how: figure out the cause of excessive bandwidth

sde

i have a user whose bandwidth shot through the roof today. after searching, i found that i can look at: /usr/local/directadmin/data/users/<username>/bandwidth.tally

the last part of it is many many lines with the same exact number.

i can't see anything in the apache logs. is there anywhere else i can look to try to determine what the problem is?

the account is suspended. i want to turn it back on, but i don't know how we can closely monitor it.

so: 1. where should i look? 2. how can i monitor bandwidth for 1 domain closely throughout the day.
 
i reset the user's bandwidth tally this morning and monitored it throughout the day.

I kept running
Code:
echo "action=tally&value=myuser&type=user" >> /usr/local/directadmin/data/task.queue
and checking the bandwidth, it seemed ok.

Then, during the daily cycle around midnight tonight, it jumped from about 170mb to 4350mb.

What is tallying at the nightly run that would not be tallied during the command that I'm running above?

The domain usage under webalizer doesn't show the excessive numbers, so are the only other things it could be FTP or mail?

Any insight would be greatly appreciated.
 
Is it possible that this is the time that he makes a backup of his files and uses ftp to get it to another location?
 
thanks for the suggestion. i see a little activity in the proftpd logs at night, but he only has 260mb across 3 domains.
 
the last part of it is many many lines with the same exact number.
Sounds like outgoing spam to me.

Check the /etc/virtual/usage/username.bytes logs, as that's where the data is taken from.

I've seen several people install very insecure php formmailers, which allow for spammers to send spam at their leisure.

John
 
i searched around before i posted and found the idea of the insecure php mailer idea, but wouldn't that show up in the domain traffic?

i'm looking at this log and i do see a bunch of 25993 entries. is this showing me traffic such as mail as it happens?
 
Hello,

If it is a form mailer, the access to the php file would show up, but the bandwidth used by the email itself wouldn't (in the domain traffic).

John
 
we took down the form mailer yesterday, but it still persists. it's not a big site and i've gone through the php scripts and can't find any instances of the mail function being called.

i'm viewing the usage log with a tail -f and occasionally it will be written to many lines at a time with a value of around 25000 on each.

if it were a php form, wouldn't the POST data being sent to the form count as domain traffic? and if so, wouldn't it be the same amount as the email traffic?

point being if traffic at the end of the day was 4000mb, then it seems like the apache traffic should be 2000 if they are sending POST data to a web form.

i'm stumped. i'll probably have to shut this one down.
 
thanks for the link, i'll check it out.

i have been tailing the usage file, and every time it goes off, i look at the apache log.

the last 2 times it has done it ( many lines with 25000 bytes ) i checked the apache log and see that there are POST requests being made to the contact.php page that was deleted yesterday. it generates a 404 error.

is all this post data they could be sending what sets off the usage file?

if so, .. is there any way i can drop requests to this file? they are coming from all different IP addresses from places like china and Malaysia, so i can't just drop traffic based on IP.
 
also, the interval between the 2 events was about 1/2 hour.

if DA is running a tally of the usage every half hour, then it's all for stuff that has been happening over the last half hour.

if not, then it's all coming in at once.
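An added example (not from anyone in this thread) of the correlation described above, done over the Apache access log instead of by eye: it counts POST requests to the removed contact page per source IP and status, and buckets them per minute, so a burst of 404'd POSTs from many addresses shows up at a glance. The log lines are constructed sample data in Apache combined format; the path and IPs are placeholders.

```shell
#!/bin/sh
# Constructed sample access log (Apache combined format), not real traffic.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.5 - - [10/Jan/2009:00:02:11 -0800] "POST /contact.php HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jan/2009:00:02:12 -0800] "POST /contact.php HTTP/1.1" 404 312 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jan/2009:00:02:14 -0800] "POST /contact.php HTTP/1.1" 404 312 "-" "Mozilla/4.0"
198.51.100.20 - - [10/Jan/2009:00:31:40 -0800] "POST /contact.php HTTP/1.1" 404 312 "-" "Mozilla/4.0"
192.0.2.77 - - [10/Jan/2009:00:31:55 -0800] "POST /contact.php HTTP/1.1" 404 312 "-" "curl/7.15"
203.0.113.5 - - [10/Jan/2009:00:33:01 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.20 - - [10/Jan/2009:00:35:09 -0800] "POST /other.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
EOF

# Combined-format fields: $1 client IP, $4 "[dd/Mon/yyyy:HH:MM:SS",
# $6 "\"METHOD", $7 request path, $9 HTTP status.

# post_hits FILE PATH: "count ip status" for POSTs to PATH, busiest first.
post_hits() {
  awk -v path="$2" '$6 == "\"POST" && $7 == path { n[$1 " " $9]++ }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# distinct_posters FILE PATH: how many different source IPs POST to PATH
# (a high number for one dead page is the spray pattern the thread saw).
distinct_posters() {
  awk -v path="$2" '$6 == "\"POST" && $7 == path { print $1 }' "$1" \
    | sort -u | awk 'END { print NR }'
}

# posts_per_minute FILE PATH: "dd/Mon/yyyy:HH:MM count", chronological,
# to line up bursts with the moments the usage file fills.
posts_per_minute() {
  awk -v path="$2" '$6 == "\"POST" && $7 == path { m[substr($4, 2, 17)]++ }
       END { for (k in m) print k, m[k] }' "$1" | sort
}

echo "POSTs to /contact.php by IP and status:"; post_hits "$LOG" /contact.php
echo "distinct posting IPs: $(distinct_posters "$LOG" /contact.php)"
echo "POSTs per minute:"; posts_per_minute "$LOG" /contact.php
```

Run it against the real log with the real path in place of the sample; the per-minute view is what tells you whether the usage file is catching up on the last half hour or the requests really arrive in one burst.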
 
The POST data and apache usage data won't be exactly the same size, as it's like comparing apples to oranges.

POST data will also have httpd headers.. and email data will also have mail headers, so they'll vary roughly.

John
 
ok, after some more support emails I think i have it figured out.

I have my money on the possibility that there were a lot of emails held up in the exim queue (retrying to send) from before we took the PHP contact page down.

After I took the entire site down and deleted email accounts, I was still seeing mail traffic every 15 minutes to a half hour.

I'm guessing this was exim trying to resend the emails.

I reluctantly cleared the queue.

I've put the site back up and am now waiting .. so far so good.

Thanks for all the input. It's been another learning experience.
 
I have a spam laden exim queue -

what are the commands to delete this queue? - I can't find any info for this anywhere...
 
Hello,

I think there is an actual exim command around somewhere.. but sometimes, I'm in a rush, so I just do it manually:
Code:
cd /var/spool
mkdir -p exim2/db exim2/input exim2/msglog
chown -R mail:mail exim2
chmod -R 711 exim2
/sbin/service exim stop
mv exim exim.old
mv exim2 exim
/sbin/service exim start
This method is handier than just deleting the queue files, because sometimes there are too many spam messages for "rm -f *" to handle. This doesn't actually delete anything, it just renames directories around, allowing you to get your cleared out exim up and running again asap. Once everything is fine, then you can go ahead and delete the exim.old directory.

John
 