
Scan of the Month

Scan 18

The Scan 15 challenge was to recover a deleted rootkit from a compromised Linux partition. This month's scan is to decode and analyze the Snort binary capture of that same attack. All submissions are due no later than 17:00 CST, Friday, 21 September. Results will be released Monday, 24 September.

The Challenge:
The Scan of the Month for Scan 15 was to recover a deleted rootkit. Since then, people have asked us a variety of questions about the attack, such as how the attackers got in, who they were, and where they came from. Instead of us presenting the answers, we challenge you to determine the answers yourself. You are presented with the binary Snort capture for the day of March 15. Armed with this log file, and knowing what the system in question is, you should be able to answer the following. (Note: the Honeynet Project has been quoted as saying "The expected life expectancy of a default RedHat 6.2 server is less than 72 hours. The last time we attempted to confirm that, the system was compromised in less than 8 hours." This is the system that was compromised in under 8 hours.)

snort-0315@0005.log.tar.gz, MD5 = 9b68e8ffade74bbf5ce0296a1977d111, MD5 = 8150645db3afa8286af31c6309825f25

  1. The attackers used an rpc.statd attack to get into the system. What modifications did they make to the break-in process to both automate it and make it faster?
  2. What system/country did the bad guys come in from?
  3. What nationality are the bad guys, and how were you able to determine this?
  4. What do the answers to questions #1 and #2 tell us about the tactics the bad guys are using?
  5. What did you learn from this challenge?
  6. How long did this challenge take you?
Bonus Question:
Can you recover the blackhat's rootkit from the Snort binary log file? If so, how?
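The Snort binary log (what `snort -b` writes) is a tcpdump/libpcap file, so the usual route is `tcpdump -r` or `snort -r` to decode it and then follow the TCP session in which the rootkit was fetched. The following is an added example, not the Honeynet Project's code and not a solution to Scan 18: it shows the recovery step itself in the Python standard library, parsing a libpcap file, reassembling each one-directional TCP flow by sequence number (out-of-order segments, retransmissions and holes handled), and carving any complete gzip member out of the reassembled stream. It assumes Ethernet framing (link type 1) and IPv4, and builds a small synthetic capture so it runs offline; the flow addresses, ports and the tar.gz contents are constructed for the demonstration. To run it against a real capture, pass the file's bytes to `recover_gzip_files`.

```python
"""Carve a gzip archive out of a libpcap capture by reassembling TCP payload.

Added example with constructed data; not the Honeynet Project's code and the
synthetic capture built below does not reproduce the Scan 18 log."""
import io
import struct
import tarfile
import zlib
from collections import defaultdict

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM = deflate


def parse_pcap(data):
    """Yield raw link-layer frames from a libpcap (tcpdump-format) capture held in memory."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap capture")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB: this example only decodes Ethernet
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return ((src, sport, dst, dport), seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ip = frame[14:]
    if ip[9] != 6:  # not TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return (src, sport, dst, dport), seq, tcp[data_off:]


def reassemble_streams(pcap_bytes):
    """Stitch each one-directional TCP flow back together by sequence number.

    Out-of-order segments are sorted, exact retransmissions are dropped, overlapping
    segments contribute only their new tail, and holes (lost packets) are zero-filled
    so later data keeps its true offset. Sequence-number wraparound is ignored."""
    segments = defaultdict(dict)  # flow -> {seq: payload}
    for frame in parse_pcap(pcap_bytes):
        seg = tcp_segment(frame)
        if seg and seg[2]:
            flow, seq, payload = seg
            segments[flow].setdefault(seq, payload)
    streams = {}
    for flow, by_seq in segments.items():
        base, buf = min(by_seq), bytearray()
        for seq in sorted(by_seq):
            rel = seq - base
            if rel > len(buf):
                buf += b"\x00" * (rel - len(buf))
            buf += by_seq[seq][len(buf) - rel:]
        streams[flow] = bytes(buf)
    return streams


def carve_gzip(stream):
    """Return [(offset, decompressed_bytes)] for every complete gzip member in stream."""
    hits, pos = [], stream.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper only
        try:
            out = d.decompress(stream[pos:])
            if d.eof:  # CRC32/ISIZE trailer seen; a truncated member leaves eof False
                hits.append((pos, out))
        except zlib.error:
            pass  # false positive on the 3-byte magic, or corrupted data
        pos = stream.find(GZIP_MAGIC, pos + 1)
    return hits


def recover_gzip_files(pcap_bytes):
    """[(flow, offset_in_stream, decompressed_bytes)] across all reassembled flows."""
    return [(flow, off, blob)
            for flow, stream in reassemble_streams(pcap_bytes).items()
            for off, blob in carve_gzip(stream)]


def tar_member_names(blob):
    return tarfile.open(fileobj=io.BytesIO(blob), mode="r:").getnames()


# ---- constructed sample capture (synthetic, for the demonstration only) ----
def _frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame; checksums are left zero because the parser ignores them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def make_sample_capture():
    """A small tar.gz sent in 32-byte segments, two swapped, the first retransmitted,
    plus a payload-less ACK in the reverse direction. Addresses and ports are made up."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        body = b"#!/bin/sh\necho 'constructed sample, not a real rootkit'\n"
        info = tarfile.TarInfo("rk/install")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    tgz = buf.getvalue()
    chunks = [tgz[i:i + 32] for i in range(0, len(tgz), 32)]
    order = [0, 2, 1] + list(range(3, len(chunks))) + [0]
    frames = [_frame("10.0.0.1", 20, "192.168.1.2", 1025, 1000000 + 32 * i, chunks[i]) for i in order]
    frames.insert(1, _frame("192.168.1.2", 1025, "10.0.0.1", 20, 5000, b""))
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 984000000 + n, 0, len(f), len(f)) + f
                       for n, f in enumerate(frames))
    return header + records


if __name__ == "__main__":
    for flow, off, blob in recover_gzip_files(make_sample_capture()):
        print("%s:%d -> %s:%d  gzip at stream offset %d, members %s"
              % (flow + (off, tar_member_names(blob))))
```

Carving on the reassembled stream rather than on individual packets is the point: the gzip header and trailer rarely fall in one segment, and a retransmitted or reordered segment scanned on its own either duplicates data or breaks the deflate stream. The zero-fill for holes keeps later offsets honest but will, of course, corrupt the member that spans the hole; `carve_gzip` then reports no hit for it instead of a silently wrong file.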

The Results:

Writeup from the Honeynet Project members.

Writeup from the Security Community
For this month's challenge we received 26 submissions. It was extremely difficult determining the Top Three, as many of the submissions were outstanding. What made this challenge so interesting was all of the different ways people conducted their analysis. For those of you who spent hours attempting to recover the rootkit from the log file, you are going to kick yourselves. Also, to save disk space, we deleted the rootkit from everyone's submission; the same file listed 20 times fills drive space. You can download the recovered rootkit from the team's writeup, linked above. We hope everyone had fun, great job!

Top Ten

Remaining Sixteen
