User's traffic in DA shows 50GB, but not webalizer/awstats

GoranTornqvist (Verified User, joined Sep 13, 2004, 58 messages, Stockholm)
Hello,
A customer's traffic has gone thru the roof this month:
48409.5 / 10240

But it's not his homepage that's been visited more, according to awstats and webalizer.

How do I determine what caused this rise in bandwidth usage?
My customer needs an answer and I obviously don't have one :)

Thanks for your help...
 
Has he got a php form which might have been hijacked to send spam?

Jeff
 
Yes he has, and I know that he's been having trouble with people using his html form to spam.
According to awstats the html form has had 612 hits in December so it's in the top.

What I found out:
Checking his user's bandwidth.tally file (size 13MB) I can see that there are MILLIONS of lines that show the same info, like:

30304
30304
30304
30304
30304
30304
30304
30304
30304
30304
30304
30502
30502
30502
30502
30502
30502
30502
30502
30502
30502
30502
30502
30502
30502
30502
30502
30502

last tally "querystring" looks like:

18685343.000000=type=tally&time=1134431505&ftp_bw_total=0.000000&http_bw_total=18489211.000000&da_bw_total=196132.000000


"http_bw_total" looks suspicious to me. Sums up to 18,48 GB which seems OK since the bandwidth for his account was about 20 GB less yesterday when I checked it in DA.

But since the traffic is not shown in awstats and webalizer I'll have a hard time convincing him that he used all this bandwidth :)

Checked the homedir log file (temporary address servername/~user) but couldn't find anything.

I'm lost, any ideas...?
Really need the source of this...

EDIT:
Got this answer from John, so it looks like it's email traffic:

Hello,

Check his /usr/local/directadmin/data/users/username/bandwidth.tally file
Any line that does not have an = sign in it is an outgoing email (taken from /etc/virtual/usage/username.bytes)
If you see many repeated lines of the same size (within a few bytes), then it's likely a spammer on his account.

Thank you,

John
 
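As an added example (not from this thread and not DirectAdmin's own code), a small Python script that applies John's rule of thumb to a bandwidth.tally file: lines without an "=" are treated as outgoing-email sizes in bytes, lines with "=" as the tally querystrings, and runs of near-identical email sizes are flagged. The file content is constructed; the 4-byte tolerance and the minimum run length of 3 are assumed thresholds, not values from the thread.

```python
from collections import Counter

# Constructed sample of a DirectAdmin bandwidth.tally file, not a real capture. Per John's note,
# lines without '=' are outgoing-email sizes in bytes; lines with '=' are tally querystrings.
SAMPLE_TALLY = """30304
30304
30306
30502
30502
30501
30502
1523
18685343.000000=type=tally&time=1134431505&ftp_bw_total=0.000000&http_bw_total=18489211.000000&da_bw_total=196132.000000
"""

def parse_tally(text):
    """Split the file into outgoing-email sizes (ints) and tally records (dicts)."""
    emails, tallies = [], []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if "=" not in line:
            emails.append(int(float(line)))
            continue
        total, _, query = line.partition("=")
        rec = {"total": float(total)}
        for key, _, val in (p.partition("=") for p in query.split("&")):
            try:
                rec[key] = float(val)
            except ValueError:
                rec[key] = val  # non-numeric field, e.g. type=tally
        tallies.append(rec)
    return emails, tallies

def suspicious_runs(emails, tolerance=4, min_count=3):
    """Bin sizes into tolerance-byte wide buckets; return {representative_size: count} for buckets with
    at least min_count messages. Sizes straddling a bucket edge split in two, which is fine for the gross case."""
    bins = {}
    for size in emails:
        bins.setdefault(size // tolerance, []).append(size)
    return {Counter(b).most_common(1)[0][0]: len(b) for b in bins.values() if len(b) >= min_count}

def report(text, tolerance=4, min_count=3):
    """Summarise where the bandwidth went (email vs http) and list suspicious email-size runs."""
    emails, tallies = parse_tally(text)
    return {
        "email_count": len(emails),
        "email_bytes": sum(emails),
        "http_bytes": sum(t.get("http_bw_total", 0.0) for t in tallies),
        "suspicious": suspicious_runs(emails, tolerance, min_count),
    }
```

Run it against the real file by reading /usr/local/directadmin/data/users/username/bandwidth.tally into report(); a spam run shows up as one or two buckets holding most of the email count.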
Found it.

The user's script was using the From e-mail in the mail header in the php mail() function without checking if it was valid...so the script was e-mail injected.

70GB of bandwidth...that's a lot of e-mails!
 
I'm surprised your DC didn't shut it down.
Mine shuts down the server completely at any sign of outgoing DoS attack.
They're a little overly strict though.

Anyways, Congratulations on solving your problem! :D
 
Goran, your customer is lucky we're not his host :) .

Our TOS allows us to charge US$10 per spam email sent.

After we point that out to them they're more than happy to pay for the bandwidth and for the time we spend to find and clean up the mess.

Do we always charge it? No.

Do we always charge something? No.

But it's important to have terms in place that allow you to recover your costs.

Jeff
 