I don't know it is Virus or DDOS

Discussion in 'General' started by asgare, Oct 28, 2018.

  1. asgare

    asgare Member

    Hi Friends
    We got a serious problem. Our server bandwidth usage increased dramatically. Each month our server uses 6 GB Internet but it's about two weeks that our server uses 5 GB per day. It cost me a lot.:(:(:(
    Remotely tried to monitor each node's to figure out whose uses. What I show was very shocking! results show that our customers overuse the Internet.
    I think ISPConfig infected by some PHP or AJAX virus because I checked attacks and all saw was our customers.
    Please anyone encountered with this kind of problem or knows the answer let me know. In my country, Internet costs are a lot and I can't afford it.

    Also, I put a client network monitor as an attachment.
     

    Attached Files:

  2. asgare

    asgare Member

    After a couple of minutes, client page still processing and sending data to the server. I think it shouldn't do like this. I don't know what is going on.
     

    Attached Files:

    • C2.png
      C2.png
      File size:
      116.3 KB
      Views:
      10
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If you have reason to believe it is just one costomer, try removing Active for that website settings.
     
  5. asgare

    asgare Member

    Dear Taleman, thanks for your prompt reply.
    Well I just monitored for a couple of minutes, I checked randomly for two weeks and after lots of examination observed this as an issue.
     
  6. asgare

    asgare Member

    Regrettably, we are in a location because of US sanction can't pay the license fee. Please offer me an alternative way.
     
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You can try it for free. The trial is full version, it just limits number of scans.
     
  8. asgare

    asgare Member

    Here is the result of ISPPROTECT:



    !!! DO NOT INTERRUPT THE SCRIPT !!!!

    After the scan is completed, you will find the results also in the following files:
    Malware => /tmp/found_malware_20181028081235.txt
    Wordpress => /tmp/software_wordpress_20181028081235.txt
    Joomla => /tmp/software_joomla_20181028081235.txt
    Drupal => /tmp/software_drupal_20181028081235.txt
    Mediawiki => /tmp/software_mediawiki_20181028081235.txt
    Contao => /tmp/software_contao_20181028081235.txt
    Magentocommerce => /tmp/software_magentocommerce_20181028081235.txt
    Woltlab Burning Board => /tmp/software_woltlab_burning_board_20181028081235.txt
    Cms Made Simple => /tmp/software_cms_made_simple_20181028081235.txt
    Phpmyadmin => /tmp/software_phpmyadmin_20181028081235.txt
    Typo3 => /tmp/software_typo3_20181028081235.txt
    Roundcube => /tmp/software_roundcube_20181028081235.txt
    Shopware => /tmp/software_shopware_20181028081235.txt
    Mysqldumper => /tmp/software_mysqldumper_20181028081235.txt
    Starting scan level 1 ...
    Scanning 45091 files now ...
    Scan level 1 completed. 0 hits.
    Starting scan level 2 ...
    Scanning 25259 files now ...
    Read 119909 whitelist signatures ...
    Scan level 2 completed. 1 hits.
    Searching for open proxy plugin …
    Searching for cryptophp malware …
    ================================
    Found 1 malware file(s)
    ================================
    Malware {ISPP}suspect.big.phpfile in /var/www/clients/client0/web8/web/demo/assets/js/plugins/editors/ace/worker-xquery.js
    ================================
    Starting Wordpress check. This could take a while ...
    Most decent version(s): 4.9.8
    Outdated Wordpress version: 4.4.1 (newest is 4.9.8) in /var/www/clients/client0/web4/web/payamoshir
    Wordpress check found 0 current and 1 outdated versions.
    ================================
    Starting Joomla check. This could take a while ...
    Most decent version(s): 2.5.28, 3.1.3, 3.2.7, 3.6.5, 3.8.13
    Joomla check found 0 current and 0 outdated versions.
    ================================
    Starting Drupal check. This could take a while ...
    Most decent version(s): 6.38, 7.60, 8.6.2
    Drupal check found 0 current and 0 outdated versions.
    ================================
    Starting Mediawiki check. This could take a while ...
    Most decent version(s): 1.31.1
    Mediawiki check found 0 current and 0 outdated versions.
    ================================
    Starting Contao check. This could take a while ...
    Starting Magentocommerce check. This could take a while ...
    Most decent version(s): 1.9.3.10
    Magentocommerce check found 0 current and 0 outdated versions.
    ================================
    Starting Woltlab_burning_board check. This could take a while ...
    Most decent version(s): 4.1.19, 5.0.14, 5.1.4
    Woltlab Burning Board check found 0 current and 0 outdated versions.
    ================================
    Starting Cms_made_simple check. This could take a while ...
    Starting Phpmyadmin check. This could take a while ...
    Most decent version(s): 4.0.10.20, 4.8.3
    Phpmyadmin check found 0 current and 0 outdated versions.
    ================================
    Starting Typo3 check. This could take a while ...
    Most decent version(s): 7.6.31, 8.7.19, 9.4.0, 9.5.0
    Typo3 check found 0 current and 0 outdated versions.
    ================================
    Starting Roundcube check. This could take a while ...
    Starting Shopware check. This could take a while ...
    Starting Mysqldumper check. This could take a while ...
    ================================
    Starting WP plugin vulnerability scan. This could take a while ...
    ================================
    Starting WP plugin version scan. This could take a while ...
    Outdated WP plugin "wp-jalali" version: 5.0.0 (newest is 5.0.1) in /var/www/clients/client0/web4/web/payamoshir
    WP plugin version check found 0 current and 1 outdated versions.
    ================================
    Scan Level 4 (SQL) skipped.
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Old versions of software attract malware, so force users to upgrade or shutdown the website.
    Examine the file the script claims contains malware. It may be false alarm. Those bigfiles are often log files the program writes to but newer cleans.
     
  10. asgare

    asgare Member

    I deleted that Malware and waited to see the result of Internet usage within 12 hours. Still, nothing changed and I have that problem. :oops:
    Is there any monitoring program to give me detail report of each node Internet usage and let me know which site uses this Internet and what for it is used!
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Run the top command on the shell, then you will probably see which website uses the most resources by looking which PHP processes of a web[id] user are the topmost. Then look up which website it is and check out the access.log of the site to see what's going on.
     
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Is nethogs available for your OS? It would show which user is using most bandwith.
    If bandwith is expensive, use quota to limit customers, or charge customers by usage.
     
  13. asgare

    asgare Member

    Hi till & Glad to see your attention in my question
    As far as I see this command, it only shows me the system usage or I couldn't understand your meaning about this command.
    I don't know if there is a command that lets me know how much the Internet via which file used! I think this way I can find the problem source.
     

    Attached Files:

  14. asgare

    asgare Member

    Above posted screenshot token via nethogs (in the early post). Would you please let me know how should I use this command (quota)
     
  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I never wrote nothing about command quota. In ISPConfig, go to user settings. there are limit settings you can use to put quota on bandwith use.
     

Share This Page