spacer [an error occurred while processing this directive]
About the Project
Research Alliance
Our Book

Scan of the Month

Scan 22

This month's challenge is to analyze the attacker from the Reverse Challenge in May 2002). All submissions are due no later then 23:00 EST, Friday, August 23. Results will be released Friday, August 30.

Skill Level: Intermediate

The Challenge:
After penetrating the Linux system using the WU-FTPD vulnerability, the attacker deployed a backdoor binary and then proceeded to use the system for certain nefarious activity. Your mission, should you choose to accept it, is to determine what the activity was and how it was accomplished. All the necessary evidence is contained in this snort binary capture file. The IP address of the honeypot is Using the snort binary capture answer the following questions. Send all submissions to [email protected] Points will be given for answer correctness, depth of analysis and creativity as well. Please, make sure to support the conclusions you reach with available facts. Do check previous challenges (especially top entries) to get an idea of the "ideal write-up".

[email protected] MD5 = 6d0056c385f4d312f731d9506e217314 ( [email protected])


  1. What is the attacker's IP address?
  2. What is the attacker doing first? What do you think is his/her motivation for doing this?
  3. Why there is some readable text in packets #17-#25 (and some others), but not in packets #15-#16 (and several others)? What differentiates these groups of packets from each other?
  4. What is the purpose of 'foo'? Can you provide more insights about the internal workings of 'foo'? Do you think that 'foo' was coded by a good programmer or by an amateur?
  5. What is the purpose of './ttserve ; rm -rf /tmp/ttserve' as done by the attacker?
  6. How do you think the attacker will use the results of his activity involving 'foo'?
  7. Bonus Question:

  8. If you administer a network, would you have caught such NVP backdoor communication? If yes, how? If you do not administer a network, what do you think is the best way to prevent such communication from happening and/or detect it?

Traffic decoder, if you need it, is available here as either source code, or precompiled Linux binary".

The Results:
This months challenge questions, judging and team write-up are done by the Honeynet Research Alliance, specifically netForensics Honeynet Research team led by Anton Chuvakin.

Writeup from the Honeynet Project / Honeynet Research Alliance

Writeup by netForensics Honeynet Research Anton Chuvakin, netForensics Honeynet Team

Writeup from the Security Community

Top Three Entries

Remaining Top Eleven Entries

Remaining Entries

Back to Top