Scan of the month 27


The National Digital certification Agency - Tunisia

Agence Nationale de Certification Electronique - Tunisie

ANCE submission


Network Security Team :

Table of Content



Technical Analysis

The Challenge:

In early March 2003, the Azusa Pacific University Honeynet Project deployed an unpatched Windows 2000 honeypot having a null (blank) administrative password. During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a succesful attack, the honeypot was joined to a large botnet. During operation of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet. The challenge is based on logs from five days of honeypot operation, collected using Snort. The logs have been edited to remove irrelevant traffic and combined into a single file. Also, IP addresses and certain other information have been obfuscated so that the identity of the honeynet is not readily apparent.

Beginning Questions

  1. What is IRC?
  2. What message is sent by an IRC client when it asks to join an IRC network?
  3. What is a botnet?
  4. What are botnets commonly used for?
  5. What TCP ports does IRC generally use?
  6. What is a binary log file and how is one created?
  7. What IRC servers did the honeypot, which has the IP address, communicate with?
  8. During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address
  9. Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?

Intermediate Questions

  1. What IP source addresses were used in attacking the honeypot?
  2. What vulnerabilities did attackers attempt to exploit?
  3. Which attacks were successful?

General Questions (not judged)

  1. What did you learn about analysis as a result of studying this scan?
  2. How do you anticipate being able to apply your new knowledge and skills?
  3. How can we improve the SotM challenge? What would you like to see added? What would you like to see done differently?