On 15 March. 2001, a Linux honeypot was successfully compromised, a rootkit was
download to the / partition and then deleted from the system. Your mission is to find
and recover the deleted rootkit. If you are not sure where to begin on conducting
this forensic analysis and recover the rootkit, we highly reccommend you start with the
Forensic Challenge. The steps you
will have to follow for the rootkit recovery are similar to the steps discussed there.
We have posted only the / partion for download to keep this challenge simple.
The compressed image is 13MB, (honeynet.tar.gz)
MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21. Once you have downloaded, untarred, and unzipped
the partition image, it will be 255 MB and the checksum should be MD5=5a8ebf5725b15e563c825be85f2f852e.
Show step by step how you identify and recover the deleted rootkit
from the / partition.
What files make up the deleted rootkit?
Was the rootkit ever actually installed on the system? How do you know?
This has been the most difficult challenge to judge so far. We received forty outstanding
submissions. Almost all of the submissions answered all three questions and were technically
correct. We then based our decisions on how easy the submissions were to read and understand,
did the writeup demonstrate all the methods used, and the detail of analysis and information.
We did notice some common mistakes. The most common mistake was failing to mount
the drive images using the 'noexec' and 'nodev' options. 'noexec' is critical, it prevents
the execution of any binaries, including the rootkits or attack tools of the blackhat
Writeups from the Honeynet Project members.
For this month's writeup, we are trying something different. Instead of having Honeynet
members develop a solution, we asked the top three winners from the
Forensic Challenge to submit writeups.
All three were more then happy to help, you can find their solutions below.
Writeup from the Security Community
The writeups for this month were outstanding. So, we broke the results into categories as
follows. We have the Top Five(18 out of 18 points), the Top Seventeen(16 or 17 points out
of 18), and then all the remaining submissions(15 points or less). The entries were extremely
close, often the only difference was a more indepth explanation or the format was easier to read.
Congrats to everyone on a job well done!
Remaining Twenty-Five entries