<div>
Commonly, a log should exist that identifies the binary and its source.<br />
<br />
If this is what you deployed, <a href="http://dtag-dev-sec.github.io/mediator/feature/2015/03/17/concept.html" rel="ugc">http://dtag-dev-sec.github.io/mediator/feature/2015/03/17/concept.html</a><br />
/data/EWS <br />
<br />
Seems to be the log location.<br />
<br />
Not sure whether detection/reporting is configurable ......
</div>


Commonly, a log should exist that identifies the binary and its source.

If this is what you deployed, http://dtag-dev-sec.github.io/mediator/feature/2015/03/17/concept.html [http://dtag-dev-sec.github.io/mediator/feature/2015/03/17/concept.html]
/data/EWS

Seems to be the log location.

Not sure whether detection/reporting is configurable ......

<div>
Thanks arnold,<br />
<br />
But I could not find out detecting src ip from binary filename(MD5).
</div>


Thanks arnold,

But I could not find out detecting src ip from binary filename(MD5).

<div>
Hello arnold,<br />
<br />
Thank you for the hints.<br />
<br />
I got src ip from sqlite log like following SQL..<br />
<br />
select connections.connection_tim<wbr />estamp,con<wbr />nections.r<wbr />emote_host<wbr />,connectio<wbr />ns.local_p<wbr />ort,downlo<wbr />ads.downlo<wbr />ad_md5_has<wbr />h from connections,downloads where connections.connection=dow<wbr />nloads.con<wbr />nection and connections.local_port='44<wbr />5';<br />
<br />
This case should be closed.
</div>


Hello arnold,

Thank you for the hints.

I got src ip from sqlite log like following SQL..

select connections.connection_timestamp,connections.remote_host,connections.local_port,downloads.download_md5_hash from connections,downloads where connections.connection=downloads.connection and connections.local_port='445';

This case should be closed.

<div>
<div class="content wysiwyg-content">
Hello,<br />
<br />
I am trying to catch malware using T-Pot.<br />
I caught some malware in /data/dionaea/binaries, but I don't know which IP did they come from.<br />
<br />
Please let me know how to determine src ip of each malware(file name is MD5 hash).<br />
<br />
regards,<br />
Nobuo Miwa
</div>
</div>


Hello,

I am trying to catch malware using T-Pot.
I caught some malware in /data/dionaea/binaries, but I don't know which IP did they come from.

Please let me know how to determine src ip of each malware(file name is MD5 hash).

regards,
Nobuo Miwa

T-Pot : how to determine src IP of caught binaries

This topic area includes legacy versions of Windows prior to Windows 2000: Windows 3/3.1, Windows 95 and Windows 98, plus any other Windows-related versions including Windows Mobile.

Windows OS

The cyber security specialization covers the fundamental concepts underlying the construction of secure systems, from the hardware to the software to the human-computer interface, with the use of cryptography to secure interactions. Cyber security refers to the protection of personal or organizational information or information resources from unauthorized access, attacks, theft, or data damage. This includes controlling physical access to the hardware, as well as protecting against the harm that may come via network access, data and code injection, and due to malpractice by operators, whether intentional, accidental, or due to them being tricked into deviating from secure procedures.