PHP XMLRPC Server for Nepenthes

What it does, in short:

  1. It makes use of apache, php, epi xmlrpc and mysql to
    1. accept connections from submit-xmlrpc
    2. check whether the file offered by submit-xmlrpc is already known (the hash is stored in mysql)
      1. accept new files and store them on disk
      2. reject known files and store the attacker information in sql
    3. it can also store geolocation information about the attacker that nepenthes retrieved itself using the geolocation modules

Requirements

  • apache with php support
  • mysql database
  • php
    • with epi xmlrpc support, verify using phpinfo()
    • with mysql support, verify using phpinfo()
  • nepenthes running submit-xmlrpc

Installation

php scripts

Get the scripts.
documentation:tools:phpxmlrpc_server:phpxmlrpc_server_rev_2187.tar.bz2

Put nepenthes_xmlrpc_server wherever you want it.

modify the scripts

You will want to change the path under which the files are saved, in server.php at line 116:

                // "/my/storage/" is the directory the samples are written to; change it to yours
                $f = fopen("/my/storage/".$hash,"wb");
                fwrite($f,$binary->scalar);
                fclose($f);

mysql

create the tables

-- phpMyAdmin SQL Dump
-- version 2.6.4-pl3
-- http://www.phpmyadmin.net
-- 
-- Host: pr-db2
-- Generation Time: Nov 03, 2005 at 01:39 PM
-- Server version: 4.1.12
-- PHP Version: 4.3.9
-- 
-- Database: `nepenthes`
-- 
CREATE DATABASE `nepenthes` DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;
USE nepenthes;
 
-- --------------------------------------------------------
 
-- 
-- Table structure for table `Hit`
-- 
 
CREATE TABLE `Hit` (
  `HitID` int(10) UNSIGNED NOT NULL AUTO_INCREMENT,
  `Hash` varchar(32) NOT NULL DEFAULT '',
  `SeenDate` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `Url` tinytext NOT NULL,
  `AttackerIP` int(10) NOT NULL DEFAULT '0',
  `AttackerLat` float NOT NULL DEFAULT '0',
  `AttackerLng` float NOT NULL DEFAULT '0',
  `AttackerCountry` varchar(64) NOT NULL DEFAULT '',
  `AttackerCountryShort` char(3) NOT NULL DEFAULT '',
  `AttackerCity` varchar(64) NOT NULL DEFAULT '',
  PRIMARY KEY  (`HitID`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=215357 ;
 
-- --------------------------------------------------------
 
-- 
-- Table structure for table `Malware`
-- 
 
CREATE TABLE `Malware` (
  `Hash` varchar(32) NOT NULL DEFAULT '',
  `FirstSeenDate` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `LastSeenDate` int(10) UNSIGNED NOT NULL DEFAULT '0',
  `HitCount` int(10) UNSIGNED NOT NULL DEFAULT '0',
  PRIMARY KEY  (`Hash`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

Configure mysql credentials

Edit config.inc.php to fit your needs; the format is borrowed from phpMyAdmin.

verify the path exists

set the server URL in submit-xmlrpc

submit-xmlrpc
{
    server    "<url_to_server>";
    pipeline  "0";
};

see it working

in the wild

Once nepenthes has downloaded a file, you can see it trying to upload the file to the server.

debug

To debug this without having to wait for an attacker, we will:

  • accept all downloaded files, without checking the file type
  • enable an example module so we can ‘download’ files from /dev/urandom

disable strictfiletype in nepenthes.conf

debug config changes

...
    submitmanager
    {
        strictfiletype              "0";
        ...

Enable the x-2 and x-3 modules in nepenthes.conf: x-2 offers a download shell, x-3 registers a handler that lets us download files from /dev/urandom.

// eXample modules for testing - disabled by default
//  "x1.so",                       "x-1.conf",                     "",
  "x2.so",                       "x-2.conf",                     "",
  "x3.so",                       "",                     "",

running debug

start nepenthes

connect to the x-2 module and start a download from /dev/urandom

telnet localhost 10002
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Welcome to dong Shell
download file://localhost:53421//dev/urandom

The nepenthes debug console will look like this:

[ crit module ] Downloading file from "file://localhost:53421//dev/urandom"
[ spam mgr event ] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>
[ spam handler event module ] <in virtual uint32_t nepenthes::LogDownload::handleEvent(nepenthes::Event*)>
[ spam down mgr ] Checking Host localhost for locality
[ info down mgr ] Handler urandom download handler will download file://localhost:53421//dev/urandom
[ debug spam fixme ] <in nepenthes::FILESocket::FILESocket(nepenthes::Nepenthes*, char*, int32_t)>
[ debug spam fixme ] <in virtual bool nepenthes::FILESocket::Init()>
[ spam net handler ] <in virtual bool nepenthes::TCPSocket::doRespond(char*, uint32_t)>
[ spam net handler ] <in virtual int32_t nepenthes::TCPSocket::doWrite(char*, uint32_t)>
[ debug spam fixme ] <in virtual int32_t nepenthes::FILESocket::doRecv()>
[ debug info fixme ] read 2048 bytes from /dev/urandom
[ debug net handler ] giving data to X2Dialogue
[ debug net handler ] sended 24 from 24 bytes
[ spam net handler ] done sending 24 bytes
[ debug spam fixme ] <in virtual int32_t nepenthes::FILESocket::doRecv()>
...
[ debug spam fixme ] <in virtual int32_t nepenthes::FILESocket::doRecv()>
[ debug info fixme ] read 2048 bytes from /dev/urandom
[ spam mgr submit ] Download has flags 0
[ info mgr submit ] File 2c38667e71af3923ceee8313458a0cff has type data
[ spam mgr event ] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>
[ spam handler event module ] <in virtual uint32_t nepenthes::LogDownload::handleEvent(nepenthes::Event*)>
[ debug handler submit ] wrote file var/binaries/2c38667e71af3923ceee8313458a0cff 55296 to disk
[ debug net mgr ] Deleting Socket UKN  (accept) 0.0.0.0:0 -> 0.0.0.0:0 due to closed connection

Then the submit-xmlrpc module kicks in.

[ debug spam fixme ] <in virtual void nepenthes::SubmitXMLRPC::Submit(nepenthes::Download*)>
State is 0
[ info down mgr ] Handler  will upload http://nepenthes.sourceforge.net/playground_epixmlrpc/sample/server.php

resolving your server's domain

[ debug spam fixme ] addDNS: Adding DNS nepenthes.sourceforge.net for ()
[ debug spam fixme ] <in virtual bool nepenthes::DNSResolverADNS::resolveDNS(nepenthes::DNSQuery*)>
[ debug spam fixme ] <in virtual uint32_t nepenthes::DNSResolverADNS::handleEvent(nepenthes::Event*)>
[ debug spam fixme ] 1 DNS Resolves in Queue
[ debug net mgr ] Deleting Socket UKN  (accept) 0.0.0.0:0 -> 0.0.0.0:0 due to closed connection
[ debug spam fixme ] <in virtual uint32_t nepenthes::DNSResolverADNS::handleEvent(nepenthes::Event*)>
[ debug spam fixme ] 1 DNS Resolves in Queue
[ debug fixme ] resolved dns nepenthes.sourceforge.net (0 left)
[ debug spam fixme ]  1 resolves
[ debug spam fixme ] result '0 66.35.250.209
[ debug fixme ] url nepenthes.sourceforge.net resolved 1 for 8095750

connecting to the server

[ spam net mgr ] <in virtual nepenthes::Socket* nepenthes::SocketManager::connectTCPHost(uint32_t, uint32_t, uint16_t, time_t)>
[ debug net handler ] Connecting 0.0.0.0 -> 66.35.250.209:80
[ spam net handler ] <in virtual void nepenthes::TCPSocket::setStatus(socket_state)>

send the session request (init_session)

[ spam net handler ] <in virtual bool nepenthes::TCPSocket::doRespond(char*, uint32_t)>
[ spam net handler ] <in virtual int32_t nepenthes::TCPSocket::doWrite(char*, uint32_t)>
[ spam net handler ] <in virtual bool nepenthes::TCPSocket::doRespond(char*, uint32_t)>
[ spam net handler ] <in virtual int32_t nepenthes::TCPSocket::doWrite(char*, uint32_t)>
[ spam down mgr ] SENDING POST /playground_epixmlrpc/sample/server.php HTTP/1.0
Host: nepenthes.sourceforge.net
Accept: */*
Accept-Encoding: deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: close
Content-Length: 392

<methodCall><methodName>init_session</methodName><params><param><value><string>md</string></value></param><param><value><string>test</string></value></param><param><value><dateTime.iso8601>20050816T05:22:17</dateTime.iso8601></value></param><struct><member><name>clientsoftware</name><value><string>Nepenthes submit-xmlrpc $Rev: 2078 $</string></value></member></struct></params></methodCall>
[ debug net handler ] giving data to
[ debug net handler ] sended 233 from 233 bytes
[ debug net handler ] giving data to
[ debug net handler ] sended 392 from 392 bytes
[ spam net handler ] done sending 625 bytes

receive the answer

[ spam net handler ] <in virtual int32_t nepenthes::TCPSocket::doRecv()>
[ spam mgr event ] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>
[ spam net handler ] doRecv() 341
[ spam down mgr ] <in virtual nepenthes::ConsumeLevel nepenthes::HTTPUPDialogue::incomingData(nepenthes::Message*)>
[ spam net handler ] <in virtual int32_t nepenthes::TCPSocket::doRecv()>
[ spam mgr event ] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>
[ spam net handler ] doRecv() 0
[ spam down mgr ] <in virtual nepenthes::ConsumeLevel nepenthes::HTTPUPDialogue::connectionShutdown(nepenthes::Message*)>
[ debug net handler ] Dialogue  inactive, returned CL_DROP
[ debug net handler ] Socket TCP  (connect) 66.35.250.209:80 -> 0.0.0.0:42382
 has no active Dialogues left, closing
[ debug net handler ] Connection Socket TCP  (connect) 66.35.250.209:80 -> 0.0.0.0:42382 CLOSED
[ debug net mgr ] Deleting Socket TCP  (connect) 66.35.250.209:80 -> 0.0.0.0:42382 due to closed connection
[ spam net handler ] <in virtual nepenthes::TCPSocket::~TCPSocket()>
[ spam net handler ] Socket TCP  (connect) 66.35.250.209:80 -> 0.0.0.0:42382 clearing DialogueList (1 entries)
[ spam net handler ]    Removing Dialog ""
[ spam down mgr ] FOUND HEADER (size 165)
[ spam down mgr ] HTTP/1.1 200 OK
Date: Wed, 30 Nov 2005 14:27:01 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.10
X-Powered-By: PHP/4.3.10
Connection: close
Content-Type: text/html
[ debug spam fixme ] <in virtual void nepenthes::SubmitXMLRPC::uploadSuccess(nepenthes::UploadResult*)>
[ debug spam fixme ] CS_INIT_SESSION (174 bytes)
<?xml version="1.0" encoding="iso-8859-1"?>
<methodResponse>
<params>
 <param>
  <value>
   <string>XXXSessionIDXXX</string>
  </value>
 </param>
</params>
</methodResponse>

offer the malware

[ info down mgr ] Handler  will upload http://nepenthes.sourceforge.net/playground_epixmlrpc/sample/server.php
[ debug spam fixme ] addDNS: Adding DNS nepenthes.sourceforge.net for ()
[ debug spam fixme ] <in virtual bool nepenthes::DNSResolverADNS::resolveDNS(nepenthes::DNSQuery*)>
[ debug spam fixme ] <in virtual nepenthes::DownloadUrl::~DownloadUrl()>
[ spam mgr event ] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>
[ debug spam fixme ] <in virtual uint32_t nepenthes::DNSResolverADNS::handleEvent(nepenthes::Event*)>
[ debug spam fixme ] 1 DNS Resolves in Queue
[ debug fixme ] resolved dns nepenthes.sourceforge.net (0 left)
[ debug spam fixme ]  1 resolves
[ debug spam fixme ] result '0 66.35.250.209
[ debug fixme ] url nepenthes.sourceforge.net resolved 1 for 8093c38
[ spam net mgr ] <in virtual nepenthes::Socket* nepenthes::SocketManager::connectTCPHost(uint32_t, uint32_t, uint16_t, time_t)>
[ debug net handler ] Connecting 0.0.0.0 -> 66.35.250.209:80
[ spam net handler ] <in virtual void nepenthes::TCPSocket::setStatus(socket_state)>
[ spam net handler ] <in virtual bool nepenthes::TCPSocket::doRespond(char*, uint32_t)>
[ spam net handler ] <in virtual int32_t nepenthes::TCPSocket::doWrite(char*, uint32_t)>
[ spam net handler ] <in virtual bool nepenthes::TCPSocket::doRespond(char*, uint32_t)>
[ spam net handler ] <in virtual int32_t nepenthes::TCPSocket::doWrite(char*, uint32_t)>
[ spam down mgr ] SENDING POST /playground_epixmlrpc/sample/server.php HTTP/1.0
Host: nepenthes.sourceforge.net
Accept: */*
Accept-Encoding: deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: close
Content-Length: 529

<methodCall><methodName>offer_malware</methodName><params><param><value><string>(not found)</string></value></param><param><value><string>b3e63bcc91b79b462a40ddc33a786bbe</string></value></param><param><value><dateTime.iso8601>20050816T05:22:17</dateTime.iso8601></value></param><param><value><struct><member><name>AttackerIP</name><value><string>127.0.0.1</string></value></member><member><name>Url</name><value><string>file://localhost:53421//dev/urandom</string></value></member></struct></value></param></params></methodCall>
[ debug net handler ] giving data to
[ debug net handler ] sended 233 from 233 bytes
[ debug net handler ] giving data to
[ debug net handler ] sended 529 from 529 bytes
[ spam net handler ] done sending 762 bytes
[ spam net handler ] <in virtual int32_t nepenthes::TCPSocket::doRecv()>
[ spam mgr event ] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>

receive the offer response

[ spam net handler ] doRecv() 329
[ spam down mgr ] <in virtual nepenthes::ConsumeLevel nepenthes::HTTPUPDialogue::incomingData(nepenthes::Message*)>
[ spam net handler ] <in virtual int32_t nepenthes::TCPSocket::doRecv()>
[ spam mgr event ] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>
[ spam net handler ] doRecv() 0
[ spam down mgr ] <in virtual nepenthes::ConsumeLevel nepenthes::HTTPUPDialogue::connectionShutdown(nepenthes::Message*)>
[ debug net handler ] Dialogue  inactive, returned CL_DROP
[ debug net handler ] Socket TCP  (connect) 66.35.250.209:80 -> 0.0.0.0:42383
 has no active Dialogues left, closing
[ debug net handler ] Connection Socket TCP  (connect) 66.35.250.209:80 -> 0.0.0.0:42383 CLOSED
[ debug net mgr ] Deleting Socket TCP  (connect) 66.35.250.209:80 -> 0.0.0.0:42383 due to closed connection
[ spam net handler ] <in virtual nepenthes::TCPSocket::~TCPSocket()>
[ spam net handler ] Socket TCP  (connect) 66.35.250.209:80 -> 0.0.0.0:42383 clearing DialogueList (1 entries)
[ spam net handler ]    Removing Dialog ""
[ spam down mgr ] FOUND HEADER (size 165)
[ spam down mgr ] HTTP/1.1 200 OK
Date: Wed, 30 Nov 2005 14:27:05 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.10
X-Powered-By: PHP/4.3.10
Connection: close
Content-Type: text/html
[ debug spam fixme ] <in virtual void nepenthes::SubmitXMLRPC::uploadSuccess(nepenthes::UploadResult*)>
[ debug spam fixme ] CS_OFFER_MALWARE (162 bytes)
<?xml version="1.0" encoding="iso-8859-1"?>
<methodResponse>
<params>
 <param>
  <value>
   <boolean>1</boolean>
  </value>
 </param>
</params>
</methodResponse>

upload the malware

[ info down mgr ] Handler  will upload http://nepenthes.sourceforge.net/playground_epixmlrpc/sample/server.php
[ debug spam fixme ] addDNS: Adding DNS nepenthes.sourceforge.net for ()
[ debug spam fixme ] <in virtual bool nepenthes::DNSResolverADNS::resolveDNS(nepenthes::DNSQuery*)>
[ debug spam fixme ] <in virtual nepenthes::DownloadUrl::~DownloadUrl()>
[ spam mgr event ] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>
[ debug spam fixme ] <in virtual uint32_t nepenthes::DNSResolverADNS::handleEvent(nepenthes::Event*)>
[ debug spam fixme ] 1 DNS Resolves in Queue
[ debug fixme ] resolved dns nepenthes.sourceforge.net (0 left)
[ debug spam fixme ]  1 resolves
[ debug spam fixme ] result '0 66.35.250.209
[ debug fixme ] url nepenthes.sourceforge.net resolved 1 for 8095750
[ spam net mgr ] <in virtual nepenthes::Socket* nepenthes::SocketManager::connectTCPHost(uint32_t, uint32_t, uint16_t, time_t)>
[ debug net handler ] Connecting 0.0.0.0 -> 66.35.250.209:80
[ spam net handler ] <in virtual void nepenthes::TCPSocket::setStatus(socket_state)>
[ spam net handler ] <in virtual bool nepenthes::TCPSocket::doRespond(char*, uint32_t)>
[ spam net handler ] <in virtual int32_t nepenthes::TCPSocket::doWrite(char*, uint32_t)>
[ spam net handler ] <in virtual bool nepenthes::TCPSocket::doRespond(char*, uint32_t)>
[ spam net handler ] <in virtual int32_t nepenthes::TCPSocket::doWrite(char*, uint32_t)>
[ spam down mgr ] SENDING POST /playground_epixmlrpc/sample/server.php HTTP/1.0
Host: nepenthes.sourceforge.net
Accept: */*
Accept-Encoding: deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: close
Content-Length: 74223

(request body removed due to size)

[ debug net handler ] giving data to
[ debug net handler ] sended 235 from 235 bytes
[ debug net handler ] giving data to
[ debug net handler ] sended 11584 from 74223 bytes
[ debug net handler ] cutted packet has size 62639
[ spam net handler ] done sending 11819 bytes
[ debug net handler ] giving data to
[ debug net handler ] sended 23032 from 62639 bytes
[ debug net handler ] cutted packet has size 39607
[ spam net handler ] done sending 23032 bytes
[ debug net handler ] giving data to
[ debug net handler ] sended 30240 from 39607 bytes
[ debug net handler ] cutted packet has size 9367
[ spam net handler ] done sending 30240 bytes
[ debug net handler ] giving data to
[ debug net handler ] sended 9367 from 9367 bytes
[ spam net handler ] done sending 9367 bytes
[ spam net handler ] <in virtual int32_t nepenthes::TCPSocket::doRecv()>
[ spam mgr event ] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>

receive the upload response to see whether the upload was successful

[ spam net handler ] doRecv() 328
[ spam down mgr ] <in virtual nepenthes::ConsumeLevel nepenthes::HTTPUPDialogue::incomingData(nepenthes::Message*)>
[ spam net handler ] <in virtual int32_t nepenthes::TCPSocket::doRecv()>
[ spam mgr event ] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>
[ spam net handler ] doRecv() 0
[ spam down mgr ] <in virtual nepenthes::ConsumeLevel nepenthes::HTTPUPDialogue::connectionShutdown(nepenthes::Message*)>
[ debug net handler ] Dialogue  inactive, returned CL_DROP
[ debug net handler ] Socket TCP  (connect) 66.35.250.209:80 -> 0.0.0.0:42384
 has no active Dialogues left, closing
[ debug net handler ] Connection Socket TCP  (connect) 66.35.250.209:80 -> 0.0.0.0:42384 CLOSED
[ debug net mgr ] Deleting Socket TCP  (connect) 66.35.250.209:80 -> 0.0.0.0:42384 due to closed connection
[ spam net handler ] <in virtual nepenthes::TCPSocket::~TCPSocket()>
[ spam net handler ] Socket TCP  (connect) 66.35.250.209:80 -> 0.0.0.0:42384 clearing DialogueList (1 entries)
[ spam net handler ]    Removing Dialog ""
[ spam down mgr ] FOUND HEADER (size 165)
[ spam down mgr ] HTTP/1.1 200 OK
Date: Wed, 30 Nov 2005 14:27:09 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.10
X-Powered-By: PHP/4.3.10
Connection: close
Content-Type: text/html
[ debug spam fixme ] <in virtual void nepenthes::SubmitXMLRPC::uploadSuccess(nepenthes::UploadResult*)>
[ debug spam fixme ] CS_SEND_MALWARE (161 bytes)
<?xml version="1.0" encoding="iso-8859-1"?>
<methodResponse>
<params>
 <param>
  <value>
   <string>Ok</string>
  </value>
 </param>
</params>
</methodResponse>


[ debug fixme ] Submit-XMLRPC was Ok
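The whole exchange the log above walks through (init_session, offer_malware and the upload), together with the accept/reject logic from the overview at the top of the page, as an added example; it is not part of this page and not the nepenthes project's server.php. It is written in Python rather than PHP so that it runs stand-alone: SQLite stands in for MySQL with a schema adapted from the dump above, the credentials md/test are the ones the logged init_session call carries and are assumed to be what config.inc.php would hold, and the upload step's method name send_malware and its parameters (session id, hash, base64 binary) are assumptions, since the page removed that request body. The init_session request is copied verbatim from the log; the sample bytes and attacker info in run_demo are constructed.

```python
import hashlib, secrets, sqlite3, tempfile, time, xmlrpc.client
from pathlib import Path
# Schema adapted from the page's MySQL dump to SQLite (same names, simpler types, one geo column).
SCHEMA = """
CREATE TABLE Malware (Hash TEXT PRIMARY KEY, FirstSeenDate INTEGER NOT NULL,
    LastSeenDate INTEGER NOT NULL, HitCount INTEGER NOT NULL DEFAULT 0);
CREATE TABLE Hit (HitID INTEGER PRIMARY KEY AUTOINCREMENT, Hash TEXT NOT NULL,
    SeenDate INTEGER NOT NULL, Url TEXT NOT NULL, AttackerIP TEXT NOT NULL,
    AttackerCountryShort TEXT NOT NULL DEFAULT '');
"""
CREDENTIALS = ("md", "test")  # assumption: what server.php reads from config.inc.php
METHODS = ("init_session", "offer_malware", "send_malware")  # send_malware: assumed name
# The init_session request exactly as the debug log on this page shows it.
INIT_SESSION_XML = (
    "<methodCall><methodName>init_session</methodName><params>"
    "<param><value><string>md</string></value></param>"
    "<param><value><string>test</string></value></param>"
    "<param><value><dateTime.iso8601>20050816T05:22:17</dateTime.iso8601></value></param>"
    "<struct><member><name>clientsoftware</name><value><string>Nepenthes submit-xmlrpc"
    " $Rev: 2078 $</string></value></member></struct></params></methodCall>")

class SampleStore:
    def __init__(self, storage_dir, db_path=":memory:"):
        self.storage = Path(storage_dir)  # existing directory, cf. server.php line 116
        self.db = sqlite3.connect(db_path)
        self.db.executescript(SCHEMA)
        self.sessions = set()
        self.pending = {}  # session id -> hash the client was told to upload

    def init_session(self, user, password, when, client):
        if (user, password) != CREDENTIALS:
            raise xmlrpc.client.Fault(401, "bad credentials")
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        return sid

    def offer_malware(self, sid, md5hex, when, info):
        """Record the hit; answer True only if the sample is still unknown."""
        if sid not in self.sessions:
            raise xmlrpc.client.Fault(403, "no session")
        md5hex, now = md5hex.lower(), int(time.time())
        self.db.execute("INSERT INTO Hit (Hash, SeenDate, Url, AttackerIP, AttackerCountryShort)"
                        " VALUES (?,?,?,?,?)", (md5hex, now, info.get("Url", ""),
                        info.get("AttackerIP", ""), info.get("AttackerCountryShort", "")))
        if self.db.execute("SELECT 1 FROM Malware WHERE Hash=?", (md5hex,)).fetchone():
            self.db.execute("UPDATE Malware SET LastSeenDate=?, HitCount=HitCount+1"
                            " WHERE Hash=?", (now, md5hex))
            self.db.commit()
            return False  # known sample: rejected, attacker info kept
        self.db.commit()
        self.pending[sid] = md5hex
        return True  # new sample: the client may upload it now

    def send_malware(self, sid, md5hex, binary):
        """Store the bytes under the MD5 of what actually arrived, not the claimed one."""
        if self.pending.get(sid) != md5hex.lower():
            raise xmlrpc.client.Fault(409, "sample was not offered, or is already known")
        real = hashlib.md5(binary.data).hexdigest()  # <base64> arrives as xmlrpc.client.Binary
        if real != md5hex.lower():
            raise xmlrpc.client.Fault(400, "hash mismatch")
        (self.storage / real).write_bytes(binary.data)
        now = int(time.time())
        self.db.execute("INSERT INTO Malware VALUES (?,?,?,1)", (real, now, now))
        self.db.commit()
        del self.pending[sid]
        return "Ok"

    def dispatch(self, request_xml):
        """One HTTP POST body in, one <methodResponse> (or <fault>) body out."""
        params, name = xmlrpc.client.loads(request_xml)
        if name not in METHODS:
            return xmlrpc.client.dumps(xmlrpc.client.Fault(404, "unknown method"))
        try:
            return xmlrpc.client.dumps((getattr(self, name)(*params),), methodresponse=True)
        except xmlrpc.client.Fault as fault:
            return xmlrpc.client.dumps(fault)

def call(store, name, *params):
    # Client side: marshal, push through the server, unmarshal; a fault comes back as its code.
    try:
        return xmlrpc.client.loads(store.dispatch(xmlrpc.client.dumps(params, methodname=name)))[0][0]
    except xmlrpc.client.Fault as fault:
        return fault.faultCode

def run_demo():
    """Constructed walk-through: a new sample, the same one again, then a tampered upload."""
    store = SampleStore(tempfile.mkdtemp())
    sid = xmlrpc.client.loads(store.dispatch(INIT_SESSION_XML))[0][0]
    sample = b"constructed sample, not real malware\x00\x01"
    digest = hashlib.md5(sample).hexdigest()
    info = {"AttackerIP": "127.0.0.1", "Url": "file://localhost:53421//dev/urandom"}
    when = "20050816T05:22:17"
    first = call(store, "offer_malware", sid, digest, when, info)
    upload = call(store, "send_malware", sid, digest, xmlrpc.client.Binary(sample))
    second = call(store, "offer_malware", sid, digest, when, info)
    other = hashlib.md5(b"another constructed sample").hexdigest()
    call(store, "offer_malware", sid, other, when, info)  # accepted, but then...
    tampered = call(store, "send_malware", sid, other, xmlrpc.client.Binary(b"different bytes"))
    hits = store.db.execute("SELECT HitCount FROM Malware WHERE Hash=?", (digest,)).fetchone()[0]
    return {"first_offer": first, "upload": upload, "second_offer": second, "hits": hits,
            "stored": (store.storage / digest).read_bytes() == sample, "tampered": tampered}
```

Call run_demo() to see the walk-through's results. Two checks matter here whatever language the real server is written in: an upload is accepted only when an offer for that hash was answered with boolean 1 in the same session (that is what the offer_malware response is for), and the file is written under the MD5 of the bytes that actually arrived and compared with the offered hash, so a misbehaving client cannot get one sample stored under another sample's hash. The 32-hex-character Hash column and the hash in the log are MD5 digests, which is why the example uses MD5 as the lookup key; it is a lookup key here, not a security primitive.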
 
documentation/tools/phpxmlrpc_server.txt · Last modified: 2006/02/17 14:01
 