Scan of the month 27
The National Digital certification Agency - Tunisia
Agence Nationale de Certification Electronique - Tunisie
Network Security Team :
- Haikel MEJRI
- Slim REKHIS
- Yacine DJEMAIEL
- Walid HAJALI
Table of Content
In early March 2003, the Azusa Pacific University Honeynet
Project deployed an unpatched Windows 2000 honeypot having a null (blank) administrative
password. During its first week of operation, the honeypot was repeatedly compromised
by attackers and worms exploiting several distinct vulnerabilities. Subsequent
to a succesful attack, the honeypot was joined to a large botnet. During operation
of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet.
The challenge is based on logs from five days of honeypot operation, collected
using Snort. The logs have been edited to remove irrelevant traffic and combined
into a single file. Also, IP addresses and certain other information have been
obfuscated so that the identity of the honeynet is not readily apparent.
- What is IRC?
- What message is sent by an IRC client when it asks to join an IRC network?
- What is a botnet?
- What are botnets commonly used for?
- What TCP ports does IRC generally use?
- What is a binary log file and how is one created?
- What IRC servers did the honeypot, which has the IP address 172.16.134.191,
- During the observation period, how many distinct hosts accessed the botnet
associated with the server having IP address 220.127.116.11?
- Assuming that each botnet host has a 56 kbps network link, what is the
aggregate bandwidth of the botnet?
- What IP source addresses were used in attacking the honeypot?
- What vulnerabilities did attackers attempt to exploit?
- Which attacks were successful?
General Questions (not judged)
- What did you learn about analysis as a result of studying this scan?
- How do you anticipate being able to apply your new knowledge and skills?
- How can we improve the SotM challenge? What would you like to see added?
What would you like to see done differently?