Hi,

I have a reseller account with cpanel/whm

I just received an account for Bandwidth overcharges/spikes @ 5040GB $1089.04 USD

1) In WHM this monthly bandwidth for my total reseller account shows just below 600mb
2) The usage for the account that i am told is the cause for the problem is set to a monthly limit of 10gb bandwidth
3) i only had Word Press installed on this account and it wasn't even in use

Any suggestions on if this kind of bandwidth is possible and how can i be held responsible

Thanks

Dam, how is the possible if your only limited to 10 GB..

Is that five thousand GBs??? Kinda high, I would have the reseller provide you with a detailed line item for the bandwidth charges showing exactly what is using how much.

I would point on the WHM measurement to them and have them explain exactly how you used that much bandwidth. I know for a shared server, if you used that much on a Wordpress site, you'd be suspended for using too many resources before you can blow through 5000GB of traffic.

That is what i like to know as well;

1) When you setup an account in WHM and you limit the bandwidth to say 10m will after you downloaded just over 10m should the site show no more bandwidth
2) Is it possible for a account to be hacked and 5040gb of bandwidth used , that is an account setup with cpanel and whm and to bypass the 10gb limit?

i setup another account for only 10mb bandwidth and uploaded a file for 1.7mb. i then downloaded it 8 times but there is no warning and i can still download the file.

(overselling is not enabled on this reseller account)


(http://www.acutts.mobi)

I'd be suspicious of that for a number of reasons, not least the fact that if your account had pushed that much traffic you would have heard about it as soon as the rush started. For that much traffic to be used (5TB), it would cripple the server not just on the resource side (apache limits would probably be hit first on a cpanel machine, then sql) but it would have also caused a major network bottleneck.

I'd be asking the provider to show proper documentation on how exactly this occurred (though I doubt it did).

Simon

i have just received his reply from my support

I understand that the invoice may come as a shock, the bandwidth reads under the IP and cPanel doesn't pick it up hence the reason you would of been shown bandwidth graphs which picks up everything as it reads data from that port on the switch.

What normally happens with this kind of overcharge is we pickup 50% of the bill and 50% is billable to the client. Over time the spikes ranged from 10-50Mbps with an average of 28Mbps (your being billed for 14Mbps @ 360GB per 1Mbps = 5040GB bandwidth.

Can some explain the above pls

Please note that
1) The account that is setup under cpanel in WHM is set with a 10gb bandwidth limit

I would not trust that at all, they would have seen this coming a mile and a half away. 5TB doesn't just slip through the net. You don't pay for burstable bandwidth, you are paying for a reseller account. Don't just accept (though, again, I doubt you will) that answer, dig deeper.


I would get them to show you some backing for this, it obviously wasn't http traffic so get them also to find out the traffic type and whether it was incoming/outgoing.

There's more to the issue than meets the eye. I can't say this enough: If that traffic was valid and yours, they would have seen it coming a long time ago.

Simon

if i am paying for a reseller account that have a bandwidth limit of 200gb per month and this account is not enabled for overselling how is it possible for the bandwidth to go over 200gb without me knowing about it.

Shouldn't the account be suspended when the 200gb limit is reached?

i mean 200gb ----- 5040gb is a long way surely?

Also i am told it was Word Press problem. I think i had 2.2.1 installed but had not even posts on blog. I wasn't using the site actively.

I think they are trying to scam you!! It is their job to monitor server traffic. You have a reseller account and that's all. Also, check their terms of services if they have something there.

Were you using (or your customers) url's like http://serverip/~username/bigfile.zip ???

Ask them for logs - again it is their job to monitor traffic and they should pay for overage usage!!

Yeah that is absolutely insane I would not pay that. I'd love to see them give actual proof of that sort of usage.

Thanks for your input,

I am told that there is no monitoring of this usage as cpanel doesn't allow for bandwidth monitoring on an ip address. So it sounds like anybody can access the account via ip/~username and do as they please

Isn't that normally blocked?

Were you using (or your customers) url's like http://serverip/~username/bigfile.zip (http://serverip/%7Eusername/bigfile.zip) ???


No not at all. The account they say used this bandwidth only had Word Press installed with one post on and thats it. I do not access the server via ip.

If they insist on charges, I would name the host here. How it is possible to have a server and throughout a month not to monitor these high usage....

It seems shade from their explanation too!! Do not pay anything!

Agree, this is insane!

Whats probably happening is that their server that they sell reseller account on is on 95th percentile billing from their provider. So they got hit with the bandwidth bill from their server provider and now they are trying to get you to pony up the $$. Its possible some file was being redistributed from one of your accounts but thats not your problem as you are on a fix bandwidth per month? Either way they should have been monitoring their bandwidth stats.

Also like stated before that much traffic would have slowed down the server considerably especially on a shared server.

I would like to know the following as i see some of you guys out there offer reseller hosting using cpanel/whm

1) Can you prevent access to the account by using ipaddress/~username/file.zip or any access to this location
2) If not can you control the bandwidth to that ip and is it part of the bandwidth limits set in WHM with http and ftp
3) Not sure how servers connect etc. but can you place a hardcap on the bandwidth on a reseller account using cpanel/whm

Help much appreciated as i am still waiting for log files

Hi,
i have received a graph. Can you please explain to me the content of the graph

Thanks

someone correct me if I'm wrong here but that chart just shows traffic on the router for a given port. You're not getting a dedicated server from them are you? If it's just a reseller account then ALL that graph shows you is the traffic generated by THEIR server (or leased server whatever) on that port. This doesn't even prove to you that it's the server your account is on.

In NO way would I pay for this, this really sounds like a scam. They are offering no proof just really vague charts that have nothing to do with your account. I hope you have a current backup of your files (and if you don't get them FAST).

I really would like to know who this host is b/c this borders on either a poorly done scam or total incompentence.

That graph is for the server or switch overall. The biggest thing that jumps out is the massive amount of apparent downtime (multiple times per day, for extended periods of time). Outbound traffic spiking like that reeks of a vulnerability (IRC bot, etc). There's no way on earth you should be charged for that. Keep in mind, too, that the RTG they showed you has no proof that it has anything to do with your site.

I am told that there is no monitoring of this usage as cpanel doesn't allow for bandwidth monitoring on an ip addressThat's a bit of a fib on their part. Tell them to take a look at bandmin and send you a screenshot for the IP in question.


Simon

I would be very interested to know which host is this....

My advice : get a backup and move your sites elsewhere!

Hi,

I have a reseller account with cpanel/whm

I just received an account for Bandwidth overcharges/spikes @ 5040GB $1089.04 USD

1) In WHM this monthly bandwidth for my total reseller account shows just below 600mb
2) The usage for the account that i am told is the cause for the problem is set to a monthly limit of 10gb bandwidth
3) i only had Word Press installed on this account and it wasn't even in use

Any suggestions on if this kind of bandwidth is possible and how can i be held responsible

Thanks


WHM and bandadmin only monitor traffic that can be logged by programs WHM knows about. For example, if you have an account running shoutcast there is no way for cPanel to track that bandwidth.

I would be very interested to know which host is this....

My advice : get a backup and move your sites elsewhere!

Hi Tony,

Thanks for your advice but i have already paid for the next year and for 2 reseller account i have with this company.

What i would like to know. Is it my responsibility as a client that have a reseller account to insure that the security is in order on the ip level.

This is what i have done.

1) I set the bandwidth on 2 accounts to 10mb

2) On the first domain i uploaded and then downloaded a file of 1.7mb directly of the domain using www.domainname.com/file.zip (http://www.domainname.com/file.zip). When i downloaded the file approx 7 times is the site displayed "bandwidth limit exceeded" When i then tried to download using ip/~username/file.zip i get the same message. Then i used FTP and i am still able to download the file without any restrictions

3) On the second account i dowloaded the file using ip/~username/file.zip I downloaded the 1.7m file 10 times via the ip. I also uploaded the file and downloaded the file via FTP giving a total of 20mb although the limit is set to 10mb in WHM

If this is the case how can i be held responsible for any activity on my ip if i don't even have access to monitor it or control it.

Is there also a possible way how a person can prevent this kind of abuse on and IP and who is responsible for that.

The reason i got a reseller is to leave all those problems with the hosting company to deal with.

I have asked for logs but this is all they gave me.

For the last person, i only used WP with 1 post on and no shoutcast

Like others have said this is not your responsibility and I don't think you should pay it. If this was me I would not care if I pre-paid for 5 years I would not stay with a company that tried this sort of crap. Besides how expensive are they that it would be worth it to stay and pay the $1K?

unless you are on a dedicated server.. then those graphs mean nothing... then you can ask who else is on this server... what ip, who else is using the ip.. multiple domains can use an ipaddress...

Hi,
I asked for a graph to show my domain and i was send this one. Altough i am on a shared ip 89.21.8.41 this domain is on a dedicated 89.21.8.23 they say that is the problem domain

I am not sure how this graph works. Can somebody explain to me how they are getting the 5040GB and how they determine the IP addresses on the graph

Thanks

I am almost sure that your provider charged by the datacenter using 95% percentile. Because of the spikes the datacenter charges them more. It's the webhost job to limit their web-server at X mbit and not get overcharged or pay by the actual usage and not by 95% percentile.

johannes: They are playing with you. They have no idea about the usage and are trying to land someone with the bill. That graph doesn't even look real to me. rrdtool doesn't write all over the graphs (as far as I have ever seen). Tell them you want to see the very same documentation or proof that caused them to foot you with the bill in the first place.


It sounds like you're just getting the run-around.


Simon

Hi,
Thanks for all you input so far and i really appreciate the help.

I need to know the following and pls correct me if i am wrong;

1) There is 3 possible ways a hacker can abuse a site using either;
www.domainname.com
ftp.domainname.com
ipsaddress/~username

2) Now if the first 2 is available but the last one is disabled via WHM using "mod_userdir Tweak" then surely the account would have been disabled if the bandwidth was exceeded

3) In the graphs they send me (i am not exactly sure how the graphs work) what was the bandwidth used showed on the graphs.

4) Them saying those spikes on the graphs come from my site. How much bandwidth is used during the spikes (they use cacti)

5) Aren't a host selling reseller hosting not suppose to be in control of the bandwidth to the reseller account E.G. i have a limit of 200gb bandwidth. Aren't my reseller suppose to be suspended when that limit is reached?

i very much appreciate some answers pls

Hi,
Thanks for all you input so far and i really appreciate the help.

I need to know the following and pls correct me if i am wrong;

1) There is 3 possible ways a hacker can abuse a site using either;
www.domainname.com (http://www.domainname.com)
ftp.domainname.com
ipsaddress/~username


If it was a hacker or not, for them to know it was your account on the server causing the traffic would require logs. Either ftp logs, or web access logs. The gross amount of data transfered, without their knowledge is complete negligence on their part. The graphs they have showed you in no way prove you transfered 5000+ gigs of data.. which is unhread of on a shared hosting plan.

Beyond that, I don't think any other issue is relevant. They are trying to make you foot a bill for a mistake they made. I'm not sure how you could even consider sticking with this company when seemingly at random you may be charged for 1000's of gig of data, of which you have no way of monitoring.

Honestly, even if it was a script or some insecurity on your account, the host should have noticed long before 5000 gig was even approached, especially since your cap was ~10gig. After they noticed, they clearly should have investigated and took care of the problem. Also, what hosting company are you using ?

A Whois on the IP 89.21.8.41 Showed:-

IP Information for 89.21.8.41
IP Location: United Kingdom Port9 Ltd
Resolve Host: 39757.net
IP Address: 89.21.8.41 [Whois] [Reverse-Ip] [Ping] [DNS Lookup] [Traceroute]
Reverse IP: 224 other sites hosted on this server.
Blacklist Status: Clear
Whois Record

inetnum: 89.21.8.0 - 89.21.8.255
netname: PORT9
descr: Port9 Ltd
country: GB
admin-c: RG3442-RIPE
tech-c: RG3442-RIPE
status: ASSIGNED PA
mnt-by: MNT-UKGRIDRG
source: RIPE # Filtered

person: Rob Garbutt
address: Greenheys Data Centre
address: Manchester Science Park
address: Pencroft Way
address: Manchester
address: M15 6JJ
phone: +44(0)845 260 4743
nic-hdl: RG3442-RIPE
source: RIPE # Filtered

route: 89.21.0.0/19
descr: The UK Grid Network Ltd
origin: AS39757
mnt-by: MNT-UKGRIDRG
source: RIPE # Filtered



A Whois on the IP 89.21.8.23 Showed:-

IP Information for 89.21.8.23
IP Location: United Kingdom United Kingdom Port9 Ltd
Resolve Host: 39757.net
IP Address: 89.21.8.23 [Whois] [Reverse-Ip] [Ping] [DNS Lookup] [Traceroute]
SSL Cert: secure.ptlhosting.com SSL Certificate has expired.
Blacklist Status: Clear
Whois Record

inetnum: 89.21.8.0 - 89.21.8.255
netname: PORT9
descr: Port9 Ltd
country: GB
admin-c: RG3442-RIPE
tech-c: RG3442-RIPE
status: ASSIGNED PA
mnt-by: MNT-UKGRIDRG
source: RIPE # Filtered

person: Rob Garbutt
address: Greenheys Data Centre
address: Manchester Science Park
address: Pencroft Way
address: Manchester
address: M15 6JJ
phone: +44(0)845 260 4743
nic-hdl: RG3442-RIPE
source: RIPE # Filtered

route: 89.21.0.0/19
descr: The UK Grid Network Ltd
origin: AS39757
mnt-by: MNT-UKGRIDRG
source: RIPE # Filtered



So my guess is that you are hosted under ptlhosting.com. Am i right?

No you are wrong,

i am ptlhosting.com i have a reseller account with with hostingdepartment.net :eek:

My concern is that i have some clients on my reseller that wont be happy if they have downtime and also i am not a big hosting business.

now i suppose they are just going to cut my accounts if they should find this post

14.62 Mbps how many Gb is that please?

It depends on how much time did you use the 14.62 Mbps. It's 1.82 MB per second. So if you use it for 1 hour then you transfer 6.5GB. To transfer 5000GB with that speed you need 32 days.

I have asked for in invoice from there provider and this is what they send me attached

The invoice was also dated the 1/11/2007 and the cost is in pounds as they are in the UK

The first thing that jumps out at me is the fact that you say you have a reseller account yet they are sending you graphs for the whole server.

The second thing is that the graph, both graphs, they sent you are seriously full of holes. They're not being polled regularly and are hardly accurate.

I would ask them for the proof they have that it was your account that caused the traffic. You are well within your rights to dispute the bill.

If they stick to thier guns though you're going to have to pay it unless you want to move becasue in the end they can just turn you off.

I have asked them for proof that it was my account and for stats but they haven't given it to me. Like you said they can just turn me off.

I feel a bit done in as now i am very wary of a new host. Also i payed yearly and i have 2 reseller accounts with them and have just renewed both not so long ago. Ok it is only about $250 (for me it is a lot as i am not in the USA) but still all the hassle to move.

==========
i do have a dedicated server i am not using or should i say not sure how to use. i pay only $25 a month but haven't been able to get the dns right, so maybe somebody out there can help me.

The server is with corenetworks and it is a 2.6ghz /80gb harddrive + 1000gb bandwidth per month. i have centos installed with servercp but cant get it to work, so maybe somebody can help me out here ??

And i dont even have the firewall switched on because when i do servercp dont work.

i do have a dedicated server i am not using or should i say not sure how to use. i pay only $25 a month but haven't been able to get the dns right, so maybe somebody out there can help me.

The server is with corenetworks and it is a 2.6ghz /80gb harddrive + 1000gb bandwidth per month. i have centos installed with servercp but cant get it to work, so maybe somebody can help me out here ??

And i dont even have the firewall switched on because when i do servercp dont work.

If thats the route you want to go, and dont want to end up in the same boat.. I would have to recommend you hire a company to setup/secure your server for you. Theres plenty of companies around these forums, i'd suggest checking around.

Don't they provide manage servers?
As for your post, maybe the moderators can help by clearing out your hosting company's URL? I'll try asking them.

Don't they provide manage servers?
As for your post, maybe the moderators can help by clearing out your hosting company's URL? I'll try asking them.

Hi the dedicated server i mention is not the one causing the problems and they are unmanaged @ $24 i don't expect much more. And corenetworks is tops

I don't mind i anybody knows who i am its not a problem if you are taking about ptlhosting.com

Hi the dedicated server i mention is not the one causing the problems and they are unmanaged @ $24 i don't expect much more. And corenetworks is tops

I don't mind i anybody knows who i am its not a problem if you are taking about ptlhosting.com

Its ok then. I'm just worried your clients might cut you off as a result of that. ;)

I have done a reverse ip on my server and discovered the following;

1) There is 4 traffic exchange sites
2) 2 online war games sites
3) 3 sites offering flash games you download and play online
4) 1 page ranking site that is in the top 100 000 on alexa where you can place a page rank stat on you own site and then a php script is pulled of this site to show your page rank
5) 1 site also with a ranking of 576.825
6) 1 free image site
7) Plus about 200 other sites some static and some wp ect.

This is on a server with the following specs
Processor #1 Vendor: GenuineIntel
Processor #1 Name: Intel(R) Pentium(R) 4 CPU 3.06GHz
Processor #1 speed: 3067.323 MHz
Processor #1 cache size: 512 KB
Memory: 2073692k/2097024k available (1876k kernel code, 22344k reserved,
759k data, 184k init, 1179520k highmem)

Please don't misunderstand me but surely sites like this is bound to cause some
bandwidth problems on a shared server or am i wrong?

My reseller is on this server.

Thanks

Are you sure? For what I've seen:-

Frm domaintools.com
Whois Record for Ptlhosting.com

Registry Data
ICANN Registrar: GODADDY.COM, INC.
Created: 2005-05-29
Expires: 2008-05-29
Registrar Status: clientDeleteProhibited
Registrar Status: clientRenewProhibited
Registrar Status: clientTransferProhibited
Registrar Status: clientUpdateProhibited
Name Server: NS1.PTLHOSTING.COM
Name Server: NS2.PTLHOSTING.COM
Whois Server: whois.godaddy.com
Server Data
Server Type: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
IP Address: 89.21.8.23 [Whois] [Reverse-Ip] [Ping] [DNS Lookup] [Traceroute]
IP Location United Kingdom - United Kingdom - Port9 Ltd
Response Code: 200
Blacklist Status: Clear
Domain Status: Registered And Active Website
DomainTools Exclusive
Registrant Search: "PTL Hosting" owns about 21 other domains New!
Registrar History: 1 registrar
IP History: 4 changes on 5 unique name servers over 2 years.
Whois History: 14 records have been archived since 2005-08-09.
Dedicated Hosting: ptlhosting.com is hosted on a dedicated server.


Whois Record

Registrant:
PTL Hosting
Box 647
Bothas Hill, Natal 3660
South Africa

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: PTLHOSTING.COM
Created on: 29-May-05
Expires on: 29-May-08
Last Updated on: 28-May-07

Administrative Contact:
Marais, Johan
PTL Hosting
Box 647
Bothas Hill, Natal 3660
South Africa
+2782133693 Fax --

Technical Contact:
Marais, Johan
PTL Hosting
Box 647
Bothas Hill, Natal 3660
South Africa
+2782133693 Fax --

Domain servers in listed order:
NS1.PTLHOSTING.COM
NS2.PTLHOSTING.COM



And according to Reverse IP from domaintools and oversoldhost.com, I can guarantee you only have a domain in your dedicated server, that is ptlhosting.com.

correct me if I'm wrong.

ptlhosting.com is on a dedicated ip. one of my domains is epropnet.co.za which is on the same server.

Not sure if you understand me correctly. This domain is not on my dedicated server as it is a reseller account on this server i have.

I see. If that is the case, its true. There are more than 200 site on your same server. But i don't think the website epropnet.co.za has many visitors. Maybe a ddos attack?

Ok, I noticed something funny. Why is the reverse IP showing other hosting provider's customer, like dreamhost, 1and1, etc? Is it a datacenter?

Goto http://www.myipneighbors.com/ and you will see all the domains on the server my reseller is.