Network monitoring tool to find which internal node is hacked?

eurorocco

Well-Known Member
Jun 23, 2003
99
0
156
Hi!

I have a customer with a local network that is sending garbage to the main server IP website, thus the firewall blocks the customer again and again.

I wonder if you guys can recommend a free network monitoring tool software to see packets filtered by the destination IP, which is the IP of the server. I understand the software sets the network card in promiscuous mode and listens to any packets it sees through the network segment, that a filter can be setup to see packets only going to such destination, in a way to find out which computer in the local network is sending those packets.

I see free network monitoring tools out there, but I thought maybe someone out there has had this issue, uses this sort of tool and can recommend one or two.

Thanks!

ER
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
I'd recommend either snort or wireshark. Those are just what I've worked with, there may be better tools for the job. Wireshark should have the sorting that you'd need. You would need to get a tap or span port set up to route the traffic to a promiscious nic in a server/PC that is on site at the customers office.

It's a fair amount of work to set up a tap or span port if you've never done it before. I assume you've had them run virus scans and such before you go through the trouble of doing this?
 

eurorocco

Well-Known Member
Jun 23, 2003
99
0
156
Thanks you both quizknows and cPanelMichael for the info!

Yes, full scan of each computer was asked from the customer for the sake of their own security.

I will have a look at both Snort and WireShark.

I should have pasted some of the lines we found in /usr/local/apache/logs/access_log

> A.B.C.D - - [21/Feb/2014:18:45:42 -0600] "\x16\x03\x01" 404 -
> A.B.C.D - - [21/Feb/2014:18:45:42 -0600] "\x16\x03\x01" 404 -
> A.B.C.D - - [21/Feb/2014:18:45:43 -0600] "\x16\x03" 404 -
> A.B.C.D - - [21/Feb/2014:18:45:43 -0600] "\x16\x03" 404 -
> A.B.C.D - - [21/Feb/2014:18:57:00 -0600] "\x16\x03\x03" 404 -
> A.B.C.D - - [21/Feb/2014:18:57:00 -0600] "\x16\x03\x03" 404 -
> A.B.C.D - - [21/Feb/2014:18:57:00 -0600] "\x16\x03\x01" 404 -
> A.B.C.D - - [21/Feb/2014:18:57:00 -0600] "\x16\x03\x01" 404 -
> A.B.C.D - - [21/Feb/2014:18:57:01 -0600] "\x16\x03" 404 -
> A.B.C.D - - [21/Feb/2014:18:57:01 -0600] "\x16\x03" 404 -

Where A.B.C.D was the IP of the customer poking http on the primary IP of the server (not the customer's domain).

With mod_security (default rules, WHM, mod_security, click Default) and csf running this gets the customer blocked again and again.

Thanks!

ER
 

ivo_yordanov

Registered
Mar 11, 2014
1
0
1
cPanel Access Level
Website Owner
Hello

Network monitoring depends a lot on what you want to monitor.
It depends on what kind of architecture. If you have devices supporting Netflow, this could be very handy to identify bottlenecks or missues. There are just a few good tools for netflow under a low budget, try solarwinds or Pandora FMS.

For SNMP monitoring, probably the most common case, most tools do a good job: cacti, zabbix, pandora fms or nagios. OpenNMS and Pandora FMS have the best management of Traps, and only a few manage v3 properly.

For a mixed scope on monitoring: server, apps and networking, you have less tools, we use Pandora FMS for that reason, can manage netflow, snmp, wmi (for remote server monitoring) and agent based monitoring for unix & windows server.