Web Hosting Talk

Unbelievably high incoming traffic


mlx
10-13-2001, 07:24 PM
I recently noticed unbelievably high incoming traffic on my RaQ and I don't have a clue where it's coming from. Just have a look at the attached image: that's about 2 MBit incoming over several hours (until I manually rebooted the server, which stopped it).

I'm quite sure that the traffic was not sent through FTP and HTTP (there is nothing about it in the FTP logs and nothing in the Apache logs).
So does anyone have a clue what's (or what could be) going on there?
Or how to find out? Are there any other logs I should check?

I'm a bit scared since I guess the traffic would still be there if I didn't stop it by rebooting the server manually. So any ideas are highly appreciated.

dektong
10-13-2001, 07:31 PM
You might have been DoS attacked, for around 9 hours ... I feel really bad for you. I hope you will be billed based on average, not 95th percentile ... How does this affect your monthly graph?

cheers,
:beer:

mlx
10-13-2001, 07:44 PM
Well, I'm with 4webspace and there are still about 60 GB of traffic left of the initial 100 GB.
So hopefully this should be no problem.

Lmax
10-14-2001, 05:55 AM
I also have a RaQ with 4webspace and I also checked my traffic. It isn't that high, but there is also a rise.
A bit strange, since they also had more trouble with Code Red than other companies?!

In a reply I can't add an attachment, so here is the link to my graph:
http://www.lanthost.com/fetch.gif

Lmax
10-14-2001, 07:07 PM
It's starting again
http://www.lanthost.com/fetch2.gif

Omair Haroon
10-15-2001, 06:20 AM
Where do you get that image from? I am also with 4webspace.


-Omair

mlx
10-15-2001, 06:40 AM
You log in at http://www.tera-byte.com/config and click on "IP Administrator"

nexzt
10-15-2001, 08:28 AM
If I recall correctly the blue is outgoing and green is incoming; got a software download of some sort on that server? Also it's in bits, so it's less than you think; watch the graph change to bytes and watch it shrink :)

Lmax
10-15-2001, 08:38 AM
Yes, I know that, but the sudden rise is the strange thing.
There are very few sites on this server, that's why the traffic is so low.

Lmax
10-15-2001, 09:38 AM
Originally posted by mlx
You log in at http://www.tera-byte.com/config and click on "IP Administrator"

If you can't see the graph, contact support, they'll fix it for you.
It wasn't enabled for me either.

mlx
10-15-2001, 09:39 AM
@ nexzt:

I know when you install MRTG on your server it's normally the other way round (green=in, blue=out).
But the tera-byte graph (about which we are talking) definitely uses green for outgoing traffic to the internet and blue for incoming.

Lmax
10-15-2001, 09:40 AM
Then it's very strange that the incoming graph is higher than the outgoing!?!

jahsh
10-16-2001, 04:38 PM
You might check your /var/log/httpd/access file and look for either default.ida, which is Code Red, or cmd.exe, which is Nimda.
They won't harm your system, but they will cause traffic and bog your system down.
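As an added example (not code from this thread or from any poster), here is a small Python script that does the log check described above over a few constructed Apache access-log lines: it counts requests containing default.ida (Code Red) and cmd.exe (Nimda), the number of distinct source addresses behind them, and the response status codes, which on a Linux/Apache box should all be 404. The log lines, IP addresses and request paths are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log format: host ident user [time] "request" status bytes ...
# Note: the bytes field is the response size; the access log does not record
# request size, so the incoming bandwidth the probes consume is not in this file.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Markers named in the thread, matched against the request line
SIGNATURES = {
    "Code Red": "default.ida",
    "Nimda": "cmd.exe",
}


def classify(request):
    """Return the worm name whose marker appears in the request line, else None."""
    for name, marker in SIGNATURES.items():
        if marker in request:
            return name
    return None


def summarize(lines):
    """Aggregate worm probes: {worm: {"hits": n, "sources": unique IPs, "status": {code: n}}}."""
    stats = defaultdict(lambda: {"hits": 0, "sources": set(), "status": Counter()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing on them
        worm = classify(m.group("request"))
        if worm is None:
            continue
        s = stats[worm]
        s["hits"] += 1
        s["sources"].add(m.group("host"))
        s["status"][m.group("status")] += 1
    return {w: {"hits": s["hits"], "sources": len(s["sources"]), "status": dict(s["status"])}
            for w, s in stats.items()}


# Constructed sample lines (documentation IP ranges, not a real server's log)
SAMPLE = """\
192.0.2.10 - - [13/Oct/2001:10:15:01 +0200] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 293
192.0.2.10 - - [13/Oct/2001:10:15:09 +0200] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 293
198.51.100.7 - - [13/Oct/2001:10:16:30 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
203.0.113.5 - - [13/Oct/2001:10:17:02 +0200] "GET /index.html HTTP/1.0" 200 4521
garbage line that is not a log entry
""".splitlines()

if __name__ == "__main__":
    for worm, s in summarize(SAMPLE).items():
        print(f"{worm}: {s['hits']} probe(s) from {s['sources']} source IP(s), statuses {s['status']}")
```

To run it against a real file, replace SAMPLE with the lines read from /var/log/httpd/access.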

Omair Haroon
10-16-2001, 04:50 PM
MLX,

I also recommend you immediately check out your server for Nimda and Code Red.

That is what I think is causing the increase in incoming.
But that is just a thought.

For newbies reading this, you just su to root and type this:


locate default.ida


That's for Code Red, and for Nimda type this:


locate cmd.exe


If either of the two files is there on the server, then you are affected.


-Omair

webbcite
10-16-2001, 05:48 PM
Linux servers are NOT affected by Nimda. RaQs are Linux, so there are no worries about Nimda.

jahsh
10-16-2001, 06:08 PM
This is not true!! Your system might not get infected, but I guarantee if you check your logs the viruses are there. I am well aware of what kind of servers we are working with (that is why I am in the RaQ forum). Just check the logs as stated above and ignore the post right above this one :rolleyes:

webbcite
10-16-2001, 06:12 PM
The viruses are not there; there are just logs showing that someone was looking for the default.ida or cmd.exe files...which DO NOT exist on Linux systems.

So yes the logs will show attempts to run the exploit, but there is no danger on a Linux system...other than the bandwidth being used.

mlx
10-16-2001, 06:19 PM
Well jahsh, you are right that you will find many 404 errors concerning Nimda and Code Red in your access log.

But (@ Omair Haroon) you won't find the files "cmd.exe" or "default.ida" on your RaQ.

Oops I did not see the reply above so just ignore my post

webbcite
10-16-2001, 06:21 PM
Originally posted by mlx
Well jahsh, you are right that you will find many 404 errors concerning Nimda and Code Red in your access log.

But (@ Omair Haroon) you won't find the files "cmd.exe" or "default.ida" on your RaQ.

I guess that was the point I was trying to make...that it is a Windows IIS virus.

dektong
10-16-2001, 06:41 PM
Originally posted by nexzt
If I recall correctly the blue is outgoing and green is incoming; got a software download of some sort on that server? Also it's in bits, so it's less than you think; watch the graph change to bytes and watch it shrink :)

This is the case if the MRTG is installed on the server, but since the MRTG is installed on the switch, then relative to the switch, any data coming to your server will be considered outgoing data from the switch, while any data coming from your server will be considered incoming data to the switch. Hence, in this case the blue line will be incoming traffic to the server and the green line would be outgoing data from the server ... CMIIW

cheers,
:beer:

jahsh
10-16-2001, 07:49 PM
"Unbelievably high incoming traffic" this was the original post!!! I know that the system cannot get the virus; however, it will scan your system and bog your system down.

Here's a brilliant quote:
"So yes the logs will show attempts to run the exploit, but there is no danger on a Linux system...other than the bandwidth being used."

That is why I posted this...because of the incoming traffic (BANDWIDTH). THE ORIGINAL THREAD stated "Unbelievably high incoming traffic". If you read my previous posts, I stated that the system won't be infected. Would you like me to attach part of my access logs with both in there to prove my point?

webbcite
10-16-2001, 07:55 PM
Dude...RELAX! Take a couple of deep breaths...everything will be OK.

Now that you have calmed down, my original post was not in reference to your post but the post from Omair Haroon where he was telling the original poster to run "locate default.ida". I was just clarifying to say that Linux servers can not be infected and that there is no need to look for those files on the server.

I agree and agreed that there will be plenty of entries in the log files and that bandwidth can be higher with these attempts. The problem is that these attempts have dropped off dramatically after the second or third day. I would be very surprised if Nimda or Code Red is the cause of this.

Feel better now?

jahsh
10-16-2001, 08:01 PM
WOW...I feel a lot better now. I guess those breaths of fresh air really helped!!! Thanks for the input.