ETH0 Inbound 10 times normal past 30 hours!


For the past 30 hours my inbound traffic, as seen on my ETH0 server overview graph, has been 10 times normal.

Now I checked each SiteWorx account’s real-time bandwidth graph, and NONE of them show any such increase.

How can I check what the heck is going on? Where all that inbound traffic is coming from!

I forgot to mention that I have stopped the FTP service, so I know the inbound traffic is NOT coming from there!

Is it Mail Traffic?

I had a bad PHP mail() script once that someone was using to send spam, and I noticed b/c of a small but constant eth0 usage.

I don’t know. How can I check?

I also tried to restart my server.

There must be some way, some tool that can tell what this inbound traffic is.

For the past hour I stopped all services concerning email, pop, imap and smtp.

That did NOT help!

Have you tried looking into HTTP? That was my problem that I mentioned earlier. I had a poorly written PHP script :o for sending mail. Someone was able to inject their own email into it and used my server to send out a bunch of spam.

I would look at your HTTP logs and also do a “top” to see which processes are being used; that should give you some more clues.

Possibly do a netstat to see which ports are open too?
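An added example, not part of the original posts: one way to act on the netstat suggestion above is to tally connections per remote address and per local port, so a single noisy peer or service stands out. The function names and the sample input (documentation-range addresses) are constructed for illustration; the column layout assumed is that of `netstat -ntu` on Linux.

```shell
#!/bin/sh
# Tally connections per remote address and per local port from
# `netstat -ntu` style output on stdin.
# Assumed columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State

tally_conns() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            # Local port: drop everything up to the last colon.
            lport = $4; sub(/^.*:/, "", lport)
            # Remote address: drop the trailing :port.
            rip = $5;   sub(/:[^:]*$/, "", rip)
            port[lport]++
            peer[rip]++
        }
        END {
            for (p in port) printf "port %s %d\n", p, port[p]
            for (r in peer) printf "peer %s %d\n", r, peer[r]
        }
    ' | sort -k1,1 -k3,3nr   # group by kind, busiest first
}

# Constructed sample in netstat layout, so the script runs offline.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51512      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51513      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.5:40022       ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.9:33001       TIME_WAIT
EOF
}

# Demo on the sample; on a live server use: netstat -ntu | tally_conns
sample_netstat | tally_conns
```

Connection counts are not byte counts: a few connections can carry most of the volume, and connectionless traffic may not appear in this listing at all, so treat the tally as a pointer to which port and peer to inspect next.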

I don’t have any PHP mail scripts accessible to the public, only one in a member area of a site in beta test! No links to the beta area accessible anywhere!