Bandwidth usage on VPS with Ghost

I installed the latest Ghost version on mediuminside.com (my domain).
OS: Ubuntu 20
┌────────────────────┬─────────────────────────┬─────────┬─────────┬─────┬──────┬─────────────────┐
│ Name               │ Location                │ Version │ Status  │ URL │ Port │ Process Manager │
├────────────────────┼─────────────────────────┼─────────┼─────────┼─────┼──────┼─────────────────┤
│ mediuminside-com   │ /var/www/mediuminside_1 │ 5.105.0 │ stopped │ n/a │ n/a  │ n/a             │
├────────────────────┼─────────────────────────┼─────────┼─────────┼─────┼──────┼─────────────────┤
│ mediuminside-com-1 │ /var/www/newwebsite     │ 5.105.0 │ stopped │ n/a │ n/a  │ n/a             │
└────────────────────┴─────────────────────────┴─────────┴─────────┴─────┴──────┴─────────────────┘

Using MySQL on Ubuntu 20. I set up NGINX with a firewall. I think there is a security issue.

I have identified an issue with high bandwidth usage on our server, and I require assistance in resolving it. The traffic appears to be originating from the following AWS server:

  • Domain/IP: ec2-18-166-182-80.ap-east-1.compute.amazonaws.com
  • Bandwidth Consumption: 80.6 MB (current)

This server is consuming a significant portion of our bandwidth, which is impacting the performance of other critical services.

Actions Taken So Far:

  1. Traffic Monitoring: I have confirmed that this server is responsible for a substantial amount of outgoing traffic.
  2. Analysis: The purpose of this traffic is unclear. It could be legitimate application usage or potential malicious activity.

Request for Assistance:

  1. If this traffic is unnecessary or malicious, please advise on steps to block or limit it effectively.
  2. If this issue involves a misconfiguration or compromise, kindly provide guidance on securing the server and resolving the problem.

I would greatly appreciate a prompt response, as this issue is affecting our network resources. Please let me know if additional details or logs are required.

Visit my website: https://mediuminside.com

So since all the traffic is to one site, a good first step would be to block them with the firewall, whatever that is? NGINX isn’t a firewall.

Report them to Amazon: Amazon Web Services Support.

You could stick a Cloudflare proxy out in front and block them there, perhaps turning on Bot Fight mode? (This improves the odds of failed attempts not counting against your bandwidth.)

What did your VPS host say when you asked them for help? Why do they think it is a Ghost problem?

Actions Taken So Far:

  1. Analysis: The purpose of this traffic is unclear. It could be legitimate application usage or potential malicious activity.

OK, so what does your analysis show? Your post says “Actions taken so far”, right? What tool did you use to analyze, and why are the results unclear? If the traffic is ongoing, you should minimally be able to figure out what port it is going to. (And if it isn’t going to Ghost, then why are you posting it here? If it is going to Ghost, what are they doing? Are they just loading your biggest images over and over in a bandwidth exhaustion attack, or are they actually exploiting something?)

You might ask whatever AI you’re using to write these posts what tool you should use, rather than posting AI content that claims you’ve done steps you haven’t actually done.

Please, I ran UFW to block the IP; the issue is still ongoing.

I received the only response shown in the picture.
I blocked the IP and ran a malware scan every time I received a new IP using the bandwidth.
I ran all the commands and tests and found that the issue is related to the Ghost port usage via the NGINX file. I inserted a block for the server IP on the server; UFW blocks the IP, but the problem appears every time I install Ghost, even when I tried a different Linux version.
I use AI to write and correct the information since I don't have a good background in using servers and how bandwidth links to ports; that's why I need to investigate the issue with the last Ghost update.
Maybe hackers use some breaches in your Ghost setup?

Believe me, I tried all AI solutions to search for or find the issue. I don't like writing content with errors, which is why I use some online tools to correct mistakes or help me with technical issues.

Can you show that? I’m sure that the Ghost dev team will be very interested to hear about any security issue, but there’s nothing in what you’ve posted that shows this is Ghost-related.

The screenshots you’re posting look like iftop, I think? If so, run with a -p flag to get the ports involved. IF that shows that we’re looking at a Ghost issue, take a look at your Ghost logs to see what requests it is logging.
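The reply above suggests checking the ports and then the logs of the site. As an added example (not from the thread or the Ghost project), here is a small Python script that does the log half of that check: it parses NGINX "combined" access log lines in front of Ghost, totals bytes sent per client IP, and flags any client that repeatedly fetches the same large object, which is the "loading your biggest images over and over" pattern mentioned earlier. The log lines are constructed for the demo; the thresholds `min_bytes` and `min_hits` are assumptions to tune for your site.

```python
import re
from collections import defaultdict

# Constructed sample lines in NGINX "combined" format (not taken from the thread).
SAMPLE_LOG = """\
18.166.182.80 - - [10/Jan/2025:10:00:01 +0000] "GET /content/images/2024/hero.jpg HTTP/1.1" 200 4194304 "-" "python-requests/2.31"
18.166.182.80 - - [10/Jan/2025:10:00:02 +0000] "GET /content/images/2024/hero.jpg HTTP/1.1" 200 4194304 "-" "python-requests/2.31"
18.166.182.80 - - [10/Jan/2025:10:00:03 +0000] "GET /content/images/2024/hero.jpg HTTP/1.1" 200 4194304 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "GET /content/images/2024/hero.jpg HTTP/1.1" 200 4194304 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2025:10:00:06 +0000] "GET /ghost/api/admin/ HTTP/1.1" 403 162 "-" "curl/8.0"
"""

# client, ident, user, [timestamp], "request", status, bytes_sent (rest ignored)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sent = m.group("bytes")
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "bytes": 0 if sent == "-" else int(sent)}

def bytes_per_client(lines):
    """Total bytes sent to each client IP (the 'who is eating bandwidth' view)."""
    totals = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        totals[rec["ip"]] += rec["bytes"]
    return dict(totals)

def repeated_large_fetches(lines, min_bytes=1_000_000, min_hits=3):
    """(ip, path, hits, total_bytes) for clients re-fetching one large object; biggest first."""
    hits = defaultdict(lambda: [0, 0])
    for rec in filter(None, map(parse_line, lines)):
        if rec["bytes"] >= min_bytes:
            hits[(rec["ip"], rec["path"])][0] += 1
            hits[(rec["ip"], rec["path"])][1] += rec["bytes"]
    found = [(ip, p, n, t) for (ip, p), (n, t) in hits.items() if n >= min_hits]
    return sorted(found, key=lambda r: -r[3])

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, total in sorted(bytes_per_client(lines).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {total / 1e6:8.1f} MB")
    for ip, path, n, total in repeated_large_fetches(lines):
        print(f"suspect: {ip} fetched {path} {n}x ({total / 1e6:.1f} MB)")
```

On a real server, feed it `/var/log/nginx/access.log` instead of `SAMPLE_LOG`; a client that tops the byte count and shows up in the repeated-fetch list is a candidate for a rate limit or block, while an absence of any such client points away from Ghost and back at the host.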

Link Cloudflare and enable bot attack protection.

Seems something is very off with your server.

Using the above information, maybe you could try and add the below rule to your UFW firewall? I doubt it will work since it’s not an IP though.

sudo ufw deny from linux.15fb7a.com

Or if you want to instantly kill off any traffic back to that domain: Edit the /etc/hosts file and add this line there

10.0.0.1 linux.15fb7a.com

This will send all traffic requested by that domain to a local IP that is not in use, effectively stopping the traffic from your server.

The first link is a great resource, @EchonCique . Thanks for sharing it!

But that second link is for blocking requests from users for Facebook using iptables - I don’t think it helps here.

Cheers! Yeah, it's not about the iptables part. It's about editing the /etc/hosts file, which governs how traffic is parsed on the local machine. If the one-liner is added to that file, the server sends traffic to the malicious domain to its local IP, in effect terminating the traffic 🙂.

Assuming the data transfer is originating on the server, not in response to an external request, and that the transfer is using the domain name, not the IP, ok, sure.

I'm not at all sure that's the case here. Jason hasn't really provided enough detail to be able to tell. We might just be looking at a web scraper behaving badly and requesting big files repeatedly…

I think the issue is resolved. There is a security issue or breach in Ghost; please investigate with others.

You’ve offered zero evidence of a ghost security vulnerability. That’s a serious claim and needs evidence.

I think a misconfiguration of something, somewhere is more likely, but please, post evidence that this is a Ghost problem if you have it.

I think hackers use your breaches to consume users' bandwidth. I reinstalled WordPress or another server panel and found no issues. Please be aware; choose your hosting.
All the pictures show the security breach starting to consume the bandwidth. Please check the Ghost CMS config and MySQL server.

You have provided zero evidence of any foul play or vulnerabilities in the Ghost software.

Please get in touch with security@ghost.org if you have any such evidence or suggestions that are more specific than what you’ve presented in this thread.

Evidence

Every time the bot chooses a random IP to access your server from MySQL.
I don't know how they did it, but it seems they depend on the security of the hosting provider. I installed Ghost on another VPS provider: no issue. All the pictures above show the bandwidth. I tested MySQL and found there are some issues in Ghost-CLI; you need to update some MySQL and NGINX configuration.

What you are describing is a common practice amongst bad actors on the internet. They frequently scan all IPs of known VPS instances for vulnerabilities.

It's common advice to always harden/secure the new server as priority one. The first two actions are thus to lock down SSH access to only allow known keys with passwords and to enable a firewall blocking all ports and protocols except TCP/22 for SSH.

What you are describing seems to me like a regular bot attack. I suppose that is why AWS Support said it’s nothing on their end.

What I suggest is that you wipe the server. Start a new instance, harden it using a good guide and then try and install Ghost again (or any other software you want to run).