The Scan of the Month for Scan 15
was to recover a deleted rootkit. Since then, people have asked us a variety
of questions about the attack, such as how did the attackers get in, who were they,
and where did they come from. Instead of us presenting the answers, we challenge
you to determine the answers yourself. You are presented with the binary Snort
capture for the day of March 15. Armed with this log file, and the knowledge
that the system in question is 172.16.1.108, you should be able to answer the
following. (Note, the Honeynet Project has been quoted as saying "The expected
life expectancy of a default RedHat 6.2 server is less than 72 hours. The last
time we attempted to confirm that the system was compromised in less than 8 hours".)
This is the system that was compromised in under 8 hours.
firstname.lastname@example.org, MD5 = 9b68e8ffade74bbf5ce0296a1977d111
email@example.com, MD5 = 8150645db3afa8286af31c6309825f25
- The attackers used the rpc.statd attack to get into the system. What
modifications did they make to the break-in process to both automate it
and make it faster?
- What system/country did the bad guys come in from?
- What nationality are the bad guys, and how were you able to determine this?
- What do the answers to questions #1 and #2 tell us about the tactics the
bad guys are using?
- What did you learn from this challenge?
- How long did this challenge take you?
Can you recover the blackhat's rootkit from the Snort binary log file? If so,
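As an added example (not part of the original challenge or of the writeups linked below), the following Python shows the mechanics of carving a transferred file out of a Snort binary log: it parses the libpcap format that Snort's binary logging writes, keeps only the TCP segments to or from 172.16.1.108, reassembles each flow's payload by sequence number (dropping retransmissions, trimming overlaps and counting holes) and hashes the result so it can be compared with MD5 digests such as the ones above. The capture it runs on is constructed inline; the attacker address 10.0.0.5, the ports, the sequence numbers and the payload are made up for the example.

```python
import hashlib
import socket
import struct
from collections import defaultdict

TARGET = "172.16.1.108"  # the compromised host named in the challenge

def build_frame(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero since parsing ignores them."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet), the format Snort -b writes."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)

def iter_packets(data):
    """Yield (timestamp, frame) from a classic libpcap file (microsecond-resolution magic only)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return (src, dst, sport, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack_from("!H", frame, 16)[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    t = 14 + ihl
    if len(frame) < t + 20:          # truncated frame: no full TCP header to read
        return None
    sport, dport, seq = struct.unpack_from("!HHI", frame, t)
    data_off = (frame[t + 12] >> 4) * 4
    return src, dst, sport, dport, seq, frame[t + data_off:14 + ip_total]

def reassemble_flows(pcap, target=TARGET):
    """Map each one-directional TCP flow touching `target` to (payload, bytes_missing):
    segments ordered by sequence number, retransmissions dropped, overlaps trimmed,
    holes counted rather than silently joined. Sequence wraparound is not handled."""
    segments = defaultdict(dict)  # (src, dst, sport, dport) -> {seq: payload}
    for _ts, frame in iter_packets(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, seq, payload = parsed
        if target not in (src, dst) or not payload:
            continue
        segments[(src, dst, sport, dport)].setdefault(seq, payload)  # keep first copy
    flows = {}
    for key, segs in segments.items():
        buf, nxt, missing = bytearray(), None, 0
        for seq in sorted(segs):
            data = segs[seq]
            if nxt is not None and seq < nxt:
                data = data[nxt - seq:]   # overlap: skip bytes already written
            elif nxt is not None and seq > nxt:
                missing += seq - nxt      # hole: a segment the sensor never saw
            buf += data
            nxt = max(nxt or 0, seq + len(segs[seq]))
        flows[key] = (bytes(buf), missing)
    return flows

def md5_hex(data):
    """MD5 of the carved bytes, to compare with the digests published alongside the challenge."""
    return hashlib.md5(data).hexdigest()

# Constructed sample capture (not the real March 15 log): a file pushed to the compromised
# host from a made-up attacker address, delivered out of order with one retransmission,
# plus an unrelated conversation between two other hosts that the target filter must drop.
ATTACKER = "10.0.0.5"
_PARTS, _SEQS = [b"part one|", b"part two|", b"part three"], [1000, 1009, 1018]
SAMPLE_PCAP = build_pcap([
    build_frame(ATTACKER, TARGET, 80, 1025, _SEQS[0], _PARTS[0]),
    build_frame("10.0.0.1", "10.0.0.2", 22, 40000, 5000, b"unrelated"),
    build_frame(ATTACKER, TARGET, 80, 1025, _SEQS[2], _PARTS[2]),  # arrives early
    build_frame(ATTACKER, TARGET, 80, 1025, _SEQS[1], _PARTS[1]),
    build_frame(ATTACKER, TARGET, 80, 1025, _SEQS[1], _PARTS[1]),  # retransmission
])

def recover_sample():
    """Carve the transferred bytes from SAMPLE_PCAP and hash them."""
    data, missing = reassemble_flows(SAMPLE_PCAP)[(ATTACKER, TARGET, 80, 1025)]
    return data, missing, md5_hex(data)

if __name__ == "__main__":
    data, missing, digest = recover_sample()
    print(f"{len(data)} bytes recovered, {missing} missing, md5 {digest}")
```

On a real log you would read the file into `data` and call `reassemble_flows(data)`, then look at the flows whose `bytes_missing` is zero before trusting a digest: a single dropped packet on the sensor leaves a hole, and the MD5 of a file with a hole will never match the published value, which is the usual reason a "recovered" rootkit fails to verify.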
Writeup from the Honeynet Project members.
Writeup from the Security Community
For this month's challenge we received 26 submissions. It was extremely
difficult determining the Top Three as many of the submissions were outstanding.
What made this challenge so interesting was all of the different ways
people conducted their analysis. For those of you who spent hours
attempting to recover the rootkit from the log file, you are going to
kick yourselves. Also, to save disk space, we deleted the rootkit from
everyone's submission; the same file listed 20 times fills drive space.
You can download the recovered rootkit from the team's writeup, linked above.
We hope everyone had fun, great job!