
Possible Duplicate:
My server's been hacked EMERGENCY

I run a couple of sites on Ubuntu via Rackspace Cloud Server. My site typically uses about 3 GB of outbound bandwidth a day. Today, I was shocked to discover that for the past week, my server has logged 2 Terabytes of outbound bandwidth a day. This is obviously completely abnormal and is costing me an arm and a leg. Interestingly, awstats shows my sites have been using the typical amount of bandwidth, so it's something else that's causing this ridiculous spike.

I suspect my site has been hacked. I ran root checks, went through my server logs, and found nothing suspicious. Do you guys have ideas on what else I can do to figure this out?

weicool
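The point in the question is that the application's own statistics (awstats) only see what the web server served, while the provider bills what the interface actually transmitted; the gap has to be attributed to some other socket and process. The script below is an added example, not part of the original post, showing how a practitioner would do that attribution from the text output of two standard Linux tools: `ss -tnp state established` (which process owns which local port) and `/proc/net/dev` (bytes really leaving the interface). The `ss` lines and the `/proc/net/dev` excerpt embedded in it are constructed sample data; the process names, addresses and counters in them are illustrative only.

```shell
#!/bin/sh
# Added example, not from the original post or its author. Attribute
# outbound connections to local ports and owning processes, and read the
# interface transmit counter directly, so the bandwidth the provider bills
# can be compared with what the web server itself accounts for.

# Sample output of "ss -tnp state established", constructed for this example.
SAMPLE_SS='Recv-Q Send-Q Local Address:Port Peer Address:Port Process
0 0 10.0.0.5:80 198.51.100.7:51234 users:(("apache2",pid=1234,fd=12))
0 0 10.0.0.5:80 198.51.100.8:51235 users:(("apache2",pid=1235,fd=12))
0 0 10.0.0.5:44321 203.0.113.9:6667 users:(("kthreadd",pid=2222,fd=3))'

# Sample /proc/net/dev, constructed for this example.
SAMPLE_NETDEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 5000000   40000    0    0    0     0          0         0 987654321  600000    0    0    0     0       0          0'

# summarize_ss: read "ss -tnp" output on stdin; print "count local_port process",
# busiest first. The first column containing ":" is the local address:port, so
# this works with or without the leading State column that "ss" prints when no
# state filter is given. Without root, "ss -p" shows no owner: "unknown".
summarize_ss() {
    awk '
    /Recv-Q/ { next }
    {
        lport = "?"; proc = "unknown"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:/) { n = split($i, a, ":"); lport = a[n]; break }
        }
        if (match($0, /users:\(\("[^"]*"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        count[lport " " proc]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# flag_unexpected EXPECTED...: drop summary lines whose process is on the
# allow-list; whatever remains holds connections the web stack did not open.
flag_unexpected() {
    allow=" $* "
    while read -r n port proc; do
        case "$allow" in
            *" $proc "*) ;;
            *) echo "$n $port $proc" ;;
        esac
    done
}

# tx_bytes IFACE: transmit byte counter for IFACE from /proc/net/dev text on stdin.
# The interface name may be glued to the first counter ("eth0:123"), so split on ":".
tx_bytes() {
    awk -v ifc="$1" '
    $0 ~ "^ *" ifc ":" { sub(/^[^:]*:/, ""); print $9 }'
}

# tx_rate IFACE SECONDS: bytes per second actually leaving the interface,
# independent of what any application log claims. Live host only.
tx_rate() {
    b1=$(tx_bytes "$1" < /proc/net/dev); sleep "$2"; b2=$(tx_bytes "$1" < /proc/net/dev)
    echo $(( (b2 - b1) / $2 ))
}

# On a live host:  ss -tnp state established | summarize_ss | flag_unexpected apache2
#                  tx_rate eth0 10
# Here, run over the constructed samples:
printf '%s\n' "$SAMPLE_SS" | summarize_ss | flag_unexpected apache2
printf '%s\n' "$SAMPLE_NETDEV" | tx_bytes eth0
```

Run it as root on the affected host so `ss -p` can name the owning process; a local port other than 80/443 with many established peers, or a process name that is not the web server, is the lead to follow. If `tx_rate` is high while `summarize_ss` shows nothing, the traffic is not TCP or the socket is being hidden, which is itself a finding.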

1 Answer


I'd start by having RackSpace shut down all outbound traffic from your server at the firewall, with the exception of traffic which is coming from port 80. Then set up new VMs, migrate your data and inspect the compromised machine's VM later, using what you've learned to better secure your new server.

mrdenny
  • That's kind of bad advice; obviously the OP has some serious security issues with his sites and his setup. It would be wise to try and find those issues, or else he will soon be in trouble again. – Niko S P Mar 15 '12 at 00:25
  • He can always keep the VM around and do analysis on it later. Right now he's spending money like crazy on bandwidth. First problem: stop spending money on nothing. Second problem: find the hole and plug it. – mrdenny Mar 15 '12 at 00:36
  • You are right about that, but I suggest editing your answer to reflect the "keep the VM and analyse" part. – Niko S P Mar 15 '12 at 02:12
  • That's a fair point. I've updated it. – mrdenny Mar 15 '12 at 02:26
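The answer's first step, stop everything leaving the box except the web server's replies, can be done on the host itself while waiting for the provider. The ruleset below is an added example, not the answer's own or Rackspace's, written as an iptables-restore file. It goes one step beyond "traffic coming from port 80" on purpose: the source-port match is combined with a conntrack ESTABLISHED match, because a process on a compromised box that runs as root can bind source port 80 itself, and a bare `--sport 80` rule would let it out; its first outbound packet is NEW, not ESTABLISHED, so the combined rule drops it. Everything dropped is logged with the local UID so the kernel log shows which account is trying to talk out, and a small parser turns those log lines into a destination table. Assumptions: IPv4 iptables with the conntrack, multiport, limit and LOG modules, web ports 80/443, and an admin range `MGMT_NET` (a placeholder you must replace, or SSH replies will be dropped too). The kernel log lines embedded at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original answer. Emergency egress lockdown for a
# single-purpose web host: only reply traffic from the web server (TCP source
# port 80/443 on an ESTABLISHED connection) and SSH replies to the admin range
# may leave; everything else outbound is logged with its UID and dropped.
# Assumptions: IPv4 iptables; WEB_PORTS and MGMT_NET below are placeholders.

WEB_PORTS="${WEB_PORTS:-80,443}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # placeholder admin/VPN range: replace

# egress_ruleset: print the rules in iptables-restore format; applies nothing.
# Source port alone is not enough: a root process can bind sport 80 itself.
# Its first packet is conntrack state NEW, so the ESTABLISHED match stops it,
# while the web server's SYN-ACK to an accepted inbound SYN is ESTABLISHED.
egress_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:EGRESS_LOG - [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m multiport --sports $WEB_PORTS -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 22 -d $MGMT_NET -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j EGRESS_LOG
-A EGRESS_LOG -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "EGRESS-DROP: " --log-level 4 --log-uid
-A EGRESS_LOG -j DROP
COMMIT
EOF
}

# apply_ruleset: load the rules atomically (root required, replaces the filter table).
apply_ruleset() {
    egress_ruleset | iptables-restore
}

# summarize_drops: read kernel log lines on stdin and count EGRESS-DROP entries
# by destination, destination port and local UID, busiest first.
summarize_drops() {
    awk '/EGRESS-DROP:/ {
        dst = "?"; dpt = "?"; uid = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/) dst = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
            if ($i ~ /^UID=/) uid = substr($i, 5)
        }
        count[dst ":" dpt " uid=" uid]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# Kernel log lines in the format the LOG target writes, constructed for this example.
SAMPLE_KLOG='Mar 15 00:20:01 web1 kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=44321 DPT=6667 WINDOW=14600 RES=0x00 SYN URGP=0 UID=33 GID=33
Mar 15 00:20:02 web1 kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=44322 DPT=6667 WINDOW=14600 RES=0x00 SYN URGP=0 UID=33 GID=33
Mar 15 00:20:05 web1 kernel: EGRESS-DROP: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=1024 DPT=53 LEN=1480 UID=0 GID=0'

# "./egress.sh" prints the ruleset and a drop summary of the sample log;
# "./egress.sh apply" loads it. On a live host feed summarize_drops from
# "journalctl -k" or /var/log/kern.log instead of the sample.
case "${1:-}" in
    apply) apply_ruleset ;;
    *)     egress_ruleset; echo; printf '%s\n' "$SAMPLE_KLOG" | summarize_drops ;;
esac
```

Review the printed ruleset before running with `apply`, and keep a console session open through the provider in case the management range is wrong. The `OUTPUT DROP` policy also blocks the host's own DNS, package updates and outbound mail, which is intended during containment; add narrowly scoped ACCEPT rules above `-A OUTPUT -j EGRESS_LOG` only for what the investigation actually needs. The UID in the drop log is the fastest way to tell whether the traffic comes from the web server's account (a compromised site) or from root (a compromised host), which decides how much of the old VM is worth trusting.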