Network monitoring tool to find which internal node is hacked?

eurorocco

Well-Known Member
Jun 23, 2003
98
0
156
Hi!

I have a customer with a local network that is sending garbage to the main server's IP/website, so the firewall blocks the customer again and again.

I wonder if you guys can recommend free network monitoring software that can show packets filtered by destination IP, i.e. the IP of the server. I understand that such software puts the network card in promiscuous mode and listens to any packets it sees on the network segment, and that a filter can be set up to show only packets going to that destination, so as to find out which computer on the local network is sending those packets.

I see free network monitoring tools out there, but I thought maybe someone here has had this issue, uses this sort of tool and can recommend one or two.

Thanks!

ER
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
I'd recommend either Snort or Wireshark. Those are just what I've worked with; there may be better tools for the job. Wireshark should have the sorting that you'd need. You would need to get a tap or SPAN port set up to route the traffic to a promiscuous NIC in a server/PC that is on site at the customer's office.

It's a fair amount of work to set up a tap or SPAN port if you've never done it before. I assume you've had them run virus scans and such before you go through the trouble of doing this?
 

eurorocco

Well-Known Member
Jun 23, 2003
98
0
156
Thank you both, quizknows and cPanelMichael, for the info!

Yes, a full scan of each computer was asked of the customer for the sake of their own security.

I will have a look at both Snort and Wireshark.

I should have pasted some of the lines we found in /usr/local/apache/logs/access_log:

> A.B.C.D - - [21/Feb/2014:18:45:42 -0600] "\x16\x03\x01" 404 -
> A.B.C.D - - [21/Feb/2014:18:45:42 -0600] "\x16\x03\x01" 404 -
> A.B.C.D - - [21/Feb/2014:18:45:43 -0600] "\x16\x03" 404 -
> A.B.C.D - - [21/Feb/2014:18:45:43 -0600] "\x16\x03" 404 -
> A.B.C.D - - [21/Feb/2014:18:57:00 -0600] "\x16\x03\x03" 404 -
> A.B.C.D - - [21/Feb/2014:18:57:00 -0600] "\x16\x03\x03" 404 -
> A.B.C.D - - [21/Feb/2014:18:57:00 -0600] "\x16\x03\x01" 404 -
> A.B.C.D - - [21/Feb/2014:18:57:00 -0600] "\x16\x03\x01" 404 -
> A.B.C.D - - [21/Feb/2014:18:57:01 -0600] "\x16\x03" 404 -
> A.B.C.D - - [21/Feb/2014:18:57:01 -0600] "\x16\x03" 404 -

Where A.B.C.D was the IP of the customer poking HTTP on the primary IP of the server (not the customer's domain).

With mod_security (default rules: WHM > mod_security > click Default) and csf running, this gets the customer blocked again and again.

Thanks!

ER
 
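The request field in those access_log lines is not an HTTP request line at all: Apache writes unprintable bytes as `\xHH`, and a record starting with byte 0x16 followed by 0x03 0x01 (or 0x03 0x03) is the header of a TLS handshake record for TLS 1.0 (or TLS 1.2), so something on the customer's side is starting a TLS handshake against the plaintext HTTP port on the server's primary IP. The script below is an added example, not code from any poster in this thread; it parses access_log lines in the format shown above (tolerating the forum's `>` quote prefix), classifies each request as a real HTTP request line, a TLS handshake record, or other non-HTTP garbage, and tallies per source IP so a server admin can confirm the pattern and the offending source before touching firewall rules. The log lines and the 192.0.2.x / 198.51.100.x addresses are constructed for the example. Note that, as in the thread, the server only ever sees the customer's public (NAT) address; finding the individual LAN machine still requires the capture on the customer's segment (tap/SPAN port) that quizknows describes.

```python
import re
from collections import Counter, defaultdict

# Apache access_log line: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# A well-formed HTTP request line looks like: GET /path HTTP/1.1
HTTP_REQ_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
# Apache escapes non-printable request bytes as \xHH in the log
ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})')

# TLS record-layer version field (bytes 2-3 of a record) -> protocol name
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
TLS_HANDSHAKE = 0x16  # record content type for a handshake message


def unescape_request(req: str) -> bytes:
    """Turn Apache's \\xHH escapes back into the raw bytes the client sent."""
    out = bytearray()
    i = 0
    while i < len(req):
        m = ESC_RE.match(req, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.append(ord(req[i]) & 0xFF)
            i += 1
    return bytes(out)


def classify_request(req: str) -> str:
    """Label a logged request field: 'http', 'tls-handshake/<version>', or 'non-http'."""
    if HTTP_REQ_RE.match(req):
        return "http"
    raw = unescape_request(req)
    if raw and raw[0] == TLS_HANDSHAKE:
        if len(raw) >= 3:
            version = (raw[1] << 8) | raw[2]
            return "tls-handshake/" + TLS_VERSIONS.get(version, "unknown-version")
        # Apache logged only the first two bytes, so the minor version is missing
        return "tls-handshake/truncated"
    return "non-http"


def summarize(lines):
    """Return {source_ip: {kind: count}} over every parseable access_log line."""
    per_src = defaultdict(Counter)
    for line in lines:
        line = line.lstrip("> ").strip()  # tolerate forum-style '> ' quoting
        m = LOG_RE.match(line)
        if not m:
            continue
        per_src[m["src"]][classify_request(m["req"])] += 1
    return {ip: dict(kinds) for ip, kinds in per_src.items()}


def suspicious_sources(lines, threshold=3):
    """Source IPs with at least `threshold` non-HTTP request lines, and how many."""
    flagged = {}
    for ip, kinds in summarize(lines).items():
        bad = sum(n for kind, n in kinds.items() if kind != "http")
        if bad >= threshold:
            flagged[ip] = bad
    return flagged


# Constructed sample log, same layout as the lines quoted above (addresses are documentation ranges)
SAMPLE_LOG = [
    '> 192.0.2.10 - - [21/Feb/2014:18:45:42 -0600] "\\x16\\x03\\x01" 404 -',
    '> 192.0.2.10 - - [21/Feb/2014:18:45:42 -0600] "\\x16\\x03\\x01" 404 -',
    '> 192.0.2.10 - - [21/Feb/2014:18:45:43 -0600] "\\x16\\x03" 404 -',
    '> 192.0.2.10 - - [21/Feb/2014:18:57:00 -0600] "\\x16\\x03\\x03" 404 -',
    '> 192.0.2.10 - - [21/Feb/2014:18:57:00 -0600] "\\x16\\x03\\x01" 404 -',
    '192.0.2.10 - - [21/Feb/2014:18:58:10 -0600] "GET /favicon.ico HTTP/1.1" 404 209',
    '198.51.100.7 - - [21/Feb/2014:18:46:00 -0600] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, kinds in summarize(SAMPLE_LOG).items():
        print(ip, kinds)
    print("flagged:", suspicious_sources(SAMPLE_LOG))
```

Run it against a real file with `summarize(open("/usr/local/apache/logs/access_log"))`. Every hit being a TLS handshake on port 80 points at a client (or proxy) configured with https:// against a plain-HTTP address rather than at a classic scanner, which is worth knowing before treating the customer as compromised; on the customer's own segment, the capture-side equivalent is a tcpdump/Wireshark filter on the server's address as destination (tcpdump's `dst host <server-ip>`), which reveals the LAN address behind the NAT.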

ivo_yordanov

Registered
Mar 11, 2014
1
0
1
cPanel Access Level
Website Owner
Hello

Network monitoring depends a lot on what you want to monitor.
It depends on what kind of architecture you have. If you have devices supporting NetFlow, this can be very handy to identify bottlenecks or misuse. There are just a few good tools for NetFlow on a low budget; try SolarWinds or Pandora FMS.

For SNMP monitoring, probably the most common case, most tools do a good job: Cacti, Zabbix, Pandora FMS or Nagios. OpenNMS and Pandora FMS have the best management of traps, and only a few manage v3 properly.

For a mixed scope of monitoring (servers, apps and networking) there are fewer tools; we use Pandora FMS for that reason, as it can manage NetFlow, SNMP, WMI (for remote server monitoring) and agent-based monitoring for Unix & Windows servers.