PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




PostPosted: Fri Jun 12, 2009 3:38 am
DevNet Resident
Joined: Wed Jun 18, 2008 8:32 am
Posts: 1483
Location: Surrey
I noticed the other day that my server had massive inbound traffic of over 160GB in a matter of a few hours. This is very strange considering that in an average month I use about 30GB total.

I am not sure what logs to check. How can I hunt this down to try and find out what it was, or at least which IP it came from or which user etc.?

I am a bit concerned as it is excessively high.


PostPosted: Fri Jun 12, 2009 3:50 am
Site Administrator

Joined: Sun May 19, 2002 10:24 pm
Posts: 6887
Inbound? I would check FTP logs and disk space.

PostPosted: Fri Jun 12, 2009 4:27 am
DevNet Resident

Joined: Wed Jun 18, 2008 8:32 am
Posts: 1483
Location: Surrey
What port does FTP work on? I think it is blocked, as I only have a few ports open on my firewall (http, ssh).

Disk space is a good idea, thanks.


PostPosted: Fri Jun 12, 2009 4:43 am
Site Administrator

Joined: Sun May 19, 2002 10:24 pm
Posts: 6887
Default FTP port is 21.

PostPosted: Fri Jun 12, 2009 4:50 am
DevNet Resident

Joined: Wed Jun 18, 2008 8:32 am
Posts: 1483
Location: Surrey
Thanks. I checked my firewall and 21 is not on the safe list (blocked).

So it could not have been via FTP.

I did check the disk space as you mentioned, and no extra disk space has been taken, which is a good thing I guess, but still confusing.

That morning with the high bandwidth I did download the source for PHP and a few devel libs, then compiled PHP a few times, but I can't see that causing the issue?

Any other ideas?


PostPosted: Fri Jun 12, 2009 5:45 am
DevNet Resident

Joined: Wed Jun 18, 2008 8:32 am
Posts: 1483
Location: Surrey


PostPosted: Fri Jun 12, 2009 5:50 am
Moderator

Joined: Mon Nov 03, 2003 7:13 pm
Posts: 5978
Location: Odessa, Ukraine
Somebody ran a bruteforce attack on your ssh.
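As an added example (not code from the thread or any of its posters), here is how a defender would confirm a diagnosis like this from the SSH daemon's log instead of guessing: parse `sshd` "Failed password" / "Accepted" lines, count failures per source IP, list which usernames each source tried, and flag any source that failed repeatedly and then succeeded. The log lines below are constructed in the usual Debian/Ubuntu `/var/log/auth.log` layout with documentation-range IPs; the five-failure threshold and the hostname `web1` are assumptions, not values from the thread. On a real box you would feed the script the contents of your auth log (path varies by distribution) rather than the embedded sample.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in syslog-style sshd format (made up for this example;
# IPs are from the RFC 5737 documentation ranges, usernames are invented).
SAMPLE_AUTH_LOG = """\
Jun 12 03:01:11 web1 sshd[2201]: Failed password for invalid user oracle from 198.51.100.23 port 51122 ssh2
Jun 12 03:01:13 web1 sshd[2203]: Failed password for invalid user test from 198.51.100.23 port 51130 ssh2
Jun 12 03:01:15 web1 sshd[2205]: Failed password for root from 198.51.100.23 port 51141 ssh2
Jun 12 03:01:16 web1 sshd[2207]: Failed password for root from 198.51.100.23 port 51150 ssh2
Jun 12 03:01:18 web1 sshd[2209]: Failed password for invalid user admin from 198.51.100.23 port 51158 ssh2
Jun 12 03:02:02 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 40011 ssh2
Jun 12 03:05:40 web1 sshd[2215]: Accepted publickey for deploy from 192.0.2.10 port 55012 ssh2
Jun 12 03:06:01 web1 sshd[2217]: Failed password for deploy from 192.0.2.10 port 55020 ssh2
Jun 12 03:06:05 web1 sshd[2219]: Accepted password for deploy from 192.0.2.10 port 55021 ssh2
Jun 12 03:07:30 web1 CRON[2230]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "invalid user" is present when the account does not exist on the box at all,
# which is itself a strong hint that a wordlist is being tried.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Return (failures per IP, usernames tried per IP, list of accepted logins)."""
    failures = Counter()
    usernames = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            usernames[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
    return failures, usernames, accepted


def suspicious_sources(failures, usernames, threshold=5):
    """IPs with at least `threshold` failed logins, with the usernames they tried."""
    return {ip: sorted(usernames[ip]) for ip, n in failures.items() if n >= threshold}


def successes_from_failing_ips(failures, accepted):
    """Accepted logins from any IP that also produced failures: review these by hand."""
    return [(ip, user, method) for ip, user, method in accepted if failures[ip] > 0]


def summarize(text, threshold=5):
    failures, usernames, accepted = parse_auth_log(text)
    return {
        "failures_per_ip": dict(failures),
        "suspicious": suspicious_sources(failures, usernames, threshold),
        "successes_from_failing_ips": successes_from_failing_ips(failures, accepted),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_AUTH_LOG)
    for ip, n in sorted(report["failures_per_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:>16}  {n} failed logins")
    for ip, users in report["suspicious"].items():
        print(f"brute-force candidate {ip}: tried {', '.join(users)}")
    for ip, user, method in report["successes_from_failing_ips"]:
        print(f"NOTE: {ip} also logged in as {user} via {method}; check that this was you")
```

A source that tries several non-existent accounts in a few seconds is the brute-force pattern the moderator is describing; a source that fails and then gets an "Accepted" line is the one to investigate first, because that is what a successful guess looks like in the log. Counting lines also gives you a rough sense of scale: each failed attempt is only a few kilobytes of traffic, so the per-IP counts tell you whether the log activity can plausibly account for the bandwidth you saw.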


PostPosted: Fri Jun 12, 2009 6:03 am
Forum Newbie

Joined: Thu May 14, 2009 11:40 am
Posts: 12
Location: Germany
Generating 160GB of traffic in a couple of hours is very uncommon if you don't have a big website running on your server. There might be someone who is trying to break into your system by attempting to log in with a lot of different passwords, but 160GB is still way too much for that. I don't know what software you have running, but if I were you I would immediately look for bugs that your PHP scripts might have and take the system down if there was still a lot of traffic in the next hours/days. In my opinion, the most likely reason, in case someone broke into your server, is that someone set up an FTP server and uploaded warez. That's the only thing I have seen so far where such a huge amount of data came in.


PostPosted: Fri Jun 12, 2009 6:16 am
DevNet Resident

Joined: Wed Jun 18, 2008 8:32 am
Posts: 1483
Location: Surrey
Thanks for your feedback.

The only ports open on the server are ssh, http, mail, pop, smtp. So no one can upload apart from me via ssh.

It is the first time it has happened and it has not happened since, so it was a one-off occasion. I only have a few websites on the server and none of them are big; none of them have been updated in a while, so I don't think it will be a runaway script. The server sits idle most of the time. Disk space has not changed, I can account for all of it, so there do not appear to be any additional files on there.

But you think 160GB is a lot for someone trying a brute force attack?

I could limit access via ssh to my IP only. Would this help, or would it still show up in the logs as an attempted login?


PostPosted: Fri Jun 12, 2009 7:03 am
Site Administrator

Joined: Sun May 19, 2002 10:24 pm
Posts: 6887
Sounds more like a DOS attack to me.

PostPosted: Fri Jun 12, 2009 7:05 am
DevNet Resident

Joined: Wed Jun 18, 2008 8:32 am
Posts: 1483
Location: Surrey
If so how can I prevent it?


PostPosted: Fri Jun 12, 2009 7:12 am
Forum Newbie

Joined: Thu May 14, 2009 11:40 am
Posts: 12
Location: Germany
Yep, I think it is way too much for that. By the way, is it a dedicated server?
Just because tools like df say that disk space has not changed, it does not automatically mean that nothing has happened, or could have happened. Someone could have installed a rootkit that hides everything.
And even if your firewall blocks incoming connections, one can still upload files using a reverse proxy, or just download files by connecting from your server to another one. There are countless ways of transferring data ;)
Well, of course, all this does not mean that something bad happened to your server, but there is always a chance.
Restricting ssh access to your IP would work, if nobody has gained access yet, but there are better things. On my server I also block anything except HTTP. Lighttpd is running in a jail, so even if there is a bug in one of my scripts, nothing dangerous can happen to my system. To log in I have knockd running and also a little program that I wrote on my own that looks up a dynamic domain name (no-ip.org) and allows connections from that IP. So everyone but me can only access HTTP :)


PostPosted: Fri Jun 12, 2009 7:34 am
DevNet Resident

Joined: Wed Jun 18, 2008 8:32 am
Posts: 1483
Location: Surrey


PostPosted: Fri Jun 12, 2009 7:56 am
Forum Newbie

Joined: Thu May 14, 2009 11:40 am
Posts: 12
Location: Germany
At first I wasn't sure if you were talking about a dedicated server or just shared webspace, but since you have root access and everything, never mind ;)
Clearing the login history is one of the easiest things, and also getting root access is not that hard. Just take a look at bugtraq or milw0rm; there are many "local root" exploits floating around. In the worst case a hacker would exploit vulnerabilities that have not been reported yet to the developers. That's why I like to keep every port shut. Of course, there could be a bug in iptables, but the risk is hopefully very low.
Putting lighttpd into a jail took me some time, but there is a good available. You can find knockd and a good documentation over .


PostPosted: Fri Jun 12, 2009 9:46 am
Forum Contributor

Joined: Sun May 24, 2009 5:37 pm
Posts: 355
Location: Chester, UK
Sounds like it might be a distributed DOS? Did the server go down, even for only a couple of minutes?

