
Last night my server (CentOS 5) had unusual outgoing traffic, about 12kGB, and right now my server is down because I have to pay that traffic's cost. My server is a small server for a small app. I don't know what happened, but the hosting support says it can be that your server was hacked and used for a DDoS attack, or it can be an amplification bug, etc. They don't help much.

My questions are: How can I check what that traffic was about and what it was used for? How can I check whether my server was hacked? Hosting staff already had my root password for some tasks I gave them. And how can I prevent this? Is there any way to set a limit on outgoing traffic?

Fcoder
After the fact you can't readily determine what the traffic was unless you had set up logging beforehand. The same systems your hosting provider used to detect the traffic spike *may* have some record, but they're not obliged to share that with you. Most likely it is indeed a compromise of your server resulting in it getting abused for sending spam or generating other traffic at your expense. – HBruijn May 24 '19 at 10:34

2 Answers


How I can check that traffic is what about and used for what? How I can check my server hacked?

Answering this will be pretty difficult without investigating logs. The fact that the hosting company took your server down until you pay is understandable given the situation, but this is also blocking investigations. Maybe they can retrieve logs for you so that you can investigate?

One other thing you could try is reaching their network operations people to get information on what happened on the network that night: they probably have figures / charts / reports that can be a good source of information.

and how I can prevent this?

This will be done by fixing the bug / security issue / whatever evil people exploited (considering you were actually hacked). And keep up to date with security upgrades!!!

Is there any way to set limit to outgoing traffic?

This is a pretty complex question, as you'd like your server + app to reply as fast as possible to "legal" traffic (like 100 users connecting to your app at the very same time, which will result in a spike of network usage), while still being able to defeat evil incoming requests.

Httqm
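The answer above says an outgoing-traffic limit is hard because legitimate bursts look like abuse for a moment. One defensive compromise is not to block but to alert when the transmit rate stays high over several consecutive samples. The following is an added example, not code from the original answer: it parses the Linux `/proc/net/dev` counter layout and alerts only when an interface's transmit rate exceeds a limit for a sustained number of samples. The snapshots, interface names and thresholds are constructed for the demo.

```python
import re

# Matches one interface line of /proc/net/dev: "  eth0: <16 counters>"
IFACE_RE = re.compile(r"^\s*(\S+):\s*(.*)$")


def parse_proc_net_dev(text):
    """Return {interface: (rx_bytes, tx_bytes)} from /proc/net/dev contents.

    In the Linux /proc/net/dev layout the first counter after the name is
    received bytes and the ninth is transmitted bytes.
    """
    counters = {}
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if not m:
            continue                     # the two header lines have no "name:"
        fields = m.group(2).split()
        if len(fields) < 16:
            continue
        counters[m.group(1)] = (int(fields[0]), int(fields[8]))
    return counters


class EgressWatch:
    """Flags interfaces whose transmit rate stays above a limit.

    A single sample over the limit (e.g. 100 users hitting the app at once)
    is tolerated; only `sustain_samples` consecutive samples over the limit
    produce an alert.
    """

    def __init__(self, limit_bytes_per_sec, sustain_samples):
        self.limit = limit_bytes_per_sec
        self.sustain = sustain_samples
        self.prev = None
        self.over = {}                   # interface -> consecutive samples over limit

    def feed(self, snapshot, interval_sec):
        """Consume one /proc/net/dev snapshot taken interval_sec after the last.

        Returns a list of (interface, tx_bytes_per_sec) that should be alerted on.
        """
        current = parse_proc_net_dev(snapshot)
        alerts = []
        if self.prev is not None:
            for iface, (_, tx_now) in current.items():
                if iface == "lo" or iface not in self.prev:
                    continue
                delta = tx_now - self.prev[iface][1]
                if delta < 0:            # counter wrapped or interface was reset
                    delta = 0
                rate = delta / float(interval_sec)
                if rate > self.limit:
                    self.over[iface] = self.over.get(iface, 0) + 1
                else:
                    self.over[iface] = 0
                if self.over[iface] >= self.sustain:
                    alerts.append((iface, rate))
        self.prev = current
        return alerts


def snapshot(rx_bytes, tx_bytes):
    """Constructed /proc/net/dev text (not captured from a real host)."""
    header = ("Inter-|   Receive                                                |  Transmit\n"
              " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n")
    lo = "    lo:   4096      32    0    0    0     0          0         0   4096      32    0    0    0     0       0          0\n"
    eth0 = "  eth0: %d %d    0    0    0     0          0         0 %d %d    0    0    0     0       0          0\n" % (
        rx_bytes, rx_bytes // 1000, tx_bytes, tx_bytes // 1000)
    return header + lo + eth0


def run_demo():
    """Four samples, 10 s apart, with a 1 MB/s egress limit sustained over 2 samples."""
    watch = EgressWatch(limit_bytes_per_sec=1_000_000, sustain_samples=2)
    results = []
    for tx in (1_000_000, 2_000_000, 52_000_000, 102_000_000):
        results.append(watch.feed(snapshot(rx_bytes=500_000, tx_bytes=tx), interval_sec=10))
    return results


if __name__ == "__main__":
    for i, alerts in enumerate(run_demo()):
        print("sample %d: %s" % (i, alerts or "ok"))
```

On a real host you would read `/proc/net/dev` on a timer instead of calling `snapshot()`, and the alert would page you or drop a firewall rule; the point of the sustain counter is that one burst from a traffic spike does not fire, while 12kGB leaving over a night certainly does.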

Do forensics on the disk, or their network traffic logs, to see what this was. This requires working with your provider.

From the volume of transfer, likely someone set up a file share, or a bandwidth amplification attack, at your expense. US-CERT TA14-017A has an overview of amplification attacks. Note in particular how common services like NTP or Memcached can generate huge attack traffic if incorrectly configured.

Assess this host's security: how far behind on security updates is it, is remote login with a password allowed, how easy are the passwords to crack, have you ever looked at the authentication logs? Be honest.

John Mahowald
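Two of the checks in the answer above, looking at the authentication logs and asking whether password login is allowed, can be done from a copy of the files even while the server itself is down. The following is an added example, not code from the original answer: it parses sshd lines in the CentOS `/var/log/secure` format, counts failed attempts per source address, flags successful logins from addresses you do not recognise or that failed before succeeding, and reports `sshd_config` directives that leave password guessing open. The log lines, config fragment and "known" address are constructed (TEST-NET ranges), not taken from the question.

```python
import re
from collections import Counter

# One sshd line from /var/log/secure (CentOS). Covers both
# "Failed password for root from ..." and "... for invalid user admin from ...".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_secure_log(text):
    """Return (failed_by_ip, accepted) from /var/log/secure contents.

    failed_by_ip: Counter of failed attempts per source address.
    accepted:     list of (user, method, ip) for successful logins, in order.
    """
    failed_by_ip = Counter()
    accepted = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        if m.group("result") == "Failed":
            failed_by_ip[m.group("ip")] += 1
        else:
            accepted.append((m.group("user"), m.group("method"), m.group("ip")))
    return failed_by_ip, accepted


def suspicious_logins(failed_by_ip, accepted, known_ips):
    """Successful logins worth a second look: from an address not on your own
    list of known addresses, or from one that failed before it succeeded."""
    return [
        (user, method, ip)
        for user, method, ip in accepted
        if ip not in known_ips or failed_by_ip[ip] > 0
    ]


def check_sshd_config(text):
    """Findings for an sshd_config that lets an attacker guess passwords."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().lower()
    findings = []
    # An absent directive falls back to the OpenSSH default: "yes" for
    # PasswordAuthentication, and "yes" for PermitRootLogin before OpenSSH 7.0.
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': remote password guessing is possible")
    if settings.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin is not 'no': root can be attacked directly")
    if "1" in settings.get("protocol", "2").split(","):
        findings.append("Protocol 1 is enabled")
    return findings


# Constructed sample data (TEST-NET addresses, invented host name and pids).
SECURE_LOG = """\
May 23 02:14:07 app1 sshd[2231]: Failed password for root from 198.51.100.7 port 41022 ssh2
May 23 02:14:09 app1 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
May 23 02:14:12 app1 sshd[2240]: Accepted password for root from 198.51.100.7 port 41044 ssh2
May 23 09:00:01 app1 sshd[2301]: Accepted publickey for deploy from 203.0.113.5 port 50122 ssh2
"""

SSHD_CONFIG = """\
# constructed sshd_config fragment
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

KNOWN_IPS = {"203.0.113.5"}   # your own workstation / deploy host (constructed)


def run_review():
    """Run all three checks over the constructed data and return the findings."""
    failed, accepted = parse_secure_log(SECURE_LOG)
    return {
        "failed": dict(failed),
        "suspicious": suspicious_logins(failed, accepted, KNOWN_IPS),
        "config": check_sshd_config(SSHD_CONFIG),
    }


if __name__ == "__main__":
    for section, value in run_review().items():
        print("%s: %r" % (section, value))
```

A root login by password from an address that had just failed twice is exactly the pattern the answer is asking you to look for; on a real host you would point `parse_secure_log` at the full `/var/log/secure` (and its rotated copies) and put the addresses you actually log in from into `KNOWN_IPS`.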