hello,

i am new to linux, have rented a dedicated server with suse and plesk 7.5, and got some serious problems now.

i think someone hacked my server, because there is a traffic of about 45 GB a day on the machine. netstat statistic below!!!

also there is a lot of diskspace used, which also seems a little strange to me.

Filesystem Size Used Avail Use% Mounted on
/dev/hda1 510M 83M 402M 18% /
tmpfs 10M 0 10M 0% /dev/shm
/dev/hda5 4.9G 1.2G 3.7G 25% /usr
/dev/hda6 4.9G 958M 4.0G 20% /var
/dev/hda7 63G 48G 15G 77% /home
none 502M 208K 502M 1% /tmp

how can i check wo is accessing which files and which size my directorys have at /home ???

thanks for your help!


Netstat shows me this here:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 p15191353.pureser:59083 p15191353.pureser:mysql ESTABLISHED
tcp 0 0 p15191353.pureserve:ssh chello212186127:phrelay ESTABLISHED
tcp 0 106552 p15191353.pure:www-http chello08010909322:64405 ESTABLISHED
tcp 0 0 p15191353.pureser:54904 p15191353.pureser:mysql ESTABLISHED
tcp 0 0 p15191353.pureser:54905 p15191353.pureser:mysql ESTABLISHED
tcp 0 21900 p15191353.pureser:34427 rbackup6.onlineho:55450 ESTABLISHED
tcp 0 0 p15191353.pureserve:ssh chello212186127152:4688 ESTABLISHED
tcp 0 0 p15191353.pureserv:smtp 213.150.0.88:52021 TIME_WAIT
tcp 0 0 p15191353.pureser:35700 p15191353.pureser:mysql ESTABLISHED
tcp 0 0 p15191353.pureser:47179 spf7.us4.outblaze.:smtp ESTABLISHED
tcp 0 1 p15191353.pureser:56841 georgia.vdtimes.co:smtp SYN_SENT
tcp 0 0 p15191353.pureser:mysql p15191353.pureser:54904 ESTABLISHED
tcp 0 212 p15191353.pureserve:ssh host5.planetsocie:23705 ESTABLISHED
tcp 0 0 p15191353.pureser:mysql p15191353.pureser:54905 ESTABLISHED
tcp 0 0 p15191353.pureser:mysql p15191353.pureser:35700 ESTABLISHED
tcp 0 1 p15191353.pureser:41063 ejl151.neoplus.ads:auth SYN_SENT
tcp 0 0 p15191353.pureserv:smtp 236.31.broadband4.:3962 ESTABLISHED
tcp 0 0 p15191353.pureserv:pop3 host5.planetsocie:23915 TIME_WAIT
tcp 0 1 p15191353.pureser:41064 mail.the-link-grou:auth SYN_SENT
tcp 0 0 p15191353.pureser:53473 spf4.us4.outblaze.:smtp ESTABLISHED
tcp 0 23 p15191353.pureserv:smtp 124.165.54.146:sis-emt FIN_WAIT1
tcp 0 4380 p15191353.pureser:58787 rbackup6.onlinehom:7293 ESTABLISHED
tcp 0 0 p15191353.pureser:35988 rbackup6.onlinehome:ftp ESTABLISHED
tcp 0 0 p15191353.pureserv:smtp mail.the-link-gro:45954 ESTABLISHED
tcp 0 0 p15191353.pureser:mysql p15191353.pureser:59083 ESTABLISHED
tcp 0 0 p15191353.pureserv:pop3 chello062178:globmsgsvc TIME_WAIT
tcp 0 0 p15191353.pureserv:smtp ejl151.neoplus.ads:rcst ESTABLISHED
tcp 0 0 p15191353.pureser:38621 rbackup6.onlinehome:ftp ESTABLISHED
tcp 0 1 p15191353.pureser:47790 mail.bonustree.com:smtp SYN_SENT
udp 0 0 localhost.l:filenet-rpc localhost.l:filenet-rpc ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 1837 /var/lib/ntp/dev/log
unix 17 [ ] DGRAM 1834 /dev/log
unix 2 [ ] DGRAM 1836 /var/lib/named/dev/log
unix 3 [ ] STREAM CONNECTED 467962 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 467961
unix 3 [ ] STREAM CONNECTED 464956 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 464955
unix 3 [ ] STREAM CONNECTED 461736 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 461735
unix 3 [ ] STREAM CONNECTED 460360 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 460359
unix 3 [ ] STREAM CONNECTED 460307 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 460306
unix 3 [ ] STREAM CONNECTED 460276 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 460275
unix 3 [ ] STREAM CONNECTED 460231 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 460230
unix 3 [ ] STREAM CONNECTED 457114 /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 457113
unix 2 [ ] DGRAM 305104
unix 2 [ ] DGRAM 3429
unix 2 [ ] DGRAM 2966
unix 2 [ ] DGRAM 2956
unix 2 [ ] DGRAM 2856
unix 2 [ ] DGRAM 2708
unix 2 [ ] DGRAM 2699
unix 2 [ ] DGRAM 2671
unix 2 [ ] DGRAM 2538
unix 2 [ ] DGRAM 2419
unix 2 [ ] DGRAM 1968
unix 2 [ ] DGRAM 1954
unix 2 [ ] DGRAM 1940
unix 2 [ ] DGRAM 1926
unix 2 [ ] DGRAM 1858

But directory sizes can be seen using
I think. Some versions of du have a -h option that displays megabytes etc. instead of bytes..and to see just the size of a certain dir, you could use
EDIT: "du" comes from "disk usage" I think..just an idea, to make it easier to remember.

EDIT II: "who's using this file" - one way is using fuser, it displays the processes (and users running those processes) that use certain files:

Code:

fuser -u /home/somefile

I'm not sure if that's what you were looking for..to see the processes, use

Code:

ps -ef | grep processnumber

where processnumber is a number of some process that you got using fuser, for example.

this helps me a little, to understand where to search!

so i have this problems:
1. someone creates a amount of traffic which does not come from the httpd or ftp server, i stopped both processes, but still there is traffic created!!! i have installed the tool "vnstat" which tells me that, also the provider tool shows me traffic!!!
where could i search for this traffic creator`???

2. diskspace is used:
df -h tells me /dev/hda7 /home has used 77% of his space 63G in total!
But this is impossible because i just have 12 webspaces which are all limited to 1GB, so there should be used a max of 12 GB used!
with the "du" command i also have the impression that there is just used as little as 10Gigs on the /home drive

any ideas???