In early March 2003, the Azusa Pacific University Honeynet Project deployed an unpatched Windows 2000 honeypot having a null (blank) administrative password. During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a succesful attack, the honeypot was joined to a large botnet. During operation of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet. The challenge is based on logs from five days of honeypot operation, collected using Snort. The logs have been edited to remove irrelevant traffic and combined into a single file. Also, IP addresses and certain other information have been obfuscated so that the identity of the honeynet is not readily apparent. Your mission is to analyze the log file in order to answer the questions below. Be sure you review the submission rules at the SotM challenge page before submitting your results.
Tools You Can Use in
Learn about tcpdump and libpcap.
Snort, network intrusion
Ethereal, a packet capture
tool for reading binary logs files or just sniffing packets off the network. Has
a very nice graphical interface.
Note: We received reports of people failing the MD5
Checksum. Be sure you check the binary BEFORE decompressing it. The MD5 checksum
shown below is show while the file is compressed.
MD5 (sotm27.gz) = b4bfc10fa8346d89058a2e9507cfd9b9
- What is IRC?
- What message is sent by an IRC client when it asks to join an IRC network?
- What is a botnet?
- What are botnets commonly used for?
- What TCP ports does IRC generally use?
- What is a binary log file and how is one created?
- What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with?
- During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 126.96.36.199?
- Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?
- What IP source addresses were used in attacking the honeypot?
- What vulnerabilities did attackers attempt to exploit?
- Which attacks were successful?
General Questions (not judged)
- What did you learn about analysis as a result of studying this scan?
- How do you anticipate being able to apply your new knowledge and skills?
- How can we improve the SotM challenge? What would you like to see added?
What would you like to see done differently?
This month's challenge questions, judging, and team
write-up are done by the Azusa Pacific University Honeynet
Project, operated by Bill McCarty, Chris Banescu, and Patrick McCarty. You
can find their detailed writeup here.
We would like to thank the folks that submitted their detailed analysis for this
challenge. SotM 27 was a little different, as individuals could submit entries
for either the 'beginners' group or 'intermediate' group. There were a total of
four submissions for beginner, and a total 15 submissions for intermediate.
Top Four Beginning Submissions
Top Ten Intermediate Submissions
Other Intermediate Submissions