

Suspicious traffic on new server




Posted by Bios, 05-01-2012, 10:48 PM
I currently have four servers each serving 1TB of static content using 3TB of bandwidth a month. However, my newest server at only 7 days old is transferring 300GB a day with a paltry 250GB of static content, which by my stats shouldn't account for this high usage (I have bandwidth stats for all static content and it adds up to 200GB for the 7 days).

My setup is the same every single time I put up a new server:
apache2
nginx (serving static content)
vnstat (measuring eth0)

That's it. I can't see anything wrong but I'm very much an amateur at the command line. I've looked through logs and top but see nothing wrong, so what else can I do?

Posted by pioneernetworks, 05-01-2012, 10:58 PM
You could possibly run a root kit, and scan the server for trojans, viruses, etc. Is the server from the same provider as the others?

Posted by Bios, 05-02-2012, 12:05 AM
I have two smaller servers with them and no problems for over a year. The four main servers are hosted elsewhere. Just tried rkhunter, chkrootkit and unhide and nothing was returned as bad. It had a false positive to cron. I'll hold onto these for future use though, thanks. One crucial thing I forgot to mention is I received a null route warning recently for [possible?] DDoS related with this server's IP. However, it was lifted as quickly as it was given. Traffic right now is actually at what I'd expect but it still managed 235GB today so far.

Posted by pioneernetworks, 05-02-2012, 12:13 AM
I would pull log data every so often, maybe every 6 hours or so, on the server to see if you find anything "suspicious".

Posted by rackulous_jonnyt, 05-02-2012, 06:46 AM
Have you run tcpdump to see exactly what the traffic is?

Posted by Bios, 05-02-2012, 11:39 PM
Cool, I'll check that out. Everything is running normally today so I guess I just monitor till it happens again. At least I'm somewhat prepared now, thanks.
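
The comparison this thread circles around (bytes the web server logged against bytes counted on eth0) can be scripted. The following is an added example, not part of the original posts: it assumes nginx's default "combined" access-log format, the function names are hypothetical, and the log lines and interface total are constructed sample values.

```python
import re
from collections import Counter

# nginx "combined" format: ip - user [time] "request" status body_bytes_sent ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def bytes_by_client(lines):
    """Sum response body bytes per client IP; return (Counter, skipped_count)."""
    totals, skipped = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed lines are counted, not silently dropped
            continue
        sent = m.group("bytes")
        totals[m.group("ip")] += 0 if sent == "-" else int(sent)
    return totals, skipped

def unexplained(interface_bytes, totals):
    """Return (logged, gap, share): interface bytes the web log does not explain."""
    logged = sum(totals.values())
    gap = max(interface_bytes - logged, 0)
    share = gap / interface_bytes if interface_bytes else 0.0
    return logged, gap, share

# Constructed sample lines (documentation IP ranges), not data from the thread.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/May/2012:10:00:01 +0000] "GET /files/a.zip HTTP/1.1" 200 5000000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/May/2012:10:00:09 +0000] "GET /files/b.zip HTTP/1.1" 200 3000000 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [01/May/2012:10:01:12 +0000] "GET /img/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [01/May/2012:10:02:30 +0000] "GET /files/c.iso HTTP/1.1" 206 2000000 "-" "Wget/1.13"',
    'garbage line that does not parse',
]
# Constructed stand-in for the rx+tx total vnstat shows for the same time window.
SAMPLE_INTERFACE_BYTES = 40_000_000

if __name__ == "__main__":
    totals, skipped = bytes_by_client(SAMPLE_LOG)
    logged, gap, share = unexplained(SAMPLE_INTERFACE_BYTES, totals)
    for ip, n in totals.most_common(5):      # heaviest clients first
        print(f"{ip:15s} {n:>12d} bytes")
    print(f"logged={logged} interface={SAMPLE_INTERFACE_BYTES} "
          f"unexplained={gap} ({share:.0%}) skipped={skipped}")
```

A large unexplained share means the traffic was not served by nginx (the interface counter also includes inbound bytes and every other service), which is the case where a packet capture is the next step.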


