On September 16th a Redhat Linux 6.2 honeypot was compromised. This is the 3rd time this system was compromised by the intruder. The honeynet is VMware based and uses a modified bash to log to syslog. Syslog is remotely logging to 0.0.0.0 (the remote syslog server IP has been replaced). The compromised system has an IP of 192.168.1.102. After successfully breaking into the box, the attacker ended up using 3 modes of connecting and running commands (some of which were encrypted). The attacker also tried to hide some of his edits from the MAC times.
scan19.tar.gz, MD5 = 11e0be295d138df14111796a7733a5d2
scan19.zip, MD5 = c065797b3c2ddfad3396e3d4542ed8a7
- Which vulnerability did the intruder exploit?
- What ways, and in what order, did the intruder use to connect and run commands on the system?
- How did the intruder try to hide his edits from the MAC times?
- The intruder downloaded rootkits, what were they called? Are they
- Recover (tell how you did it too) the rootkits from the snort
- What does the rootkit do to hide the presence of the attacker on
- What did you learn from this exercise?
- How long did this challenge take you?
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include evidence or logs that you feel are important.
Writeup from the Honeynet Project members.
Writeup from Honeynet Project member Mike Clark
Writeup from the Security Community
Orlando F. S. Bordoni
Ricci Ieong and Vincent Ip
Matthew M. Shannon