
Thread: Bandwidth Spike

  1. #1
    tonybradley (AO Security for Non-Geeks) | Join Date: Aug 2002 | Posts: 830

    Bandwidth Spike

    My wife and I were reviewing the stats in cPanel from our web host (I think they use awstats) and we noticed that with only 6 days completed we have almost maxed our 2 GB bandwidth usage for February.

    The site being hosted holds a simple Wordpress blog site. We don’t even upload our pictures there. Images are uploaded to Flickr and linked from the blog. There is email usage, but not nearly to the volumes we are seeing in the stats.

    It seems that each night between midnight and 4am – while we’re sleeping – a massive amount of POP3 traffic is being associated with our domain / web hosting account. Any ideas for how I can investigate this from my end or what I should tell the techs at the web host to look for? It seems to me that their server is being used as a spam distribution or relay point and that they need to go lock some stuff down, but I am not sure how to explain it to them.

    Thus far, their troubleshooting has amounted to "wow! I guess you get a lot of email after midnight!". We explained that our computers are on 24/7 and the email client is set to download every 1 minute, so it is virtually impossible for us to have any such spike in traffic.

    Any clues?

  2. #2
    Member | Join Date: Dec 2006 | Posts: 33

    If it's POP3 traffic, shouldn't a packet sniffer be able to capture said traffic so you can view the contents in the morning? If you're relaying emails, you should be getting traffic in from one server, and traffic out to another server as well.

    If there is no traffic, or less traffic than reported, someone else may be spoofing your domain. But I'd be opening Ethereal anyway.

  3. #3
    Senior Member | Join Date: Mar 2003 | Location: central il | Posts: 1,779

    You should know better

    Tony, is she using an up-to-date version of WordPress? Does her host allow f_open PHP calls? PHP is a very insecure language, and WordPress is an extremely insecure app. One of the hosting providers I worked for had this issue. You could be looking at one of two things: someone uploaded a spam remailer to your system and it's now spamming the world via file uploads in WordPress, or someone is hitting WordPress's email ability with an email injection attack. Dig through the Apache logs just prior to the spam going out and see if anyone is accessing an unusual PHP page; otherwise, look for odd files on the system. This looks like the typical fallout of a PHP compromise.
    Who is more trustworthy than all of the gurus or Buddhas?

  4. #4
    AOs Resident Troll | Join Date: Nov 2003 | Posts: 3,152

    Tell your ISP that you will switch ISPs due to the fact that they do not filter spam... unless they do, and you have just not turned on the filters?

    and if they don't listen... start forwarding the spam to the tech support...

    that usually does it

    or switch providers... it's painless really... find one with filters

    MLF
    Last edited by morganlefay; February 9th, 2007 at 06:08 AM.
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    Senior Member | Join Date: Mar 2003 | Location: central il | Posts: 1,779

    morganlefay: I don't think that will help. Someone is using Tony's account as a spam relay... Tony, if you could get them to look at the mail queue during one of the spikes, I bet it would be loaded with spam.
    Who is more trustworthy than all of the gurus or Buddhas?

  6. #6
    AOs Resident Troll | Join Date: Nov 2003 | Posts: 3,152

    Is this an ISP mail server... or do you have your own mail server?

    If it's your mail server... what flavor?

    If it's the ISP's mail server... change ISPs, because they don't seem to have a fricken clue if they are allowing mail to relay.


    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  7. #7
    If the account were being used as a spam relay, wouldn't we be talking about a large amount of SMTP traffic rather than POP3?

    Seems it's time to find a new provider. Without access to the system, network or detailed logs you are likely S.O.L.

  8. #8
    AOs Resident Troll | Join Date: Nov 2003 | Posts: 3,152

    If it really is POP traffic... change passwords.
    Make sure the machines accessing the mail are clean.
    If it is SMTP... check the mail server.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer
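Two of the checks suggested in this thread (post #3: dig through the Apache logs just before the spam goes out for hits on unusual PHP pages; post #8: if it really is POP traffic, find out which machines are pulling mail) can be scripted once the host hands over the raw logs. The script below is an added example, not code from any poster or from cPanel/awstats. It assumes Apache "combined" log format and Dovecot-style pop3-login lines (adjust the regexes for whatever the host actually runs), a midnight-to-4am window matching the spike in the original post, an allowlist of stock WordPress PHP entry points, and a set of the household's own client IPs; all log lines and addresses are constructed for the example.

```python
"""Night-time log triage for a shared-hosting account (added example).

Two checks from the thread:
  1. Apache access log: PHP requests in the spike window whose path is not a
     stock WordPress entry point (a dropped remailer under wp-content/uploads
     would show up here).
  2. POP3 login log: logins in the spike window from addresses that are not
     the household's own machines (a stolen mailbox password would show here).
Log formats, the allowlist and OWN_IPS are assumptions for the example.
"""
import re
from datetime import datetime, time

# Constructed sample log lines (not real traffic from the thread).
APACHE_LOG = """\
203.0.113.7 - - [07/Feb/2007:00:12:41 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Feb/2007:00:13:02 -0500] "GET /wp-content/uploads/2007/02/x.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Feb/2007:00:13:05 -0500] "POST /wp-content/uploads/2007/02/x.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Feb/2007:00:15:30 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.50 - - [07/Feb/2007:10:30:00 -0500] "GET /wp-admin/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

POP3_LOG = """\
Feb  7 00:05:10 host dovecot: pop3-login: Login: user=<tony@example.com>, method=PLAIN, rip=192.0.2.50, lip=10.0.0.5
Feb  7 00:20:15 host dovecot: pop3-login: Login: user=<tony@example.com>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5
Feb  7 02:41:59 host dovecot: pop3-login: Login: user=<tony@example.com>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5
Feb  7 09:00:00 host dovecot: pop3-login: Login: user=<tony@example.com>, method=PLAIN, rip=192.0.2.50, lip=10.0.0.5
"""

# Assumed allowlist: PHP paths a stock WordPress install legitimately serves.
# Anything else ending in .php, especially under wp-content/uploads, is suspect.
KNOWN_PHP = {"/index.php", "/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php", "/wp-admin/"}
# Assumed source addresses of the household's own mail clients.
OWN_IPS = {"192.0.2.50"}

WINDOW_START, WINDOW_END = time(0, 0), time(4, 0)  # the spike window from the post

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
POP3_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*pop3-login: Login: user=<([^>]+)>.* rip=(\S+?),')


def in_window(t: time) -> bool:
    """True when a clock time falls inside the overnight spike window."""
    return WINDOW_START <= t < WINDOW_END


def suspicious_php_hits(log: str):
    """Return (ip, timestamp, method, path, status) for in-window PHP requests outside KNOWN_PHP."""
    hits = []
    for line in log.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if not in_window(when.time()):
            continue
        clean = path.split("?", 1)[0]  # drop the query string before matching
        if clean.endswith(".php") and clean not in KNOWN_PHP:
            hits.append((ip, when.isoformat(), method, clean, status))
    return hits


def foreign_pop3_logins(log: str, year: int = 2007):
    """Return (timestamp, user, ip) for in-window POP3 logins from IPs not in OWN_IPS."""
    logins = []
    for line in log.splitlines():
        m = POP3_RE.match(line)
        if not m:
            continue
        ts, user, ip = m.groups()
        # syslog lines carry no year; the caller supplies it
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        if in_window(when.time()) and ip not in OWN_IPS:
            logins.append((when.isoformat(), user, ip))
    return logins


if __name__ == "__main__":
    for h in suspicious_php_hits(APACHE_LOG):
        print("apache:", *h)
    for entry in foreign_pop3_logins(POP3_LOG):
        print("pop3:  ", *entry)
```

On the constructed input the Apache check flags the GET and POST to the .php file under wp-content/uploads and nothing else, and the POP3 check flags the two overnight logins from 203.0.113.7 while ignoring the household's own 192.0.2.50. Either hit is something concrete to hand the host's techs instead of "we get a lot of email after midnight": a file to pull and examine, or a mailbox password to rotate.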
