I need some advice. I got up this morning to an email from my DC that said I had exceeded my bandwidth. My server had used 504gb this month. A check of the mrtg charts showed that the server had been using 10mb constantly for some time. The server usually uses about 40gb a month.
I asked my server management company to look into it. After 4 hours I was told they had emptied the /tmp folder and needed to reboot the server. They also said nothing unusual was found in the logs.
"It looks like a hack but nothing was found. Let us know if it happens again."
Where should I go from here? There were no root logins and cPanel/WHM shows nothing unusual. It shows traffic for the month so far as 4gb total.
All traffic for the rest of the month will cost me .60 per GB.
How can I find out what caused this? How do I know that the traffic actually existed? How can I protect myself from this in the future?
If it had still been happening they should have been able to check the traffic for what was transferring the most - i.e. if it was port 80 then maybe some sort of an exploited site. More likely it was going out via some other port/protocol for some sort of an attack or maybe even file serving.
In wiping out the /tmp and other files they may have removed the evidence for another person to check, though since they didn't say they found it for sure it may not have even been there.
Is the server still experiencing the same bandwidth usage? They should have found the problem vs just rebooting and praying the process would not start back up but since they did it may be pretty hard to track it down if the server is still not using the same amount of bandwidth.
John W, CISSP, C|EH
MS Information Security and Assurance ITEagleEye.com - Server Administration and Security Yawig.com - Managed VPS and Dedicated Servers with VIP Service
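The per-port check described in the reply above, as an added example that is not part of the original thread: it totals outbound bytes by protocol and port from `tcpdump -nn` text output captured while the traffic is still flowing. The server address 192.0.2.10, the sample lines and the function names are constructed for illustration, and only IPv4 TCP/UDP lines are parsed.

```python
import re
from collections import Counter

# Matches IPv4 lines printed by `tcpdump -nn`, for example:
#   12:00:01.000001 IP 192.0.2.10.80 > 198.51.100.7.40000: Flags [P.], ..., length 1448
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<rest>.*)length (?P<len>\d+)"
)

def outbound_bytes_by_port(lines, server_ip):
    """Sum payload bytes sent by server_ip, grouped by (protocol, port)."""
    totals = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["src"] != server_ip:
            continue  # unparseable line, or traffic not sent by this server
        proto = "udp" if m["rest"].startswith("UDP") else "tcp"
        # Heuristic (assumption): the lower port of the pair is the service
        # port, the higher one an ephemeral client port.
        port = min(int(m["sport"]), int(m["dport"]))
        totals[(proto, port)] += int(m["len"])
    return totals

def top_talkers(lines, server_ip, n=3):
    """Return the n (protocol, port) pairs carrying the most outbound bytes."""
    return outbound_bytes_by_port(lines, server_ip).most_common(n)

# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = [
    "12:00:01.000001 IP 192.0.2.10.80 > 198.51.100.7.40000: Flags [P.], seq 1:1449, ack 1, win 229, length 1448",
    "12:00:01.000002 IP 198.51.100.7.40000 > 192.0.2.10.80: Flags [.], ack 1449, win 501, length 0",
    "12:00:01.000003 IP 192.0.2.10.51000 > 203.0.113.9.2121: Flags [.], seq 1:1449, ack 1, win 229, length 1448",
    "12:00:01.000004 IP 192.0.2.10.51000 > 203.0.113.9.2121: Flags [.], seq 1449:2897, ack 1, win 229, length 1448",
    "12:00:01.000005 IP 192.0.2.10.51000 > 203.0.113.9.2121: Flags [P.], seq 2897:4345, ack 1, win 229, length 1448",
    "12:00:01.000006 IP 192.0.2.10.33333 > 203.0.113.20.53: UDP, length 512",
    "tcpdump: listening on eth0, link-type EN10MB (Ethernet)",
]

if __name__ == "__main__":
    for (proto, port), nbytes in top_talkers(SAMPLE, "192.0.2.10"):
        print(f"{proto}/{port}: {nbytes} bytes out")
```

A port other than the ones the server is meant to serve sitting at the top of this list is the lead to follow up with `ss -tnp` or `lsof -i` to find the owning process.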
I agree that the reply from them was useless. I will not identify them right now but plan to speak to the owner. I have Steven from Rack911.com working on it and he found a bunch of stuff. I'll update as time goes on.