Security :: Detecting Infected Hosts - Honeypots - Wireshark - Nepenthes

Sep 2, 2010

Is there a 'plugin' for wireshark to analyze traffic and spot infected (windows) hosts? I have been using nepenthes with no luck. (and doubt all hosts are clean) is there some better way (other than using antivirus on each host)?

View 10 Replies


ADVERTISEMENT

Fedora Security :: Always Failing - Clam Found 9 Infected Notes Infected With: "Worm.Allaple-319"

Nov 10, 2010

I Clam-scanned a bunch of old CD's.. Clam found 9 infected notes infected with: "Worm.Allaple-319"... I wonders if this was my problem with Ubuntu always failing..? These are some of my best notes.. Is it possible to clean the bugs out of them with Fedora..?

View 8 Replies View Related

Security :: Attackers Now Using Honeypots To Trap Researchers?

Nov 5, 2010

Quote: Attackers are constantly changing their tactics and adapting to what the security community and researchers are doing, and it's not unusual for the bad guys to adopt techniques used by their adversaries. The latest example of this is a malware gang that has deployed what amounts to a honeypot designed to monitor the activity of researchers or other attackers who try to access a command-and-control server.

View 1 Replies View Related

Ubuntu Security :: Nepenthes Configuration Files Missing

Dec 7, 2010

I am doing a honeypot project, and after I install nepenthes: $ sudo apt-get install nepenthes

$ nepenthes

I find that there are no configuration files in /etc/nepenthes/, and only a signatures document.

I searched in the internet, all the install guides do not mention this problme, just say that if updating the nepenthes, the /etc/nepenthes/*.conf will not automaticly update.

View 2 Replies View Related

Security :: Low Interaction Honeypot (based On Nepenthes) Worm Infection?

May 19, 2010

I have snipped part of my log i captured on the my honey pot need recommendation on what is going o? The infected computers is located at address ${ADDRESS}. A quick check of my low interaction Honeypot (based on nepenthes) gives the following data: i know its a worm but what is going on thanks in advance

linux-sqos:/opt/nepenthes/var/log # cat nepenthes.log
<snip>
[18032007 02:26:03 info module] 76 4
[18032007 02:26:03 info module] SMB Session Request 76
H CKFDENECFDEFFCFGEFFCCACACACACACA
code....

View 2 Replies View Related

Security :: Use Current /etc/hosts File To Do An Ssh-keyscan Instead Of Making A Special List Of Hosts?

May 2, 2011

I'm trying to use ssh-keyscan to get some known_host file population going on, but I have a ton of hosts I want to scan, all with multiple aliases in /etc/hosts. Is there a way to use my current /etc/hosts file to do an ssh-keyscan instead of making a special list of hosts that (from what I've read) ssh-keyscan needs?

View 2 Replies View Related

Ubuntu Security :: Wireshark Security Root Privileges?

Mar 25, 2010

Having read on the forums about some of the dangers of running Wireshark as root, I would like to know if anyone can suggest some alternative packet sniffers/network analyzers which will offer similar results but without the security issues. I am using Karmic Koala on a Fujitsu Siemens laptop with wireless router (firewall enabled)

View 7 Replies View Related

Security :: Computer Is INFECTED According To ClamAV?

Apr 11, 2010

I recently ran a virus scan on my CentOS server using ClamAV's "clamscan" command to scan my entire system for virus. After the scan was complete it says that I have 1 infected file on my computer. I COMPLETELY FREAKED OUT! Is there some kind of log that I should read to see where the infected files are? Also does ClamAV just scan your system for virus or does it scan and remove the virus on the computer.If you know of an alternative open source security software,

View 3 Replies View Related

Security :: Computer Has Been Infected With Trojans?

Jan 7, 2010

I'm now running Ubuntu 9.04. There are 2 accounts on this computer, one is linux, the other is ubuntu. Before New year, everything had been fine. But after new year, I came back and found that the password of this account linux has been changed. So I fixed using my rescue disk. But since that day on, it seems that this password changes everyday somehow. Everyday when I'm trying to log into my Ubuntu System using the account linux, it says login failed. However, i can still login using the account ubuntu. I'm really confused. Why is this? I checked the date of expiry. Everything seems to be fine.

View 14 Replies View Related

Ubuntu Security :: ISP Keeps Complaining About Infected Computer

Feb 27, 2011

For a while my ISP has been sending me emails regarding an infected computer or computers on my local network. There are 4 computers running linux and 3 running windows on said network (3x ubuntu, gentoo, 2x windows server 2003 and windows 7).Now, I haven't used Windows in oh so many years and am not responsible for those computers on this network. Does it seem like this is a virus on a Windows host or should I research and adjust my iptables settings on the router? The applied anti-virus software (I don't know which one) apparently does not find any infections. On my workstation I'm using spotify and win32 office through wine, both obtained from legal and trusted sources, and would thus not consider my wine environment a threat.

View 4 Replies View Related

Security :: LAN Hacked - How To Find Infected Machine

Jul 3, 2009

I have LAN with 20 machines. I see that one of them is infected. Its sending a lot of packets to the internet. My internet connection at this momment is realy slow. What should I do? How to detect which machine is infected? I'm using hardware firewall. Fortigate... Its hard to configure there nice logs. Any good software. I don't want to switch off network cable from each machine and check.

View 10 Replies View Related

Security :: Detect Infected PC In LAN (Sending Packets To Internet)

Jul 17, 2009

In my network I have 25 workstations and some serves. Everything working in local LAN with firewall. The problem is that on one machine (I dont know which one) is installed software which sending data to the internet. Actually I dont know what it is. Last time as I remember was trojan which can create new network interfaces in windows and send some data to the internet. The half speed of my network connection is used by this infected machine. How can I detect which machine it is? How can I listen/capture some traffic and analyze from which machine I have more connections.

Please take a look on this time. Instead of 141-150ms should be 4-5ms.

64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=1 ttl=249 time=141 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=2 ttl=249 time=135 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=3 ttl=249 time=147 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=4 ttl=249 time=127 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=5 ttl=249 time=156 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=6 ttl=249 time=129 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=7 ttl=249 time=188 ms

How can I detect which machine is infected using only linux and keyboard ?

View 5 Replies View Related

Security :: Compromised Systems Notify Hacker They Are Infected

Dec 4, 2010

I have a server connected to the internet placed in a DMZ that was running ProFTPD. A couple of weeks ago there was a security threat uncovered that would grant access to external users through a buffer overflow. Of course I patched my ProFTPD quite often after that to secure my server. Now my problem is that the servers of ProFTPD were compromised and that source code with a back-door was released. To make matters worse compromised systems notify the hacker they are infected. is there any way to ensure I don't have a root-kit installed short of reinstalling the system?

View 4 Replies View Related

Security :: Server Infected With Scanssh - Pscan2 - ./sshf

Jul 31, 2010

I am facing a security issue on my server. I can see many process like pscan2, scanssh and ./sshf processing on 'top'. The owner of these processes is non root account. Can anybody let me know what can be the extent of loss due to these suspicious scripts? How can I permanently remove these scripts from my server. Please note that I am using CentOS 5.5 (64bit).

View 4 Replies View Related

Ubuntu Security :: How To Repair Virus Infected Files With ClamAV

Mar 29, 2011

I have seen that we can scan for viruses and also virus infected files with ClamAV but is there any possibility that ClamAV can repair virus infected files.

View 1 Replies View Related

Ubuntu Security :: WireShark - Do Not Run As Root

Nov 7, 2010

The Wireshark website specifically warns against running WireShark as Root....

Quote:

Administrator/root account not required!

Many Wireshark users think that Wireshark requires a root/Administrator account to work with.

That's not a good idea, as using a root account makes any exploit far more dangerous: a successful exploit will have immediate control of the whole system, compromising it completely.

First of all, most Wireshark functions can always be used with a (probably very limited) user account. In particular, the protocol dissectors which have shown most of the security related bugs do not need a root account!

Only capturing (and gathering capture interface information) may require a root account, but even that can usually be "circumvented", see CaptureSetup/CapturePrivileges for details how to do so.

View 3 Replies View Related

Security :: Wireshark Is Dependent On Iptables?

Oct 29, 2010

I am doing security stuff under linux... I've heard of Wireshark and Snort and dsniff and have been reading up on them on wikipedia pages but the big picture is not clear to me yet. Are things like Wireshard and Snort BASED on the functionality of iptables in Linux? I read that you have to be root to run iptables, but not to run Wireshark right? Yet Wireshark is dependent on iptables.

View 3 Replies View Related

Ubuntu Security :: Run A Program That Is Infected With A Trojan / Virus In Wine Will Effect It

May 2, 2010

if i run a program that is infected with a trojan/virus in Wine will it effect Ubuntu?

View 9 Replies View Related

Ubuntu Security :: Safe To Transfer Files From Infected Windows Partition?

Sep 2, 2010

My Windows XP Pro laptop has been attacked! Windows will no longer update and Microsoft Security Essentials will not update either. I've been trying to resolve the issue for over two weeks with Microsoft support, but it's just taking too long. I also tried some rescue CD options (all running some form of Linux, obviously):

- BitDefender Rescue CD (removed infections, now detects nothing),
- Kaspersky Rescue CD 10 (removed infections, now detects nothing),
- Trinity Rescue CD (won't load AV Engine, so can't use it to do anything).

Malwarebytes cleaned a bunch of stuff, but will not clean the final threat detected (it's supposed to get deleted on reboot, but never does). Hijack.FolderOptions is stuck in the accursed registry, and it keeps causing Windows Explorer to crash. I cannot rename files or work with them or everything just crashes.

So I'm ready to reinstall XP from scratch, and add a dual boot with Xubuntu & LXDE, which I'm already running on a much older laptop.

Question: I want to rescue the files I need. My idea was:

1) Install Xubuntu with dual boot.
2) Copy over files from Windows XP partition using Xubuntu.
3) Back up files to an external drive using Xubuntu.
4) Reinstall XP Pro and format hard drive.
5) Reinstall Xubuntu with dual boot.
6) Use Xubuntu for daily use.
7) Only use XP for those tasks that require it (TomTom updates ...)

Should I be concerned about the security risk from copying files from the Windows partition to the Xubuntu partition, and from there onto an external hard drive?

Is this the way to do it, or is there a better way? I just want my laptop back in working order. Right now I can't use it for anything.

View 8 Replies View Related

Ubuntu Security :: Running WireShark As Root?

Oct 11, 2010

I'm running behind a 2wire NAT Router with only have smtp, www, pop3 open routing to my ubuntu VM server. Network also includes three other ubuntu VM server's and a Desktop. I'm the only one on the network so my question is, what security risk is there running WireShark as root? Because running it under dumpcap is horrible after you quit. It hogs up all the resource to remove the dump.

View 7 Replies View Related

Ubuntu Security :: Wireshark Not Capturing Properly?

Jan 23, 2011

Was trying to use wireshark to pen test my network and I can't get it to work properly.When capturing on my main wireless card wlan0 atheros ath9k the program freezes after a short while and I can't even access the web anymore. Not to mention it stops capturing. I have to disconnect and reconnect to get back on the web. Not sure what is going on here. I get the following output in terminal:

(wireshark:2240): GLib-GObject-WARNING **: /build/buildd/glib2.0-2.26.0/gobject/gsignal.c:3081: signal name `depressed' is invalid for instance `0x2142cb68'

[code]....

View 1 Replies View Related

Ubuntu Security :: Clam Antivirus Does Not Prompt There Is A Virus When Opened The Infected File Or Link?

Aug 5, 2010

does it effective using ClamAV as Privoxy antivirus? I have actually configure it but it does not seem to come into any effect.Why?I test it with Eicar(test virus) online and it does not even prompt there is a problem unless i have scanned.Beside that,i have installed ClamAV daemon along with it. [URL]

[Code]....

Issue :How come the Clam Antivirus does not prompt there is a virus when i opened the file or problem link?Does it work difference as Window OS antivirus which prompt when there is a virus detected?

View 9 Replies View Related

Security :: Ipsec Not Working Between Two Hosts?

Nov 3, 2010

I've set up two security associations(in and out) on two hosts, and then set up two policies per host that should filter traffic to those SA's. Yet when I try to ping one host from the other I get no response, meaning that the filters on one side work and drop unprotected packets, but both hosts are configured to communicate using ipsec. Can anyone point me in the right direction?

Code:
ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)"

[code]...

View 1 Replies View Related

Ubuntu Security :: Vnc/ssh Server Behind Nat - Detecting Real Ip?

May 29, 2010

broadband cable -> Linksys RTP300 router -> Firestarter -> Ubuntu 10.04 Desktop

sshd and vnc installed and working fine when enabled but the only way is to add my routers ip as a trusted address or add individual port entries for 192.168.15.1... on the linksys i, of course, have the appropriate ports forwarded to the Ubuntu static ip, so basically anyone can try to connect... how can i make the router forward the internet ip of the person trying to connect, so I can lock it down better?

View 8 Replies View Related

Ubuntu Security :: Allow Foreign IP Address In Hosts?

May 30, 2011

I found this IP address in my hosts.allowQuote:ALL: 119.42.68.232I cannot find any other evidence of intrusion.

View 4 Replies View Related

Security :: Configure Deny.hosts For Opensuse 11.1?

Sep 7, 2010

I just downloaded the DenyHosts2.6python2.5.rpm for deny.hosts from sourceforge and would like to set it up. I normally use fish://, smb:// and ftp:// on the boxes on my lan. I already have files called hosts.allow and hosts.deny in the /etc folder. Will the rpm configure hosts.deny when first run?

View 1 Replies View Related

Ubuntu Security :: Sshd And Hosts.deny Not Always Observed?

Jan 18, 2010

I'm having troubles trying to understand this problem:my homeserver until yesterday had a public IP, staying on network, with sshd running and all was fine;this evening I changed the IP, giving it a local lan address, and what happened if I tried to connect to it by ssh?I got an error about "Connection closed by remote host". Google helped me finding that was regarded to hosts.deny file, that was actually containing a lineALL:ALLthat I commented, and all was fine.My question is: why the hosts.deny (that has never changed) was observed only with the local IP?I tried to switch back to the public IP and leaving ALL:ALL, and it did connect without any problem

View 1 Replies View Related

Ubuntu Security :: OSSEC Detecting Trojaned /bin/login On Lucid?

Apr 29, 2010

OSSEC is detecting a trojaned version of /bin/login on a Lucid clean install.[FAILED]: Trojaned version of file '/bin/login' detected. Signature used:bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|s ukasuk' (Generic).

View 1 Replies View Related

Ubuntu Security :: Deny Hosts Removing An Ip And Checking Tcpwrappers?

Oct 21, 2010

I could not find any where the documentation the only best which I got was [URL]

My question is the following blog says to remove an IP from /etc/hosts.deny which denyhost has blocked

[URL] you need to have a directory /usr/share/denyhosts/data I do not find any such directory

Also when I tried to check tcp wrapper configuration as given here

[URL]

tcpdchk -v Cannot find your inetd.conf or tlid.conf file. Please specify its location.

what does the above output mean? How do I make sure denyhosts is doing its job?

View 2 Replies View Related

Security :: Hosts.Allow Vs. SSH / Sending Message Connection Closed By Remote Host?

May 29, 2010

I have set up SSH and redirected the ssh server to listen on another port other than 22 for a bit of added security.

Now in hosts.deny I have:

ALL : ALL

In hosts.allow I have:

SSH : ip_address_of_client

I can no longer connect. I get the message: ssh_exchange_identification: Connection closed by remote host.

When I change hosts.allow to read:

ALL : ip_address_of_client

I can successfully connect the server.

However, I only want to allow SSH access in hosts.allow. What is the correct syntax?

I have tried and failed with each one of these:

SSH : ip_address:port_number
SSH2 : ipaddress
sshfwd-portnumber : ip_address_of_client

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved