Posted by Crosstalk, 03-25-2009, 11:24 AM | I've seen some bandwidth spikes on my server recently, and it seems to be related to this entry (corresponds to iftop's output):
udp 0 27900 myip:43610 80.93.89.215:www ESTABLISHED
Any ideas where I should look? I have blocked the IP for now, but I'm curious what he might have been accessing. There were large (8MB/s+) spikes for at least 10 minutes, and once for almost an hour. Outbound traffic too, so I don't know what could be served up from that.
|
Posted by coeplicltd, 03-25-2009, 12:13 PM | Somebody downloading a file?
|
Posted by Crosstalk, 03-25-2009, 12:17 PM | But why udp? I wasn't able to find anything in the apache logs.
|
Posted by Host Our Web, 03-25-2009, 12:42 PM | www is just the port number. In this case it's port 80.
What do you have listening on port 80?
Also... is the IP address 80.93.89.215 attached to anything you own?
|
Posted by durak, 03-25-2009, 12:47 PM | Well, there's no rDNS entry for this IP, so, I bet it's not important to the operation of your server. However, if you have shell accounts or some other sort of access for your users, they might be getting pissed off at you right now.
Can you find out which process was using that port? I don't think downloads use UDP. UDP is more for things like remoting software, VoIP, streaming. It was only one connection? It hit 8 megabytes per second? Or bits? If 8MB/s, that's one helluva residential connection; it sounds corporate to me. If it's 8Mb/s, that very well could be residential, as I know that people have some really fast connections in Europe.
Last resort: sniff the connection, see what's cookin'.
Of course, all this is predicated on your desire to unblock that IP and investigate.
Netsol says this:
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
NetRange: 80.0.0.0 - 80.255.255.255
CIDR: 80.0.0.0/8
NetName: 80-RIPE
NetHandle: NET-80-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
RegDate:
Updated: 2005-07-27
XKCD confirms it, it's in Europe:
xkcd . com/195/
Durak.
|
Posted by Crosstalk, 03-25-2009, 04:28 PM | That IP has nothing to do with me. Domaintools returns this: http://whois.domaintools.com/80.93.89.215
I did check server-status on Apache while it happened, and it seems this was not using Apache, as I thought. Next time it happens I will have to use top to see what process/user it is affecting. I saw a few more spikes in my MRTG chart today.
|
Posted by Crosstalk, 03-25-2009, 04:56 PM | It just happened again, from another IP, pulling 40 Mbit. This is getting a bit worrying as the results seem so bizarre.
udp 0 0 myip:44389 141.218.71.123:www ESTABLISHED
Top output:
5347 www-data 25 0 1560 468 400 R 37.6 0.0 0:44.02 s
So, it is www-data that is running the "s" command that is causing this. I simply don't see how this could be legitimate. Where should I start to track this down?
|
Posted by Crosstalk, 03-25-2009, 05:31 PM | I've found some DDoS and perl shell scripts in various /tmp dirs. Going to have to see what's all affected. Yikes...
|