
Last night someone exploited some vulnerability in my site and then uploaded a PHP script into my images folder.

I have an Amazon EC2 server with CentOS.

Now the hacker has downloaded 600GB and increased my bill.

Can this be a DoS attack? How can I check it?

When the hacker was downloading, I saw:

  1. CPU usage at 100%
  2. Many apache kworker processes running
  3. When I stopped the apache service, data was still being transmitted

I then stopped my instance.

How can I see what happened?

rav_kr
user22

1 Answer

If the data is transferred via HTTP, then this is probably not an attack; check your Apache logs. Check the user agents and the corresponding IPs.

What it might be:

  • web crawlers
  • a buggy setup

By the way, if you still have data transfer without Apache ... do you really know what you are doing there? How do you know about non-HTTP data transfer?

  • Is there any way to find non-HTTP data transfer? – user22 Sep 05 '13 at 06:34
  • Have you checked your Apache logs yet? That is the first step. It probably has the right answer. I expect you will find millions of requests to that file the attacker uploaded. By default, the size of the response is the field after the response code and is measured in bytes. – Ladadadada Sep 05 '13 at 07:09
  • You can use ntop to monitor traffic on that host, but you need root access. Another tool for live traffic monitoring is iptraf, or you can run (as root) "lsof | grep TCP" or "netstat -nv -t tcp". Your server is probably part of an IRC botnet already. If so, you'll probably see strange stuff in /tmp, like hidden directories. – that guy from over there Sep 05 '13 at 19:28
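The log check that the answer and Ladadadada's comment recommend, as an added worked example (this is not code from the thread or from any of its participants): it parses Apache's default "combined" LogFormat, sums the response-size field (the number after the status code, in bytes) per client IP, per request path and per User-Agent, and separately lists every request that executed a PHP file under /images/, since an upload directory should never serve PHP. The log lines are constructed for the example using RFC 5737 documentation addresses, and /images/upl.php stands in for whatever script was actually planted; both are assumptions, as is the combined LogFormat.

```python
"""Aggregate Apache combined-format access logs to see where outbound
bytes went and which requests hit a script planted under /images/."""
import re
import sys
from collections import defaultdict

# Apache "combined" LogFormat (assumed here):
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# %b is the response body size in bytes, or "-" when nothing was sent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: PHP must never execute from the images upload directory,
# so any request for /images/<anything>.php is a hit on a planted script.
SUSPICIOUS_PATH_RE = re.compile(r'^/images/.*\.php$', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string so ?f=1 and ?f=2 merge
    return rec


def summarize(lines):
    """Sum requests and bytes per IP, per path and per User-Agent; count unparsable lines."""
    def table():
        return defaultdict(lambda: {"requests": 0, "bytes": 0})
    by_ip, by_path, by_agent = table(), table(), table()
    total_bytes = unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        total_bytes += rec["bytes"]
        for key, tbl in ((rec["ip"], by_ip), (rec["path"], by_path), (rec["agent"], by_agent)):
            tbl[key]["requests"] += 1
            tbl[key]["bytes"] += rec["bytes"]
    return {"by_ip": dict(by_ip), "by_path": dict(by_path), "by_agent": dict(by_agent),
            "total_bytes": total_bytes, "unparsed": unparsed}


def top(table, n=5):
    """Entries of one summary table ordered by bytes served, largest first."""
    return sorted(table.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


def suspicious_script_hits(lines):
    """(ip, path, status, bytes) for every request that executed PHP under /images/."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and SUSPICIOUS_PATH_RE.match(rec["path"]):
            hits.append((rec["ip"], rec["path"], rec["status"], rec["bytes"]))
    return hits


# Constructed sample log, not taken from the poster's server. Addresses are
# RFC 5737 documentation ranges; /images/upl.php is a hypothetical planted script.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Sep/2013:01:12:03 +0000] "GET /images/upl.php?f=1 HTTP/1.1" 200 52428800 "-" "curl/7.29.0"',
    '203.0.113.5 - - [05/Sep/2013:01:12:09 +0000] "GET /images/upl.php?f=2 HTTP/1.1" 200 52428800 "-" "curl/7.29.0"',
    '198.51.100.9 - - [05/Sep/2013:01:13:41 +0000] "GET /images/upl.php HTTP/1.1" 200 1048576 "-" "Wget/1.14"',
    '192.0.2.10 - - [05/Sep/2013:01:14:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [05/Sep/2013:01:14:05 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"',
    '192.0.2.12 - - [05/Sep/2013:01:14:07 +0000] "GET /robots.txt HTTP/1.1" 404 - "-" "Mozilla/5.0"',
    'this line is not an access-log record',
]

if __name__ == "__main__":
    # Usage: python apache_bytes.py /var/log/httpd/access_log  (no argument: the sample above)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(lines)
    print("total bytes served: %d (%d unparsed lines)" % (report["total_bytes"], report["unparsed"]))
    for name in ("by_ip", "by_path", "by_agent"):
        print("\ntop %s:" % name)
        for key, stats in top(report[name]):
            print("  %12d bytes %6d req  %s" % (stats["bytes"], stats["requests"], key))
    print("\nrequests that executed PHP under /images/:")
    for hit in suspicious_script_hits(lines):
        print("  %s %s -> %d, %d bytes" % hit)
```

On the sample, the two curl requests from 203.0.113.5 account for almost all bytes, and every large response comes from the PHP file under /images/. On a real log the same ranking shows quickly whether the 600GB went to one or two clients hammering the uploaded script (the attacker, or a file-sharing use of it) or was spread across ordinary crawlers and visitors. Note that %b only counts what Apache sent; traffic that continued after Apache was stopped will not appear here and needs the socket-level checks from the last comment.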