If someone downloaded 600GB , can that be ddos attack

Question

Last night some one exploit some vulnerability in my site and then upload php script in my images folder.

I have the Amazon EC2 server with centos.

Now the Hacker downloaded 600GB and increased my bill.

Can this be DOS attack. How can I check it.

When hacker was downloading then I see

I then stopped my instance

How can I see what happened

Please don't ask the same question on multiple StackExchange sites. — Ladadadada, Sep 05 '13 at 09:27
It's not really a dupe, but it's definitly close-worthy. I voted as 'unclear'. — Adi, Sep 05 '13 at 10:00
What do you mean by downloaded? Was this traffic downloaded FROM your vm or TO your VM? If the former, what do your logs show you? — symcbean, Sep 05 '13 at 10:16

score 0 · Answer 1 · answered Sep 05 '13 at 06:27

0

if the data is transfered via http, then this is probably not an attack; check your apache-logs. check the user-agents and corresponding ips

what it might be:

btw, if you still have data-transer w/out apache ... do your really know what you are doing there? how do you know about non-HTTP-data-transfer?

answered Sep 05 '13 at 06:27

is there any way to find non http data transfer – user22 Sep 05 '13 at 06:34
Have you checked your Apache logs yet? That is the first step. It probably has the right answer. I expect you will find millions of requests to that file the attacker uploaded. By default, the size of the response is the field after the response code and is measured in bytes. – Ladadadada Sep 05 '13 at 07:09
you can use ntop to monitor traffic on that host, but you need root access. another tool for live-traffic-monitoring is iptraf, or you can run (as root) "lsof | grep TCP" or "netstat -nv -t tcp". you server is probably part of an irc-botnet already. if so, you'll probably see strange stuff in /tmp, like hidden directories. – that guy from over there Sep 05 '13 at 19:28

1 Answers1