AdrianSimpson
Joined: 2019/03/13
Points: 20

Hi All,

We noticed unusually high network traffic on our instance:

13984 - nginx - nginx: worker process - eth0 - 44.179 - 20.604 KB/sec

It doesn't seem like much up and down, but over the course of a day or 2 it amounts to MANY GBs.

We are on the latest version of Webmin, 1.930. I hadn't noticed that the Nginx being used is quite an old version. Has anyone else experienced this before?

Also, when I kill the specific PID, another starts up right away.

I am in the process of installing all the package updates and will reboot later on.

Any help appreciated.

Kind Regards
Adrian

volodya
Joined: 2017/01/05
Points: 230

Hello Adrian,

Can you see any suspicious activity in /var/log/nginx/access.log and /var/log/nginx/error.log log files?

AdrianSimpson
Joined: 2019/03/13
Points: 20

Just looked in the folder, downloading the 1.1GB access.log file! I'd say that was suspicious in itself!

Kind regards

volodya
Joined: 2017/01/05
Points: 230

You should check the variety of source IP addresses and consider adjusting your firewall configuration.

AdrianSimpson
Joined: 2019/03/13
Points: 20

Thanks Volodya, I'm going to get all the updates applied tonight and rebooted. But the funny thing is, I cannot open the log file, as any program I try to open it in says the file is too large!

I have tried
Notepad
Notepad ++
Wordpad
Word
CSV Viewer (clutching straws!)

Any recommendations?

Kind regards

volodya
Joined: 2017/01/05
Points: 230

You can use vi, vim, nano or any other text editor right from the system. Please note that this may hurt system performance if it's in production.

You can also get a fragment from the bottom of the file like so:
tail -n 100000 /var/log/nginx/access.log > /trimmed_access
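The two suggestions above (check the variety of source IPs, and work on a slice of the log rather than the whole 1.1 GB file) can be done in one pass without ever loading the file into an editor. The script below is an added example, not code from the thread or from Webmin; it parses nginx's default "combined" log format line by line and tallies requests, bytes sent and paths per source IP. The log lines embedded in it are constructed for the example, and the function names and regex are this example's own.

```python
"""Summarise a large nginx access.log by source IP without loading it into memory.

Added example for the thread above (not Webmin or nginx code). SAMPLE_LOG is a
constructed sample in nginx's default "combined" log_format:
  $remote_addr - $remote_user [$time_local] "$request" $status
  $body_bytes_sent "$http_referer" "$http_user_agent"
"""
import re
import sys
from collections import Counter

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2019:10:01:22 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Aug/2019:10:01:23 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2019:10:01:25 +0000] "GET /big.iso HTTP/1.1" 200 1048576 "-" "curl/7.58.0"
198.51.100.7 - - [12/Aug/2019:10:01:26 +0000] "GET /big.iso HTTP/1.1" 200 1048576 "-" "curl/7.58.0"
198.51.100.7 - - [12/Aug/2019:10:01:27 +0000] "GET /big.iso HTTP/1.1" 206 524288 "-" "curl/7.58.0"
192.0.2.44 - - [12/Aug/2019:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0 "-" "-"
garbage line that does not parse
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def summarize(lines):
    """Tally requests and bytes per source IP and hits per path over an iterable of lines.

    Works on any iterable, so a multi-GB file can be streamed line by line.
    """
    requests, bytes_out, paths = Counter(), Counter(), Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            if line.strip():
                unparsed += 1  # count malformed lines instead of silently dropping them
            continue
        requests[rec["ip"]] += 1
        bytes_out[rec["ip"]] += rec["bytes"]
        paths[rec["path"]] += 1
    return {"requests": requests, "bytes": bytes_out, "paths": paths, "unparsed": unparsed}


def top_talkers(summary, n=5):
    """Source IPs ranked by bytes served, which is what drives the traffic figure in the thread."""
    return summary["bytes"].most_common(n)


def summarize_file(path):
    """Stream a log file from disk; never reads the whole file into memory."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize(fh)


if __name__ == "__main__":
    summary = summarize_file(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLE_LOG.splitlines())
    print("unique source IPs:", len(summary["requests"]), "unparsed lines:", summary["unparsed"])
    for ip, nbytes in top_talkers(summary):
        print(f"{ip:>15} {summary['requests'][ip]:>6} requests {nbytes:>12} bytes")
    for path, hits in summary["paths"].most_common(5):
        print(f"{hits:>6} {path}")
```

Run it as `python3 summarize_access.py /var/log/nginx/access.log` on the server (or on the trimmed copy from the `tail` command above); with no argument it runs over the embedded sample. A handful of IPs pulling large files repeatedly, or many distinct IPs hammering one path, are the patterns worth feeding into the firewall decision.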

mattdarnell
Joined: 2007/10/25
Points: 30

Try glogg, it has worked for me in the past.

http://glogg.bonnefon.org/

AdrianSimpson
Joined: 2019/03/13
Points: 20

Thanks Matt, will check it out.

chrisc@accentservices.com
Joined: 2018/05/07
Points: 0

Please when you have a chance let the forum know if you find the source of the intrusion. Thanks!!

AdrianSimpson
Joined: 2019/03/13
Points: 20

Hi Chris,

Well, we found that several of our instances were communicating with numerous Azure cloud servers in Poland & Germany.

After finding that out I reached out to Azure cloud support, as we don't have an account with them and there was no reason for there to be an active connection to their servers. The next day, all connections had dropped.

I haven't had any word back from them at all though.

The main tools we used were 'nethogs' and 'iftop'.

Cheers
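nethogs and iftop show live bandwidth per process and per remote host; the complementary check is to list which remote hosts each process currently holds connections to, and in particular which connections the server itself initiated. The script below is an added example, not code from the thread or from Webmin. It parses the output of `ss -tnp` (iproute2's socket listing; `-t` TCP, `-n` numeric, `-p` owning process) and separates locally initiated connections from accepted ones using the assumption that a connection whose local port is one of the server's listening ports was accepted inbound, and anything else was opened from the box. The `ss` output embedded in it is constructed for the example.

```python
"""Group established TCP connections by owning process and flag the outbound ones.

Added example for the thread above (not Webmin or nethogs/iftop code). SAMPLE_SS is a
constructed sample of `ss -tnp` output; the inbound/outbound split assumes that a
connection whose local port is a listening port was accepted, and all others were
initiated locally.
"""
import re
import subprocess
from collections import Counter, defaultdict

PROC_RE = re.compile(r'"(?P<name>[^"]+)",pid=(?P<pid>\d+)')

# Constructed sample (RFC 5737 documentation addresses, not real hosts).
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB      0      0      10.0.0.5:443         203.0.113.10:51234  users:(("nginx",pid=13984,fd=12))
ESTAB      0      0      10.0.0.5:39822       198.51.100.7:443    users:(("nginx",pid=13984,fd=15))
ESTAB      0      0      10.0.0.5:39823       198.51.100.7:443    users:(("nginx",pid=13984,fd=16))
ESTAB      0      0      10.0.0.5:22          192.0.2.44:60001    users:(("sshd",pid=900,fd=4))
"""


def split_host_port(addr):
    """Split 'host:port' (IPv4 or [IPv6]) into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss(lines):
    """Parse `ss -tnp` lines into dicts; skips the header and unparseable rows."""
    conns = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        lhost, lport = split_host_port(local)
        phost, pport = split_host_port(peer)
        m = PROC_RE.search(line)
        conns.append({
            "state": state,
            "local_host": lhost, "local_port": lport,
            "peer_host": phost, "peer_port": pport,
            "process": m.group("name") if m else "?",
            "pid": int(m.group("pid")) if m else None,
        })
    return conns


def peers_by_process(conns):
    """Map 'name[pid]' -> Counter of peer hosts, the view iftop/nethogs give per process."""
    out = defaultdict(Counter)
    for c in conns:
        if c["state"] == "ESTAB":
            out[f'{c["process"]}[{c["pid"]}]'][c["peer_host"]] += 1
    return dict(out)


def outbound_connections(conns, listening_ports=frozenset({22, 80, 443})):
    """Connections the server initiated: established, and local port is not one we listen on.

    listening_ports is an assumption for the example; on a real host take it from `ss -tln`.
    """
    return [c for c in conns
            if c["state"] == "ESTAB" and c["local_port"] not in listening_ports]


def live_connections():
    """Run ss on the current host; returns [] if ss is unavailable (e.g. off-box testing)."""
    try:
        res = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return parse_ss(res.stdout.splitlines())


if __name__ == "__main__":
    conns = live_connections() or parse_ss(SAMPLE_SS.splitlines())
    for proc, peers in peers_by_process(conns).items():
        print(proc, dict(peers))
    for c in outbound_connections(conns):
        print(f'OUTBOUND {c["process"]}[{c["pid"]}] -> {c["peer_host"]}:{c["peer_port"]}')
```

In the sample, the nginx worker holds two connections it opened itself to 198.51.100.7:443, which is the shape of the Azure traffic described above: a web server process reaching out, rather than serving clients. Any process in that list whose job is only to accept inbound requests deserves a closer look at its binary and configuration.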

chrisc@accentservices.com
Joined: 2018/05/07
Points: 0

Thanks for the follow-up info, Adrian!