Bandwidth going up even though I'm not using any?
The past 2 days my bandwidth has increased by about 180MB even though I haven't actually used any - my site is still down. Is this normal (from people probing my ports etc) or is this possibly an attack on the server? Overnight the bandwidth went up by 80MB while I slept.
Currently it is secured with a specific SSH port and connection by keys only. There are some crecords redirecting mail to gmail.
8 Replies
Even worse - it's gone up 60MB since I wrote this this morning!! Again - NOTHING on the graphs. Am I under attack and should I open a ticket on this?
Paste output of ifconfig -a.
And it very well can be random portscans and bot-knocks, 60MB isn't much…
root@li190-127:/etc/init.d# ifconfig -a
dummy0 Link encap:Ethernet HWaddr 1a:09:3d:21:bc:16
BROADCAST NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth0 Link encap:Ethernet HWaddr fe:fd:b2:4f:86:7f
inet addr:178.79.134.127 Bcast:178.79.134.255 Mask:255.255.255.0
inet6 addr: fe80::fcfd:b2ff:fe4f:867f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:55679 errors:0 dropped:0 overruns:0 frame:0
TX packets:20397 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:60903275 (60.9 MB) TX bytes:2290751 (2.2 MB)
Interrupt:28
gre0 Link encap:UNSPEC HWaddr 00-00-00-00-66-65-34-66-00-00-00-00-00-00-00-00
NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ip6tnl0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1460 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:240 errors:0 dropped:0 overruns:0 frame:0
TX packets:240 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:292248 (292.2 KB) TX bytes:292248 (292.2 KB)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
teql0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
root@li190-127:/etc/init.d#
@tentimes:
Could you explain this loopback for me please?
Well, Loopback is the virtual network card that's used for "talking to yourself" via 127.0.0.1 (actually, all of 127.x.x.x). But, your ifconfig output says
@tentimes:
lo Link encap:Local Loopback (...) RX bytes:292248 (292.2 KB) TX bytes:292248 (292.2 KB)
that only 300 KB went through it.
Now, your main Ethernet interface,
@tentimes:
eth0 Link encap:Ethernet HWaddr fe:fd:b2:4f:86:7f (...) RX bytes:60903275 (60.9 MB) TX bytes:2290751 (2.2 MB)
had 60MB of incoming data since last reboot. And 2.2 MB of outgoing data.
So, you either ran a few apt-get installs, urpmis, or whatever command your distro uses for software installation and it downloaded the packages, OR you uploaded a few files, OR there was quite a bunch of bots trying to knock on your door. Check out /var/log/auth.log for SSH password probes, maybe.
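The auth.log check suggested above can be scripted. The following is an added example, not part of the original thread: it groups failed SSH logins by source address, counting one connection per sshd child PID so that several log lines from the same connection are not counted twice. The function name `summarize_probes` and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in sshd's syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 02:14:07 myhost sshd[2101]: Invalid user admin from 203.0.113.5
Mar  3 02:14:09 myhost sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Mar  3 02:14:15 myhost sshd[2107]: Failed password for root from 203.0.113.5 port 40031 ssh2
Mar  3 02:14:21 myhost sshd[2107]: message repeated 2 times: [ Failed password for root from 203.0.113.5 port 40031 ssh2]
Mar  3 02:20:40 myhost sshd[2150]: Connection closed by authenticating user root 198.51.100.77 port 51514 [preauth]
Mar  3 02:21:02 myhost sshd[2153]: Connection closed by invalid user oracle 198.51.100.77 port 51620 [preauth]
Mar  3 09:02:11 myhost sshd[2290]: Accepted publickey for root from 192.0.2.10 port 50100 ssh2
Mar  3 09:05:00 myhost CRON[2301]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Messages OpenSSH logs for connections that never authenticated (user + IP literal).
IP = r"(?P<ip>[0-9a-fA-F:.]+)"
PROBE_PATTERNS = [
    re.compile(r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from " + IP),
    re.compile(r"Invalid user (?P<user>\S*) from " + IP),
    re.compile(r"Connection closed by (?:authenticating|invalid) user (?P<user>\S+) " + IP),
]
SSHD_LINE = re.compile(r"\ssshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def summarize_probes(log_text):
    """Return {ip: {"connections": n, "users": sorted usernames}} for failed logins."""
    pids = defaultdict(set)    # ip -> sshd child PIDs (one child per connection)
    users = defaultdict(set)   # ip -> usernames that source tried
    for line in log_text.splitlines():
        m = SSHD_LINE.search(line)
        if not m:
            continue           # not an sshd line (cron, sudo, ...)
        for pat in PROBE_PATTERNS:
            hit = pat.search(m.group("msg"))  # search() also matches inside "message repeated"
            if hit:
                pids[hit.group("ip")].add(m.group("pid"))
                users[hit.group("ip")].add(hit.group("user"))
                break
    return {ip: {"connections": len(pids[ip]), "users": sorted(users[ip])} for ip in pids}


if __name__ == "__main__":
    # On a real host, pass the contents of /var/log/auth.log instead of SAMPLE_LOG.
    for ip, info in sorted(summarize_probes(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["connections"]):
        print(f"{ip:15} {info['connections']:4} connections  users: {', '.join(info['users'])}")
```

PIDs are reused over time, so on a long log the per-address connection count is a lower bound.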
Can't believe it only took a couple of days for the Russians to find my server!
Thanks for the help