February 7, 2023, 10:56pm
I’m hosting a website, particularly trivial and without anything special, but which is using a HUGE amount of bandwidth in comparison with the others.
Have a look :
145Gb in seven days!
This is not normal bandwidth usage for this website and I wonder if there is not an issue or something (hack on this website?).
It’s a Wordpress website (and I’m not the webmaster)
I have checked the hosted files and the biggest are PNG photo files (2Mo for the largest one).
My question is the following: which tools can I use to find HOW this simple website is generating BW: which files are read thousands of times, etc.?
Or maybe you simply have an idea about the cause?
February 7, 2023, 11:01pm
Here the history of this site :
As I can see, the BW has increased progressively for a year…
One year ago, it consumed only 30Gb/month
And the website didn’t receive any big change (as I can see)
February 7, 2023, 11:07pm
The database looks normal :
A lot of spam comments, but normal for a WordPress…
You should read the Nginx or apache logs. You will see all the http requests and you will have your answers.
For a HestiaCP with Apache and Nginx you can see the logs with this command
February 8, 2023, 10:34am
I will try to understand the log with https://goaccess.io/
February 8, 2023, 11:11am
The number of comments is high. Are you sure it is not something like comment spam and a page that is loaded by the spammers?
February 8, 2023, 11:14am
goaccess is an amazing tool!
I found this kind of requests:
Hits h% Vis. v% Tx. Amount Mtd Proto Data
----- ------- ---- ------- ---------- ---- -------- ----
2325 100.00% 1009 100.00% 17.37 GiB GET HTTP/1.0 /?attachment_id=102
1071 46.06% 503 49.85% 14.06 GiB GET HTTP/1.0 /?attachment_id=111
1044 44.90% 481 47.67% 13.08 GiB GET HTTP/1.0 /?attachment_id=39
468 20.13% 30 2.97% 8.84 GiB POST HTTP/1.0 /?attachment_id=185/wp-comments-post.php
977 42.02% 289 28.64% 4.95 GiB GET HTTP/1.0 /?attachment_id=185
213 9.16% 30 2.97% 1.31 GiB GET HTTP/1.0 /?attachment_id=185/wp-comments-post.php
238 10.24% 189 18.73% 1.01 GiB GET HTTP/1.0 /?attachment_id=184
98 4.22% 51 5.05% 956.43 MiB GET HTTP/1.0 /?attachment_id=276
90 3.87% 48 4.76% 729.65 MiB GET HTTP/1.0 /?attachment_id=181
177 7.61% 116 11.50% 685.00 MiB GET HTTP/1.0 /?attachment_id=339
126 5.42% 110 10.90% 521.34 MiB GET HTTP/1.0 /?attachment_id=180
122 5.25% 78 7.73% 511.30 MiB GET HTTP/1.0 /?attachment_id=340
9 0.39% 1 0.10% 160.51 MiB POST HTTP/1.0 /?attachment_id=339/wp-comments-post.php
5 0.22% 5 0.50% 86.04 MiB POST HTTP/1.0 /?attachment_id=340/wp-comments-post.php
2 0.09% 2 0.20% 42.66 MiB POST HTTP/1.0 /?attachment_id=181/wp-comments-post.php
The url with /?attachment_id=102 is just a standard photo of the customer…
And the main “visitor” with biggest BW is a Chrome/Windows user… maybe a bot…
I think I will ask my customer to simply keep his website up to date because it’s probably an obsolete version of WordPress…
And obviously delete all spam comments…
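The per-URL breakdown shown in the goaccess output above can also be reproduced with a short script. This is an added example, not part of the original thread: it assumes the common "combined" access-log format, and the log lines, IP addresses and byte counts in it are constructed.

```python
import re
from collections import defaultdict

# Combined log format: ip - user [time] "METHOD path PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges), not from the real server.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Feb/2023:10:00:01 +0100] "GET /?attachment_id=102 HTTP/1.0" 200 8000000 "-" "Chrome/109.0"
198.51.100.7 - - [07/Feb/2023:10:00:02 +0100] "GET /?attachment_id=102 HTTP/1.0" 200 8000000 "-" "Chrome/109.0"
198.51.100.7 - - [07/Feb/2023:10:00:03 +0100] "POST /?attachment_id=185/wp-comments-post.php HTTP/1.0" 200 19000000 "-" "Chrome/109.0"
198.51.100.7 - - [07/Feb/2023:10:00:04 +0100] "POST /?attachment_id=185/wp-comments-post.php HTTP/1.0" 200 19000000 "-" "Chrome/109.0"
203.0.113.5 - - [07/Feb/2023:10:00:05 +0100] "GET /index.php HTTP/1.1" 304 - "-" "Chrome/109.0"
203.0.113.9 - - [07/Feb/2023:10:00:06 +0100] "-" 400 0 "-" "-"
"""

def bandwidth_by_request(lines):
    """Aggregate hits, bytes sent and distinct client IPs per (method, path)."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "ips": set()})
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # malformed request line, counted but not ranked
            continue
        entry = stats[(m["method"], m["path"])]
        entry["hits"] += 1
        entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        entry["ips"].add(m["ip"])
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return ranked, skipped

def comment_post_sources(lines):
    """Count POSTs to wp-comments-post.php per client IP (comment-spam candidates)."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and "wp-comments-post.php" in m["path"]:
            counts[m["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    ranked, skipped = bandwidth_by_request(SAMPLE_LOG.splitlines())
    for (method, path), e in ranked:
        print(f'{e["bytes"]:>10} B {e["hits"]:>3} hits {len(e["ips"])} IPs {method} {path}')
```

Ranking by bytes rather than hits is what surfaces the heavy attachment pages, and the per-IP POST count gives a concrete list to feed into a block rule.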
February 8, 2023, 11:24am
Looks like raw photos… or at least large ones
February 8, 2023, 11:42am
yes, it looks like this… but in fact, the photo is a classical picture of 990kb…
And best: absolutely no reason that a human would open it thousands of times a day.
So if it’s a bot, what is it for ?
February 8, 2023, 12:20pm
Seeing the number of POST requests, it is probably used for comment spam on the attachment pages and then keeps on loading
Why? No idea…
Install a temporary fail2ban rule to block some of those resources. Maybe they will stop soon. Or an nginx template denying access to those attachments and the comments.php
Alternatively you may see the countries from which those connections come and block them
February 8, 2023, 3:37pm
This is simply competitor/spammer DDoS attacks & login hack attempts.
And there are some tools, CleanTalk for preventing spam comments and form spam. They also have a security plugin. And you can turn off hotlinks to pictures, which is an option in several security plugins like AIO security.
February 14, 2023, 7:24am
Thanks all for your answers.
Finally, I asked my customer to update his WordPress and all the abnormal traffic is gone!
You can update WP, plugins and themes with a WP cli command. They have a policy to only perform minor updates if you want.
You can have a script that updates the whole server.
February 14, 2023, 7:53am
However, I’m just the hoster, so I won’t touch my customer’s files…