Ticket #95 (closed bug: invalid)

Opened 1 year ago

Last modified 1 year ago

Running HoneyClient::Manager

Reported by: Devinder <devinbhullar@gmail.com>
Assigned to: kindlund
Priority: normal
Milestone: 0.9
Component: HoneyClient::Manager
Version: 0.99
Severity: minor
Keywords: starting, manager, compromised
Cc:

Description

Hi Darien

When I ran the test on www.google.com, the integrity check is OK.

When I ran the test a second time using just google.com, it says the VM has been compromised.

Regards Devinder


Change History

09/12/07 02:13:23 changed by Devinder <devinbhullar@gmail.com>

WARNING: VM HAS BEEN COMPROMISED!
2007-09-12 13:59:36 INFO [HoneyClient::Manager::runSession] (/usr/local/share/perl/5.8.8/HoneyClient/Manager.pm:710) - Calling suspendVM(config => /vm/clones/39c14c27e49ff67b7415627ef9/master.vmx).
2007-09-12 13:59:46 WARN [HoneyClient::Manager::runSession] (/usr/local/share/perl/5.8.8/HoneyClient/Manager.pm:717) - VM Compromised. Last Resource (http://www.google.com/) Fingerprint: $VAR1 = {
  'lasturl' => 'http://www.google.com/',
  'registry' => [
    {
      'status' => 2,
      'entries' => [
        'type' => 'application/octet-stream',
        'md5' => 'a414347ca09f25ab4265d88be7fea290',
        'size' => '114688'
      }
    }
  ],
  'last_resource' => 'http://www.google.com/'
}
};

09/12/07 02:29:02 changed by Devinder <devinbhullar@gmail.com>

  • severity changed from none to minor.

Hi Darien

I ran the test for the third time and the integrity check still failed for google.com.

I have 5 clones on the VM Server. Should I delete the old ones?

09/12/07 02:41:24 changed by Devinder <devinbhullar@gmail.com>

Hi Darien

I ran the test with a different URL, http://www.yahoo.com, and the integrity check is OK.

I am puzzled as to why in the first test google.com is OK and then compromised.

Devinder

09/12/07 03:00:07 changed by Devinder <devinbhullar@gmail.com>

Hi,

Is there a log file that gets the status of each page, like:

google - OK
yahoo - OK
xyz - FAIL

09/12/07 04:19:53 changed by anonymous

Hi. How do I view this log file when the clones are closed? Do I start them after the test has finished?

Currently, an integrity report of what was compromised is written to the /tmp/changes.txt (aka. c:\cygwin\tmp\changes.txt) file within the Cygwin shell on the cloned honeyclient VM.

(follow-up: ↓ 7 ) 09/13/07 00:19:11 changed by kindlund

  • status changed from new to closed.
  • type changed from test to bug.
  • component changed from Installation to HoneyClient::Manager.
  • summary changed from StartUP to Running HoneyClient::Manager.
  • version changed from none to 0.99.
  • milestone set to 0.9.
  • keywords set to starting, manager, compromised.
  • resolution set to invalid.

That means you ran into some false positives. Email me directly the /tmp/changes.txt in each of the cloned VMs and we can try to troubleshoot this offline.

Basically, you have to review each of the cloned VMs and see if

Regards,

— Darien

(in reply to: ↑ 6 ) 09/13/07 08:50:10 changed by kindlund

Replying to kindlund:

Basically, you have to review each of the cloned VMs and see if

Sorry about that; I don't usually end mid-sentence.

To clarify, the detection system is not 100% perfect. When a cloned VM is suspended, you have to review each to see if there are any false positives. For more information about false positives, see:

http://en.wikipedia.org/wiki/False_positives#Malware

Your syslog should contain the URL history of where each cloned VM visited. You can then correlate those events to determine if there was in fact a compromise or not.

Regards,

— Darien
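The per-URL status list Devinder asks for, plus the false-positive review Darien describes, can be automated over the Manager log. The following is an added example, not HoneyClient code: it splits the Manager log into records using the line format quoted in this ticket, parses the Data::Dumper fingerprint attached to each "VM Compromised" warning, and checks every recorded md5 against an allowlist of changes you have already reviewed by hand. The sample log, the second session (http://example.test/), its digest and the allowlist contents are constructed for the example; the detection still is not 100% perfect, so a verdict here only tells you which /tmp/changes.txt reports still need a human look.

```python
import re

# Record format of the HoneyClient::Manager log lines pasted in this ticket:
#   "<YYYY-MM-DD HH:MM:SS> <LEVEL> [<module::function>] (<file>:<line>) - <message>"
# The Data::Dumper fingerprint runs on over the following lines, so a line that does
# not start a new record is appended to the previous record's message.
RECORD_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<level>[A-Z]+) \[[^\]]+\] \([^)]*\) - (?P<msg>.*)$")
COMPROMISE_RE = re.compile(r"VM Compromised\. Last Resource \((?P<url>[^)]+)\) Fingerprint: \$VAR1 = (?P<dump>.*)", re.S)
# Tokens of a Data::Dumper value: quoted string, number, fat comma, brackets, undef.
TOKEN_RE = re.compile(r"'(?:[^'\\]|\\.)*'|-?\d+(?:\.\d+)?|=>|[{}\[\],;]|undef")

def split_records(log_text):
    """Group raw log lines into (level, message) records, keeping multi-line messages whole."""
    records = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append([m.group("level"), m.group("msg")])
        elif records:
            records[-1][1] += "\n" + line
    return [tuple(r) for r in records]

def parse_dumper(text):
    """Parse one Perl Data::Dumper value (hash, array, quoted string, number or undef)."""
    toks = TOKEN_RE.findall(text)
    pos = 0

    def value():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok in ("{", "["):               # hash ('key' => value, ...) or array (value, ...)
            close, out = ("}", {}) if tok == "{" else ("]", [])
            while toks[pos] != close:
                item = value()
                if tok == "{":
                    if toks[pos] != "=>":
                        raise ValueError("expected '=>' after hash key %r" % (item,))
                    pos += 1
                    out[item] = value()
                else:
                    out.append(item)
                if toks[pos] == ",":
                    pos += 1
            pos += 1
            return out
        if tok.startswith("'"):             # single-quoted string with \' and \\ escapes
            return tok[1:-1].replace("\\'", "'").replace("\\\\", "\\")
        if tok == "undef":
            return None
        return float(tok) if "." in tok else int(tok)

    return value()

def collect_md5s(node):
    """Return every 'md5' digest recorded anywhere in a parsed fingerprint."""
    if isinstance(node, dict):
        own = {node["md5"]} if "md5" in node else set()
        return own.union(*(collect_md5s(v) for v in node.values()))
    if isinstance(node, list):
        return set().union(*(collect_md5s(v) for v in node))
    return set()

def summarize(log_text, tested_urls, benign_md5s):
    """Map each tested URL to 'OK' (no compromise warning names it) or to a FAIL verdict
    that says whether the changed files still need a manual look in /tmp/changes.txt."""
    verdicts = {url: "OK" for url in tested_urls}
    for level, msg in split_records(log_text):
        m = COMPROMISE_RE.search(msg) if level == "WARN" else None
        if m:
            unknown = sorted(collect_md5s(parse_dumper(m.group("dump"))) - set(benign_md5s))
            verdicts[m.group("url")] = ("FAIL - unknown md5 " + ", ".join(unknown) + ", review /tmp/changes.txt"
                                        if unknown else "FAIL - all changed files allowlisted (probable false positive)")
    return verdicts

# Constructed sample log: the first WARN record mirrors the one pasted in this ticket
# (URL, digest and size copied from it); the second session is made up for the example.
SAMPLE_LOG = """\
2007-09-12 13:59:46 WARN [HoneyClient::Manager::runSession] (Manager.pm:717) - VM Compromised. Last Resource (http://www.google.com/) Fingerprint: $VAR1 = {
  'lasturl' => 'http://www.google.com/', 'registry' => [ { 'status' => 2, 'entries' => [ {
  'type' => 'application/octet-stream', 'md5' => 'a414347ca09f25ab4265d88be7fea290', 'size' => '114688' } ] } ],
  'last_resource' => 'http://www.google.com/'
};
2007-09-12 14:05:02 WARN [HoneyClient::Manager::runSession] (Manager.pm:717) - VM Compromised. Last Resource (http://example.test/) Fingerprint: $VAR1 = {
  'lasturl' => 'http://example.test/', 'registry' => [ { 'status' => 2, 'entries' => [ {
  'type' => 'application/octet-stream', 'md5' => '0123456789abcdef0123456789abcdef', 'size' => '4096' } ] } ],
  'last_resource' => 'http://example.test/'
};
"""
TESTED_URLS = ["http://www.google.com/", "http://www.yahoo.com/", "http://example.test/"]
# Digests already examined by hand and judged benign; the ticket's digest is listed here
# only to illustrate the mechanism, not because it has been verified.
BENIGN_MD5S = {"a414347ca09f25ab4265d88be7fea290"}

def triage():
    """Run the summary over the constructed sample; returns the per-URL verdict dict."""
    return summarize(SAMPLE_LOG, TESTED_URLS, BENIGN_MD5S)

if __name__ == "__main__":
    for url, verdict in triage().items():
        print(url, "-", verdict)
```

Run it as a script to get the "google - ..., yahoo - OK, xyz - FAIL" style list; feed `summarize()` your own Manager log, the URLs you submitted and the digests you have personally cleared. A URL is reported OK only because no warning names it, so keep the set of tested URLs complete, and treat "probable false positive" as a hint to re-check the allowlist, not as a final answer.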

