Need some help

redeye (Verified User, joined May 11, 2004, 145 messages)
[Solved]

Hi guys,

I need some help here. For 3 days, some huge data transfers have been taking place from my webserver. Download peaks of 60 Mbit are killing me. Somehow someone is transferring data from my webserver, for short periods of time.

I just can't find out how it's done. I used mod_bandwidth to limit to 512 kB on all domains. I use proftpd, which is limited per session to 200 kB.

How should I solve this? What can I do with logging to see what's going on?

I've checked with roothunter to be sure that I'm not compromised. Checked some with tcpdump, but it's not telling me a lot, because you never know when it hits you.

Any advice is welcome,


Redeye
 
If you're absolutely sure that both apache and proftpd are properly limiting all accounts (have you tested?), you might want to consider email logs as well. Maybe a spammer?

You could try keeping an eye on the highest used programs from top to determine which service or application the data is being transferred through the next time it happens. At least that will help you determine which log to start in.
Using that information, you would then check those logs for excessive entries for a particular user.
http://help.directadmin.com/item.php?id=11

Do you have ssh enabled for any accounts other than the admin?
 
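The reply above suggests finding the service first and then looking for excessive entries by a particular user. The script below is an added example and is not code from either poster: it reads Apache combined-format access log lines (the bytes-sent field is what matters for a bandwidth spike) and reports which client IP, which request path and which minute account for the traffic. The log lines are constructed for the example; the thresholds and the minute-level bucketing are the author's assumptions, not anything from the thread.

```python
import re
from collections import defaultdict

# Apache "combined" log format. After the status code comes the number of
# bytes sent, which is what a bandwidth investigation cares about.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines (not from the original thread): one client fetching
# a large archive repeatedly, the rest ordinary page views.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jan/2005:03:12:01 +0100] "GET /files/archive.tar.gz HTTP/1.1" 200 52428800 "-" "Wget/1.9"
198.51.100.4 - - [18/Jan/2005:03:12:03 +0100] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Jan/2005:03:12:11 +0100] "GET /images/logo.png HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Jan/2005:03:12:15 +0100] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 15400 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Jan/2005:03:12:22 +0100] "GET /missing HTTP/1.1" 404 - "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jan/2005:03:13:09 +0100] "GET /files/archive.tar.gz HTTP/1.1" 200 52428800 "-" "Wget/1.9"
203.0.113.7 - - [18/Jan/2005:03:13:20 +0100] "GET /files/archive.tar.gz HTTP/1.1" 206 31457280 "-" "Wget/1.9"
"""


def parse_line(line):
    """Return a dict with ip, minute, path, status, bytes; None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_bytes = m.group("bytes")
    return {
        "ip": m.group("ip"),
        # "18/Jan/2005:03:12:01 +0100" -> "18/Jan/2005:03:12" (minute bucket)
        "minute": m.group("ts").split(" ")[0].rsplit(":", 1)[0],
        # Group by path without the query string so /viewtopic.php?t=1 and ?t=2 merge.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
        # Apache writes "-" when nothing was sent (e.g. a 404 with no body).
        "bytes": 0 if raw_bytes == "-" else int(raw_bytes),
    }


def _aggregate(log_text, key):
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            totals[rec[key]] += rec["bytes"]
    return totals


def top_consumers(log_text, n=3):
    """Client IPs ranked by bytes sent, as (ip, bytes, share_of_total)."""
    totals = _aggregate(log_text, "ip")
    grand = sum(totals.values()) or 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(ip, b, b / grand) for ip, b in ranked]


def top_paths(log_text, n=3):
    """Request paths ranked by bytes sent."""
    totals = _aggregate(log_text, "path")
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def bytes_per_minute(log_text):
    """Bytes sent per minute, to locate when a burst happened."""
    return dict(_aggregate(log_text, "minute"))


def suspicious_clients(log_text, share_threshold=0.5):
    """IPs responsible for more than share_threshold of all bytes (assumed cutoff)."""
    return [ip for ip, _, share in top_consumers(log_text) if share > share_threshold]


if __name__ == "__main__":
    for ip, b, share in top_consumers(SAMPLE_LOG):
        print(f"{ip:16} {b:>12} bytes  {share:6.1%}")
    for path, b in top_paths(SAMPLE_LOG):
        print(f"{path:32} {b:>12} bytes")
    for minute, b in sorted(bytes_per_minute(SAMPLE_LOG).items()):
        print(f"{minute}  {b:>12} bytes")
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a single client or a single path carrying almost all bytes in a short minute window is the pattern the original poster describes, and the minute bucket tells you which tcpdump or proftpd/mail log window to look at next.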
Thx for your reply. The cause was something completely different.

This worm hit the server:
http://packetstormsecurity.org/0501-exploits/phpbb.ssh.D.txt

It's a worm abusing websites running phpbb <= 2.0.10.

This worm is trying to set up a huge ircd network and is spreading fast.

I added a few lines to mod_security that did the trick to prevent new infections; after that I had to reboot our server. Now I'm just searching for tracks of what else it did to the system.
 