Thread: Need advice after possible hack
-
11-07-2006, 06:01 PM #1 Junior Guru Wannabe
- Join Date: Mar 2004
- Posts: 94
Hi Guys,
I need some advice. I got up this morning to an email from my DC that said I had exceeded my bandwidth. My server had used 504gb this month. A check of the mrtg charts showed that the server had been using 10mb constantly for some time. The server usually uses about 40gb a month.
I asked my server management company to look into it. After 4 hours I was told they had emptied the /tmp folder and needed to reboot the server. They also said nothing unusual was found in the logs.
"It looks like a hack but nothing was found. Let us know if it happens again."
Where should I go from here? There were no root logins and cPanel/WHM shows nothing unusual. It shows traffic for the month so far as 4gb total.
All traffic for the rest of the month will cost me .60 per GB.
How can I find out what caused this? How do I know that the traffic actually existed? How can I protect myself from this in the future?
Any help or advice is really appreciated.
-
11-07-2006, 06:12 PM #2 Junior Guru Wannabe
- Join Date: Mar 2004
- Posts: 94
Here are the graphs .....
http://360windsor.com/test/afficheGraph.png
http://360windsor.com/test/afficheGraph2.png
-
11-07-2006, 06:19 PM #3 Disabled
- Join Date: Nov 2006
- Posts: 7
My server's just been hacked; the bandwidth went sky-high + they got all my client details. I think I will move to DirectAdmin because of cPanel.
-
11-07-2006, 07:18 PM #4 Junior Guru Wannabe
- Join Date: Mar 2004
- Posts: 94
Good luck with your switch.
Now, back to my question. Does anyone have any ideas what I need to do?
-
11-07-2006, 07:26 PM #5 Web Hosting Master
- Join Date: Apr 2005
- Location: San Francisco, CA
- Posts: 1,031
Step #1 - hire a PRO to inspect/secure your box for you again. I would suggest checking Rack911.com for this job.
-
11-08-2006, 09:54 AM #6 Retired Moderator
- Join Date: Nov 2002
- Location: WebHostingTalk
- Posts: 8,901
* Moved to Technical and Security Issues...
Sirius
I support the Human Rights Campaign!
-
11-08-2006, 11:05 AM #7 Engineer
- Join Date: Jan 2005
- Location: Scotland, UK
- Posts: 2,681
Agreed on Steven-v's response,
"It looks like a hack but nothing was found. Let us know if it happens again."
-Scott
-
11-08-2006, 11:44 AM #8 Web Hosting Master
- Join Date: Apr 2003
- Location: NC
- Posts: 3,093
Yeah, the answer they gave was less than perfect.
If it had still been happening they should have been able to check the traffic for what was transferring the most - i.e. if it was port 80 then maybe some sort of an exploited site. More likely it was going out via some other port/protocol for some sort of an attack or maybe even file serving.
In wiping out the /tmp and other files they may have removed the evidence for another person to check, though since they didn't say they found it for sure it may not have even been there.
Is the server still experiencing the same bandwidth usage? They should have found the problem vs. just rebooting and praying the process would not start back up, but since they did, it may be pretty hard to track it down if the server is still not using the same amount of bandwidth.
John W, CISSP, C|EH
MS Information Security and Assurance
-
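An added example, not part of any post in this thread: a Python check to run before /tmp is emptied or the server is rebooted, recording processes whose executable sits in a world-writable directory or has been deleted from disk while still running. The directory list, the function names and the sample /proc tree are assumptions constructed for illustration.

```python
import os
import tempfile

# World-writable locations on a typical Linux server (assumed list).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def suspect_processes(proc_root="/proc"):
    """Return [(pid, exe_target, reason)] for processes worth recording
    before anyone empties /tmp or reboots the machine."""
    findings = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue  # /proc/net, /proc/sys, ... are not processes
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        if exe.endswith(" (deleted)"):
            findings.append((int(entry), exe, "binary deleted while running"))
        elif exe.startswith(SUSPECT_DIRS):
            findings.append((int(entry), exe, "running from world-writable dir"))
    return findings


def build_sample_proc(root):
    """Constructed stand-in for /proc so the example runs offline."""
    sample = {
        "1": "/sbin/init",
        "812": "/usr/sbin/httpd",
        "4411": "/tmp/.x/bot",           # constructed sample entry
        "4502": "/var/tmp/a (deleted)",  # constructed sample entry
    }
    for pid, target in sample.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(target, os.path.join(root, pid, "exe"))
    os.makedirs(os.path.join(root, "net"))  # non-numeric entry, ignored
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for pid, exe, reason in suspect_processes(build_sample_proc(d)):
            print(pid, exe, reason)
```

On a live server, call `suspect_processes()` as root with the default `/proc` and save the output, together with copies of the listed files, before any cleanup.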
11-08-2006, 10:21 PM #9 Junior Guru Wannabe
- Join Date: Mar 2004
- Posts: 94
I agree that the reply from them was useless. I will not identify them right now but plan to speak to the owner. I have Steven from Rack911.com working on it and he found a bunch of stuff. I'll update as time goes on.