
Scan of the Month

Scan 15

The scan for May 2001. The purpose of this month's challenge is to introduce beginners to the world of forensics, specifically file recovery. All submissions are due no later than 17:00 CST, 25 May.

The Challenge:
On 15 March 2001, a Linux honeypot was successfully compromised; a rootkit was downloaded to the / partition and then deleted from the system. Your mission is to find and recover the deleted rootkit. If you are not sure where to begin on conducting this forensic analysis and recovering the rootkit, we highly recommend you start with the Forensic Challenge. The steps you will have to follow for the rootkit recovery are similar to the steps discussed there. We have posted only the / partition for download to keep this challenge simple. The compressed image is 13MB (honeynet.tar.gz), MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21. Once you have downloaded, unzipped, and untarred the partition image, it will be 255 MB and its checksum should be MD5=5a8ebf5725b15e563c825be85f2f852e.

  1. Show step by step how you identify and recover the deleted rootkit from the / partition.
  2. What files make up the deleted rootkit?

Bonus Question:
Was the rootkit ever actually installed on the system? How do you know?

The Results:
This has been the most difficult challenge to judge so far. We received forty outstanding submissions. Almost all of the submissions answered all three questions and were technically correct. We then based our decisions on how easy the submissions were to read and understand, whether the writeup demonstrated all the methods used, and the depth of analysis and information. We did notice some common mistakes. The most common mistake was failing to mount the drive image using the 'noexec' and 'nodev' options. 'noexec' is critical: it prevents the execution of any binaries on the mounted image, including the rootkits or attack tools of the blackhat's arsenal. 'nodev' stops device nodes on the image from being honoured by the kernel, and mounting read-only keeps the evidence itself unaltered.
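As an added worked example (not part of the original Scan 15 page or of any submission), the following POSIX shell scaffold covers the steps the challenge description and the judges' comments above call for: verifying the two posted MD5 checksums, mounting the image read-only with the noexec and nodev options (plus nosuid), and listing and copying out deleted inodes. The image filename honeypot.hda8.dd, the mount point /mnt/evidence, and the use of debugfs (e2fsprogs) and icat (The Sleuth Kit) are assumptions; the two MD5 values are the ones quoted on this page.

```shell
#!/bin/sh
# Added example for Scan 15; not part of the original page or any submission.
# Scaffold of the recovery procedure: verify the image against the posted
# MD5s, mount it read-only with noexec/nodev/nosuid, list deleted inodes.
# Assumptions: honeynet.tar.gz is in the current directory, the extracted
# image is ./honeypot.hda8.dd, the mount point is /mnt/evidence, and
# e2fsprogs (debugfs) and The Sleuth Kit (icat) are installed.

# MD5 values quoted on the challenge page.
TARBALL_MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21
IMAGE_MD5=5a8ebf5725b15e563c825be85f2f852e

# verify_md5 FILE EXPECTED: return 0 only if FILE's MD5 equals EXPECTED.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Mount options for evidence: never write to it (ro), never let anything on
# it execute (noexec) or gain privilege (nosuid), and never honour device
# nodes on it (nodev). 'loop' attaches the flat image file as a block device.
evidence_mount_opts() {
    echo "ro,loop,noexec,nodev,nosuid"
}

# mount_evidence IMAGE MOUNTPOINT EXPECTED_MD5: refuse to mount an image
# whose checksum does not match; otherwise mount it with the safe options.
mount_evidence() {
    if ! verify_md5 "$1" "$3"; then
        echo "checksum mismatch for $1, refusing to mount" >&2
        return 1
    fi
    mkdir -p "$2"
    mount -o "$(evidence_mount_opts)" "$1" "$2"
}

# list_deleted IMAGE: ext2 keeps a deleted inode (with its block pointers)
# until the inode is reused, so debugfs can list deletion time and size.
list_deleted() {
    debugfs -R lsdel "$1"
}

# recover_inode IMAGE INODE OUT: copy the data blocks still referenced by a
# deleted inode into OUT. Works on the image file, not the mounted tree.
recover_inode() {
    icat "$1" "$2" > "$3"
}

# Usage (the mount step needs root):
#   sh recover.sh run
#   recover_inode ./honeypot.hda8.dd <inode-from-lsdel> recovered.bin
if [ "${1:-}" = "run" ]; then
    verify_md5 honeynet.tar.gz "$TARBALL_MD5" || { echo "bad tarball" >&2; exit 1; }
    gunzip -c honeynet.tar.gz | tar xf -
    mount_evidence ./honeypot.hda8.dd /mnt/evidence "$IMAGE_MD5"
    list_deleted ./honeypot.hda8.dd
fi
```

Two points worth noting. Recovery runs against the raw image file, not the mounted tree: the mount exposes only live inodes, while debugfs and icat read the unallocated inodes directly. And noexec only stops the kernel from directly executing a binary that lives on the mount; it does not stop an analyst from feeding a recovered script to an interpreter, so every recovered file is still treated as hostile.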

Writeups from the Honeynet Project members.
For this month's writeup, we are trying something different. Instead of having Honeynet members develop a solution, we asked the top three winners from the Forensic Challenge to submit writeups. All three were more than happy to help; you can find their solutions below.

Writeup from the Security Community
The writeups for this month were outstanding, so we broke the results into categories as follows. We have the Top Five (18 out of 18 points), the Top Seventeen (16 or 17 points out of 18), and then all the remaining submissions (15 points or less). The entries were extremely close; often the only difference was a more in-depth explanation or a format that was easier to read. Congrats to everyone on a job well done!

Top Seventeen

Remaining Twenty-Five entries
