
Nepenthes hands-on

Before nepenthes:
P/S: this uses the default settings with minor configuration.
—————————————————-

salax@zulfiqar:~$ nmap 192.168.2.10

Starting Nmap 4.53 ( http://insecure.org ) at 2010-01-09 00:11 MYT
Interesting ports on 192.168.2.10:
Not shown: 1711 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
631/tcp open ipp

Nmap done: 1 IP address (1 host up) scanned in 0.075 seconds

———————————-

Firing up nepenthes:

salax@zulfiqar:~$ sudo /etc/init.d/nepenthes start
[sudo] password for salax:
Starting nepenthes: nepenthes.

——————————————————-

After nepenthes:

salax@zulfiqar:~$ nmap 192.168.2.10

Starting Nmap 4.53 ( http://insecure.org ) at 2010-01-09 00:11 MYT
Interesting ports on 192.168.2.10:
Not shown: 1690 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
42/tcp open nameserver
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
220/tcp open imap3
443/tcp open https
445/tcp open microsoft-ds
465/tcp open smtps
631/tcp open ipp
993/tcp open imaps
995/tcp open pop3s
1023/tcp open netvenuechat
1025/tcp open NFS-or-IIS
2105/tcp open eklogin
3372/tcp open msdtc
5000/tcp open UPnP
10000/tcp open snet-sensor-mgmt
17300/tcp open kuang2

Nmap done: 1 IP address (1 host up) scanned in 0.075 seconds

———————————————————————–

Listing open files with lsof shows the sockets nepenthes is now listening on:

salax@zulfiqar:/etc/nepenthes$ sudo lsof -i | grep nepenthes
[sudo] password for salax:
nepenthes 7246 nepenthes 6u IPv4 29655 TCP *:smtp (LISTEN)
nepenthes 7246 nepenthes 7u IPv4 29656 TCP *:pop3 (LISTEN)
nepenthes 7246 nepenthes 8u IPv4 29657 TCP *:imap2 (LISTEN)
nepenthes 7246 nepenthes 9u IPv4 29658 TCP *:imap3 (LISTEN)
nepenthes 7246 nepenthes 10u IPv4 29659 TCP *:ssmtp (LISTEN)
nepenthes 7246 nepenthes 11u IPv4 29660 TCP *:imaps (LISTEN)
nepenthes 7246 nepenthes 12u IPv4 29661 TCP *:pop3s (LISTEN)
nepenthes 7246 nepenthes 13u IPv4 29662 TCP *:2745 (LISTEN)
nepenthes 7246 nepenthes 14u IPv4 29663 TCP *:6129 (LISTEN)
nepenthes 7246 nepenthes 15u IPv4 29664 TCP *:loc-srv (LISTEN)
nepenthes 7246 nepenthes 16u IPv4 29665 TCP *:microsoft-ds (LISTEN)
nepenthes 7246 nepenthes 17u IPv4 29666 TCP *:1025 (LISTEN)
nepenthes 7246 nepenthes 18u IPv4 29667 TCP *:ftp (LISTEN)
nepenthes 7246 nepenthes 19u IPv4 29668 TCP *:https (LISTEN)
nepenthes 7246 nepenthes 20u IPv4 29669 TCP *:17300 (LISTEN)
nepenthes 7246 nepenthes 21u IPv4 29670 TCP *:2103 (LISTEN)
nepenthes 7246 nepenthes 22u IPv4 29671 TCP *:eklogin (LISTEN)
nepenthes 7246 nepenthes 23u IPv4 29672 TCP *:2107 (LISTEN)
nepenthes 7246 nepenthes 24u IPv4 29673 TCP *:3372 (LISTEN)
nepenthes 7246 nepenthes 25u IPv4 29674 UDP *:ms-sql-m
nepenthes 7246 nepenthes 26u IPv4 29675 TCP *:3127 (LISTEN)
nepenthes 7246 nepenthes 27u IPv4 29676 TCP *:netbios-ssn (LISTEN)
nepenthes 7246 nepenthes 28u IPv4 29677 TCP *:3140 (LISTEN)
nepenthes 7246 nepenthes 29u IPv4 29678 TCP *:5554 (LISTEN)
nepenthes 7246 nepenthes 30u IPv4 29679 TCP *:1023 (LISTEN)
nepenthes 7246 nepenthes 31u IPv4 29680 TCP *:27347 (LISTEN)
nepenthes 7246 nepenthes 32u IPv4 29681 TCP *:5000 (LISTEN)
nepenthes 7246 nepenthes 33u IPv4 29682 TCP *:webmin (LISTEN)
nepenthes 7246 nepenthes 34u IPv4 29683 TCP *:nameserver (LISTEN)
nepenthes 7246 nepenthes 35u IPv4 29684 TCP *:www (LISTEN)
nepenthes 7246 nepenthes 36u IPv4 29685 TCP *:10002 (LISTEN)

——————————————————————-

Take a look in /var/log/nepenthes/logged_downloads:

salax@zulfiqar:/var/log/nepenthes$ cat logged_downloads

—————————————————————————————
Also take a look in /var/log/nepenthes/logged_submissions:

salax@zulfiqar:/var/log/nepenthes$ cat logged_submissions

—————————————————————————————————————-

I looked into the stored binaries (each file is named by its MD5):

salax@zulfiqar:/var/lib/nepenthes/binaries$ ls
1eb2ae9acb444fd275f4ff1d55f4a54c 714c1bf115fe97b19a4556d40de2fec1 a881dd13336137c7c0a346a0e95a28cb fd0a67fb35667fabc7cba1be174a66a0
1f8a826b2ae94daa78f6542ad4ef173b 7dc73bfa4d78284155dd5101991eeb34 cf39a0e99513d242b516facffcf0149a fd28c5e1c38caa35bf5e1987e6167f4c
6560050cb210e159c9cfb5a50fe6dd63 98eb0fdadf8a403c013a8b1882ec986d f6a0747f321da6905d7f117b1a0491bc

——————————————————————————————
And I've got lots of hexdumps:

salax@zulfiqar:/var/lib/nepenthes/hexdumps$ ls

————————————————————————————————————————
Then, scanning using ClamAV:

salax@zulfiqar:/var/lib/nepenthes$ clamscan binaries/
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
binaries/fd0a67fb35667fabc7cba1be174a66a0: OK
binaries/cf39a0e99513d242b516facffcf0149a: OK
binaries/714c1bf115fe97b19a4556d40de2fec1: W32.Virut.sa FOUND
binaries/7dc73bfa4d78284155dd5101991eeb34: Trojan.SdBot-730 FOUND
binaries/1f8a826b2ae94daa78f6542ad4ef173b: Trojan.SdBot-4763 FOUND
binaries/fd28c5e1c38caa35bf5e1987e6167f4c: Trojan.SdBot-4763 FOUND
binaries/f6a0747f321da6905d7f117b1a0491bc: OK
binaries/98eb0fdadf8a403c013a8b1882ec986d: Trojan.SdBot-4763 FOUND
binaries/a881dd13336137c7c0a346a0e95a28cb: W32.Virut-17 FOUND
binaries/1eb2ae9acb444fd275f4ff1d55f4a54c: OK
binaries/6560050cb210e159c9cfb5a50fe6dd63: OK
binaries/df51e3310ef609e908a6b487a28ac068: Trojan.SdBot-4763 FOUND

———– SCAN SUMMARY ———–
Known viruses: 572978
Engine version: 0.94.2
Scanned directories: 1
Scanned files: 12
Infected files: 7
Data scanned: 1.30 MB
Time: 2.564 sec (0 m 2 s)
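
The whole workflow above (logged_downloads, logged_submissions, the MD5-named binaries and the clamscan verdicts) can be triaged with a small parser. This is an added example, not nepenthes code; its sample log lines are constructed in the same shape as the logs above using documentation IP addresses, and the MD5s and verdicts are the ones visible in the clamscan output.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# One record per line: "[timestamp] attacker -> sensor url [md5]". logged_downloads
# has no md5; logged_submissions appends the md5 of the fetched binary, which is
# also its file name under /var/lib/nepenthes/binaries.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<url>\S+)"
    r"(?:\s+(?P<md5>[0-9a-fA-F]{32}))?\s*$"
)
# clamscan result lines: "binaries/<md5>: OK" or "binaries/<md5>: <signature> FOUND".
CLAM_RE = re.compile(r"^(?:.*/)?(?P<md5>[0-9a-fA-F]{32}):\s+(?P<verdict>.+?)(?:\s+FOUND)?$")


def parse_line(line):
    """Parse one nepenthes log line; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # urlsplit handles nepenthes' own link/blink/creceive schemes as well as ftp/tftp/http
    parts = urlsplit(rec["url"])
    rec["scheme"] = parts.scheme
    rec["host"] = parts.hostname or ""
    rec["filename"] = parts.path.rsplit("/", 1)[-1]
    return rec


def parse_clamscan(lines):
    """Map md5 -> 'OK' or the name of the signature that fired; warnings/summary are skipped."""
    verdicts = {}
    for line in lines:
        m = CLAM_RE.match(line.strip())
        if m:
            verdicts[m.group("md5").lower()] = m.group("verdict")
    return verdicts


def summarize(download_lines, submission_lines, clamscan_lines=()):
    downloads = [r for r in map(parse_line, download_lines) if r]
    submissions = [r for r in map(parse_line, submission_lines) if r and r["md5"]]
    av = parse_clamscan(clamscan_lines)

    samples = defaultdict(lambda: {"sources": set(), "filenames": set(), "hits": 0})
    for s in submissions:
        entry = samples[s["md5"].lower()]
        entry["sources"].add(s["src"])
        entry["filenames"].add(s["filename"])
        entry["hits"] += 1

    # 0.0.0.0 is not a routable peer: a URL offered with that host cannot be
    # fetched as written, so it appears in logged_downloads but never produces a
    # submission. Report those separately rather than counting them as captures.
    unfetchable = [r["url"] for r in downloads if r["host"] == "0.0.0.0"]

    return {
        "downloads": len(downloads),
        "by_scheme": dict(Counter(r["scheme"] for r in downloads)),
        "by_filename": dict(Counter(r["filename"] for r in downloads)),
        "top_sources": Counter(r["src"] for r in downloads).most_common(3),
        "unfetchable": unfetchable,
        "captured": len(samples),
        "samples": {
            md5: {"sources": sorted(v["sources"]), "filenames": sorted(v["filenames"]),
                  "hits": v["hits"], "av": av.get(md5, "not scanned")}
            for md5, v in samples.items()
        },
    }


# Constructed sample input in the shape of the page's logs (documentation IPs;
# the md5s and verdicts are the ones visible in the clamscan output above).
DOWNLOADS = """\
[2010-01-09T21:59:29] 192.0.2.10 -> 198.51.100.5 ftp://1:1@0.0.0.0:5895/wint.exe
[2010-01-09T22:26:00] 192.0.2.11 -> 198.51.100.5 tftp://192.0.2.11/ssms.exe
[2010-01-10T12:10:59] 192.0.2.12 -> 198.51.100.5 blink://192.0.2.12:42750/GIAo+A==
[2010-01-10T12:21:05] 192.0.2.12 -> 198.51.100.5 blink://192.0.2.12:33106/GIAo+A==
[2010-01-11T22:10:43] 192.0.2.13 -> 198.51.100.5 creceive://192.0.2.13:24841/0
[2010-01-13T03:27:39] 192.0.2.14 -> 198.51.100.5 ftp://1:1@0.0.0.0:45506/wingate32.exe
""".splitlines()
SUBMISSIONS = """\
[2010-01-09T22:26:53] 192.0.2.11 -> 198.51.100.5 tftp://192.0.2.11:69/ssms.exe 98eb0fdadf8a403c013a8b1882ec986d
[2010-01-10T12:11:16] 192.0.2.12 -> 198.51.100.5 blink://192.0.2.12:42750/GIAo+A== fd0a67fb35667fabc7cba1be174a66a0
[2010-01-10T12:21:12] 192.0.2.12 -> 198.51.100.5 blink://192.0.2.12:33106/GIAo+A== fd0a67fb35667fabc7cba1be174a66a0
[2010-01-11T22:10:46] 192.0.2.13 -> 198.51.100.5 creceive://192.0.2.13:4921 7dc73bfa4d78284155dd5101991eeb34
""".splitlines()
CLAMSCAN = [
    "binaries/fd0a67fb35667fabc7cba1be174a66a0: OK",
    "binaries/7dc73bfa4d78284155dd5101991eeb34: Trojan.SdBot-730 FOUND",
    "binaries/98eb0fdadf8a403c013a8b1882ec986d: Trojan.SdBot-4763 FOUND",
]

if __name__ == "__main__":
    report = summarize(DOWNLOADS, SUBMISSIONS, CLAMSCAN)
    print(f"{report['downloads']} attempts, {report['captured']} distinct binaries captured")
    print("by scheme:", report["by_scheme"], "| unfetchable:", len(report["unfetchable"]))
    for md5, info in report["samples"].items():
        print(f"{md5}  hits={info['hits']}  sources={len(info['sources'])}  av={info['av']}")
```

A binary that clamscan reports as OK but that several attackers pushed (high hits, many sources) is the one worth a closer look, since the signature database was a week old at scan time.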

To be continued... lots to learn here :D, and also about dionaea...

Uninstall nginx failed

Hi,

I've changed from nginx to stunnel for my web server. While issuing "apt-get remove nginx", I got these errors:

Removing nginx …
Stopping nginx: invoke-rc.d: initscript nginx, action "stop" failed.
dpkg: error processing nginx (--remove):
subprocess pre-removal script returned error exit status 1
Errors were encountered while processing:
nginx
E: Sub-process /usr/bin/dpkg returned an error code (1)

To handle this, simply edit the nginx init script:

sudo nano /etc/init.d/nginx

and add 'exit 0' as shown below, then save it:

#! /bin/sh

### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the nginx web server
# Description: starts nginx using start-stop-daemon
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#add exit 0 below:
exit 0
DAEMON=/usr/sbin/nginx

Then, issue :

sudo apt-get remove nginx -yf

Now that the init script's stop action exits cleanly, the pre-removal script succeeds and the package can be removed:

The following packages will be REMOVED:
nginx
0 upgraded, 0 newly installed, 1 to remove and 73 not upgraded.
After this operation, 676kB disk space will be freed.
(Reading database … 19412 files and directories currently installed.)
Removing nginx …

Sources:
http://www.peterbe.com/plog/how-to-uninstall-nginx-with-apt
http://www.digitalsanctum.com/2007/11/07/uninstalling-nginx-via-apt-get-stopping-nginx-invoke-rcd-initscript-nginx-action-stop-failed/

Configure Virtual Switch in VMWare ESXi 4

Hi, today I learned something new about VMware ESXi 4.

If we open the VMware vSphere Client and go to Home -> Inventory -> HOST (the VMware ESXi 4 host) -> Configuration -> Networking, by default the network is set up on the virtual switch vSwitch0. There we can see our network adapter (e.g. vmnic1) attached to the network.

[screenshot]

So here's my problem statement:
I have one network using 192.x.x.x addresses and another using 10.x.x.x. My ESXi 4 machine is configured with a 192.x.x.x IP. The 192.x.x.x network is segregated from the 10.x.x.x network, which means hosts on the two networks can't "see" each other.

On the ESXi host there are a bunch of virtual machines running, and I want one virtual machine (Ubuntu) hosting a web server to be reachable from both networks (192.x.x.x and 10.x.x.x).

Method:
To do this, I ran an additional LAN cable to another physical network adapter (e.g. vmnic2).

Then, in the vSphere Client, go to Add Networking -> Virtual Machine -> Create a virtual switch and choose the second network interface. The result is as follows:

[screenshot: vswitch]

The next step is to add another virtual network interface to the virtual machine: go to Edit Settings, add another network adapter and choose Network Connection -> the new network label.

[screenshot: network]

[screenshot: network2]

Finally, fire up the virtual machine; you will see the new network card added (eth0, eth1). eth0 is for 192.x.x.x, eth1 for 10.x.x.x. Issue ifconfig -a | more to list them.

Make sure to check that the MAC address of eth1 matches the one shown for the VM's adapter in the vSphere Client. If it matches, we are good to go.

greetz yomuds, hafiz, athlon crazy

Message of the day

Yes, I’ve heard of it..And, what should we do as a Muslim?

Each day we are reminded
and each day we say
there’s not much that we can do
it seems so far away
So we live our lives in silence
pretending not to hear
the voices of our people
The cry is so so clear
Why do we stand by spectating
while our brothers cry jihad?
We are bound by one conviction:
we believe in Allah
Chorus:
Have you heard of Kosova, of Afghanistan?
Have you heard of Palestine [2nd chorus: Bosnia]
of Chechan?
Have you heard of all these people
persecuted in their land?
Do you know that all these people are dying for Islam?
Have you heard, have you heard
have you heard?
Each day is like another
Nothing seems to change
Today he’ll lose his brother
Tomorrow will be the same
Yet his faith makes him stronger
he’s come so so far
The pain in his heart is eased
by his love for Allah
O I envy you my brother
in adversity you pray
You know that heaven awaits you
at the end of this day
Chorus

OpenVPN hands-on

Trying to configure an OpenVPN server and client on my home network, over the internet.

The OpenVPN server sits behind a dynamic public IP, via the router, in the DMZ.

The OpenVPN client is set up on another host and tries to connect to the OpenVPN server.

There seems to be some misconfiguration: the TLS handshake failed. I need to look into this, but not right now; it's 3 a.m. and I need to go to work tomorrow.

*I'm already sleepy ;p

Server

————————————————————————————————-

Jan 8 03:08:36 zulfiqar ovpn-server[8984]: MULTI: multi_create_instance called
Jan 8 03:08:36 zulfiqar ovpn-server[8984]: 60.48.182.229:55803 Re-using SSL/TLS context
Jan 8 03:08:36 zulfiqar ovpn-server[8984]: 60.48.182.229:55803 LZO compression initialized
Jan 8 03:08:36 zulfiqar ovpn-server[8984]: 60.48.182.229:55803 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jan 8 03:08:36 zulfiqar ovpn-server[8984]: 60.48.182.229:55803 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Jan 8 03:08:36 zulfiqar ovpn-server[8984]: 60.48.182.229:55803 Local Options hash (VER=V4): '360696c5'
Jan 8 03:08:36 zulfiqar ovpn-server[8984]: 60.48.182.229:55803 Expected Remote Options hash (VER=V4): '13a273ba'
Jan 8 03:08:36 zulfiqar ovpn-server[8984]: 60.48.182.229:55803 TLS: Initial packet from 60.48.182.229:55803, sid=2f7af594 d7dd6de1
Jan 8 03:08:36 zulfiqar ovpn-server[8984]: 60.48.182.229:55803 Replay-window backtrack occurred [1]
Jan 8 03:08:36 zulfiqar ovpn-server[8984]: 60.48.182.229:56525 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 8 03:08:36 zulfiqar ovpn-server[8984]: 60.48.182.229:56525 TLS Error: TLS handshake failed
Jan 8 03:08:36 zulfiqar ovpn-server[8984]: 60.48.182.229:56525 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 8 03:08:38 zulfiqar ovpn-server[8984]: 60.48.182.229:60028 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 8 03:08:38 zulfiqar ovpn-server[8984]: 60.48.182.229:60028 TLS Error: TLS handshake failed
Jan 8 03:08:38 zulfiqar ovpn-server[8984]: 60.48.182.229:60028 SIGUSR1[soft,tls-error] received, client-instance restarting

————————————————

Client

Fri Jan  8 03:10:48 2010 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=MS/ST=CA/L=KL/O=Salax/CN=Salax_CA/emailAddress=salasm86[at]gmail.com
Fri Jan  8 03:10:48 2010 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Jan  8 03:10:48 2010 TLS Error: TLS object -> incoming plaintext read error
Fri Jan  8 03:10:48 2010 TLS Error: TLS handshake failed
Fri Jan  8 03:10:48 2010 TCP/UDP: Closing socket
Fri Jan  8 03:10:48 2010 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan  8 03:10:48 2010 Restart pause, 2 second(s)
Fri Jan  8 03:10:50 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jan  8 03:10:50 2010 Re-using SSL/TLS context
Fri Jan  8 03:10:50 2010 LZO compression initialized
Fri Jan  8 03:10:50 2010 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Jan  8 03:10:50 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Jan  8 03:10:50 2010 Local Options hash (VER=V4): '13a273ba'
Fri Jan  8 03:10:50 2010 Expected Remote Options hash (VER=V4): '360696c5'
Fri Jan  8 03:10:50 2010 Socket Buffers: R=[112640->131072] S=[112640->131072]
Fri Jan  8 03:10:50 2010 UDPv4 link local: [undef]
Fri Jan  8 03:10:50 2010 UDPv4 link remote: 60.48.182.229:1194
Fri Jan  8 03:10:50 2010 TLS: Initial packet from 60.48.182.229:1194, sid=5a38586b cca57bee
Fri Jan  8 03:10:50 2010 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=MS/ST=CA/L=KL/O=Salax/CN=Salax_CA/emailAddress=salasm86[at]gmail.com
Fri Jan  8 03:10:50 2010 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Jan  8 03:10:50 2010 TLS Error: TLS object -> incoming plaintext read error
Fri Jan  8 03:10:50 2010 TLS Error: TLS handshake failed
Fri Jan  8 03:10:50 2010 TCP/UDP: Closing socket
Fri Jan  8 03:10:50 2010 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan  8 03:10:50 2010 Restart pause, 2 second(s)
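
The server and client excerpts above carry enough to narrow the handshake failure down. This added script (not part of OpenVPN or of the original post) cross-checks the two option hashes, extracts the client's VERIFY ERROR and flags the missing server-certificate check; its log lines are constructed with documentation IPs and an example CA name, reusing only the two hash values from the page.

```python
import re

# Each side logs two hashes, and they must cross-match: my "Local Options hash"
# is the peer's "Expected Remote Options hash". A mismatch means the two configs
# differ in options that must agree (proto, cipher, comp-lzo, dev tun/tap, ...).
LOCAL_RE = re.compile(r"Local Options hash \(VER=V\d+\): '([0-9a-f]+)'")
REMOTE_RE = re.compile(r"Expected Remote Options hash \(VER=V\d+\): '([0-9a-f]+)'")
# "VERIFY ERROR: depth=<n>, error=<reason>: <subject DN>"
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.+?): (/\S+)")
CN_RE = re.compile(r"/CN=([^/]+)")
NO_SERVER_CHECK = "No server certificate verification method has been enabled"


def option_hashes(lines):
    """Return (local, expected_remote) option hashes found in one side's log."""
    local = remote = None
    for line in lines:
        m = LOCAL_RE.search(line)
        if m:
            local = m.group(1)
        m = REMOTE_RE.search(line)
        if m:
            remote = m.group(1)
    return local, remote


def diagnose(server_lines, client_lines):
    s_local, s_remote = option_hashes(server_lines)
    c_local, c_remote = option_hashes(client_lines)
    findings = []

    options_consistent = (s_local is not None and s_local == c_remote
                          and c_local is not None and c_local == s_remote)
    if not options_consistent:
        findings.append("options-mismatch")

    verify = None
    for line in client_lines:
        m = VERIFY_RE.search(line)
        if m:
            cn = CN_RE.search(m.group(3))
            verify = {"depth": int(m.group(1)), "reason": m.group(2),
                      "cn": cn.group(1) if cn else None}
            break
    # OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the chain the server sent
    # ends in a self-signed CA (the CN reported at depth=1) that is not in the
    # client's trusted "ca" file. Typical cause: the client's ca.crt comes from a
    # different CA than the one that issued the server certificate.
    if verify and "self signed certificate in certificate chain" in verify["reason"]:
        findings.append("untrusted-ca")

    # Without ns-cert-type server / remote-cert-tls server (or a name check) the
    # client accepts any certificate issued by its CA as the server, including a
    # client certificate. OpenVPN prints this exact warning when none is set.
    if any(NO_SERVER_CHECK in line for line in client_lines):
        findings.append("no-server-cert-check")

    return {"options_consistent": options_consistent, "verify": verify, "findings": findings}


# Constructed excerpts in the shape of the logs above (documentation IPs, the
# page's two option hashes, an example CA name instead of the author's).
SERVER_LOG = [
    "Jan  8 03:08:36 vpn ovpn-server[8984]: 192.0.2.7:55803 Local Options hash (VER=V4): '360696c5'",
    "Jan  8 03:08:36 vpn ovpn-server[8984]: 192.0.2.7:55803 Expected Remote Options hash (VER=V4): '13a273ba'",
    "Jan  8 03:08:36 vpn ovpn-server[8984]: 192.0.2.7:56525 TLS Error: TLS handshake failed",
]
CLIENT_LOG = [
    "Fri Jan  8 03:10:50 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.",
    "Fri Jan  8 03:10:50 2010 Local Options hash (VER=V4): '13a273ba'",
    "Fri Jan  8 03:10:50 2010 Expected Remote Options hash (VER=V4): '360696c5'",
    "Fri Jan  8 03:10:50 2010 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=XX/ST=Example/L=Example/O=Example/CN=Example_CA/emailAddress=admin@example.invalid",
    "Fri Jan  8 03:10:50 2010 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
    "Fri Jan  8 03:10:50 2010 TLS Error: TLS handshake failed",
]

if __name__ == "__main__":
    result = diagnose(SERVER_LOG, CLIENT_LOG)
    print("option hashes consistent:", result["options_consistent"])
    print("client verify error:", result["verify"])
    print("findings:", ", ".join(result["findings"]))
```

On the page's own logs the hashes cross-match (360696c5 / 13a273ba on both sides), so the option sets agree and the failure is the certificate chain, not the tunnel options.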

Cleaning up my workstation

Fuhh.. lots of dusts inside the box :-p

Somehow, I feel the need to clean up my pc. It’s been a while, I think it is about a year.. huh

[photo: 100_0660]

Open up my toolbox and start to clean.. yah

[photo: 100_0661]

Hope to make it every 2-3 months… happy cleaning :-)

Login to guest OS hosted on VMWare ESXi 4 on gnu/Linux

Hi and salam,

Recently, I posted about my starting project on configuring, installing and managing VMware ESXi 4. To my knowledge (or maybe I haven't searched enough), there is no client like the vSphere Client, which runs on Windows, that can be used on a GNU/Linux base. What I know of is the vSphere Remote Command Line (RCLI) on GNU/Linux, and that is quite tedious compared to the vSphere Client GUI application. This post is about the VMware Remote Console plug-in, which is quite cool for me :)

While looking for a way to install VMware Server 2.0.2 x86_64 on Ubuntu 9.10 64-bit, I stumbled upon a bash script, vmware-client-start.sh, that is used to log in to VMware Server. Maybe this is something VMware experts already know; for a newbie like me, I just learned that the script can also be used to log in to an ESXi 4 server. The login popup states that it can also be used to log in to VMware ESX 3.0, VMware VirtualCenter 2.0, VMware Server 2.0 or any later version of these products.

Bash script (not by me):

#!/bin/bash
################################################################################
# Call VMWare Server's Remote Console in a clean GTK setup.
################################################################################

# Clean GTK setup for VMWare

export VMWARE_USE_SHIPPED_GTK=yes
export GDK_NATIVE_WINDOWS=true

# Find console executable in Firefox plugins.
vmrc="$(find "$HOME/.mozilla/firefox" -name vmware-vmrc -type f -perm -111 | tail -1)"
[ -x "$vmrc" ] || exit 1

VMLIB=$(dirname "$vmrc")
VMLIB=$(dirname "$VMLIB")/lib

export LD_LIBRARY_PATH=$VMLIB/libexpat.so.0:$VMLIB/libsexymm.so.2:$VMLIB/libview.so.2:$VMLIB/libvmwarebase.so.0:$VMLIB/libvmwareui.so.0:$VMLIB/libgvmomi.so.0

set -x
cd "$(dirname "$vmrc")" && "$vmrc" -h 192.168.1.2:8333

We can change the IP address to our own IP addresses / servers.

The script / plug-in can also log in to multiple guest OSs on multiple servers at once. Some screenshots:

Login page:

[screenshot: login]

Snapshot below is for guest OS hosted in VMWare ESXi 4:

[screenshot: freekingawesome]

Multi login different server:

[screenshot: multilogin]

P/S: the VMware Remote Console plug-in is not the VMware vSphere Client.

PP/S: this script does not support VMware Server 1.x versions.

Install VMware-Server-2.0.2-xxx.x86_64 on Ubuntu 9.10 64bit

Hi there,

Recently, I wanted to try installing the new release of VMware Server for GNU/Linux, VMware Server 2.0.2 64-bit, on Ubuntu 9.10 x86_64.
After downloading and extracting it from the VMware site, I got several errors
while running ./vmware-install.pl, as below:

make[2]: *** [/tmp/vmware-config3/vmmon-only/linux/driver.o] Error 1
make[1]: *** [_module_/tmp/vmware-config3/vmmon-only] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-2.6.31-14-generic'
make: *** [vmmon.ko] Error 2
make: Leaving directory `/tmp/vmware-config3/vmmon-only'
Unable to build the vmmon module.

For more information on how to troubleshoot module-related problems, please
visit our Web site at “http://www.vmware.com/go/unsup-linux-products” and
“http://www.vmware.com/go/unsup-linux-tools”.

Execution aborted.

This seems to happen with the 64-bit version of Ubuntu 9.10 (or is it VMware Server itself?); I don't know about other 64-bit GNU/Linux distributions out there.
After googling for a while, I found a solution on a blog here.
But that tutorial is for VMware Server version 2.0.1, and I desperately needed a VM server at my workplace for some testing, so I downloaded the fix from the site here.

After downloading, extract it and put it into the vmware-server-distrib directory (the one we extracted from VMware Server 2.0.2).
Go into the directory "vmware-server.2.0.1_x64-modules-2.6.30.4-fix" and run the command:

sudo ./vmware-server.2.0.1_x64-modules-2.6.30.4-fix.sh

Just let it run until it finishes.

Then, as usual, open the browser at https://127.0.0.1:8333/

If you have any problems with the mouse / keyboard etc., just use the VMware client. It's easy: enter the IP:port (127.0.0.1:8333) and username / password.

In conclusion, this fix also works for VMware Server 2.0.2 x86_64. :-)

Making social engineering a part time job

“You might say there are two specialties within the job classification of con artist. Somebody who swindles and cheats people out of their money belongs to one sub-specialty, the grifter. Somebody who uses deception, influence, and persuasion against businesses, usually targeting their information, belongs to the other sub-specialty, the social engineer.” - Kevin Mitnick

Avira Antivir Version: 3.0.5-12

==Install==

salax@salax-laptop:~/Downloads$ wget http://dlpe.antivir.com/package/wks_avira/unix/en/pers/antivir_workstation-pers.tar.gz
salax@salax-laptop:~/Downloads/antivir-workstation-pers-3.0.5-12$ sudo ./install

Starting AVIRA AntiVir Workstation (UNIX) 3.0.5-12 installation…

Before installing this software, you must agree to the terms
of the license.

Use the arrow keys to scroll through the license. When you
are finished reading, press 'q' to exit the viewer.

Press <ENTER> to view the license.

Licence agreement Avira AntiVir Personal – Free AntiVirus
===============================================================
Please read through the following software licence agreement. By installing the
software, you explicitly agree to be bound by the conditions of this agreement.
If you do not accept the conditions of this agreement, you may not use the software.

———–8<———–8<—————————–cutted

Do you agree to the license terms? [n] y

creating /usr/lib/AntiVir … done
copying AV_WKS_PERS to /usr/lib/AntiVir/ … done
copying LICENSE to /usr/lib/AntiVir/LICENSE-workstation … done

1) installing AntiVir Core Components (Engine, Savapi and Avupdate)
copying uninstall to /usr/lib/AntiVir/ … done
copying uninstall_smcplugin.sh to /usr/lib/AntiVir/ … done
copying etc/file_list to /usr/lib/AntiVir/ … done
copying etc/dir_list to /usr/lib/AntiVir/ … done
copying etc/run.inf to /usr/lib/AntiVir/ … done

———-8<—————–8<—————-cutted

installation of AntiVir Core Components (Engine, Savapi and Avupdate) complete

2) Configuring updates
An internet updater is available with version 3.0.5-12 of
AVIRA AntiVir Workstation (UNIX). It will ensure that you always have the latest
virus signatures and engine updates.
In order to trigger an update you will need to run the command:

/usr/lib/AntiVir/avupdate --product=Guard

Please read the README file for more information about updating and
which method best suits you.

Would you like to create a link in /usr/sbin for avupdate ? [y]
linking /usr/sbin/avupdate to /usr/lib/AntiVir/avupdate … done

Would you like to setup Engine and Signature updates as cron task ? [y]
Please specify the interval to check.
Recommended values are daily or 2 hours.

available options: d [2] 5
creating Engine/Signature update cronjob … done

Would you like to check for Guard updates once a week ? [n]

setup internet updater complete

3) installing main program
copying doc/avserver_en.pdf to /usr/lib/AntiVir/ … done
stop running AVIRA AntiVir Workstation (UNIX) … done
copying bin/linux_glibc22/libdazuko2.so to /usr/lib/AntiVir/ … done
copying bin/linux_glibc22/libdazuko3compat2.so to /usr/lib/AntiVir/ … done
copying bin/linux_glibc22/avguard-ondemand-mgmt to /usr/lib/AntiVir/ … done
copying bin/linux_glibc22/avguard-scanner to /usr/lib/AntiVir/ … done
copying bin/linux_glibc22/avscan to /usr/lib/AntiVir/ … done
copying bin/linux_glibc22/avsavapi-super to /usr/lib/AntiVir/ … done
copying bin/linux_glibc22/avguard.bin to /usr/lib/AntiVir/ … done
Dazukofs module is loaded

linking /usr/lib/AntiVir/libdazuko.so to /usr/lib/AntiVir/libdazuko3compat2.so … done

Guard will automatically protect all directories
which are mounted upon dazukofs filesystem.

Please specify at least one directory to be protected
by Guard to add in /etc/fstab : [/home]
The following directories will be protected by Guard:
/home

If you want to remove or include more directories
you will need to edit your /etc/fstab file and remount dazukofs.

backup original /etc/fstab to /etc/fstab.orig
adding DazukoFS IncludePath /home to /etc/fstab … done
Mounting /home as dazukofs…

copying etc/avscan.conf to /etc/avira/ … done
copying etc/avscan.conf to /etc/avira/avscan.conf.default … done
copying script/avira_start.sh.template to /usr/lib/AntiVir/avguard … done
copying script/avguard_start.sh to /usr/lib/AntiVir/ … done
copying script/avguard_restart.sh to /usr/lib/AntiVir/ … done
copying script/avguard_stop.sh to /usr/lib/AntiVir/ … done
copying script/avguard_post.sh to /usr/lib/AntiVir/ … done
copying script/avguardkey_post.sh to /usr/lib/AntiVir/ … done
creating /home/quarantine … already exists

Would you like to install the AVIRA Guard GNOME plugin ? [n] y
installing AVIRA Guard GNOME plugin …
*** Installing pre-compiled applet
done
linking /usr/bin/avscan to /usr/lib/AntiVir/avscan … done
linking /usr/bin/scan to /usr/lib/AntiVir/avscan … done

Would you like to create a link in /usr/sbin for avguard ? [y]
linking /usr/sbin/avguard to /usr/lib/AntiVir/avguard … done

Please specify if boot scripts should be set up.
Set up boot scripts [y]:
setting up boot script … done

installation of AVIRA Guard complete

4) activate SMC support
If you are going to use AVIRA Security Management Center (SMC)
to manage this software remotely you need this

Would you like to activate SMC support? [y] n

SMC will NOT be activated
checking for existing /etc/avira/avguard.conf … not found
copying etc/avguard.conf to /etc/avira/ … done
copying etc/avguard.conf to /etc/avira/avguard.conf.default … done
checking for existing /etc/avira/avguard-scanner.conf … not found
copying etc/avguard-scanner.conf to /etc/avira/ … done

————8<————————–8<—————cut

Would you like to start AVIRA Guard now? [y] y
Starting AVIRA AntiVir Workstation Personal …
Starting: avguard.bin

Installation of the following features complete:
AntiVir Core Components (Engine, Savapi and Avupdate)
AVIRA Internet Updater
AVIRA Guard

***********************************************************
Configuration files:
/etc/avira/avguard.conf              (AVIRA Guard main config)
/etc/avira/avscan.conf               (AVIRA Guard avscan config)
/etc/avira/avguard-scanner.conf      (AVIRA Guard scanner config)
/etc/avira/avupdate.conf             (AVIRA Avupdate options)
***********************************************************

Note: It is highly recommended that you perform an update now to
ensure up-to-date protection. This can be done by running:

/usr/lib/AntiVir/avupdate --product=Guard

Be sure to read the README file for additional information.
Thank you for your interest in AVIRA AntiVir Workstation (UNIX).

Then, I reboot and check the process:

root@salax-laptop:~# ps auxwww|grep avira
root 6259 0.5 1.9 45736 39756 pts/0 S 16:04 0:03 /usr/lib/AntiVir/savapi --config=/etc/avira/avguard-scanner.conf --pid-dir=/var/run/avguard/ --temp=/var/run/avguard/savinst-vNPLDw/ -N --allow-remote-shutdown --socket-file=/var/run/avguard/savinst-vNPLDw/scanner
root 6260 5.2 1.9 46292 39932 pts/0 S 16:04 0:34 /usr/lib/AntiVir/savapi --config=/etc/avira/avguard-scanner.conf --pid-dir=/var/run/avguard/ --temp=/var/run/avguard/savinst-vNPLDw/ -N --allow-remote-shutdown --socket-file=/var/run/avguard/savinst-vNPLDw/scanner
root 6300 4.8 1.9 46296 39968 pts/0 S 16:08 0:20 /usr/lib/AntiVir/savapi --config=/etc/avira/avguard-scanner.conf --pid-dir=/var/run/avguard/ --temp=/var/run/avguard/savinst-vNPLDw/ -N --allow-remote-shutdown --socket-file=/var/run/avguard/savinst-vNPLDw/scanner
root 6301 7.7 1.9 46300 39856 pts/0 S 16:08 0:33 /usr/lib/AntiVir/savapi --config=/etc/avira/avguard-scanner.conf --pid-dir=/var/run/avguard/ --temp=/var/run/avguard/savinst-vNPLDw/ -N --allow-remote-shutdown --socket-file=/var/run/avguard/savinst-vNPLDw/scanner
root 6628 0.0 0.0 3336 804 pts/0 S+ 16:15 0:00 grep avira
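
The installer says Guard protects whatever is mounted as dazukofs and persists that through the /etc/fstab entry it adds, so after the reboot the thing worth confirming is that the protected directory is still a dazukofs mount and that the fstab line is still there. The shell check below is an added example, not part of the original post or of Avira's installer; the sample /proc/mounts and /etc/fstab contents are constructed to mirror the state the transcript describes.

```shell
# Post-install checks for the dazukofs-based Guard setup: is DIR really a
# dazukofs mount right now, and does fstab carry the entry so it survives
# a reboot? Both functions take the file to inspect as an argument so they
# run against the live system (/proc/mounts, /etc/fstab) or sample data.

# dazukofs_covers MOUNTS_FILE DIR -> exit 0 if DIR is currently a dazukofs mount
dazukofs_covers() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk -v dir="$2" '$2 == dir && $3 == "dazukofs" { found = 1 }
                     END { exit found ? 0 : 1 }' "$1"
}

# fstab_has_dazukofs FSTAB_FILE DIR -> exit 0 if an uncommented dazukofs line for DIR exists
fstab_has_dazukofs() {
    awk -v dir="$2" '$1 !~ /^#/ && $2 == dir && $3 == "dazukofs" { found = 1 }
                     END { exit found ? 0 : 1 }' "$1"
}

# guard_status MOUNTS_FILE FSTAB_FILE DIR -> prints protected | not-persistent | not-mounted | unconfigured
guard_status() {
    if dazukofs_covers "$1" "$3"; then
        if fstab_has_dazukofs "$2" "$3"; then echo protected; else echo not-persistent; fi
    elif fstab_has_dazukofs "$2" "$3"; then
        echo not-mounted    # fstab entry exists but nothing is mounted: module not loaded or remount needed
    else
        echo unconfigured
    fi
}

# Constructed sample data (not captured from a real host): /home mounted as
# dazukofs and listed in fstab, /tmp only present as a commented-out line.
SAMPLE_MOUNTS=$(mktemp); SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/home /home dazukofs rw 0 0
EOF
cat > "$SAMPLE_FSTAB" <<'EOF'
# /etc/fstab: static file system information.
/dev/sda1 / ext3 errors=remount-ro 0 1
# /tmp /tmp dazukofs defaults 0 0
/home /home dazukofs defaults 0 0
EOF

# Stand-alone run: report the sample host, then the live system if readable.
guard_status "$SAMPLE_MOUNTS" "$SAMPLE_FSTAB" /home    # protected
guard_status "$SAMPLE_MOUNTS" "$SAMPLE_FSTAB" /tmp     # unconfigured
if [ -r /proc/mounts ] && [ -r /etc/fstab ]; then guard_status /proc/mounts /etc/fstab /home; fi
```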

Uninstall? Simply:

salax@salax-laptop:~/Downloads/antivir-workstation-pers-3.0.5-12$ sudo ./uninstall
[sudo] password for salax:
uninstall [--product=productname] [--no-interactive] [--force] [--version] [--help]

installed products:
Guard
Scanner
salax@salax-laptop:~/Downloads/antivir-workstation-pers-3.0.5-12$ sudo ./uninstall --product=Guard