Results 1 to 9 of 9
  1. #1
    Join Date
    Mar 2004
    Posts
    92

    Need advice after possible hack

    Hi Guys,
    I need some advice. I got up this morning to an email from my DC that said I had exceeded my bandwidth. My server had used 504gb this month. A check of the mrtg charts showed that the server had been using 10mb constanly for some time. The server usually uses about 40gb a month.

    I asked my server management company to look into it. After 4 hours I was told they had emptied the /tmp folder and needed to reboot the server. They also said nothing unusual was found in the logs.

    "It looks like a hack but nothing was found. Let us know if it happens again."

    Where should I go from here? Their were no root logins and Cpanel/WHM shows nothing unusual. It shows traffic for the month so far as 4gb total.

    All traffic for the rest of the month will cost me .60 per GB.

    How can I find out what caused this? How do I know that the traffic actually exisited? How can I protect myself from this in the future?

    Any help or advice is really appreciated.

  2. #2
    Join Date
    Mar 2004
    Posts
    92

  3. #3
    MY servers just been hacked the bandwdith went skyhigh + they got all my client details I think I will move to Directadmin because of Cpanel

  4. #4
    Join Date
    Mar 2004
    Posts
    92
    Good luck with your switch.

    Now, back to my question. Does anyone have any ideas what I need to do.

  5. #5
    Join Date
    Apr 2005
    Location
    San Francisco, CA
    Posts
    1,029
    Step #1 - hire a PRO to inspect/secure your box for you again. I would suggest to check Rack911.com for this job

  6. #6
    Join Date
    Nov 2002
    Location
    WebHostingTalk
    Posts
    8,878
    * Moved to Technical and Security Issues...

    Sirius
    I support the Human Rights Campaign!
    Moving to the Tampa, Florida area? Check out life in the suburbs in Trinity, Florida.

  7. #7
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    Agreed on Steven-v's response,

    "It looks like a hack but nothing was found. Let us know if it happens again."
    Who told you that? Cancel with whoever it is and move on.

    -Scott
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: [email protected]

  8. #8
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,080
    Yeah the answer they gave was less then perfect.

    If it had still been happening they should have been able to check the traffic for what was trasnfering the most - IE if it was port 80 then maybe some sort of an exploited site. More likely it was going out via some other port/protocol for some sort of an attack or maybe even file serving.

    In wiping out the /tmp and other files they may have removed the evidence for another person to check, though since they didn't say they found it for sure it may not have even been there.

    Is the server still experiencing the same bandwidth usage? They should have found the problem vs just rebooting and praying the process would not start back up but since they did it may be pretty hard to track it down if the server is still not using the same amount of bandwidth.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  9. #9
    Join Date
    Mar 2004
    Posts
    92
    I agree that the reply from them was useless. I will not identify them right now but plan to speak to the owner. I have Steven from Rack911.com working on it and he found a bunch of stuff . I'll update as time goes on.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •