The Community Forums


Network monitoring tool to find which internal node is hacked?

Discussion in 'Security' started by eurorocco, Feb 24, 2014.

  1. eurorocco

    eurorocco Well-Known Member

    Joined:
    Jun 23, 2003
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    6
    Hi!

    I have a customer with a local network that is sending garbage to the main server IP website, thus the firewall blocks the customer again and again.

    I wonder if you guys can recommend a free network monitoring tool software to see packets filtered by the destination IP, which is the IP of the server. I understand the software sets the network card in promiscuous mode and listens to any packets it sees through the network segment, that a filter can be setup to see packets only going to such destination, in a way to find out which computer in the local network is sending those packets.

    I see free network monitoring tools out there, but I thought maybe someone out there has had this issue, uses this sort of tool and can recommend one or two.

    Thanks!

    ER
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I'd recommend either snort or wireshark. Those are just what I've worked with; there may be better tools for the job. Wireshark should have the sorting that you'd need. You would need to get a tap or span port set up to route the traffic to a promiscuous NIC in a server/PC that is on site at the customer's office.

    It's a fair amount of work to set up a tap or span port if you've never done it before. I assume you've had them run virus scans and such before you go through the trouble of doing this?
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The following thread, while primarily intended for troubleshooting high loads, does go a little bit into capturing packets with utilities such as wireshark:

    Troubleshooting High Load On Linux Systems

    Thank you.
     
  4. eurorocco

    eurorocco Well-Known Member

    Joined:
    Jun 23, 2003
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    6
    Thank you both, quizknows and cPanelMichael, for the info!

    Yes, a full scan of each computer was asked of the customer for the sake of their own security.

    I will have a look at both Snort and WireShark.

    I should have pasted some of the lines we found in /usr/local/apache/logs/access_log:

    > A.B.C.D - - [21/Feb/2014:18:45:42 -0600] "\x16\x03\x01" 404 -
    > A.B.C.D - - [21/Feb/2014:18:45:42 -0600] "\x16\x03\x01" 404 -
    > A.B.C.D - - [21/Feb/2014:18:45:43 -0600] "\x16\x03" 404 -
    > A.B.C.D - - [21/Feb/2014:18:45:43 -0600] "\x16\x03" 404 -
    > A.B.C.D - - [21/Feb/2014:18:57:00 -0600] "\x16\x03\x03" 404 -
    > A.B.C.D - - [21/Feb/2014:18:57:00 -0600] "\x16\x03\x03" 404 -
    > A.B.C.D - - [21/Feb/2014:18:57:00 -0600] "\x16\x03\x01" 404 -
    > A.B.C.D - - [21/Feb/2014:18:57:00 -0600] "\x16\x03\x01" 404 -
    > A.B.C.D - - [21/Feb/2014:18:57:01 -0600] "\x16\x03" 404 -
    > A.B.C.D - - [21/Feb/2014:18:57:01 -0600] "\x16\x03" 404 -

    Where A.B.C.D was the IP of the customer poking http on the primary IP of the server (not the customer's domain).

    With mod_security (default rules, WHM, mod_security, click Default) and csf running, this gets the customer blocked again and again.

    Thanks!

    ER
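An added example, not from the thread: a small Python script that reads access_log lines like the ones quoted above, undoes Apache's \xNN escaping and tallies, per source IP, how many requests are a TLS record header rather than HTTP (the \x16\x03\x01 prefix is a TLS 1.0 handshake record, i.e. a client speaking HTTPS to the plaintext port). The sample lines and the 192.0.2.x addresses are constructed; on a NATed customer network the server only ever sees one public IP, so this confirms the pattern and timing, while the on-site capture described earlier in the thread is still what pins it to a machine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access_log lines modelled on the excerpt in this thread.
# A.B.C.D and 192.0.2.x are placeholder addresses, not real hosts.
SAMPLE_LOG = r'''
A.B.C.D - - [21/Feb/2014:18:45:42 -0600] "\x16\x03\x01" 404 -
A.B.C.D - - [21/Feb/2014:18:45:43 -0600] "\x16\x03" 404 -
A.B.C.D - - [21/Feb/2014:18:57:00 -0600] "\x16\x03\x03" 404 -
192.0.2.10 - - [21/Feb/2014:18:57:05 -0600] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - - [21/Feb/2014:18:57:06 -0600] "\x80\x4c\x01\x03" 404 -
'''.strip().splitlines()

# Apache common log format: client ident user [time] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)')
HEX_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')

def decode_request(field):
    """Undo Apache's \\xNN escaping to recover the bytes the client sent."""
    text = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), field)
    return text.encode('latin-1')

def classify(raw):
    """Label a request by what it looks like on the wire."""
    # 0x16 is the TLS record type 'handshake'; 0x03 0xNN is the record-layer
    # version (0x0301 = TLS 1.0, 0x0303 = TLS 1.2). A client speaking TLS to
    # the plaintext HTTP port produces exactly the "\x16\x03\x01" 404 lines.
    if raw.startswith(b'\x16\x03'):
        return 'tls-record'
    if any(b < 0x20 or b > 0x7e for b in raw):
        return 'binary'
    return 'http'

def summarize(lines):
    """Count request classes per source IP; returns {ip: Counter}."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _time, request, _status, _size = m.groups()
        per_ip[ip][classify(decode_request(request))] += 1
    return per_ip

def noisy_sources(per_ip, min_hits=2):
    """IPs with at least min_hits non-HTTP requests: the ones to trace on the LAN."""
    return sorted(ip for ip, c in per_ip.items()
                  if c['tls-record'] + c['binary'] >= min_hits)
```

Run it against the real file with `summarize(open('/usr/local/apache/logs/access_log'))` and the timestamps of the flagged entries give the capture window to look for on the customer's side.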
     
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Not much more info, but usually hex encoded requests like that are seen from port scans/probes.
     
  6. ivo_yordanov

    ivo_yordanov Registered

    Joined:
    Mar 11, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Hello

    Network monitoring depends a lot on what you want to monitor.
    It depends on what kind of architecture you have. If you have devices supporting NetFlow, this could be very handy to identify bottlenecks or misuse. There are just a few good tools for NetFlow under a low budget; try SolarWinds or Pandora FMS.

    For SNMP monitoring, probably the most common case, most tools do a good job: cacti, zabbix, pandora fms or nagios. OpenNMS and Pandora FMS have the best management of Traps, and only a few manage v3 properly.

    For a mixed scope of monitoring (servers, apps and networking) you have fewer tools; we use Pandora FMS for that reason, as it can manage NetFlow, SNMP, WMI (for remote server monitoring) and agent-based monitoring for Unix and Windows servers.
     