traffic monitoring
ammad shah
mammadshah at hotmail.com
Mon Aug 11 12:38:24 CDT 2008
Dear All,
After a lot of time on Linux, I found that my server is hacked :). This is strange, but it is a fact. I found this via the "iptstate" command. I saw that my system is generating traffic to a French IP; the session is established on port 22 and is sending some data (I have not found what is being sent via SSH).
Even though I blocked the network address on the router, my system is still trying to send the data.
How do I know what is being sent and which daemon is hacked? Should I reinstall the OS, or is there any tool to check it?
Thanks.
> Date: Thu, 7 Aug 2008 11:33:47 -0700
> From: bbice at sgi.com
> To: mammadshah at hotmail.com
> CC: linux-poweredge at dell.com
> Subject: Re: traffic monitoring
>
> ammad shah wrote:
> > How do I find the workstation on the LAN uploading/downloading from the
> > internet in real time using "iptraf" or some other software? All traffic is
> > passing through "linux (squid and iptables masquerade)".
>
> There's a tool called etherape that is similar to the old
> Solaris-only etherman/interman tools. It shows you a graphical map of
> the traffic it sees and can give you an idea of what different systems
> are transmitting/receiving. You'd run this on the linux firewall
> through which all your traffic is passing.
>
> If your linux gateway is headless or if you don't have all the
> requisite graphics libraries to run it remotely via ssh/X11 tunneling,
> then you can run tcpdump -w /tmp/something.pcap -s 0 -i eth0 (or
> whatever interface you want it to monitor), let it run for a few
> minutes, then kill it with Ctrl-C and copy the /tmp/something.pcap file
> over to a machine where you do have etherape installed. Then you can
> tell etherape to read that file and replay it and get a graphical view
> of that traffic.
>
> This is ok in the short-term. In the long-term, what you probably
> ought to do is set up a monitoring system (perhaps this is a good
> opportunity to set up a network intrusion detection system like snort)
> and then set up a SPAN port in your switch. That way you can have your
> monitoring system see all the traffic to/from your firewall's inside
> interface or perhaps all the traffic to/from a specific VLAN. Even
> better, have your monitoring system have several different interfaces
> jacked into different SPAN ports and then your monitoring system can
> watch multiple things.
>
> For instance, at my last job, I used to monitor all traffic hitting
> the outside of the firewall interface (so I could see trends and watch
> what ports were being hit the most this week), all the traffic on the
> inside interface of the firewall (I ran a snort NIDS sensor here to look
> at what got inside the firewall and what was going out), and another
> interface watching ALL traffic to any port in the DMZ lan segment (so I
> could watch both for people trying to compromise a machine or for
> possible malicious traffic between machines in the DMZ segment). The
> nice thing about this was that at a moment's notice I could also run
> etherape or tcpdump on any of these SPANned interfaces and see just what
> was going on in my networks.
>
> 'Hope this helps...
>
> Brent
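As an added illustration of Brent's workflow (capture with tcpdump -w, then inspect the file on another machine), and not code from the thread or either poster: a stdlib-only Python parser for a libpcap file that totals bytes per TCP flow and lists outbound sessions from the LAN to port 22, the pattern the original poster saw in iptstate. The sample capture, the addresses and the local prefix are constructed placeholders.

```python
import socket
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800  # EtherType for IPv4
IP_TCP = 6         # IP protocol number for TCP

def build_frame(src, dst, sport, dport, payload_len):
    """Construct a minimal Ethernet/IPv4/TCP frame (constructed test data, not a real capture)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, IP_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"A" * payload_len

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (linktype 1 = Ethernet), as tcpdump -w writes."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def summarize_flows(pcap_bytes):
    """Return {(src_ip, dst_ip, dst_port): ip_bytes} for every TCP flow in a pcap."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    flows, off = defaultdict(int), 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4 or frame[23] != IP_TCP:
            continue  # keep only IPv4/TCP over Ethernet, the session type iptstate showed the poster
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
        flows[(src, dst, dport)] += total_len
    return dict(flows)

def outbound_to_port(flows, local_prefix, port=22):
    """Flows from a local host to a non-local host on `port` (e.g. unexpected outbound SSH)."""
    return sorted(k for k in flows
                  if k[0].startswith(local_prefix) and not k[1].startswith(local_prefix) and k[2] == port)
# Constructed sample: one LAN web session and one LAN host pushing data out to port 22.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.10", "192.168.1.20", 40000, 80, 100),
    build_frame("192.168.1.10", "203.0.113.5", 51234, 22, 500),
    build_frame("192.168.1.10", "203.0.113.5", 51234, 22, 700),
    build_frame("203.0.113.5", "192.168.1.10", 22, 51234, 60),
])
```

On a real capture, pass `open("/tmp/something.pcap", "rb").read()` to `summarize_flows` and the LAN prefix to `outbound_to_port`; the flow with the largest byte count towards port 22 is the session to investigate on the host with `lsof -i` or `netstat -p`.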