
I have a VPS hosted on GoDaddy, managed with cPanel.

I've averaged 30-50GB a month, but then it went up to 1200+GB in one day. It appears my server has been compromised. The thing is my website itself uses only 45GB per month.

I paid to increase the bandwidth and checked: my website bandwidth is still at 45GB, but my server is at 1293GB. A couple hours later, it spiked again to 4983GB, although I was enrolled in bandwidth overage protection then. It is now suspended. They want me to pay again to cover the overage in order for them to check the problem.

How can I stop it? What's the likely cause of it? Someone suggested disabling access to all ports except SSH. I am on a VPS with GoDaddy using cPanel. No one has root access to the server except me.

I know I really don't need a VPS at the moment, but it is really stopping me from moving forward with my plans.

user111533

3 Answers


Since you know you've been compromised I'm not sure exactly what you're asking, but I'll try my best to help answer some of your questions.

What could be causing outrageous bandwidth spikes?: Spammers, botnets, anonymous proxies, file sharing activities.

How can I stop it?: Destroy the server and rebuild it. You'll never be sure that your new hacker friends haven't left you presents until you do that.

Someone suggested disabling access to all ports except SSH.: Can I make an alternate suggestion? Don't allow SSH access into your server from the Internet. If you need remote SSH access, add firewall rules from static network ranges you control. In fact, you should have explicit firewall rules for every service you offer on your system allowing access only where absolutely necessary.

No one has root access to the server except me.: I bet there are a few hackers that would disagree with this statement.

I am on a VPS with Godaddy using Cpanel.: If you're going to use solutions like cPanel, you need to be sure you keep it up to date. They and WordPress monopolize the "please hack me" industry as people install the software and very often do not maintain it.

Kyle Smith
  • Thanks for the help. Destroying the server and rebuilding is a good idea, will have to make it a smooth transition. I have a shared hosting still active. – user111533 Feb 23 '12 at 02:30
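The firewall advice in this answer, as an added shell example that is not from the answer's author or from GoDaddy/cPanel: it generates an iptables-restore ruleset from a list of administrator networks and public ports, so SSH is reachable only from those networks, every other offered service gets its own explicit allow rule, and everything else is dropped and logged. The ranges and ports are constructed placeholders (RFC 5737 documentation addresses); nothing is applied to the running firewall.

```shell
#!/bin/sh
# Added example, not part of the original answers.
# Build an iptables-restore ruleset: SSH only from administrator-controlled
# networks, explicit allow rules for each public service, everything else
# dropped and logged. Values below are constructed placeholders.

ADMIN_RANGES="203.0.113.0/24 198.51.100.10/32"   # assumption: static ranges you control
PUBLIC_TCP_PORTS="80 443"                         # assumption: the only services the VPS offers

# Print a complete ruleset for the given admin ranges and public ports.
# Nothing is applied; pipe the output into iptables-restore after review.
build_ruleset() {
    admin_ranges=$1
    public_ports=$2
    echo "*filter"
    echo ":INPUT DROP [0:0]"        # default deny for inbound traffic
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SSH: one rule per trusted source range, never a blanket allow
    for range in $admin_ranges; do
        echo "-A INPUT -p tcp -s $range --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Public services: one explicit rule per offered port
    for port in $public_ports; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the default policy drops, rate-limited so the log stays readable
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"INPUT-DROP: \""
    echo "COMMIT"
}

# Number of allow rules that reference a port (used to sanity-check the output).
count_rules_for_port() {
    build_ruleset "$ADMIN_RANGES" "$PUBLIC_TCP_PORTS" | grep -c -- "--dport $1 "
}

# Succeeds only if every SSH rule carries a source restriction.
ssh_is_restricted() {
    ! build_ruleset "$ADMIN_RANGES" "$PUBLIC_TCP_PORTS" | grep -v -- '-s ' | grep -q -- '--dport 22 '
}

build_ruleset "$ADMIN_RANGES" "$PUBLIC_TCP_PORTS"
```

If the host fronts the firewall with its own panel tooling, express the same allow list there instead of loading raw rules, and have an out-of-band console available before loading a default-deny policy over the SSH session you are sitting on.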

Fire up tcpdump and run a capture. I'm sure you'll find your culprit in no time - it should be fairly obvious.

EEAA
  • Thanks. I'm reading up on tcpdump. I'm afraid I am a little over my head here, taken by surprise. Is it simply this command $ tcpdump -vvxXlnni eth0 port 53 | grep A? | awk -F? '{print $2}' ? – user111533 Feb 23 '12 at 02:24
  • Perhaps iftop would be a better tool to start with. Tcpdump will show you the headers (and data with more switches) of the low level packets, but if you don't know much about what these mean it will be a lot of spam to you. – Flamewires Feb 23 '12 at 22:40
  • I found the problem. There was a security in a timthumb script used by my wordpress theme: http://www.websitedefender.com/wordpress-security/timthumb-vulnerability-wordpress-plugins-themes/ – user111533 Feb 24 '12 at 02:20
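Following on from the tcpdump suggestion and the iftop comment, an added example that is not from EEAA or the other posters: it reduces tcpdump -nn output to bytes per source/destination host pair, largest first, which is the quickest way to see which flow is responsible when a server starts pushing out thousands of gigabytes. The packet lines embedded in the script are constructed sample data using RFC 5737 addresses, with 198.51.100.7 standing in for the VPS; the interface name eth0 is taken from the command in the comment above.

```shell
#!/bin/sh
# Added example, not part of the original answers.
# Summarise tcpdump -nn output into bytes per (source host > destination host),
# largest first, so the flow behind a bandwidth spike stands out.

# Constructed sample capture (RFC 5737 addresses; 198.51.100.7 plays the VPS).
SAMPLE='02:20:01.000001 IP 198.51.100.7.38822 > 203.0.113.9.53211: Flags [P.], seq 1:1449, ack 1, win 229, length 1448
02:20:01.000002 IP 203.0.113.9.53211 > 198.51.100.7.38822: Flags [.], ack 1449, win 1000, length 0
02:20:01.000003 IP 198.51.100.7.38822 > 203.0.113.9.53211: Flags [P.], seq 1449:2897, ack 1, win 229, length 1448
02:20:01.000004 IP 192.0.2.44.51234 > 198.51.100.7.80: Flags [P.], seq 1:301, ack 1, win 64, length 300
02:20:01.000005 IP 198.51.100.7.80 > 192.0.2.44.51234: Flags [P.], seq 1:1201, ack 301, win 229, length 1200
02:20:01.000006 IP 198.51.100.7.38822 > 203.0.113.9.53211: Flags [P.], seq 2897:4345, ack 1, win 229, length 1448'

# Read tcpdump -nn lines on stdin, print "<bytes> <src> > <dst>" sorted by bytes.
top_talkers() {
    awk '
    / IP / {
        src = $3; dst = $5
        sub(/:$/, "", dst)                  # drop the colon tcpdump puts after the destination
        sub(/\.[0-9]+$/, "", src)           # strip the port: the last dotted component
        sub(/\.[0-9]+$/, "", dst)
        for (i = 1; i <= NF; i++)           # payload size is the number after "length"
            if ($i == "length") { bytes[src " > " dst] += $(i + 1); break }
    }
    END { for (k in bytes) printf "%d %s\n", bytes[k], k }' | sort -rn
}

# The single heaviest flow in the sample capture.
top_flow() {
    printf '%s\n' "$SAMPLE" | top_talkers | head -n 1
}

# Total bytes sent by one host in the sample capture (is the VPS the sender?).
bytes_from_host() {
    printf '%s\n' "$SAMPLE" | top_talkers | awk -v h="$1" '$2 == h { s += $1 } END { print s + 0 }'
}

printf '%s\n' "$SAMPLE" | top_talkers
# On the real machine (as root): tcpdump -nn -i eth0 -c 2000 2>/dev/null | top_talkers
```

In the sample the VPS is the sender of almost everything, and nearly all of it goes to one remote host on an unfamiliar port; that pattern (outbound-heavy, concentrated on one peer) is what distinguishes a compromised box from a legitimately busy web server, whose traffic is spread across many client addresses.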

If you think you've been compromised IMMEDIATELY back up the site and take it down until you determine exactly how you were compromised and what information was lost, then recreate the server with the fix and apologize to your users and tell them what was lost. The large data spikes could very well be a hacker downloading all your user data. If you're lucky some portion will forgive you and continue using your site/service.

Flamewires
  • Yeah I've made a backup, changed passwords, ran a virus scan. I found a file that was using up like 99% CPU on my website. Working on other fixes recommended here. But it happened so quickly, over 3000GB in less than 20 mins it seems. – user111533 Feb 23 '12 at 02:22
  • If you believe the file was created via some application error, then that's one thing. But if you think someone has broken in, a virus scan will do little to find all the possible backdoors a good hacker could have left. The only way to be sure there's no way in is to reformat and reinstall with however they got in fixed. – Flamewires Feb 23 '12 at 22:31
  • It was found to be a timthumb script in my theme. The support staff found it. The attacker took control of my server. They told me they deleted all processes and connections etc. Do you think I should still reformat everything? – user111533 Feb 24 '12 at 02:27
  • If they had access, yes. From the look of the vulnerability it seems they could have run arbitrary scripts, so they could easily have gotten root access. Would you rather be confident, and bite the bullet for a little downtime, or months from now discover that there's been another root user besides you this whole time? You should never continue using a box after someone has hacked into it. Always restore data from backups and remake the server (obviously with the newly patched plugin). – Flamewires Mar 02 '12 at 08:31
  • Oh, and generally on this site people like it if you found a particular answer helpful to select it as the best answer (doesn't have to be mine, I'd probably pick Kyle Smith's). – Flamewires Mar 02 '12 at 08:33