C# 8mo ago
Knuceles

❔ Traffic out on asp.net

Hi, for around 3 days, I had a small ASP.NET application (https://github.com/dotnet/dotnet-docker) on my Ubuntu VPS. And today, I was notified by my VPS provider that 'Traffic out' reached over 60 TB, and I'm about to be charged a bit more money than I intended. Apart from the few times I called a GET request from the terminal, this application did not receive any web requests, and I find the number 60 TB to be really strange. Do you guys have suggestions on what to do or how to investigate something like this?
20 Replies
Knuceles 8mo ago
Here are more details
Jimmacle 8mo ago
do you have any more granular traffic information than that? that looks like pretty constant traffic so first thing i would do is find out which process is sending it
JakenVeina 8mo ago
getting a packet capture of that traffic would be my next step
Bailey 8mo ago
I'm not an expert on this. However, I would do the following:
- can you reproduce it with a virtual machine on your own computer
- then, like said before, capture packets, but also endpoints: where does the data go to (something like Wireshark)
After that I wouldn't know.
Pobiega 8mo ago
averaging 200 mbps is.... a lot. Is there any other service running on the VPS? I honestly doubt it's the ASP service
Knuceles 8mo ago
I’ve had other servers (from same company/setting) running on VPS before with a non-ASP.NET app, and this kind of stuff never happened.
Okay, thank you guys. I’ll try getting more traffic information first
Pobiega 8mo ago
Yeah it's very odd, but 200 mbps is a HUGE amount of traffic.
My first thought was "there might be a torrent client somewhere on that VPS"
Knuceles 8mo ago
💀 it’s really strange.
Noteworthy again, I’m just testing different deployment methods with .NET’s example code here ‘https://github.com/dotnet/dotnet-docker’
Pobiega 8mo ago
like https://github.com/dotnet/dotnet-docker/tree/main/samples/aspnetapp/aspnetapp ? that's a super barebones asp app, shouldn't generate ANY traffic at all unless you hit it
Knuceles 8mo ago
Yah, there doesn’t seem to be any code that’s sending traffic out constantly, and in a large amount.
I’ll follow everyone’s advice and learn more about the traffic information
Pobiega 8mo ago
👍
Knuceles 8mo ago
Okay, I think I figured out the puzzle. There's nothing wrong with the ASP.NET application. I checked the traffic requests, and there were a bunch of requests being made to this one IP address, with all of them sending roughly the same amount of packets. I killed an application that was using 80% of CPU, then that application quickly came back alive, still using the same amount of CPU. I think my server just got hacked, because I used a relatively weak password/had default port open/had root user, and it was a RAT program that was sending those requests
JakenVeina 8mo ago
wraffOK
JakenVeina 8mo ago
RANDOM.ORG - Password Generator
This page allows you to generate random passwords using true randomness, which for many purposes is better than the pseudo-random number algorithms typically used in computer programs.
Knuceles 8mo ago
😂 my password was "server".
I'm never making this mistake again.
I'll use SSH keys from now on
JakenVeina 8mo ago
even better
Knuceles 8mo ago
if this was one of the mainstream servers like Azure or AWS, I would have been charged $5k, no joke, and gone to jail if the hackers were doing bad stuff
Accord 8mo ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.