Website Bombarded overnight

[dankellys]

For about the last week or so, one of the websites I host for one of my clients has been getting bombarded with traffic overnight. It has gone from using about 500mb of bandwidth per month, to using 1GB PER DAY! The website is for a local windows and conservatories installation company, and has no reason to be having such high volumes of traffic, especially overnight. Is there any way of tracing this back, and stopping this rogue traffic?

The site has a handful of jpg images on, but nothing of a large size (about 1000px on longest edge), and is just a bog-standard Wordpress brochure site.

[jimbouk]

Server logs should give you ip addresses, which will give you countries. Then just start blocking in chunks.

[dankellys]

Cheers, looked like the traffic was coming from an IP address in Germany. Blocked now

[peterb]

if you are hosting on a *nix machine, you might like to look at fail2ban, www.fail2ban.org - it may be available from your distro's repository.

[DarthRager]

If you're hosting client sites shouldn't you have like.. unlimited bandwith?

My server is £11 a month, unlimited bandwith and a 500GB HDD...

Then there's nothing wrong with *shock horror* 1GB a bandwith a day.

[virtuo]

Then there's nothing wrong with *shock horror* 1GB a bandwith a day.

If it was legitimate traffic then 1GB a day wouldn't be a problem, but if I saw bandwidth usage for any site increase by 60x in a very short period of time, then I'd be looking for files or services that have "found their way" on to the server. Regardless of how unlimited my usage is, I wouldn't want anything dodgy running in the background. I've seen a lot of FTP servers, IRC servers and proxy scripts secretly installed on less than secure web servers before. And they chew through the bandwidth.

[DarthRager]

If it was legitimate traffic then 1GB a day wouldn't be a problem, but if I saw bandwidth usage for any site increase by 60x in a very short period of time, then I'd be looking for files or services that have "found their way" on to the server. Regardless of how unlimited my usage is, I wouldn't want anything dodgy running in the background. I've seen a lot of FTP servers, IRC servers and proxy scripts secretly installed on less than secure web servers before. And they chew through the bandwidth.

I suppose that is a possibility.

[virtuo]

Did the access logs show what resource(s) the IP in Germany was requesting? I think just blocking that IP might be ignoring the bigger issue that someone has managed to install something on the server. Is Wordpress up to date?

Edit: Didn't notice the age of the thread, take it the site's been fine since?