1

Possible Duplicate:
My server's been hacked EMERGENCY

I run a couple of sites on Ubuntu via Rackspace Cloud Server. My site typically uses about 3 GB of outbound bandwidth a day. Today, I was shocked to discover that for the past week, my server has logged 2 Terabytes of outbound bandwidth a day. This is obviously completely abnormal and is costing me an arm and a leg. Interestingly, awstats shows my sites have been using the typical amount of bandwidth, so it's something else that's causing this ridiculous spike.

I suspect my site has been hacked. I ran root checks, went through my server logs, and found nothing suspicious. Do you guys have ideas on what else I can do to figure this out?

weicool
  • 111

1 Answer

7

I'd start by having Rackspace shut down all outbound traffic from your server at the firewall, with the exception of traffic which is coming from port 80. Then set up new VMs, migrate your data, and inspect the compromised machine's VM later, using what you've learned to better secure your new server.

mrdenny
  • 27,212
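To see which flows fall outside the port 80 exception described in the answer above, this added example (not part of the original thread or written by either poster) ranks remote peers by bytes sent from TCP sockets whose source port is not 80. It parses constructed `ss -tni` output; the function names and sample addresses are assumptions, and the `bytes_sent` field needs a reasonably recent kernel and iproute2.

```python
import re
from collections import defaultdict

# Constructed sample of `ss -tni` output (documentation addresses, made-up counters).
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.0.2.10:80 198.51.100.7:51844
\t cubic wscale:7,7 rto:204 bytes_sent:48211 bytes_acked:48211 bytes_received:912
ESTAB 0 1448 192.0.2.10:43122 203.0.113.50:9001
\t cubic rto:220 bytes_sent:981234567 bytes_acked:981230000 bytes_received:4410
ESTAB 0 0 192.0.2.10:51200 203.0.113.50:9001
\t cubic rto:212 bytes_sent:5000 bytes_acked:5000 bytes_received:300
ESTAB 0 0 192.0.2.10:22 198.51.100.99:60022
\t cubic rto:208 bytes_sent:20480 bytes_acked:20480 bytes_received:10240
ESTAB 0 0 [2001:db8::10]:80 [2001:db8::99]:40112
\t cubic rto:204 bytes_sent:15320 bytes_acked:15320 bytes_received:640
"""
BYTES_SENT = re.compile(r"\bbytes_sent:(\d+)")

def parse_ss(text):
    """Return one dict per TCP socket: local port, peer address, bytes sent."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if line[0].isspace():
            # Indented detail line: belongs to the socket parsed just before it.
            match = BYTES_SENT.search(line)
            if match and sockets:
                sockets[-1]["bytes_sent"] = int(match.group(1))
        elif len(fields) >= 5 and fields[1].isdigit():
            # Socket line: State Recv-Q Send-Q Local:Port Peer:Port (header is skipped).
            local_port = fields[3].rsplit(":", 1)[1]
            if local_port.isdigit():
                sockets.append({"local_port": int(local_port), "peer": fields[4].rsplit(":", 1)[0], "bytes_sent": 0})
    return sockets

def egress_outside_exception(text, allowed_src_ports=(80,)):
    """Sum bytes sent per peer for sockets whose source port is not allowed."""
    totals = defaultdict(int)
    for sock in parse_ss(text):
        if sock["local_port"] not in allowed_src_ports:
            totals[sock["peer"]] += sock["bytes_sent"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for peer, sent in egress_outside_exception(SAMPLE_SS):
        print(f"{peer:20} {sent:>12} bytes sent")
```

The counters cover only TCP sockets that are open at the moment of the snapshot, so UDP and already-closed connections do not appear. Output gathered on a host that may be compromised is a lead to follow up, not proof of a clean system.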