On August 10, 2003 a Linu Red Hat 7.2 system was compromised. Your mission
is to analyze the compromised system. What makes this challenge unique
is you are to analyze a live system. The image in question was ran
within VMware. Once compromised, we suspended the image. The challenge
to you is to download the suspended image, run it within VMware (you will
get a console to the system with root access), and
respond to the incident. When responding to the incident, you may do a
live analysis of the system or you can first verify that the system has
been compromised and then take it down for a dead analysis (or a combination
of both). In either case, you will be expected to explain the impact you had
on the evidence. Fortunately, this system was prepared for an incident and
MD5 hashes were calculated for all files before the system was deployed.
Note, this image was recovered from VMware Workstation 4.0, it will not work
in older versions. You can download an
*WARNING* This image may have malicious code on it (including viruses)
and maybe running malicious processes. Care must be taken to ensure
that you do not infect your own system and that the compromised image does
not make network connections to external systems. It is recommended
that you perform this challenge on a closed network with secured hosts.
*NOTE* The Project in no way endorses the use of VMWare. We are utilizing
its capabilities as it gives the community the chance to analyze a live,
Download the Images
Suspended image (106MB) MD5 = d95a8c351e048bd7d5596d6fc49b6d72
MD5 of all files of the system *before* it was compromised.
- Describe the process you used to confirm that the live host was
compromised while reducing the impact to the running system and
minimizing your trust in the system.
- Explain the impact that your actions had on the running system.
- List the PID(s) of the process(es) that had a suspect port(s) open
(i.e. non Red Hat 7.2 default ports).
- Were there any active network connections? If so, what
address(es) was the other end and what service(s) was it for?
- How many instances of an SSH server were installed and at what
- Which instances of the SSH servers from question 5 were run?
- Did any of the SSH servers identified in question 5 appear to
have been modified to collect unique information? If so, was
any information collected?
- Which system executables (if any) were trojaned and what
configuration files did they use?
- How and from where was the system likely compromised?
What nationality do you believe the attacker(s) to be, and why?
This months challenge image and questions are combined effort of
Bill McCarty, Patrcik McCarty and Brian Carrier. Team writeup was
done by Brian Carrier.
Writeup from the Security Community