AWS Ec2 sending out > 10TB a month

0

I have received some alerts from AWS that my instance is sending out large amounts of data to some websites. Close to and greater than 10TB a month.

I have wordpress and apache installed on this ec2.

I ran iftop from this answer.

I get this result:

ip-xx-xxx-x-xx.xx-xxx-x.compute.xxxxx  => xxx.xx.xx.x     4.33kb  48.2kb  59.6kb
                                       <=                 141kb   3.45Mb  4.18Mb
ip-xx-xxx-x-xx.xx-xxx-x.compute.xxxxx  => yyy.yyy.yy.yyy  20.7kb  23.9kb  9.22kb

If I run nethogs I get:

?     root     my-ec2-ipaddress:randomportnumber-externalipaddress:80    0.021    0.182 KB/sec
?     root     my-ec2-ipaddress:randomportnumber-externalipaddress:80    0.021    0.12 KB/sec
?     root     my-ec2-ipaddress:randomportnumber-externalipaddress:80    0.021    0.185 KB/sec
?     root     my-ec2-ipaddress:randomportnumber-externalipaddress:80    0.021    0.152 KB/sec

How do I find the offending program?

Siddharth

Posted 2016-04-29T04:26:59.510

Reputation: 111

Try using netstat -tupn to get the name/PID of the program that is using those ports. Then ps faux could be used to see if that process was spawned by another process. – Madoc Comadrin – 2016-04-29T05:51:27.540

/usr/bin/host is sending out all that data – Siddharth – 2016-04-29T06:25:46.483

What user is running that process? Looks like it might be a case of an attack like this one: https://nixtree.com/blog/detecting-wordpress-outbound-bruteforce-attack-from-server/ – Madoc Comadrin – 2016-04-29T06:41:42.283
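The two steps Madoc Comadrin suggests (netstat -tupn to map connections to PIDs, then the process tree to see who spawned them), as an added example script that is not part of the original thread. It assumes a Linux host with /proc; the netstat output embedded in it is constructed for the demo, with documentation-range addresses.

```shell
#!/bin/sh
# Added example (not from the original post): map outbound connections to
# PID/program from `netstat -tupn` output, then walk a PID's parent chain.
# Assumes Linux with /proc; the netstat output below is constructed.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address    State       PID/Program name
tcp        0      0 10.0.0.5:43210  203.0.113.10:80    ESTABLISHED 2345/host
tcp        0      0 10.0.0.5:43211  203.0.113.11:80    ESTABLISHED 2345/host
tcp        0      0 10.0.0.5:22     198.51.100.7:51234 ESTABLISHED 812/sshd
tcp        0      0 10.0.0.5:43212  203.0.113.12:443   ESTABLISHED 1999/apache2
udp        0      0 10.0.0.5:68     10.0.0.1:67                    600/dhclient'

# Read `netstat -tupn` output on stdin; print "pid program connections",
# busiest first, for connections whose remote port is in the argument list
# (all ports when no arguments). A "-" PID column (not root) is skipped.
outbound_owners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            k = split($5, a, ":"); port = a[k]            # remote port
            if (n > 0 && !(port in want)) next
            split($NF, pp, "/")                           # "2345/host"
            if (pp[1] ~ /^[0-9]+$/) seen[pp[1] " " pp[2]]++
        }
        END { for (key in seen) print key, seen[key] }
    ' | sort -k3,3nr
}

# Print "pid ppid command" from a PID up to init, so a helper spawned by the
# web server (e.g. apache2 -> sh -> host) stands out. Uses /proc, else ps(1).
ancestry() {
    pid=$1
    while [ "$pid" -gt 1 ] 2>/dev/null; do
        if [ -r "/proc/$pid/status" ]; then
            ppid=$(awk '$1 == "PPid:" { print $2 }' "/proc/$pid/status")
            cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ')
        else
            ppid=$(ps -o ppid= -p "$pid" 2>/dev/null | tr -d ' ')
            cmd=$(ps -o args= -p "$pid" 2>/dev/null || true)
        fi
        [ -n "$ppid" ] || break
        printf '%s %s %s\n' "$pid" "$ppid" "$cmd"
        pid=$ppid
    done
}

# Demo on the constructed sample; on a live host feed `sudo netstat -tupn`
# (or `ss -tunp`) instead, then run `ancestry <pid>` for each PID listed.
printf '%s\n' "$SAMPLE_NETSTAT" | outbound_owners 80 443
```

On the sample this lists 2345/host with two port-80 connections ahead of 1999/apache2, and `ancestry 2345` on a real host would show whether host was started by the web server (a cron job or a compromised WordPress plugin is the usual culprit) rather than by an administrator's shell.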

No answers