
bandwidth spike

Discussion in 'General Discussion' started by Secret Agent, Oct 21, 2005.

  1. Secret Agent

    Secret Agent Guest

    I got a report from NOC for sudden bandwidth spike on my server.

    WHM stats shows this:

    Code:
    nobody  356.37 0.01 0.0 
    Top Process %CPU 25.2 perl u 64.237.38.194 8099 60 
    Top Process %CPU 25.1 perl u 64.237.38.194 8099 60 
    Top Process %CPU 25.0 perl u 64.237.38.194 8099 60 
    root  9.11 5.66 2.0 
    Top Process %CPU 31.0 netstat -npl 
    Top Process %CPU 30.0 netstat -nlp 
    Top Process %CPU 13.0 netstat -npl 
    
    rkhunter and chkrootkit both show no indication of hacking or vulnerabilities

    chkrootkit did show this portion:

    warning, got duplicate tcp line. (about two dozen of these lines)
    INFECTED (PORTS: 114 465)
    Checking `lkm'... You have 2 process hidden for readdir command
    You have 2 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed

    /tmp folder is clean as well, no suspicious files or such

    NOC said this:

    I'm currently showing an elevation in bandwidth and packetrate from server015 on your network.

    Bandwidth: 58.5Mbps
    Packetrate: 100Kpkts/sec

    I'm a bit confused as to what could have caused such a high spike suddenly.

    I do have a lot of security layers on the server including:

    APF
    BFD
    LSM
    SIM
    /tmp secure
    direct root disabled
    masked apache/bind
    LES
    Sysctl.conf hardening
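    The chkrootkit lines above ("2 process hidden for readdir command", "2 process hidden for ps command") come from its chkproc test, which compares the PIDs that the /proc directory listing and ps report against the PIDs found by asking for /proc/<pid> directly. An LKM rootkit that hooks the directory listing usually still answers a direct path lookup, which is what makes the hidden entries visible. The following is an added example of that check, not code from the thread or from chkrootkit; the function names, the injectable `exists`/`recheck` callables and the constructed PID sets used for testing are all assumptions made for the example.

```python
"""Added example (not from the thread or from chkrootkit): a chkproc-style check
for processes hidden from readdir() and from ps.  PIDs are enumerated three ways
and the differences are reported."""
import os
import subprocess


def read_pid_max(path="/proc/sys/kernel/pid_max", default=32768):
    """Highest PID the kernel hands out; falls back to a default if /proc is unavailable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def pids_from_readdir(proc="/proc"):
    """PIDs as reported by listing /proc (the view a hooked readdir() can filter)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_from_ps():
    """PIDs as reported by ps, which reads /proc itself and can be fooled the same way."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def pids_from_probe(max_pid, exists=os.path.exists):
    """PIDs found by stat()ing /proc/<pid> directly instead of trusting the listing.
    'exists' is injectable so the logic can be tested without a live /proc."""
    return {pid for pid in range(1, max_pid + 1) if exists(f"/proc/{pid}")}


def _proc_exists(pid):
    return os.path.exists(f"/proc/{pid}")


def hidden_pids(visible, probed, recheck=_proc_exists):
    """PIDs reachable by direct probe but absent from the 'visible' set.

    A process that exited between the listing and the probe would look hidden,
    so each candidate is re-checked once before it is reported (chkproc also
    tolerates this race by testing twice)."""
    return sorted(pid for pid in probed - visible if recheck(pid))


def hidden_process_report(readdir_pids, ps_pids, probed, recheck=_proc_exists):
    """Same two numbers chkrootkit prints: hidden from readdir, hidden from ps."""
    return {
        "readdir": hidden_pids(readdir_pids, probed, recheck),
        "ps": hidden_pids(ps_pids, probed, recheck),
    }


if __name__ == "__main__":
    # Run as root so the probe sees every process, as chkrootkit does.
    probed = pids_from_probe(read_pid_max())
    report = hidden_process_report(pids_from_readdir(), pids_from_ps(), probed)
    for source, pids in report.items():
        print(f"{len(pids)} process(es) hidden from {source}: {pids}")
```

    A PID that shows up in the "readdir" list is the stronger signal: ps can miss a process for ordinary reasons (a short-lived child, an unusual ps build), but a directory that stat() finds and readdir() omits means something is filtering the listing, which is what the chkrootkit warning in the post is based on.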
     
  2. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    There have been a couple of posts regarding an exploit with Fantastico where the server can end up being used as a 'file dump' for xdcc... you might want to check to make sure that you were not hit by this... check the folders inside your Fantastico install (I don't have the exact path right now, but it's here on the forum somewhere) for any abnormal files... big ones (about the size of say, a movie rip, or 700mb-1.4gb) would be a dead giveaway.
    This is, of course, assuming you have Fantastico.
     
  3. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    Do you backup via remote ftp? That might appear to spike the bandwidth when backups run.
     
  4. Secret Agent

    Secret Agent Guest

    No ftp backups
     
  5. Secret Agent

    Secret Agent Guest

    Someone sent an email complaining of being ddos'd as well from this same server (odd)

    01:15:53.587846 IP xxx.202.65.106.21560 > 64.237.38.194.8099: UDP, length 1
    01:15:53.587849 IP xxx.202.65.106.21559 > 64.237.38.194.8099: UDP, length 1
    01:15:53.587852 IP xxx.202.65.106.21561 > 64.237.38.194.8099: UDP, length 1
    01:15:53.587855 IP xxx.202.65.106.21563 > 64.237.38.194.8099: UDP, length 1
    01:15:53.587857 IP xxx.202.65.106.21561 > 64.237.38.194.8099: UDP, length 1
    01:15:53.587858 IP xxx.202.65.106.21559 > 64.237.38.194.8099: UDP, length 1

    Does this make sense? how could I track outgoing attacks (if true)? I have iptraf installed also.
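    One answer to "how could I track outgoing attacks" is to turn capture output like the lines above into per-destination packet rates, so that a flood leaving the server stands out from normal traffic. The script below is an added example, not part of the thread: it parses the UDP line format tcpdump prints, classifies each packet as inbound or outbound relative to the server's own address, counts packets per (direction, remote host, port) in one-second buckets, and reports the keys whose peak rate crosses a threshold. The sample lines are constructed for the example (198.51.100.7 and 203.0.113.9 are documentation addresses; 64.237.38.194 is the server address from the posts), and the function names and the threshold are assumptions.

```python
"""Added example (not from the thread): rate outbound/inbound UDP flows from
tcpdump text output to spot a flood coming from the local host."""
import re
from collections import Counter, defaultdict
from typing import NamedTuple, Optional

# Matches the UDP line format seen in the thread, e.g.
# "01:15:53.587846 IP 10.0.0.1.21560 > 10.0.0.2.8099: UDP, length 1"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


class Packet(NamedTuple):
    second: str   # HH:MM:SS, the one-second bucket the packet falls in
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump UDP line; non-UDP or malformed lines return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["ts"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), int(m["len"]))


def classify(pkt: Packet, local_addr: str):
    """Key a packet by direction relative to this server, the remote host and the port."""
    if pkt.src == local_addr:
        return ("outbound", pkt.dst, pkt.dport)
    if pkt.dst == local_addr:
        return ("inbound", pkt.src, pkt.dport)
    return ("transit", pkt.src, pkt.dport)


def peak_rates(lines, local_addr: str):
    """Highest packets-per-second seen for each (direction, remote, port) key."""
    buckets = defaultdict(Counter)   # key -> Counter(second -> packet count)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        buckets[classify(pkt, local_addr)][pkt.second] += 1
    return {key: max(per_second.values()) for key, per_second in buckets.items()}


def flag_floods(lines, local_addr: str, threshold_pps: int):
    """Keys whose peak rate reaches the threshold, sorted for stable output."""
    rates = peak_rates(lines, local_addr)
    return sorted((key, pps) for key, pps in rates.items() if pps >= threshold_pps)


# Constructed sample: five outbound packets in one second, one more in the next,
# two inbound packets, one TCP line and one junk line (both ignored by the parser).
SAMPLE_LINES = [
    "01:15:53.587846 IP 64.237.38.194.21560 > 198.51.100.7.80: UDP, length 1",
    "01:15:53.587849 IP 64.237.38.194.21559 > 198.51.100.7.80: UDP, length 1",
    "01:15:53.587852 IP 64.237.38.194.21561 > 198.51.100.7.80: UDP, length 1",
    "01:15:53.587855 IP 64.237.38.194.21563 > 198.51.100.7.80: UDP, length 1",
    "01:15:53.587857 IP 64.237.38.194.21561 > 198.51.100.7.80: UDP, length 1",
    "01:15:54.100001 IP 64.237.38.194.21559 > 198.51.100.7.80: UDP, length 1",
    "01:15:53.600000 IP 203.0.113.9.40001 > 64.237.38.194.8099: UDP, length 1",
    "01:15:53.600100 IP 203.0.113.9.40002 > 64.237.38.194.8099: UDP, length 1",
    "01:15:53.700000 IP 203.0.113.9.40003 > 64.237.38.194.22: Flags [S], seq 1, win 64240, length 0",
    "not a tcpdump line",
]

if __name__ == "__main__":
    for (direction, remote, port), pps in flag_floods(SAMPLE_LINES, "64.237.38.194", 3):
        print(f"{direction} {remote}:{port} peaked at {pps} pkt/s")
```

    To use it against live traffic, pipe line-buffered capture output into it (for example `tcpdump -nn -l udp` read from stdin in place of `SAMPLE_LINES`). A real threshold should be far higher than the 3 used here; the NOC figure of 100Kpkts/sec in the first post gives a sense of what a flood looks like, while the tiny one-byte payloads and the single perl process bound to port 8099 in the WHM stats are the details worth correlating with whatever this reports.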
     
  6. aryan

    aryan Member
    PartnerNOC

    Joined:
    Dec 8, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Help...

    Sir,

    Please tell me what entries are required in these files (HTTPD.CONF, HOST.CONF, FTP)
    for hardening.

    Please help its urgent.

    Thanks.

    Regards

    ASHOK
     