CentOS 5 Server :: Tracing An Attack With A Wireshark Script
Jun 18, 2009
My data center informed me that my shared web hosting server is producing a massive attack. Attack against whom? How? Etc.? Well, other than "your server is generating an attack of over 150,000 UDP connections", they did not specify the target IP, nor the specific port. The attacks usually run for less than 5 minutes and pose a threat to the datacenter's firewall itself (from within).
I ran various searches on my server and came up with nothing (over 300 websites with PHP in 25GB of data, databases, etc.).
I do not allow any shell/bash other than myself, so no other logins are available. (I re-checked /etc/passwd for any bash).
I believe that there is probably some PHP fsockopen call or something to that degree that responds to a call from an external server. To make it easier to diagnose the problem and then stop it, I need your assistance developing a simple tracing tool/methodology.
I have wireshark installed on the server.
My thoughts on how to capture this attack (which occurs at random) are as follows:
1. Run a service that greps and counts the UDP sockets currently open on the server, and does this every 60 seconds (a simple one-minute cron is enough).
netstat -anu | grep -c '^udp'
2. Currently the output shows: 0 (zero).
3. I do run a DNS server that can be queried, so I expect to see some UDP calls every so often. However, this is probably going to occur at < 50 entries.
4. Run this logic only when there is no high load on the server.
#!/bin/sh
# 1-minute load average from /proc/loadavg; integer part < 3 means "load is < 3.00"
if [ "$(cut -d' ' -f1 /proc/loadavg | cut -d. -f1)" -lt 3 ]; then
    # netstat prints the protocol as lowercase "udp"; -anu lists only UDP sockets
    if [ "$(netstat -anu | grep -c '^udp')" -gt 50 ]; then
        ts=$(date +%Y%m%d-%H%M%S)
        # capture for 15 seconds to a pcap Wireshark can open; -a ends tshark itself,
        # so no sleep/killall is needed and the alert below is actually reached
        tshark -a duration:15 -w "wireshark.hacker.trace-$ts.pcap"
        echo "tshark capture written at $ts" | mail -s "hey wireshark was triggered" me@example.com   # replace with your address
    fi
fi
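Added example, not part of the original post, that goes one step beyond the cron trigger above: it reads the kernel's /proc/net/udp table directly instead of counting netstat lines, separates the expected DNS listener from everything else, applies the poster's load/threshold rule, and (live on Linux only) maps socket inodes back to the owning PIDs so the responsible PHP process can be found. The sample table, the uid values and the port allowlist are constructed assumptions.

```python
import glob
import os
import socket
import struct
from collections import Counter

def hex_to_addr(field):
    """Decode a /proc/net/udp 'IPHEX:PORTHEX' field (IP is in host byte order)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_udp(text):
    """Turn the /proc/net/udp table into socket records (local, remote, uid, inode)."""
    entries = []
    for line in text.splitlines()[1:]:        # first line is the column header
        f = line.split()
        if len(f) < 10:                       # skip anything that is not a socket row
            continue
        entries.append({"local": hex_to_addr(f[1]), "remote": hex_to_addr(f[2]),
                        "uid": int(f[7]), "inode": int(f[9])})
    return entries

def suspicious_udp(entries, expected_ports=(53,)):
    """Drop the server's known UDP listeners (here only DNS) and keep the rest."""
    return [e for e in entries if e["local"][1] not in expected_ports]

def sockets_by_uid(entries):
    """Which account owns the sockets? On CentOS 5 uid 48 is typically apache, i.e. PHP."""
    return Counter(e["uid"] for e in entries)

def should_trigger(loadavg_text, udp_count, load_max=3.0, udp_max=50):
    """The poster's rule: capture only when load is sane and UDP sockets spike."""
    return float(loadavg_text.split()[0]) < load_max and udp_count > udp_max

def inode_to_pid(inodes):
    """Live Linux only: map socket inodes to PIDs via /proc/<pid>/fd symlinks."""
    wanted = {"socket:[%d]" % i for i in inodes}
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
        except OSError:                       # process or fd vanished mid-scan
            continue
        if target in wanted:
            owners[int(target[8:-1])] = int(fd.split("/")[2])
    return owners

# Constructed sample: a DNS listener (uid 25) plus 60 connected sockets owned by uid 48.
SAMPLE = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when "
          "retrnsmt   uid  timeout inode ref pointer drops\n"
          "   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 "
          "00000000    25        0 11111 2 0 0\n")
for n in range(60):
    SAMPLE += ("   %d: 0100A8C0:%04X 0100000A:0050 01 00000000:00000000 00:00000000 "
               "00000000    48        0 %d 2 0 0\n" % (n + 1, 40000 + n, 20000 + n))
```

On the live server, feed `open("/proc/net/udp").read()` and `open("/proc/loadavg").read()` to these functions and pass the suspicious inodes to inode_to_pid() to get the PIDs to inspect (their cwd and open files point at the PHP site).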
I have just configured CentOS 5.5 as a local mail server with fetchmail and sendmail, a proxy with Squid and a file server with Samba. Now my concern is security. How can I protect my server from outside attacks? Will I need to block some ports, or do I need special tools or scripts so no one from outside can attack my machine? My machine is working on an intranet with a local IP only. No web server or static IP exists. The machine is connected to an ADSL router to access the internet.
I would like to trace a user's activity by monitoring system calls. Is there a way to use strace such that at startup it will begin tracing all system calls? Or is there any other method to automatically trace the system calls used during a user's session automatically without having to call strace manually?
The error is as follows: kernel: Uhhuh. NMI received for unknown reason 3c on CPU 0. kernel: Do you have a strange power saving mode enabled? kernel: Dazed and confused, but trying to continue
I went away from home for a few days, ... Now I am back at home and noticed that my server is going out with 100% of the available bandwidth. The server is mainly an HTTP / FTP / mail server, so I stopped all services to see which one it is. Services stopped, still 100Mbps go out like ants in a flood.
I updated the system, made a backup, installed IPTraf. It seems that I have something 'installed' and my server is running something to attack users' computers. It seems to try to find something on random IPs' random ports. I am a little bit confused now. As long as my sites are running, I'm ~OK~, but sooner or later I would like to have my bandwidth back. How could I try to hunt down which service/app/process got hacked?
It seems that the monetary system of our society now has more enemies than friends. Capitalism seems to be reaching its end. But my server is serving also ART! Sooner or later we will need to pay copyright even for our thoughts. I was reading today that the French president wants to punish file sharing as his wife made 3 albums and wants to get some money ..
My server and clients (NFS and NIS) are under continuous attack via ssh. Somebody is trying to guess passwords and log in, and making port 22 busy. What are the different ways to stop this attack? I am thinking of blocking this IP in iptables, but I have no good idea how because I have not done this before. Are there any special considerations I have to take while doing this? How is it done and which file does it modify?
I ran across the above article, which described a DoS attack in which requests are sent very slowly to the Web server. I'm running lighttpd 1.4.28 on a Gentoo Linux server, and I'm wondering if there is anything I could do in preparation to defend against such an attack.
A bug report [url] seems to indicate that there was a patch in place already against this sort of attack, but I wanted to be sure that was the same thing and if there was anything else I needed to do.
I have a server and I think that my server is under DDoS attack. I see that the server is not having much load and only a few processes run, but my site opens very slowly. I executed the following command on my ssh:
Last day I faced an attack on Apache/2.2.14 (Ubuntu). A user shoots 53 hits within 20 seconds from the same IP, and as a result db connections to MySQL increased.
a.) Is there any way in Apache to block these types of requests?
b.) How can we trace when this type of attack happened to Apache?
Also I have noticed an entry in the Apache error log during the attack period.
I have some issues while installing wireshark-gnome. See the logs below. I am using Fedora 13. I am seeing a transaction error when I issue "yum install wireshark-gnome".
[root@Fedora-ipv6 ~]# yum install wireshark-gnome
Loaded plugins: fastestmirror, presto, refresh-packagekit
Loading mirror speeds from cached hostfile
Setting up Install Process
Resolving Dependencies
--> Running transaction check
The Wireshark website specifically warns against running Wireshark as root....
Quote:
Administrator/root account not required!
Many Wireshark users think that Wireshark requires a root/Administrator account to work with.
That's not a good idea, as using a root account makes any exploit far more dangerous: a successful exploit will have immediate control of the whole system, compromising it completely.
First of all, most Wireshark functions can always be used with a (probably very limited) user account. In particular, the protocol dissectors which have shown most of the security related bugs do not need a root account!
Only capturing (and gathering capture interface information) may require a root account, but even that can usually be "circumvented", see CaptureSetup/CapturePrivileges for details how to do so.
I freshly installed Wireshark on my PC by running 'yum install wireshark'. Installation succeeded. But then I cannot find how to start Wireshark. I looked already in different folders by using locate (and updatedb), but I cannot find the place from which I should invoke the program. How can I start my program?
I am doing security stuff under Linux... I've heard of Wireshark and Snort and dsniff and have been reading up on them on Wikipedia pages, but the big picture is not clear to me yet. Are things like Wireshark and Snort BASED on the functionality of iptables in Linux? I read that you have to be root to run iptables, but not to run Wireshark, right? Yet Wireshark is dependent on iptables.
Ok, I have debated where to post this question. Should it be in Software? Networking? Security? Since I am going through a security class, I decided to post it here in hopes that other security gurus may have come across the problem. Ok so, I am in a security class and they give you a Wireshark capture file with RTP traffic and want you to dump the payloads into an audio file.
Pretty easy with Wireshark: Telephony -> RTP -> Show All Streams... -> pick stream -> Analyze -> Save Payload, Format: RAW, Channels: BOTH -> OK
Ok, so here is the problem: when I do this I get: "Can't save reversed direction in a file: Unsupported codec!" At first I thought I was missing an audio codec it needs, but I can't find it. I've searched the web and found one post that wasn't very helpful. If anyone can give me a hand that would be great.
The 605-page PDF document reads like a listing of the pros and cons for a huge array of defensive and counterintelligence approaches and technologies that an entity might adopt in defending its networks. Of particular interest to me was the section on deception technologies, which discusses the use of honeynet technology to learn more about attackers' methods, as well as the potential legal and privacy aspects of using honeynets. Another section delves into the challenges of attributing the true origin(s) of a computer network attack.
I have implemented two machines, one for a honeypot (192.168.100.10) and another (192.168.100.20) to remotely log the honeypot log file using syslog. Inside the honeypot I emulated another 3 machines with services on virtual IPs of that same block. Now the honeypot is working and I can see the logs generating as I did a portscan (nmap) on those virtual IPs from the .20 machine. All of the machines are running Ubuntu.
But does anyone know any s/w or tools which attackers originally use, so that I can get a clear picture of what happens from the logs? I am having problems creating these attack scenarios.
I run into this error while trying to install wireshark. I am sure there is a quick fix. I can see the files are different I just don't know how to resolve the error.
Test Transaction Errors:
file /usr/lib/python2.6/site-packages/wireshark_be.pyc from install of wireshark-1.2.6-2.fc12.x86_64 conflicts with file from package wireshark-1.2.6-2.fc12.i686
file /usr/lib/python2.6/site-packages/wireshark_be.pyo from install of wireshark-1.2.6-2.fc12.x86_64 conflicts with file from package wireshark-1.2.6-2.fc12.i686
file /usr/lib/python2.6/site-packages/wireshark_gen.pyc from install of wireshark-1.2.6-2.fc12.x86_64 conflicts with file from package wireshark-1.2.6-2.fc12.i686
file /usr/lib/python2.6/site-packages/wireshark_gen.pyo from install of wireshark-1.2.6-2.fc12.x86_64 conflicts with file from package wireshark-1.2.6-2.fc12.i686
I'm loving FC14, but I just found out that Wireshark is not working as it was on FC13. Here is what's happening..... When running the application I get prompted for authentication; that was fine under FC13. I used to type my superuser password, and that was it. On FC14 I get nothing. Now when I skip the authentication the Wireshark GUI comes up, but it has no interfaces showing in my list. What I have!:
I've run into a sort of catch-22. I installed Wireshark via apt-get on my Eee 1008HA, but when it is launched, it does not allow any capture interfaces. I think this is because the shortcut created in my applications panel does not start it as root. So I went into a terminal, typed in "sudo wireshark" and it popped up, as root. I was then able to capture on my wireless interface. However, if I try and specify my home folder as the location for the capture to be saved, I get an error that permission was denied, which seems odd since the process is running as root and should be able to do pretty much whatever it wants. How can I get Wireshark set up so I can both capture _and_ save the .pcap files I generate? I'm running Karmic Koala; the full output of uname -a is: Linux ruckus-laptop 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux.