Thank you shoeboxblog !

Arpalert has been quite useful tool for me nowadays. It is simple, easy and its light weight in terms of processing. It enables me to keep track on whats happening in the ARP table/MAC address of the networks.

As quoted from the Arpalert site:

“This software is used for monitoring ethernet networks.
It listens on a network interface (without using ‘promiscuous’ mode) and catches all conversations of MAC address to IP request. It then compares the mac addresses it detected with a pre-configured list of authorized MAC addresses. If the MAC is not in list, arpalert launches a pre-defined user script with the MAC address and IP address as parameters.”

I’ve installed it in my Ubuntu 8.04.2 for the past 6 months, reside within my network. Any changes on the ARP table, any new comer, will be logged. Below are some snippet from the log file (/var/log/arpalert.log) :

root@Server:/etc/arpalert# tail -f /var/log/arpalert.log
Aug  12 14:52:07 arpalert: seq=1346329, mac=00:03:47:24:e1:49, ip=192.168.7.126, type=new, dev=eth2, vendor=”Intel Corporation”
Aug  13 09:11:05 arpalert: seq=1368035, mac=00:0c:29:54:34:e9, ip=192.168.1.77, reference=192.168.7.125, type=ip_change, dev=eth2, vendor=”VMware, Inc.”
Aug  13 09:19:34 arpalert: seq=1368218, mac=00:0c:29:54:34:e9, ip=192.168.7.125, reference=192.168.1.77, type=ip_change, dev=eth2, vendor=”VMware, Inc.”
Aug  13 09:51:34 arpalert: seq=1368810, mac=f8:1e:df:da:9d:60, ip=192.168.7.151, reference=192.168.7.150, type=ip_change, dev=eth2, vendor=”(null)”
Aug  13 11:28:32 arpalert: seq=1370763, mac=00:25:bc:3d:1f:64, ip=192.168.1.5, reference=192.168.7.127, type=ip_change, dev=eth2, vendor=”(null)”
Aug  13 11:32:09 arpalert: seq=1370837, mac=00:25:bc:3d:1f:64, ip=192.168.7.127, reference=192.168.1.5, type=ip_change, dev=eth2, vendor=”(null)”
Aug  13 12:28:26 arpalert: seq=1372032, mac=00:0c:29:54:34:e9, ip=169.254.170.164, reference=192.168.7.125, type=ip_change, dev=eth2, vendor=”VMware, Inc.”
Aug  13 12:32:17 arpalert: seq=1372136, mac=00:0c:29:54:34:e9, ip=192.168.7.125, reference=169.254.170.164, type=ip_change, dev=eth2, vendor=”VMware, Inc.”
Aug  13 19:23:34 arpalert: seq=1382330, mac=00:60:e0:47:0d:db, ip=192.168.7.48, type=new, dev=eth2, vendor=”AXIOM TECHNOLOGY CO., LTD.”
Aug  13 19:23:48 arpalert: seq=1382338, mac=00:1a:a0:89:6a:cd, ip=192.168.7.48, reference=, type=mac_change, dev=eth2, vendor=”Dell Inc”

If you consider on ARP poisoning, IP stealing, MITM attack, this could be one of the tool that is useful to be implemented. The important elements are “dev”, “mac”, “type”, “ip”, “vendor” and the time stamp. If you’re using Ubuntu/Debian based, this can be installed via apt-get:

root@Server:/etc/arpalert# apt-cache search arpalert
arpalert – Monitor ARP changes in ethernet networks

Next step is installing it with apt-get install arpalert. Configurations and config file resides within:

root@Server:/etc/arpalert# ls -lah /etc/arpalert/
total 1.6M
drwxr-xr-x  2 root root 4.0K 2010-03-19 11:36 .
drwxr-xr-x 81 root root 4.0K 2010-08-13 11:20 ..
-rw-r–r–  1 root root 4.7K 2010-03-19 11:45 arpalert.conf
-rw-r–r–  1 root root    0 2007-11-22 08:06 maclist.allow
-rw-r–r–  1 root root    0 2007-11-22 08:06 maclist.deny
-rw-r–r–  1 root root 1.6M 2007-11-22 08:06 oui.txt

Here, we can set our configurations and setting to meet with our requirements and needs. The “oui.txt” files contains information from vendor with the hex and base 16 values. Main configuration files is in “arpalert.conf” and I think it is just straight forward on how to set it.

For example, I want to convert a VM server image, using VMware Converter standalone, and i’ve got error. What i did to resolve this is to remove two lines from the virtual machine config file (.vmx):

checkpoint.vmState = “dgrand-vm.vmss”
extendedConfigFile = “dgrand-vm.vmxf”

and try to convert again, now this should settled the problems.

P/s:

To download VMware Converter, simply go to the download link . if already have vmware account, download it and install.

Loading and converting :

Convert to target destination:

$ /usr/local/sbin/portupgrade < port name >

e.g.

$ /usr/local/sbin/portupgrade snort

p/s : use with cautions.. this may deleted the previous settings of the package

Usually, when we are in a server, we don’t really know if we are in physical or virtualized environment (except we already know).

This is to detect whether we’re in virtualized environment or not :

salawank@ubuntu:~$ ( dmesg; lsmod; prtdiag; modinfo -0; sysdef; ) | grep -i vmware
[ 0.000000] ACPI: SRAT 0000000041ef07f6 00080 (v02 VMWARE MEMPLUG 06040000 VMW 00000001)
[ 1.470135] ata1.00: ATAPI: VMware Virtual IDE CDROM Drive, 00000001, max UDMA/33
[ 1.510687] scsi 0:0:0:0: CD-ROM NECVMWar VMware IDE CDR00 1.00 PQ: 0 ANSI: 5
[ 3.420736] scsi 2:0:0:0: Direct-Access VMware Virtual disk 1.0 PQ: 0 ANSI: 2
[ 3.421765] scsi 2:0:1:0: Direct-Access VMware Virtual disk 1.0 PQ: 0 ANSI: 2

or just simply :

$dmesg | grep -i vmware
$dmesg | grep -i virtual

or :

salawank@ubuntu:~# dmidecode | egrep -i ‘manufacturer|product’
Manufacturer: VMware, Inc.
Product Name: VMware Virtual Platform
Manufacturer: Intel Corporation
Product Name: 440BX Desktop Reference Platform
Manufacturer: No Enclosure
Manufacturer: GenuineIntel
Manufacturer: GenuineIntel

or :

salawank@ubuntu:~# dmidecode | egrep -i ‘vmware|virtual’
Manufacturer: VMware, Inc.
Product Name: VMware Virtual Platform
Serial Number: VMware-56 4d a7 a1 10 59 2a e7-76 16 97 8a 38 5d 6e 1c
VME (Virtual mode extension)
VME (Virtual mode extension)
Description: VMware SVGA II
String 2: Welcome to the Virtual Machine

or;

salawank@ubuntu:~# cat /proc/scsi/scsi
Attached devices:
Host: scsi0 Channel: 00 Id: 00 Lun: 00
Vendor: NECVMWar Model: VMware IDE CDR00 Rev: 1.00
Type: CD-ROM ANSI SCSI revision: 05
Host: scsi2 Channel: 00 Id: 00 Lun: 00
Vendor: VMware Model: Virtual disk Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02
Host: scsi2 Channel: 00 Id: 01 Lun: 00
Vendor: VMware Model: Virtual disk Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02

there are many other ways, this is some of it.

AMD® AM2(Windsor F3 or Brisbane) Overclocking Guide

1. Introduction
FSB Definition:
When you are overclocking you should raise the value of FSB in your motherboard it is called HTT in most AM2 I’ve seen, but what is FSB?!
Front Side Bus: Links the memory and all of the other devices on your motherboard to the CPU. The speed of the FSB is expressed in frequency. Raising the FSB is core to overclocking.

LDT multiplier:
It is the multiplier for the Hyper Transport bus. When you are purchasing an Amd64 processor “AM2″ it is written that hyper transport frequency = 2000 “AM2″,
LTD is calculated like this: FSB x LTD multiplier == LTD Frequency.
For AM2, the value shouldn’t be exceeding 1000 in the calculations “bios appearing calculations”, other than that system instability will be experienced after new clocks are set up, making this whole post pointless as what is the use of a fast unstable system?!, but there some overclockers from Lowyat.net that manage to hit “1600” with maximum Northbridge and Southbridge voltage.

Memory Divider Explanation:
When you are raising FSB not only the CPU frequency is changing, memory frequency is being pushed higher as well. Memory in general got rated speeds like 533/667/800, when you are at stock and your memory “usually” is pc-6400 you are running DDR2-800. FSB is set to 200, when you begin raising it to 210 then your memory are running DDR2-840, if FSB=250 then DDR2-1000, so probably if your memory isn’t manufactured to run at these very high speeds, your system will crash/wont boot. There is something called memory Divider within your bios. Memory divider got different options to choose from. For example, AMD X2 3800+ with DDR2-800 memory module:

There are 5 option available; auto, 400,533,667,800

Auto: nothing to explain here, but when you are overclocking you don’t want to set anything to auto that is related to overclocking, the memory module will run at 400mhz(DDR2-800)

800: same as above@400mhz

667: running lower than stock(400 MHz),ram frequency runs at 333 MHz(DDR2-667)

533: running lower than stock(400 MHz),ram frequency runs at 266 MHz(DDR2-533)
—> The best divider for starter.

400: the lowest of them all.

2. Getting Started
I. Lock PCI frequency at 66 MHz and PCI-E at 100 MHz
II. Disable ‘Cool n Quiet’, Spread Spectrum and other optimization tools;eg:Ai in Asus mobo.(you need to Google this first as different mobo got different things to disable)
III. Phase 1: Searching for highest FSB
a) Find HTT Speed and lower it to either 4x or 3x.
b) Lower the RAM speed to DDR2-533.(or lower)
c) Increase your CPU FSB slowly, 5MHZ at a time, until it either won’t boot.
d) Increase CPU voltage by one notch and try again until it boot. Then, repeat step (C)
e) Don’t increase voltage over 1.45 V.
f) Note down the highest FSB you achieve.

Phase 2: Searching for highest RAM frequency
a) Increase RAM speed to default.
b) Reduce FSB to default also, but leave Vcore at current setting.
c) Increase your CPU FSB slowly, 5MHZ at a time until it wont boot.
d) Increase Vdimm till the system boot. Repeat step (C) till the system won’t boot. Don’t ever increase Vdimm over 2.2V for normal value ram, the value for maximum Vdimm depend on ram chip and RAM module.
e) Note down the highest memory frequency achieved.

For Example:
AMD X2 3800+(2.0Ghz), Biostar Tforce TA690G, 2 x 1 Gb Mushkin Enhanced Basic DDR2-800
Highest FSB achieved: 320
Highest Memory Frequency: 500 Mhz
For this setting, highest core speed we can get is : 320 X 10 = 3.2Ghz,and for this speed, the memory frequency will run at 3200 ÷ 5 = 640Mhz (DDR2-1280);. The ram module can’t run at this blazing speed, so we need to reduce the memory divider. 667 divider will set the memory frequency run at 3200 ÷ 6 = 533 MHz (DDR2-1066).The highest memory frequency we achieved is 500 MHz, so this setting will not work. 533 divider will set the memory frequency run at 3200 ÷ 8 = 400Mhz.So this is the ideal divider as the memory frequency run lower than the maximum.

Phase 3: Finalizing

Once we get the calculation, set the FSB to default. Set the divider the suitable one. Then, Increase your CPU FSB slowly; 5MHZ until the core speed reach 3.2 GHz. The result should be like this:
Core Speed: 3.2 GHz
Memory Frequency: 400 MHz (DDR2-800)
Test for stability by using Orthos for 12 hours or superPI. Monitor the temperature during this test, the temperature is the temperature at full load, if it is over 55°C, then you need to reduce Vcore.

*This is just a basic guide; it doesn’t cover memory timing tweaking. Just set the timing to 5-5-5-15 or default

Let say we have 2 different network,

network A = 192.x.x.x network

network B = 10.x.x.x network

vSwitch can be considered as physical layer 2 switch. Hence, how you isolate those two network, depends on your vSwitch.

However, since vSwitch is layer 2 switch, it’s clearly only can do network isolate via ip address instead software layer like vlan & etc which require layer 3 switch.

So, do u need another vSwitch for 10.x.x.x network?

First, no need if 10.x.x.x is only for virtual machine network and 192.x.x.x network sharing same physical layer 2 switch

Second, yes u need, if you need to manage your ESXi from both network (192.x.x.x and 10.x.x.x)

Not only vSwitch, but also secondary service console for management purposes via vi-client

greetz athlon_crazy

Steps:

Directory:
/usr/local/zenoss/zenoss/Products/ZenWidgets/skins/zenui

file to change :

logo.png

upload your preferred logo/pics and rename/remove current zenoss logo

$mv logo.png logo1.png

rename your uploaded file to logo.png

$mv newlogo.png logo.png

chmod it:

$chmod 664 logo.png

then restart zenoss

$sudo /etc/init.d/zenoss-stack restart

Login again into zenoss dashboard and refresh the browser.

sorry, i’m a ubuntu/debian person:
using (1)elinks, or (2)lynx:

$ sudo apt-get install elinks
$ elinks www.google.com

or Lynx (gonna be asked for allowing cookies)
$ sudo apt-get install lynx
$ lynx www.google.com

Any other useful text based WWW browser? fill me in.

salax@zulfiqar:~$ nmap 192.168.2.10

Starting Nmap 4.53 ( http://insecure.org ) at 2010-01-09 00:11 MYT
Interesting ports on 192.168.2.10:
Not shown: 1711 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
631/tcp open ipp

Nmap done: 1 IP address (1 host up) scanned in 0.075 seconds

———————————-

Firing up nepenthes:

salax@zulfiqar:~$ sudo /etc/init.d/nepenthes start
[sudo] password for salax:
Starting nepenthes: nepenthes.

——————————————————-

After nepenthes:

salax@zulfiqar:~$ nmap 192.168.2.10

Starting Nmap 4.53 ( http://insecure.org ) at 2010-01-09 00:11 MYT
Interesting ports on 192.168.2.10:
Not shown: 1690 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
42/tcp open nameserver
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
220/tcp open imap3
443/tcp open https
445/tcp open microsoft-ds
465/tcp open smtps
631/tcp open ipp
993/tcp open imaps
995/tcp open pop3s
1023/tcp open netvenuechat
1025/tcp open NFS-or-IIS
2105/tcp open eklogin
3372/tcp open msdtc
5000/tcp open UPnP
10000/tcp open snet-sensor-mgmt
17300/tcp open kuang2

Nmap done: 1 IP address (1 host up) scanned in 0.075 seconds

———————————————————————–

List open files shows as below :

salax@zulfiqar:/etc/nepenthes$ sudo lsof -i | grep nepenthes
[sudo] password for salax:
nepenthes 7246 nepenthes 6u IPv4 29655 TCP *:smtp (LISTEN)
nepenthes 7246 nepenthes 7u IPv4 29656 TCP *:pop3 (LISTEN)
nepenthes 7246 nepenthes 8u IPv4 29657 TCP *:imap2 (LISTEN)
nepenthes 7246 nepenthes 9u IPv4 29658 TCP *:imap3 (LISTEN)
nepenthes 7246 nepenthes 10u IPv4 29659 TCP *:ssmtp (LISTEN)
nepenthes 7246 nepenthes 11u IPv4 29660 TCP *:imaps (LISTEN)
nepenthes 7246 nepenthes 12u IPv4 29661 TCP *:pop3s (LISTEN)
nepenthes 7246 nepenthes 13u IPv4 29662 TCP *:2745 (LISTEN)
nepenthes 7246 nepenthes 14u IPv4 29663 TCP *:6129 (LISTEN)
nepenthes 7246 nepenthes 15u IPv4 29664 TCP *:loc-srv (LISTEN)
nepenthes 7246 nepenthes 16u IPv4 29665 TCP *:microsoft-ds (LISTEN)
nepenthes 7246 nepenthes 17u IPv4 29666 TCP *:1025 (LISTEN)
nepenthes 7246 nepenthes 18u IPv4 29667 TCP *:ftp (LISTEN)
nepenthes 7246 nepenthes 19u IPv4 29668 TCP *:https (LISTEN)
nepenthes 7246 nepenthes 20u IPv4 29669 TCP *:17300 (LISTEN)
nepenthes 7246 nepenthes 21u IPv4 29670 TCP *:2103 (LISTEN)
nepenthes 7246 nepenthes 22u IPv4 29671 TCP *:eklogin (LISTEN)
nepenthes 7246 nepenthes 23u IPv4 29672 TCP *:2107 (LISTEN)
nepenthes 7246 nepenthes 24u IPv4 29673 TCP *:3372 (LISTEN)
nepenthes 7246 nepenthes 25u IPv4 29674 UDP *:ms-sql-m
nepenthes 7246 nepenthes 26u IPv4 29675 TCP *:3127 (LISTEN)
nepenthes 7246 nepenthes 27u IPv4 29676 TCP *:netbios-ssn (LISTEN)
nepenthes 7246 nepenthes 28u IPv4 29677 TCP *:3140 (LISTEN)
nepenthes 7246 nepenthes 29u IPv4 29678 TCP *:5554 (LISTEN)
nepenthes 7246 nepenthes 30u IPv4 29679 TCP *:1023 (LISTEN)
nepenthes 7246 nepenthes 31u IPv4 29680 TCP *:27347 (LISTEN)
nepenthes 7246 nepenthes 32u IPv4 29681 TCP *:5000 (LISTEN)
nepenthes 7246 nepenthes 33u IPv4 29682 TCP *:webmin (LISTEN)
nepenthes 7246 nepenthes 34u IPv4 29683 TCP *:nameserver (LISTEN)
nepenthes 7246 nepenthes 35u IPv4 29684 TCP *:www (LISTEN)
nepenthes 7246 nepenthes 36u IPv4 29685 TCP *:10002 (LISTEN)

——————————————————————-

Take a look in /var/log/nepenthes/logged_downloads:

salax@zulfiqar:/var/log/nepenthes$ cat logged_downloads
[2010-01-08T03:21:15] 60.48.72.2 -> 192.168.2.10 link://60.48.72.2:11965/qcxYEw==
[2010-01-08T03:23:37] 60.48.98.64 -> 192.168.2.10 ftp://a:a@60.48.98.64:11460/Win15763.exe
[2010-01-08T22:27:49] 60.47.49.168 -> 192.168.2.10 link://60.47.49.168:29913/GDAo+A==
[2010-01-09T21:59:29] 60.48.196.174 -> 192.168.2.10 ftp://1:1@0.0.0.0:5895/wint.exe
[2010-01-09T22:20:08] 60.167.120.190 -> 192.168.2.10 ftp://1:1@60.167.120.190:9495/ssms.exe
[2010-01-09T22:26:00] 60.56.171.98 -> 192.168.2.10 tftp://0.0.0.0/ssms.exe
[2010-01-09T22:31:08] 60.47.211.135 -> 192.168.2.10 link://60.47.211.135:57271/46juBw==
[2010-01-09T22:54:40] 60.48.196.174 -> 192.168.2.10 ftp://1:1@0.0.0.0:5895/wint.exe
[2010-01-09T23:20:02] 60.48.206.249 -> 192.168.2.10 ftp://1:1@60.48.206.249:31018/wingate32.exe
[2010-01-09T23:23:05] 60.53.58.190 -> 192.168.2.10 ftp://1:1@0.0.0.0:15639/WinSec.exe
[2010-01-09T23:42:31] 60.48.206.249 -> 192.168.2.10 link://60.48.206.249:50408/EWYNew==
[2010-01-10T11:48:14] 60.44.18.223 -> 192.168.2.10 blink://60.44.18.223:40579/GLJK+A==
[2010-01-10T12:10:59] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:42750/GIAo+A==
[2010-01-10T12:21:05] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:33106/GIAo+A==
[2010-01-10T12:22:13] 69.207.61.212 -> 192.168.2.10 http://74.77.18.116:4662/x.exe
[2010-01-10T12:31:20] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:41373/GIAo+A==
[2010-01-10T13:13:55] 60.42.119.172 -> 192.168.2.10 blink://60.42.119.172:29703/mPKeAQ==
[2010-01-10T13:15:21] 60.43.40.208 -> 192.168.2.10 link://60.43.40.208:46158/OHwf/g==
[2010-01-11T00:36:28] 60.48.103.18 -> 192.168.2.10 ftp://1:1@60.48.103.18:62984/wingate32.exe
[2010-01-11T00:42:24] 60.36.30.127 -> 192.168.2.10 ftp://1:1@0.0.0.0:45513/ssms.exe
[2010-01-11T00:51:16] 60.48.221.25 -> 192.168.2.10 ftp://1:1@60.48.221.25:40959/wingate32.exe
[2010-01-11T00:56:31] 60.48.103.18 -> 192.168.2.10 ftp://1:1@60.48.103.18:62984/wingate32.exe
[2010-01-11T20:10:07] 60.48.245.153 -> 192.168.2.10 link://60.48.245.153:64395/EGYNAw==
[2010-01-11T20:15:19] 60.48.245.153 -> 192.168.2.10 ftp://1:1@0.0.0.0:44154/wingate32.exe
[2010-01-11T20:18:03] 60.249.204.192 -> 192.168.2.10 tftp://0.0.0.0/ssms.exe
[2010-01-11T20:24:11] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T21:22:43] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-11T21:37:35] 60.41.138.161 -> 192.168.2.10 link://60.41.138.161:35057/4/idCA==
[2010-01-11T21:51:23] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-11T21:51:35] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:00:17] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:10:43] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:24841/0
[2010-01-11T22:10:43] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:24841/0
[2010-01-11T22:14:19] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-11T22:16:52] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T22:17:08] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T22:17:41] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:27:00] 60.42.243.214 -> 192.168.2.10 link://60.42.243.214:48588/+RnAEQ==
[2010-01-11T22:35:05] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:52:24] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T22:52:29] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:54:18] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T23:01:11] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T23:07:43] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:13110/0
[2010-01-11T23:07:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:6464/0
[2010-01-11T23:15:04] 60.48.70.250 -> 192.168.2.10 ftp://1:1@60.48.70.250:23241/WinSec.exe
[2010-01-11T23:17:46] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-11T23:17:55] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T23:18:34] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T23:21:10] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-13T03:19:57] 60.48.98.181 -> 192.168.2.10 ftp://a:a@0.0.0.0:3987/igxdfdfds.com
[2010-01-13T03:27:39] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T03:28:57] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T03:30:20] 60.48.216.206 -> 192.168.2.10 ftp://1:1@60.48.216.206:59898/wingate32.exe
[2010-01-13T03:32:24] 60.48.98.181 -> 192.168.2.10 ftp://a:a@60.48.98.181:4078/Win15763.exe
[2010-01-13T03:37:06] 60.48.98.181 -> 192.168.2.10 ftp://a:a@60.48.98.181:4078/Win15763.exe
[2010-01-13T03:37:54] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T03:40:13] 60.48.98.181 -> 192.168.2.10 ftp://1:1@0.0.0.0:12506/wingate32.exe
[2010-01-13T03:43:58] 60.48.98.181 -> 192.168.2.10 ftp://1:1@0.0.0.0:12506/wingate32.exe
[2010-01-13T03:50:13] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T03:50:21] 60.48.216.206 -> 192.168.2.10 ftp://1:1@60.48.216.206:59898/wingate32.exe
[2010-01-13T03:54:50] 60.48.216.206 -> 192.168.2.10 ftp://1:1@60.48.216.206:59898/wingate32.exe
[2010-01-13T04:02:31] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T04:59:55] 60.48.216.206 -> 192.168.2.10 ftp://1:1@60.48.216.206:59898/wingate32.exe
[2010-01-13T05:07:36] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T05:34:57] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T05:48:38] 60.42.253.163 -> 192.168.2.10 link://60.42.253.163:54497/+BkAgw==
[2010-01-13T05:50:41] 60.48.89.89 -> 192.168.2.10 ftp://1:1@60.48.89.89:59451/wingate32.exe
[2010-01-13T05:57:08] 60.48.89.89 -> 192.168.2.10 tftp://60.48.89.89/runwin32.exe
[2010-01-13T05:57:30] 60.48.89.89 -> 192.168.2.10 ftp://1:1@60.48.89.89:59451/wingate32.exe
[2010-01-13T06:26:55] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T06:27:07] 60.48.89.89 -> 192.168.2.10 tftp://0.0.0.0/runwin32.exe
[2010-01-13T06:27:30] 60.48.89.89 -> 192.168.2.10 ftp://1:1@0.0.0.0:59451/wingate32.exe
[2010-01-15T22:13:10] 124.12.75.2 -> 192.168.2.10 tftp://124.12.75.2/ssms.exe

—————————————————————————————
Take a look also in /var/log/nepenthes/logged_submissions :

salax@zulfiqar:/var/log/nepenthes$ cat logged_submissions
[2010-01-08T22:28:05] 60.47.49.168 -> 192.168.2.10 link://60.47.49.168:29913/GDAo+A== a881dd13336137c7c0a346a0e95a28cb
[2010-01-09T22:26:53] 60.56.171.98 -> 192.168.2.10 tftp://60.56.171.98:69/ssms.exe 98eb0fdadf8a403c013a8b1882ec986d
[2010-01-09T23:42:44] 60.48.206.249 -> 192.168.2.10 link://60.48.206.249:50408/EWYNew== f6a0747f321da6905d7f117b1a0491bc
[2010-01-10T11:48:15] 60.44.18.223 -> 192.168.2.10 blink://60.44.18.223:40579/GLJK+A== cf39a0e99513d242b516facffcf0149a
[2010-01-10T12:11:16] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:42750/GIAo+A== fd0a67fb35667fabc7cba1be174a66a0
[2010-01-10T12:21:12] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:33106/GIAo+A== fd0a67fb35667fabc7cba1be174a66a0
[2010-01-10T12:31:35] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:41373/GIAo+A== fd0a67fb35667fabc7cba1be174a66a0
[2010-01-10T13:13:56] 60.42.119.172 -> 192.168.2.10 blink://60.42.119.172:29703/mPKeAQ== 6560050cb210e159c9cfb5a50fe6dd63
[2010-01-10T13:15:38] 60.43.40.208 -> 192.168.2.10 link://60.43.40.208:46158/OHwf/g== 714c1bf115fe97b19a4556d40de2fec1
[2010-01-11T20:18:48] 60.249.204.192 -> 192.168.2.10 tftp://60.249.204.192:69/ssms.exe fd28c5e1c38caa35bf5e1987e6167f4c
[2010-01-11T22:10:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:4921 7dc73bfa4d78284155dd5101991eeb34
[2010-01-11T22:10:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:4923 7dc73bfa4d78284155dd5101991eeb34
[2010-01-11T23:07:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:4735 7dc73bfa4d78284155dd5101991eeb34
[2010-01-11T23:07:48] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:3297 7dc73bfa4d78284155dd5101991eeb34
[2010-01-13T06:22:38] 60.48.89.89 -> 192.168.2.10 tftp://60.48.89.89/runwin32.exe 1eb2ae9acb444fd275f4ff1d55f4a54c
[2010-01-15T22:14:52] 124.12.75.2 -> 192.168.2.10 tftp://124.12.75.2/ssms.exe 1f8a826b2ae94daa78f6542ad4ef173b

—————————————————————————————————————-

I looked into binaries files stored:

salax@zulfiqar:/var/lib/nepenthes/binaries$ ls
1eb2ae9acb444fd275f4ff1d55f4a54c 714c1bf115fe97b19a4556d40de2fec1 a881dd13336137c7c0a346a0e95a28cb fd0a67fb35667fabc7cba1be174a66a0
1f8a826b2ae94daa78f6542ad4ef173b 7dc73bfa4d78284155dd5101991eeb34 cf39a0e99513d242b516facffcf0149a fd28c5e1c38caa35bf5e1987e6167f4c
6560050cb210e159c9cfb5a50fe6dd63 98eb0fdadf8a403c013a8b1882ec986d f6a0747f321da6905d7f117b1a0491bc

——————————————————————————————
And i’ve got lots from hexdump :

salax@zulfiqar:/var/lib/nepenthes/hexdumps$ ls
03040d7e4a4b43a51e16e23e8db372cc.bin
03b7c83b1097ec2103457238292d2c64.bin
047508ec910bbdd22bbd5b57735653cc.bin
0970bdd79407182c9b4528ea09482766.bin
0b246cefe406d265e33336b5614f03b8.bin
0bdbf63d3280cc4148dc431ee8ff9e67.bin
0cfc77783bc087dfdbc93eb848434785.bin
0e260b4030f9e03af889964cf08f1c31.bin
2b3ae3f7588a4f5598c35ccf85c57038.bin
2bed2846c40be4d0b54bd8e6570f5d65.bin
f9dc4a724a268dc50f599d91414a25a8.bin
2f25328714f52ceeb150474f9bd41ca3.bin
fc5752c2b644cf41132beac523653d6f.bin
32389a3b6d15c6b658c8c0ad0869e617.bin
33103e04b2b192f40a1a78091bb7fe5a.bin
fff4bb5b930ca56719bea26e22152165.bin
34557adc8990ee198c75a6446916f9fc.bin
——8<------------------------------------8<---------------------cutted-----8<

————————————————————————————————————————
Then, scanning using ClamAV:

salax@zulfiqar:/var/lib/nepenthes$ clamscan binaries/
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON’T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
binaries/fd0a67fb35667fabc7cba1be174a66a0: OK
binaries/cf39a0e99513d242b516facffcf0149a: OK
binaries/714c1bf115fe97b19a4556d40de2fec1: W32.Virut.sa FOUND
binaries/7dc73bfa4d78284155dd5101991eeb34: Trojan.SdBot-730 FOUND
binaries/1f8a826b2ae94daa78f6542ad4ef173b: Trojan.SdBot-4763 FOUND
binaries/fd28c5e1c38caa35bf5e1987e6167f4c: Trojan.SdBot-4763 FOUND
binaries/f6a0747f321da6905d7f117b1a0491bc: OK
binaries/98eb0fdadf8a403c013a8b1882ec986d: Trojan.SdBot-4763 FOUND
binaries/a881dd13336137c7c0a346a0e95a28cb: W32.Virut-17 FOUND
binaries/1eb2ae9acb444fd275f4ff1d55f4a54c: OK
binaries/6560050cb210e159c9cfb5a50fe6dd63: OK
binaries/df51e3310ef609e908a6b487a28ac068: Trojan.SdBot-4763 FOUND

———– SCAN SUMMARY ———–
Known viruses: 572978
Engine version: 0.94.2
Scanned directories: 1
Scanned files: 12
Infected files: 7
Data scanned: 1.30 MB
Time: 2.564 sec (0 m 2 s)

to be continued….lot’s to learn here and also for dionae………