
Scan of the Month

Scan 19

This month's scan is to investigate a compromise of a Linux box. You will have a snort binary capture of all the data. You will also have another snort binary which contains all the remote syslog entries. This challenge will draw from lessons learned in previous months' scans as well as add new challenges. All submissions are due no later than 17:00 EST, Monday, 22 October. Results will be released Monday, 29 October.

NOTE: There was a problem with newdat2.log. When I edited out the IP address of my remote syslog server I ended up changing the packet length. This made the rest of the file unreadable. The problem was fixed by replacing the IP address with 0's corresponding exactly to the number of digits in the IP address ( = ). If you have already downloaded the files, you will need to download them again. Sorry for the trouble.
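The reason the edit broke the file is worth seeing in bytes. A snort binary capture is a libpcap file: every record carries a 16-byte header whose incl_len field says how many payload bytes follow, and a reader walks the file by adding incl_len to its offset. Editing a text IP address inside a payload to a string of a different length leaves incl_len stale, so the reader lands in the middle of the next record header and everything after that point is garbage; padding the replacement to the same digit count (as the fix above does) keeps every offset valid. The following is an added example, not code from the Honeynet Project or the scan files. It assumes the standard libpcap layout (24-byte global header, 16-byte record headers); the syslog lines, addresses and link type are constructed sample data.

```python
"""Length-preserving redaction of an IPv4 string inside pcap record bodies.

Added example, not code from the Honeynet Project page. The pcap layout
(24-byte global header, 16-byte per-record header with incl_len/orig_len)
is the standard libpcap format; the syslog lines and addresses below are
constructed sample data.
"""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4
# Dotted quad in ASCII; \b and \d are ASCII-only on bytes patterns.
IPV4_RE = re.compile(rb"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")

# Constructed sample records: syslog lines as a bash-to-syslog honeypot might emit.
SAMPLE_RECORDS = [
    b"<38>Sep 16 03:21:07 honeypot bash: PID=1043 UID=0 ftp 192.168.100.23",
    b"<38>Sep 16 03:21:09 honeypot bash: PID=1043 UID=0 cd /tmp",
]


def redact_ipv4_same_length(body: bytes) -> bytes:
    """Replace every address digit with '0', keeping the dots: 192.168.100.23 -> 000.000.000.00."""
    def zero(m: re.Match) -> bytes:
        return b".".join(b"0" * len(octet) for octet in m.groups())
    return IPV4_RE.sub(zero, body)


def redact_ipv4_fixed(body: bytes, replacement: bytes = b"x.x.x.x") -> bytes:
    """The mistake the page describes: a replacement whose length differs from the original."""
    return IPV4_RE.sub(lambda _m: replacement, body)


def build_pcap(bodies) -> bytes:
    """Minimal libpcap file: magic, version 2.4, zero tz/sigfigs, snaplen, link type 147 (user-defined)."""
    data = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 147)
    for i, body in enumerate(bodies):
        # ts_sec, ts_usec, incl_len, orig_len
        data += struct.pack("<IIII", 1000 + i, 0, len(body), len(body)) + body
    return data


def parse_pcap(data: bytes) -> list:
    """Return the record bodies, or raise ValueError where the headers stop describing the bytes."""
    if len(data) < 24 or struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("bad global header")
    off, bodies = 24, []
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        if incl_len > orig_len or incl_len > 65535:
            raise ValueError(f"implausible incl_len {incl_len} at offset {off}")
        body = data[off + 16:off + 16 + incl_len]
        if len(body) != incl_len:
            raise ValueError(f"truncated record body at offset {off}")
        bodies.append(body)
        off += 16 + incl_len
    return bodies


def redact_in_place(data: bytes, redactor) -> bytes:
    """Rewrite record bodies only, copying every header byte unchanged (a hex-editor style edit).

    If the redactor changes a body's length, incl_len no longer matches and a
    reader desynchronises at the next record header, which is the failure the
    NOTE above describes.
    """
    out = bytearray(data[:24])
    off = 24
    while off < len(data):
        header = data[off:off + 16]
        incl_len = struct.unpack("<IIII", header)[2]
        out += header + redactor(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return bytes(out)


def redaction_is_consistent(data: bytes, redactor) -> bool:
    """True when the redacted file still parses and every record keeps its original length."""
    try:
        before = parse_pcap(data)
        after = parse_pcap(redact_in_place(data, redactor))
    except ValueError:
        return False
    return [len(b) for b in before] == [len(b) for b in after]


if __name__ == "__main__":
    capture = build_pcap(SAMPLE_RECORDS)
    print("same-length zeros:", redaction_is_consistent(capture, redact_ipv4_same_length))
    print("fixed x.x.x.x    :", redaction_is_consistent(capture, redact_ipv4_fixed))
```

The same-length redactor leaves the file parseable with every record at its original length, while the fixed-string redactor shortens the first body by seven bytes and parse_pcap fails on the misaligned second header. The same rule applies to any in-place edit of a capture: either keep the byte count identical or rewrite the record headers (and, for address changes in the packet headers themselves, the IP and UDP checksums) to match.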

The Challenge:
On September 16th a Red Hat Linux 6.2 honeypot was compromised. This is the 3rd time this system was compromised by the same intruder. The honeynet is VMware based and uses a modified bash to log to syslog. Syslog is remotely logging to (remote syslog server IP has been replaced). The compromised system has an IP of After successfully breaking into the box, the attacker ended up using 3 modes of connecting and running commands (some of which were encrypted). The attacker also tried to hide some of his edits from the MAC times.

scan19.tar.gz, MD5 = 11e0be295d138df14111796a7733a5d2, MD5 = c065797b3c2ddfad3396e3d4542ed8a7

  1. Which vulnerability did the intruder exploit?
  2. What ways, and in what order, did the intruder use to connect and run commands on the system?
  3. How did the intruder try to hide his edits from the MAC times?
  4. The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
  5. Recover the rootkits from the snort binary capture (and explain how you did it).
  6. What does the rootkit do to hide the presence of the attacker on the system?
  7. What did you learn from this exercise?
  8. How long did this challenge take you?

Bonus Questions:
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.

The Results:

Writeup from the Honeynet Project members.

Writeup from Honeynet Project member Mike Clark

Writeup from the Security Community

Top Three

Stuart Fox
Quentin Giorgi
Orlando F. S. Bordoni

Neil Desai

Top Ten

Ian Stefanison
Luke Butcher
Christopher Lee
Jason Testart
Ricci Ieong and Vincent Ip
Edwin Chan

Remaining submissions

Matthew M. Shannon
Tyler Hudak
Sven Carstens
Jerome Poggi
Tom Lyne
Joe Stewart
Iftach Amit
Michael Carter
Jason Prost
Rohit Nand
