LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 07-06-2012, 09:54 AM   #1
lee_can
Member
 
Registered: Mar 2011
Posts: 118

Rep: Reputation: 1
How to collect malwares by using nepenthes


Hi,
I ran nepenthes on a debian O.S installed on virtual machine.
Code:
e33@debian:~$ sudo service nepenthes start
[sudo] password for e33: 
Starting nepenthes: nepenthes.
PHP Code:
e33@debian:~$ sudo netstat -ntlp grep nepenthes
tcp        0      0 0.0.0.0
:42              0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:139             0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:3372            0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:110             0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:143             0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:80              0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:10000           0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:6129            0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:465             0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:5554            0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:27347           0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:17300           0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:21              0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:3127            0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:2103            0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:2105            0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:2745            0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:25              0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:2107            0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:443             0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:220             0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:445             0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:1023            0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:1025            0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:993             0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:995             0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:3140            0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:135             0.0.0.0:*               LISTEN      840/nepenthes   
tcp        0      0 0.0.0.0
:5000            0.0.0.0:*               LISTEN      840/nepenthes 
I kept nepenthes running for couple of hours, and when I checked:
Code:
e33@debian:~$ tail /var/log/nepenthes/logged_downloads
e33@debian:~$
The logged_downloads which suppose to contains all the downloads attempts and what malware the attacking system are trying to distribute is still empty, which mean the nepenthes still not working properly in order to start capturing malware.
 
Old 07-06-2012, 11:07 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,010
Blog Entries: 54

Rep: Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763
Quote:
Originally Posted by lee_can View Post
The logged_downloads which suppose to contains all the downloads attempts and what malware the attacking system are trying to distribute is still empty, which mean the nepenthes still not working properly in order to start capturing malware.
...or it means nobody tried anything. Did you configure Nephentes? Do the logs show any errors?
*BTW Nephentes was succeeded by Dionaea and besides that there are a few more honeypots (Honeyd, Amun, Kippo, Artillery) you could use depending on your requirements. If you would like to try Nephentes a different way you could also search for the Mercury Live CD (announcement was made here and the DVD also contains Honeyd and Dionaea), search for "mercury-i386-dvd.iso".
**Do correct me if I'm wrong but as far as I'm aware only Dionea, Kippo and Artillery are current / maintained.
 
1 members found this post helpful.
Old 07-06-2012, 11:36 AM   #3
lee_can
Member
 
Registered: Mar 2011
Posts: 118

Original Poster
Rep: Reputation: 1
Thanks a lot unSpwan for your prompt and useful reply.

Quote:
Originally Posted by unSpawn View Post
...or it means nobody tried anything. Did you configure Nephentes? Do the logs show any errors?
Yes, I configured as it should be, but I am not sure about receiving connections on the ports which I mentioned above.
I am not sure if I have to use iptables -I INPUT -p tcp --dport <ports mentioned in the first post> -j ACCEPT (for the all ports)?
Did you see any useful book for the subject?

Quote:
Originally Posted by unSpawn View Post
...
*BTW Nephentes was succeeded by Dionaea
You are right, and even on the nepenthes website, admin are declaring Nepenthes is outdated Do not use Nepenthes, use Dionaea instead.

I just want to get familiar with nepenthes before moving Dionea, etc,,

I will start looking for mercury-i386-dvd.iso to see how it works.
Appreciate and thanks for your help
 
Old 07-08-2012, 07:29 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,010
Blog Entries: 54

Rep: Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763
Quote:
Originally Posted by lee_can View Post
I am not sure if I have to use iptables -I INPUT -p tcp --dport <ports mentioned in the first post> -j ACCEPT (for the all ports)?
That depends on your firewall default INPUT chain policy and rules but generally speaking, yes, you should allow traffic in you want to capture.


Quote:
Originally Posted by lee_can View Post
Did you see any useful book for the subject?
Honeypots: Tracking Hackers, (Spitzner, 2002)
Honeypots: A New Paradigm to Information Security, (Joshi and Sardana, 2011)
Virtual Honeypots: From Botnet Tracking to Intrusion Detection (Provos and Holz, 2007)
If it's useful I don't know: you decide.


Quote:
Originally Posted by lee_can View Post
You are right, and even on the nepenthes website, admin are declaring Nepenthes is outdated Do not use Nepenthes, use Dionaea instead. I just want to get familiar with nepenthes before moving Dionea, etc,,
Well "etc,," don't. Wasted time. Just head for http://dionaea.carnivore.it/ I'd say.
 
1 members found this post helpful.
Old 07-08-2012, 12:58 PM   #5
lee_can
Member
 
Registered: Mar 2011
Posts: 118

Original Poster
Rep: Reputation: 1
Thanks a lot unSpawn for your guides.
 
  


Reply

Tags
malware


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
nepenthes configuration files missing geminihzh Linux - Software 0 12-07-2010 02:51 AM
Nepenthes installation error ababil151 Linux - Newbie 1 09-24-2010 02:21 PM
Nepenthes: low interaction honeypots glg Linux - Security 3 08-19-2009 04:03 AM
Nepenthes: low interaction honeypots OlRoy Linux - Security 8 03-18-2007 04:25 PM


All times are GMT -5. The time now is 03:16 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration