Hi All,
we noticed unusually high network traffic on our instance:
13984 - nginx - nginx: worker process - eth0 - 44.179 - 20.604 KB/sec
It doesn't seem like much up and down, but over the course of a day or two it amounts to MANY GBs.
We are on the latest version of Webmin, 1.930. I didn't notice the Nginx being used is quite an old version? Has anyone else experienced this before?
Also, when I kill the specific PID another starts up right away.
I am in the process of installing all the package updates and will reboot later on.
Any help appreciated.
Kind Regards
Adrian
Just looked in the folder, downloading the 1.1GB access.log file! I'd say that was suspicious in itself!
Kind regards
You should check the variety of source IP addresses and consider adjusting your firewall configuration.
Thanks Volodya, I'm going to get all the updates applied tonight and reboot, but the funny thing is, I cannot open the log file, as any program I try to open it in says the file is too large!
I have tried
Notepad
Notepad ++
Wordpad
Word
CSV Viewer (clutching straws!)
Any recommendations?
Kind regards
You can use vi, vim, nano or any other text editor right from the system. Please note that this may hurt system performance if it's in production.
You can also get a fragment from the bottom of the file like so:
tail -100000 /var/log/nginx/access > /trimmed_access
Please, when you have a chance, let the forum know if you find the source of the intrusion. Thanks!!
Hi Chris,
Well, we found that multiple of our instances were communicating with numerous Azurecloud servers in Poland & Germany.
After finding that out I reached out to Azurecloud support, as we don't have an account with them and there was no reason for there to be an active connection to their servers. The next day, all connections had dropped.
I haven't had any word back from them at all though.
The main tools we used were 'nethogs' and 'iftop'.
Cheers
Hello Adrian,
Can you see any suspicious activity in /var/log/nginx/access.log and /var/log/nginx/error.log log files?
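The two checks suggested in this thread, looking at the variety of source IP addresses and looking for suspicious activity in access.log, can be scripted rather than done by opening a 1.1GB file in an editor. Below is an added example (not posted by anyone in the thread and not part of Webmin or Nginx): a POSIX shell script that walks an access log once with awk and reports the busiest source IPs by request count, the heaviest by bytes sent (the figure that actually explains "MANY GBs" of traffic), and sources that look like path scanners because they rack up 4xx responses. It assumes the default Nginx "combined" log format; the sample log lines are constructed so the script runs offline, and the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 addresses are documentation ranges, not real hosts. Pass a real log path as the first argument to run it against /var/log/nginx/access.log or a trimmed copy made with tail.

```shell
#!/bin/sh
# Added example, not from the forum thread: one-pass triage of an nginx access log.
# Assumes the default nginx "combined" format:
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$referer" "$user_agent"
# so that awk field 1 is the client IP, field 9 the status and field 10 the bytes sent.

# Constructed sample log (documentation IP ranges), used when no file is given.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Aug/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2019:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.22"
198.51.100.7 - - [10/Aug/2019:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.22"
198.51.100.7 - - [10/Aug/2019:10:00:04 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.22"
203.0.113.5 - - [10/Aug/2019:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2019:10:00:06 +0000] "GET /big.iso HTTP/1.1" 200 1073741824 "-" "curl/7.64"
EOF

# Requests per source IP; prints the N busiest as "<count> <ip>".
top_sources() {
    awk '{ count[$1]++ } END { for (ip in count) print count[ip], ip }' "$1" \
        | sort -rn | head -n "$2"
}

# Sum of $body_bytes_sent per source IP; prints the N heaviest as "<bytes> <ip>".
# A few clients pulling large files dominate even when the request count is modest.
bytes_by_source() {
    awk '{ bytes[$1] += $10 } END { for (ip in bytes) print bytes[ip], ip }' "$1" \
        | sort -rn | head -n "$2"
}

# Source IPs with at least N 4xx responses: typical of scanners probing for
# wp-login.php, phpmyadmin, .env and similar paths that do not exist here.
scanner_sources() {
    awk -v min="$2" '$9 ~ /^4/ { errs[$1]++ }
        END { for (ip in errs) if (errs[ip] >= min) print errs[ip], ip }' "$1" \
        | sort -rn
}

LOG=${1:-$SAMPLE_LOG}
echo "== busiest sources (requests) =="
top_sources "$LOG" 5
echo "== heaviest sources (bytes sent) =="
bytes_by_source "$LOG" 5
echo "== probable scanners (3 or more 4xx) =="
scanner_sources "$LOG" 3
```

On the constructed sample the scanner is 198.51.100.7 and the bandwidth hog is 192.0.2.9, two different hosts, which is why both views are worth running before deciding which addresses to block. The lists can be fed to whatever firewall tooling the box already uses; note that access.log only covers inbound HTTP, so outbound connections of the kind nethogs and iftop showed in this thread will not appear in it and need the process-level view those tools give.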