traffic monitoring

Brent Bice bbice at sgi.com
Tue Aug 12 12:58:37 CDT 2008


Aaron wrote:
> It is best to rebuild and restore your configuration after you figure 
> out how they got in.  There are plenty of tools to look for rootkits.  
> They are all indexed on Google.  You may wish to boot up on a 
> stand-alone RAM-based Linux distro such as Knoppix or BackTrack.  While 
> this is OT from Dell, I wish the best of luck to you.  :-)

    Yeah, what Aaron said. Any time a machine gets compromised (and this 
is true no matter what OS it is running) the only way you can guarantee 
that it's clean again is to start over, re-install it and recover (DATA 
ONLY) from backups. It's just too easy to hide rootkits and backdoors 
and no matter what any product says, scraping a machine clean just can't 
be guaranteed.

    In addition to knoppix, you can look at some of the Forensics 
distros if you haven't wiped the machine already. I happen to like Helix 
myself.

    Also, you mentioned the suspect traffic being port 22 (ssh). There 
was a recent exploit for ssh on Debian-based distros having to do with 
weak ssh keys being generated. When rebuilding the system, if it's a 
Debian-based distro be sure to get the latest patches and if you don't 
know how to verify that your keys are strong, don't recover them from 
tape and/or regenerate new ones AFTER the patches are applied.

    'Course it could just be that after being compromised ssh was being 
used by the hacker to log in (or to send data back to the hacker, etc.)

Brent
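The symptom that started this thread was an established session to port 22 on an outside address showing up in iptstate. As an added example (not code from the thread, from iptstate or from any other tool named here), the script below reads the same kernel connection-tracking table in the key=value layout of `conntrack -L` / /proc/net/nf_conntrack and flags TCP entries where an inside host originated a connection to port 22 on an outside address that is not on an allow-list. SYN_SENT entries are flagged too, which is what a host that keeps retrying after its destination was blocked at the router looks like. Assumptions: the RFC 1918 ranges are "inside" and everything else is "outside"; the sample lines are constructed, with 203.0.113.7 standing in for the unnamed foreign address and 198.51.100.30 for an approved off-site host.

```python
"""Flag outbound SSH sessions in connection-tracking output (constructed example).

Reads lines in the key=value layout of `conntrack -L` or /proc/net/nf_conntrack
(the state table iptstate displays) and reports TCP entries where an internal
host *originated* a connection to port 22 on an outside address that is not on
an allow-list. SYN_SENT entries are reported as well: a host that keeps
retrying after the destination was blocked at the router shows up that way.
"""
import ipaddress
import re

SSH_PORT = 22
KEY_VALUE = re.compile(r"(\w+)=(\S+)")
TRACKED_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")

# Assumed site layout: the RFC 1918 ranges are "inside"; anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_entry(line):
    """Return {'state', 'orig', 'reply'} for a TCP conntrack line, else None.

    The original direction (the side that sent the first SYN) is the first
    src/dst/sport/dport group on the line; the second group is the reply direction.
    """
    fields = line.split()
    if "tcp" not in fields:
        return None                      # udp/icmp entries carry no TCP state
    i = fields.index("tcp")
    state = fields[i + 3]                # e.g. "tcp 6 431999 ESTABLISHED ..."
    orig, reply = {}, {}
    for key, value in KEY_VALUE.findall(line):
        if key not in TRACKED_KEYS:
            continue                     # mark=, use=, zone= are irrelevant here
        (orig if key not in orig else reply)[key] = value
    return {"state": state, "orig": orig, "reply": reply}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_ssh(lines, allowlist=()):
    """Return entries that look like an inside host pushing data to an outside SSH port."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    hits = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None or entry["state"] not in ("ESTABLISHED", "SYN_SENT"):
            continue
        orig = entry["orig"]
        try:
            src = ipaddress.ip_address(orig["src"])
            dst = ipaddress.ip_address(orig["dst"])
            dport = int(orig["dport"])
        except (KeyError, ValueError):
            continue                     # malformed or truncated line
        if dport != SSH_PORT or not is_internal(src) or is_internal(dst) or dst in allowed:
            continue
        hits.append({
            "state": entry["state"],
            "src": str(src),
            "dst": str(dst),
            "sport": int(orig.get("sport", 0)),
            "bytes_out": int(orig.get("bytes", 0)),      # 0 when conntrack accounting is off
            "packets_out": int(orig.get("packets", 0)),
        })
    return hits


# Constructed sample in `conntrack -L` layout; 203.0.113.7 plays the foreign host,
# 198.51.100.30 an approved off-site backup server.
SAMPLE_CONNTRACK = [
    "tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=203.0.113.7 sport=51234 dport=22 "
    "packets=842 bytes=1187340 src=203.0.113.7 dst=192.168.1.50 sport=22 dport=51234 "
    "packets=410 bytes=29680 [ASSURED] mark=0 use=1",
    "tcp      6 119 SYN_SENT src=192.168.1.50 dst=203.0.113.7 sport=51300 dport=22 "
    "packets=4 bytes=240 [UNREPLIED] src=203.0.113.7 dst=192.168.1.50 sport=22 dport=51300 "
    "packets=0 bytes=0 mark=0 use=1",
    "tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=192.168.1.50 sport=40012 dport=22 "
    "packets=120 bytes=15000 src=192.168.1.50 dst=192.168.1.20 sport=22 dport=40012 "
    "packets=100 bytes=12000 [ASSURED] mark=0 use=1",
    "tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.9 sport=40013 dport=443 "
    "packets=30 bytes=4100 src=198.51.100.9 dst=192.168.1.20 sport=443 dport=40013 "
    "packets=28 bytes=61000 [ASSURED] mark=0 use=1",
    "tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=198.51.100.30 sport=40020 dport=22 "
    "packets=900 bytes=2000000 src=198.51.100.30 dst=192.168.1.50 sport=22 dport=40020 "
    "packets=500 bytes=30000 [ASSURED] mark=0 use=1",
    "udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=5353 dport=53 packets=1 bytes=70 "
    "src=192.168.1.1 dst=192.168.1.20 sport=53 dport=5353 packets=1 bytes=150 mark=0 use=1",
]

if __name__ == "__main__":
    for h in suspicious_ssh(SAMPLE_CONNTRACK, allowlist=["198.51.100.30"]):
        print(f"{h['state']:<11} {h['src']}:{h['sport']} -> {h['dst']}:22  "
              f"{h['bytes_out']} bytes out in {h['packets_out']} packets")
```

On a live box this would read `conntrack -L` output instead of the sample list; the bytes_out figure only appears when conntrack accounting is enabled. The direction logic matters: inside-to-inside admin ssh and sessions an outside host initiated are deliberately not flagged, because the question here is which inside host is pushing data out.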

> ammad shah wrote:
>> Dear All,
>>
>> After a lot of time on Linux, I found that my server is hacked :). 
>> This is strange but it is a fact. I found this via the "iptstate" command. I 
>> saw that my system is generating traffic to "France's IP" and a session 
>> is established on port 22 and sending some data ("not found what is 
>> being sent via ssh").
>>
>> Even though I blocked the network address on the router, my system 
>> is still trying to send the data.
>> How do I know what is being sent and which daemon is hacked? Should I 
>> reinstall the OS, or is there any tool to check it?
>>
>> thanks .
>>
>> ------------------------------------------------------------------------
>>> Date: Thu, 7 Aug 2008 11:33:47 -0700
>>> From: bbice at sgi.com
>>> To: mammadshah at hotmail.com
>>> CC: linux-poweredge at dell.com
>>> Subject: Re: traffic monitoring
>>>
>>> ammad shah wrote:
>>>> How do I find the workstation on the LAN uploading/downloading from the
>>>> internet in real time using "iptraf" or some other software? All traffic is
>>>> passing through Linux (squid and iptables masquerade).
>>> There's a tool called etherape that is similar to the old
>>> Solaris-only etherman/interman tools. It shows you a graphical map of
>>> the traffic it sees and can give you an idea of what different systems
>>> are transmitting/receiving. You'd run this on the linux firewall
>>> through which all your traffic is passing.
>>>
>>> If your linux gateway is headless or if you don't have all the
>>> requisite graphics libraries to run it remotely via ssh/X11 tunneling,
>>> then you can run tcpdump -w /tmp/something.pcap -s 0 -i eth0 (or
>>> whatever interface you want it to monitor), let it run for a few
>>> minutes, then kill it with Ctrl-C and copy the /tmp/something.pcap file
>>> over to a machine where you do have etherape installed. Then you can
>>> tell etherape to read that file and replay it and get a graphical view
>>> of that traffic.
>>>
>>> This is ok in the short-term. In the long-term, what you probably
>>> ought to do is set up a monitoring system (perhaps this is a good
>>> opportunity to set up a network intrusion detection system like snort)
>>> and then set up a SPAN port in your switch. That way you can have your
>>> monitoring system see all the traffic to/from your firewall's inside
>>> interface or perhaps all the traffic to/from a specific VLAN. Even
>>> better, have your monitoring system have several different interfaces
>>> jacked into different SPAN ports and then your monitoring system can
>>> watch multiple things.
>>>
>>> For instance, at my last job, I used to monitor all traffic hitting
>>> the outside of the firewall interface (so I could see trends and watch
>>> what ports were being hit the most this week), all the traffic on the
>>> inside interface of the firewall (I ran a snort NIDS sensor here to look
>>> at what got inside the firewall and what was going out), and another
>>> interface watching ALL traffic to any port in the DMZ lan segment (so I
>>> could watch both for people trying to compromise a machine or for
>>> possible malicious traffic between machines in the DMZ segment). The
>>> nice thing about this was that at a moment's notice I could also run
>>> etherape or tcpdump on any of these SPANned interfaces and see just what
>>> was going on in my networks.
>>>
>>> 'Hope this helps...
>>>
>>> Brent
>> ------------------------------------------------------------------------
>> _______________________________________________
>> Linux-PowerEdge mailing list
>> Linux-PowerEdge at dell.com
>> http://lists.us.dell.com/mailman/listinfo/linux-poweredge
>> Please read the FAQ at http://lists.us.dell.com/faq
> 
> _______________________________________________
> Linux-PowerEdge mailing list
> Linux-PowerEdge at dell.com
> http://lists.us.dell.com/mailman/listinfo/linux-poweredge
> Please read the FAQ at http://lists.us.dell.com/faq
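The earlier message quoted above suggests capturing with `tcpdump -w /tmp/something.pcap -s 0` on the headless gateway and replaying the file in etherape elsewhere. As an added example (not code from the thread, from tcpdump or from etherape), the script below does the text equivalent of etherape's map directly on such a file: it parses the libpcap container, decodes Ethernet/IPv4 frames, and totals bytes per conversation so the heaviest talker and its destination port stand out. The capture it runs on is constructed in the script itself (TEST-NET addresses, a zeroed payload), and only Ethernet link-layer captures are handled.

```python
"""Summarize a libpcap capture by conversation (constructed example).

A text stand-in for the etherape view of a `tcpdump -w file.pcap -s 0`
capture: who talked to whom, over which protocol/port, and how many bytes.
Only Ethernet/IPv4 frames are decoded; ARP, IPv6 etc. are counted as skipped.
"""
import ipaddress
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def parse_pcap(data):
    """Yield (timestamp_sec, frame_bytes) per record; handles both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # microsecond / nanosecond magic
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # same, written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def decode_ipv4(frame):
    """Return (src, dst, proto, sport, dport, ip_total_len), or None if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src, dst = str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, proto, sport, dport, total_len


def conversations(data):
    """Return ({(src, dst, proto, dport): ip_bytes}, frames_skipped)."""
    totals, skipped = defaultdict(int), 0
    for _ts, frame in parse_pcap(data):
        d = decode_ipv4(frame)
        if d is None:
            skipped += 1
            continue
        src, dst, proto, _sport, dport, n = d
        totals[(src, dst, proto, dport)] += n
    return dict(totals), skipped


def top_talkers(data, limit=5):
    """Conversations sorted by IP bytes, largest first."""
    totals, _ = conversations(data)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]


# --- constructed sample capture; 203.0.113.7 plays the outside SSH host --------
def _frame(src, dst, sport, dport, proto, payload_len):
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 0, 0x4000, 64,
                     proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4 + bytes(payload_len)


def _pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))


SAMPLE_PCAP = _pcap([
    _frame("192.168.1.50", "203.0.113.7", 51234, 22, PROTO_TCP, 1400),  # bulk push to outside ssh
    _frame("192.168.1.50", "203.0.113.7", 51234, 22, PROTO_TCP, 1400),
    _frame("192.168.1.50", "203.0.113.7", 51234, 22, PROTO_TCP, 1400),
    _frame("203.0.113.7", "192.168.1.50", 22, 51234, PROTO_TCP, 0),     # bare ACK coming back
    _frame("192.168.1.20", "192.168.1.1", 5353, 53, PROTO_UDP, 40),     # ordinary DNS
    _frame("192.168.1.20", "198.51.100.9", 40013, 80, PROTO_TCP, 300),  # ordinary HTTP
    bytes.fromhex("ffffffffffff001122334455" "0806") + bytes(28),       # ARP: skipped
])

if __name__ == "__main__":
    for (src, dst, proto, dport), nbytes in top_talkers(SAMPLE_PCAP):
        print(f"{src:>15} -> {dst:<15} proto={proto:<2} dport={dport}  {nbytes} bytes")
```

Point it at a real file with `top_talkers(open("/tmp/something.pcap", "rb").read())`. Because `-s 0` keeps whole packets, the IP total-length field and the record length agree; with a truncated snaplen the totals here still reflect the real on-wire size, since they come from the IP header rather than the captured bytes.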


