bandwidth monitoring issue

#1 Wed, 05/13/2009 - 02:13
cyberthom

sorry for the double post but the forum seems to have problems with friendly URLs.. here's my post from before:

hi, I had some unusual bandwidth usage spikes (GBs) lately and am trying to find out which service they refer to.. I have bandwidth monitoring enabled and used that to find out about those spikes in the first place.. now I tried to narrow down the services that use up that bandwidth by filtering traffic by internal port.. to find all open ports I used a port scanner returning the usual: 21, 22, 25, 53, 80, 110, 143, 443, 554, 993, 995 + webmin/usermin ports.. the problem is that when I enter each of those ports, one after the other, into the bandwidth monitoring tool to filter by 'internal port' and sum up the bandwidth usage I get around 500MB in total for this morning.. however when I let it show 'everything' I get 20GB.. I can't work out where that's coming from.. any ideas how to find out?

Wed, 05/13/2009 - 05:56
andreychek

Yeah this forum is whacko :-)

I'll re-post my response here:

Virtualmin keeps track of Web, Email, and FTP traffic on your server, and distinguishes between it all.

So if you are hosting "example.com", and someone started sending out a ton of email, that's going to show in the Virtualmin logs as email traffic in the example.com Virtual Server.

You can view that in System Settings -> Bandwidth Monitoring -> Show Usage Graph. Then I usually click "Parent and sub-servers".

It'll show whether it's web, email, or ftp traffic based on the color of the graph.

That much helps you nail down roughly where the usage is -- from there, you'll probably need to go to the logs to dig up more info once you know what logs to look in.
-Eric

Wed, 05/13/2009 - 07:01 (Reply to #2)
cyberthom

but that's exactly the problem, the traffic of all virtual servers combined doesn't even come close to the traffic shown in bandwidth monitoring, which is why I'm suspecting that there is some other process sending and receiving data.. I should probably add that I recently got a mail from the internet police telling me about an illegal copy of windows7 (great) in one of my virtual server's wordpress installation.. now I don't know whether wordpress got hacked (probably easy using brute force with the default username admin) or whether my server got hacked altogether - I disabled the ftp server and ssh access via password as a precaution for now but I still do get that gigantic traffic usage which none of the sites I'm hosting (including email) could ever produce..

anyway.. I found out that you can actually group the bandwidth monitor results via port, which is what I've done.. total of 100MB.. now when I uncheck the 'Server ports only?' checkbox I do get thousands of entries like this:

TCP 57358 98.47 MB
TCP 52788 88.68 MB
TCP 33161 53.60 MB
TCP 42228 50.42 MB
TCP 33374 50.37 MB
TCP 37148 50.36 MB
TCP 40725 50.34 MB
TCP 37034 50.23 MB
TCP 51940 50.23 MB
TCP 38371 50.20 MB
TCP 49981 50.19 MB
TCP 47845 50.09 MB
TCP 38368 49.89 MB
TCP 40783 49.88 MB
TCP 53708 49.87 MB
TCP 38739 49.87 MB
TCP 58286 49.86 MB
TCP 54919 49.86 MB
TCP 59681 49.86 MB
TCP 57940 49.85 MB
TCP 40296 49.85 MB

with a total of 22GB.. I mean where could that possibly come from? doesn't seem normal to me.. and what are ports not related to my server anyway? I'm not sure I understand..
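A quick way to make sense of a listing like the one above is to separate ephemeral ports from service ports and look at how the per-port byte counts cluster. The following is an added example, not code from the thread or from Webmin/Virtualmin: ten sample lines are copied from the post, the two service-port lines and the ephemeral range are constructed assumptions (the Linux default `net.ipv4.ip_local_port_range` is 32768-60999 on current kernels; check the host's sysctl value).

```python
"""Added example, not from the thread: parse a Webmin per-port bandwidth
listing, split it into ephemeral and service ports, and bucket the
per-port byte counts.  Ten sample lines are copied from the post; the two
service-port lines and the ephemeral range are constructed assumptions."""
import re
from collections import Counter

# Assumption: verify on the host with `sysctl net.ipv4.ip_local_port_range`.
EPHEMERAL_RANGE = (32768, 60999)
UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\d+)\s+([\d.]+)\s+(KB|MB|GB)$")

SAMPLE = """\
TCP 57358 98.47 MB
TCP 52788 88.68 MB
TCP 33161 53.60 MB
TCP 42228 50.42 MB
TCP 33374 50.37 MB
TCP 37148 50.36 MB
TCP 40725 50.34 MB
TCP 37034 50.23 MB
TCP 51940 50.23 MB
TCP 38371 50.20 MB
TCP 80 12.00 MB
TCP 25 3.50 MB
"""


def parse_listing(text):
    """Return (proto, port, bytes) tuples; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, port, amount, unit = m.groups()
            rows.append((proto, int(port), float(amount) * UNITS[unit]))
    return rows


def is_ephemeral(port):
    lo, hi = EPHEMERAL_RANGE
    return lo <= port <= hi


def summarize(rows):
    """Bytes and port counts split by whether the local port is ephemeral."""
    eph = [b for _, p, b in rows if is_ephemeral(p)]
    svc = [b for _, p, b in rows if not is_ephemeral(p)]
    return {
        "ephemeral_bytes": sum(eph), "ephemeral_ports": len(eph),
        "service_bytes": sum(svc), "service_ports": len(svc),
    }


def size_histogram(rows, bucket_mb=5):
    """Count ephemeral-port entries per size bucket (MB, rounded down).
    One dominant bucket means roughly the same payload moved over many
    connections, e.g. one file fetched repeatedly over FTP data connections."""
    hist = Counter()
    for _, port, nbytes in rows:
        if is_ephemeral(port):
            mb = nbytes / UNITS["MB"]
            hist[int(mb // bucket_mb) * bucket_mb] += 1
    return hist


if __name__ == "__main__":
    rows = parse_listing(SAMPLE)
    print(summarize(rows))
    for bucket, n in sorted(size_histogram(rows).items()):
        print(f"{n:3d} ephemeral port(s) moved ~{bucket}-{bucket + 5} MB each")
```

On the sample, eight of the ten ephemeral entries fall into the 50-55 MB bucket, which is the kind of uniformity that points at one payload being served over and over rather than at ordinary mixed traffic.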

Wed, 05/13/2009 - 08:13 (Reply to #3)
andreychek

Yeah, if bandwidth is used outside of Web/Email/FTP traffic, it's trickier for Virtualmin to track down the cause.

An example of when this could occur is if someone were logged into the shell, and downloaded something via, say, wget.

In your case -- if someone managed to compromise your system, and then either began using the shell, or installed their own application (both of which are common for system compromises), those wouldn't show up as web, email, or ftp traffic.

And then if they began redistributing software over, say, bittorrent, that could cause the symptoms you're seeing :-)

What I might do is make sure the processes you see running appear legitimate, and make sure the users logged into the system are all authorized.

As far as the specific ports and numbers you listed above -- I'm not entirely sure :-)

I suspect "ports not related to your server" might mean "ports not bound to a running daemon", but I haven't really tinkered with all that before.
-Eric
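Eric's advice to check that the running processes are legitimate can be made concrete by tying each TCP socket to the process that owns it, which is what `netstat -p` and `ss -p` do under the hood. The following is an added example, not code from the thread or from Virtualmin: it parses `/proc/net/tcp` and matches socket inodes against `/proc/<pid>/fd` links. The parser is exercised on a constructed `/proc/net/tcp` excerpt; the live walk only works on Linux and needs root to see other users' processes.

```python
"""Added example, not from the thread: map each TCP socket to its owning
process by parsing /proc/net/tcp and matching socket inodes against the
/proc/<pid>/fd symlinks.  SAMPLE_PROC_NET_TCP is a constructed excerpt."""
import os

# Subset of the TCP state codes from the kernel's tcp_states.h.
STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
          "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
          "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
          "0A": "LISTEN", "0B": "CLOSING"}

# Constructed excerpt: a listener on port 22 and one established connection
# on ephemeral port 57358 to a remote host (addresses are documentation ranges).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0500000A:E00E 057100CB:C822 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(field):
    """'0500000A:E00E' -> ('10.0.0.5', 57358); IPv4 is stored little-endian."""
    ip_hex, port_hex = field.split(":")
    ip = int(ip_hex, 16)
    octets = [(ip >> (8 * i)) & 0xFF for i in range(4)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def parse_proc_net_tcp(text):
    socks = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        laddr, lport = decode_addr(f[1])
        raddr, rport = decode_addr(f[2])
        socks.append({"laddr": laddr, "lport": lport, "raddr": raddr, "rport": rport,
                      "state": STATES.get(f[3], f[3]), "uid": int(f[7]),
                      "inode": int(f[9])})
    return socks


def socket_owners(proc="/proc"):
    """Map socket inode -> pid by reading every /proc/<pid>/fd/* symlink."""
    owners = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not readable without root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = int(pid)
    return owners


def comm(pid, proc="/proc"):
    try:
        with open(os.path.join(proc, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def live_report(proc="/proc"):
    """Join both views; '-' in the pid column means no readable owner (run as root)."""
    try:
        with open(os.path.join(proc, "net", "tcp")) as fh:
            socks = parse_proc_net_tcp(fh.read())
    except OSError:
        return []
    owners = socket_owners(proc)
    rows = []
    for s in socks:
        pid = owners.get(s["inode"])
        rows.append((s["state"], f'{s["laddr"]}:{s["lport"]}', f'{s["raddr"]}:{s["rport"]}',
                     s["uid"], pid if pid else "-", comm(pid, proc) if pid else "-"))
    return rows


if __name__ == "__main__":
    for s in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(s)
    for row in live_report():
        print(*row)
```

A socket whose owner is a shell, a download tool or an unfamiliar binary rather than the web, mail or FTP daemon is the thing to look at first; sockets with no readable owner when running as root usually belong to a process that has already exited.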

Wed, 05/13/2009 - 08:16 (Reply to #4)
Joe

Note that random high ports are used for many protocols. It doesn't have to be outside of FTP, in particular, for it to look "random". These look like active FTP traffic (but could be any protocol that uses high ports).

--

Check out the forum guidelines!

Wed, 05/13/2009 - 12:43 (Reply to #5)
Joe

Looks like transfer logging is already enabled, at /var/log/proftpd/xferlog. The problem with FTP is that it uses a dynamic port for the actual transfer, so Webmin's Bandwidth Monitoring module is useless .. it sees the transfers on all those random ports you mentioned.

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:54
cyberthom

ok sounds like it's most likely an ftp issue.. but how do I enable transfer logging in proftpd? the 'TransferLog' setting in the config is set but the xferlog file is still empty.. I thought this might have something to do with write permissions of the files/directories and changed them to 0666 but it still doesn't seem to log any transfers (even after restart).. the config looks fine to me:

------
Include /etc/proftpd/modules.conf
UseIPv6 on
ServerName "Debian"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"
DenyFilter \*.*/
Port 21
MaxInstances 30
User proftpd
Group nogroup
Umask 022 022
AllowOverwrite on

TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

<IfModule mod_tls.c>
TLSEngine off
</IfModule>
<IfModule mod_quota.c>
QuotaEngine on
</IfModule>
<IfModule mod_ratio.c>
Ratios on
</IfModule>
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine on
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>
------

any advice? there's no virtual server configured btw so this one should be the active config.. thanks so much!

Wed, 05/13/2009 - 12:04
Joe

I dunno. I don't actually use FTP. ;-)

It looks like you might want to look at the ExtendedLog and LogFormat options. But, I'm not actually sure where Virtualmin's log analyzer looks for FTP transfer data.

I'll ask Jamie to chime in.

--

Check out the forum guidelines!
