Something is making outgoing (DoS) attacks

batoo

I was under DDoS attack for the last 2 weeks and finally I fixed it. It was strange that my ISP told me that my server was making DDoS attacks.

I didn't believe them, but since yesterday my server has been going down again.

When I see my Apache process with high CPU, I check my incoming connections with "netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr". Nothing there, everything is normal.

So maybe it's true that something is making an outgoing DDoS attack.

How can I monitor or check what or where my Apache is making connections?

P.S. Why is my access log file buggy?

Simple output

Code:
::1 - - [31/Mar/2013:05:00:44 +0200] "OPTIONS * HTTP/1.0" 200 138
::1 - - [31/Mar/2013:05:05:04 +0200] "OPTIONS * HTTP/1.0" 200 138
::1 - - [31/Mar/2013:05:05:05 +0200] "OPTIONS * HTTP/1.0" 200 138
 
OK, I think I got my problem.

One of my users has a Joomla site and it looks like it was hacked.

Check image1: black is my server IP, blue is the domain.

I also noticed some strange files, check image2.

But how can those files have the "apache" user and group?

odcff.png

g1Cbp.jpg
 
OK, I think I got my problem.
One of my users has a Joomla site and it looks like it was hacked.
Put in your TOS:

eg.
"As a host, we can do so much to combat hackers, but, as a client, it's your job to keep scripts and software up-to-date. If you fail to do this, we have the right to disable your account to protect other clients".

Also, I'd install mod_ruid2 and mod_security2 to PHP...... and maybe fail2ban with iptables or the like.
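
For the question above about where Apache is making connections, an added example (not part of the thread): a shell function that reads `netstat -ntup` output and counts sockets owned by Apache whose local port is not a listening port, i.e. connections the server opened itself. The function names, the `LISTEN_PORTS` variable, the `httpd`/`apache2` program names and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise OUTBOUND sockets owned by Apache from `netstat -ntup` output.
# Assumption: Apache listens only on the ports in LISTEN_PORTS, so an Apache socket
# with any other local port was opened by the server itself (outbound).
LISTEN_PORTS="${LISTEN_PORTS:-80 443}"

apache_outbound() {
    awk -v ports="$LISTEN_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) listen[p[i]] = 1 }
        $1 !~ /^(tcp|udp)/ { next }                  # skip the two header lines
        {
            owner = ""
            for (i = 6; i <= NF; i++)                # UDP rows may lack a State column
                if ($i ~ "^[0-9]+/") { owner = $i; break }
            if (owner !~ "/(httpd|apache2)") next    # keep only sockets held by Apache
            k = split($4, l, ":"); lport = l[k]      # port follows the last colon (IPv6-safe)
            if (lport in listen) next                # inbound client connection
            count[$5 " " owner]++                    # key: remote addr:port + PID/program
        }
        END { for (key in count) print count[key], key }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample of `netstat -ntup` output (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           198.51.100.7:51544      ESTABLISHED 2301/httpd
tcp        0      0 192.0.2.10:80           198.51.100.8:40211      TIME_WAIT   -
tcp        0      1 192.0.2.10:43512        203.0.113.50:80         SYN_SENT    2317/httpd
tcp        0      1 192.0.2.10:43513        203.0.113.50:80         SYN_SENT    2317/httpd
tcp        0      0 192.0.2.10:22           198.51.100.9:60122      ESTABLISHED 1450/sshd
udp        0      0 192.0.2.10:39011        203.0.113.50:53                     2317/httpd
tcp6       0      0 ::1:80                  ::1:51000               ESTABLISHED 2301/httpd
EOF
}

# Demo on the constructed sample: count, remote addr:port, PID/program.
sample_netstat | apache_outbound
```

On a live server, run `netstat -ntup | apache_outbound` as root so the PID/Program column is filled in for other users' processes; the PID in each row can then be matched to the virtual host it is serving.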
 