an affected server (it is not written to disk), once the patches have been applied, the server should be re-booted. If the server is re-booted without the patches in place, the worm will re-infect.

A variant of Code Red called W32/CodeRed.c.worm is also known to be in the wild (it appears to have been discovered on Saturday 4th August 2001). The worm is basically similar to the original Code Red worm but it affects only Windows 2000 and Windows XP machines running web servers. Its infection pattern is different (it spreads for 24 hours after infection) and also drops a backdoor Trojan on the machine with the following files:

c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe.

It also tries to create the files c:\explorer.exe and d:\explorer.exe, which it carries within itself. This exploits the "Relative Shell Path" Vulnerability, which states that Windows will run c:\explorer.exe before %windir%\explorer.exe. So, the trojan can be run wherever EXPLORER.EXE is called. The 4152 DAT file for VirusScan will detect this trojan.

If anyone requires more info then don't hesitate to email me; this worm is not hype :)

Shawn (GEcom)
08-08-2001, 05:28 PM
The machine is running Linux, so I doubt that is the problem. Thanks for the help thus far, and it is a shared account, so it's not necessarily my server.

Thanks,
Shawn

The Prohacker
08-08-2001, 05:29 PM
Is your account running anon ftp?

SI-Chris
08-08-2001, 11:39 PM
Shawn: The Code Red worm doesn't attack URLs, it attacks IP numbers. I did a ping to your site and got the IP number for your site. I entered that number into my browser and got a completely different site. That means that your site is on a shared IP number, and it is *impossible* that Code Red is attacking your site.

Even if it was attacking your site, the way it works is to send a very long URL to your server; if you're on a Cobalt, the only thing that would happen is that it would generate a "404 not found" page. Unless you had a custom 404 page that played a several-megabyte MP3 file or something, the traffic generated from a Code Red "hit" would be insignificantly small.

Our busiest server has had about 1100 Code Red "hits" in the last 16 hours (since the logs rolled over). That's for the whole server, so divide that by 40 IPs on that server and you get about 28 hits per IP, which is less than 2 an hour--as I said, completely insignificant.

I don't know what's causing the discrepancies in your log files, but it sure ain't Code Red, and you need to tell the techs at your hosting company that so they won't try and brush you off and not investigate what the real problem is.

Shawn (GEcom)
08-09-2001, 11:25 AM
I appreciate the assistance and help from everyone.

The site has its own static ip, http://66.51.110.46/ is also the same as the domain.

I will contact support again and try to solve this issue.

Regards,
Shawn

SI-Chris
08-09-2001, 03:32 PM
Originally posted by Shawn (Wrestlecar.com)
The site has its own static ip, http://66.51.110.46/ is also the same as the domain.
When I ping or traceroute (http://net.yahoo.com/cgi-bin/trace.sh?wrestlecar.com) to "wrestlecar.com" I get an IP number of 64.75.34.136. But a traceroute/ping (http://net.yahoo.com/cgi-bin/trace.sh?www.wrestlecar.com) to www.wrestlecar.com gives the IP number you mentioned above. I see you're using the MyDomain DNS service, which explains that.

Even so, Code Red cannot swell your bandwidth as you reported.

akersche
09-21-2001, 03:39 PM
I am on Tera-Byte and got a unique IP...

and my bandwidth explodes :-((
I also get a lot of requests for pages that don't exist, and it is always a lookup of NT files.
Here are some samples:
216.86.194.75 - - [20/Sep/2001:08:09:09 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 234 "-" "-"
216.205.78.42 - - [20/Sep/2001:08:14:49 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 226 "-" "-"

I knew why I chose Linux. But still my bandwidth is used... emailed Tera-Byte to work on that and set my bandwidth to a maximum. Hopefully they do that soon!

Is that also the virus???
Any suggestions for me?
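A defender-side check for the question this post raises, as an added example that is not from the thread: it parses access-log lines in the format quoted above, separates Code Red / Nimda probe requests from normal traffic, totals the bytes each class actually consumed, and works out how many ~230-byte probe responses a reported multi-gigabyte jump would require. The third log line and the `probes_needed` helper are assumptions added for illustration.

```python
import re
from collections import Counter

# Constructed sample in Apache combined-log format: the two probe lines quoted
# in the post above plus one ordinary page hit (10.0.0.5 is made up for contrast).
SAMPLE_LOG = """\
216.86.194.75 - - [20/Sep/2001:08:09:09 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 234 "-" "-"
216.205.78.42 - - [20/Sep/2001:08:14:49 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 226 "-" "-"
10.0.0.5 - - [20/Sep/2001:08:20:00 -0600] "GET /index.html HTTP/1.0" 200 71234 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Request paths seen from Code Red II / Nimda-style probes: the cmd.exe and
# root.exe lookups quoted in this thread, the MSADC path listed earlier in it,
# and the /default.ida request the original Code Red sent at the IIS .ida filter.
PROBE_RE = re.compile(r'(default\.ida|/cmd\.exe|/root\.exe|/msadc/)', re.IGNORECASE)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" = no body
    return rec

def summarize(log_text):
    """Split traffic into worm probes and everything else, with bytes per class."""
    probe_hits = probe_bytes = other_bytes = 0
    sources = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if PROBE_RE.search(rec["path"]):
            probe_hits += 1
            probe_bytes += rec["bytes"]
            sources[rec["ip"]] += 1
        else:
            other_bytes += rec["bytes"]
    return {
        "probe_hits": probe_hits,
        "probe_bytes": probe_bytes,
        "other_bytes": other_bytes,
        "top_sources": sources.most_common(5),
    }

def probes_needed(jump_bytes, avg_probe_bytes):
    """How many probe responses it would take to account for a reported jump."""
    return (jump_bytes + avg_probe_bytes - 1) // avg_probe_bytes

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), probes_needed(int(3.8 * 1024 ** 3), 230))
```

Run it against a real access log (replace SAMPLE_LOG with the file contents) and compare probe_bytes with the jump the bandwidth meter reports; a 3.8 GB overnight jump would need on the order of 17 million probe responses, which would have to be visible in the log.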

akersche
09-21-2001, 03:57 PM
I am an IT professional, too, and know pretty well what the virus is doing... but still I can't do anything about that...

The only thing I could think of was reading which IPs try to fetch non-existent files, trying to contact the webmaster... and pinging them from fast T1 servers, to let those hackers/viruses die with the servers...
But that would be the last thing... But if I don't see another chance....

I contacted Tera-Byte about setting a maximum on my usage and trying to fix the problem.

cabalstudios, thanks a lot for your informational and interesting postings!!

akersche
09-21-2001, 04:20 PM
I am thinking of reporting the attack to the FBI...
Perhaps they will then care more about it, if a lot of people are complaining, and try harder to solve the problem:
http://www1.ifccfbi.gov/index.asp

kmh
09-21-2001, 04:23 PM
I have an idea that the FBI probably knows all about this most recent worm. :)

Shawn (GEcom)
09-21-2001, 04:27 PM
This CERTAINLY IS NOT CORRECT!!

Something is messed up with Tera-Byte's bandwidth program, and personally, I am getting REALLY tired of it.

There is NO possible way that my Bandwidth can jump 3.8 GB over ONE NIGHT, but it managed to do so last night. This is especially concerning because only 280 pageviews were recorded overnight.

I checked my Bandwidth last night, and it was about 800MB for the month. This was using their "new realtime bandwidth" application.

This afternoon, I checked it again, and it was at 4.362 GB.

This is not an isolated incident. If you read above, the same thing happened to me last month around the same time. I am not the first person to complain about this either, as you can look through this post and around these forums and you will find many others having the same problem with Tera-Byte.

I am seriously considering moving, as this simply is not right. There is no way that the bandwidth usage could go up almost 4 GB when my logs only read that 280 PAGEVIEWS have occurred since then. 280 PAGEVIEWS!

This is the math I use:

The largest page with images is about 150KB. The average page is about 70KB with images. Let's just use 200KB for representation.

I am going to use a few rounded numbers to make calculations somewhat easier.

200KB Per Page x 300 Pageviews = 60000KB

60000KB = 58.59 MB

By this rate, every page has to be 15.95MB! I certainly don't think so!

I am very tired of this occurring, and I am beginning to get very concerned. It's hard to believe that this has happened two months in a row around the same time of the month, and the bandwidth usage jumped a few gigs. Last month when I contacted their support, they said it was related to the Code Red virus, but the number of requests needed to use 3-4 gigs of bandwidth would have brought the server to a crawl.

Every month the bandwidth jumps more and more; last month it jumped 3 gigs at one time, this month it was almost 4. What is to say next month it won't jump to 7-8 gigs? The traffic has been the same on the site for about 3 months, and all of a sudden, bandwidth usage just skyrocketed for no reason.

Welp, I am done with my rant here. If anyone has anything they would like to add, or any questions or comments, please feel free to reply.

Regards,
Shawn

akersche
09-21-2001, 04:33 PM
Originally posted by XnHost
I have an idea that the FBI probably knows all about this most recent worm. :)
I believe, too, that they know about it. BUT if more people are complaining, the chances are higher that they really get worried and do more!

kmh
09-21-2001, 04:34 PM
Before switching hosts, have you asked your current host about the problem? Maybe it's an issue with the monitoring software on your end, but the monitor they use from billing says something completely different. Maybe it's a problem they don't know about, but would fix if they knew about it. The first thing I would do is send them a respectful (no yelling or accusing) support request (using whatever their favorite form of handling support is), point out what your bandwidth monitor says, and ask them for help. Give them a chance to work this out.

akersche
09-21-2001, 04:36 PM
Shawn, there have been thousands of requests to non-existent sites... or ping commands or other attacks you don't even see in your log...
But you are right: something is wrong on Tera-Byte....

akersche
09-21-2001, 04:41 PM
Originally posted by XnHost
Before switching hosts, have you asked your current host about the problem?...

You are totally right!
I am not mad at Tera-Byte. (OK, I admit their security might lack a little bit.) They have great uptime and so far support was great.
And I sent them an email over 5 hours ago, and asked them kindly to work on solving that, and asked to set a maximum on my site's usage...
(But I am worried until the case is solved.)

Shawn (GEcom)
09-21-2001, 04:49 PM
I tried that last month and all I got was a "Code Red is at fault" reply.

I just sent a polite support request to them, and I will reply here when I get a response.

Just to inform you akersche, I asked for that last month, and they said they do not put limits on accounts. They told me if you go over, it cannot be cut off, and you just have to pay for the overused bandwidth.

Regards,
Shawn

Mike the newbie
09-21-2001, 05:23 PM
Originally posted by akersche
...i am not mad at tera-byte. (ok, i admit their security might lack a little bit) they have great uptime and so far support was great....


What's wrong with Tera-Byte's security?

Lmax
09-21-2001, 07:42 PM
About Code Red. You said that the data jumped in the night of the 20th to the 21st. I remember reading somewhere that Code Red becomes active on some days in the month. Maybe it just got active on this night.
Check the specs for Code Red; this could explain the sudden extra load of traffic.

Shawn (GEcom)
09-21-2001, 08:18 PM
I just received a reply back from Tera-Byte support.

Here is the quote from the reply I received:

"i looked through the logs on the server the most the worm could have added to your site is 112 megs over the last 30 days "

I can understand this completely, but am still unsure where the excess bandwidth that day came from. They still didn't really answer my question. The e-mail then went on to say that "Bandwidth is bandwidth wherever it comes from".

I am still seeking an answer on my original question :mad:

karrde
09-22-2001, 07:22 AM
Well, if everything you said is true, I guess it's a virus or the monitoring software is borked.
Check the logfiles, and especially those recording how much data was transferred to which IP and which files were requested.
Such a huge jump in bandwidth usage HAS to show up in one of the logfiles, and if it isn't there it hasn't been used, period.

By the way, the 3.2 GB overnight roughly equals 800 kbyte/second... or 40 page views per second, assuming an average size of 20kb/page and that every page gets loaded in one single second... that would be 107 136 000 page views per month...

Mike the newbie
09-22-2001, 09:41 AM
Is anonymous ftp enabled for any of the sites on this server? Could someone be using the site for unauthorized ftp? Do you see any suspicious ftp activity in your logs?

My servers have been receiving a lot of anonymous ftp probes, so many, in fact, that I moved ftp to a different port than 21.

Shawn (GEcom)
09-22-2001, 01:50 PM
Anon FTP is disabled on the accounts, and the logfiles do not contain any suspicious activity.

Domenico
09-24-2001, 06:18 PM
There might be some illegal activity on your server (FTP). When pirates use your box for spreading, say, the latest Win XP, your bandwidth can and will skyrocket.

Shut down anonymous FTP access right away and don't let them fool you with hidden directories.

Originally posted by Shawn (Wrestlecar.com)
This CERTAINLY IS NOT CORRECT!!...

massive
09-25-2001, 03:32 PM
Has this only been happening at Tera-Byte? Or has this been happening at anybody else's web sites with different hosts?

This is making me think twice about Tera.

Chicken
09-25-2001, 07:22 PM
No, not just tera. I've read this has caused problems many places, though it will depend on how much spare pipe the host has (if the capacities are near max'ed, this would slow down the whole network). The hits have to go *somewhere*, though I'm not sure how the infected machines seek targets, etc.

niekas
09-26-2001, 02:30 AM
I have this problem with Tera-Byte as well. I'm on the No. 5 plan and in August I got 38 GB of extra bandwidth (total of 68GB). They have no logs (said it wasn't working since July). WebTrends didn't register any increased activity on my site - actually there was a decline in traffic - my site has been using 21-23GB worth of data transfer steadily.

I took my site down when from sept 21 to sept 22 it generated almost 10 GB of traffic which is crazy.

You can see the thread about this ordeal here.

http://www.freewebspace.net/forums/showthread.php?threadid=10930

I wouldn't recommend Tera-Byte anymore. It's not the company that it used to be...