spacer [an error occurred while processing this directive]
About the Project
Research Alliance
Our Book

Scan of the Month

Scan 29

This month's challenge is unique. Your mission is to conduct incident response and analyze a live image of a compromised Linux Red Hat 7.2 system. Because of the amount of work involved for this challenge, we will give you an entire month. Submissions are due no later then 23:00 GMT, Monday 29 September. Results will be released a month later, Friday, 31 October. Find the rules and suggestions for submissions at the SotM Home Page.

Skill Level: Intermediate to Advance

The Challenge:
On August 10, 2003 a Linu Red Hat 7.2 system was compromised. Your mission is to analyze the compromised system. What makes this challenge unique is you are to analyze a live system. The image in question was ran within VMware. Once compromised, we suspended the image. The challenge to you is to download the suspended image, run it within VMware (you will get a console to the system with root access), and respond to the incident. When responding to the incident, you may do a live analysis of the system or you can first verify that the system has been compromised and then take it down for a dead analysis (or a combination of both). In either case, you will be expected to explain the impact you had on the evidence. Fortunately, this system was prepared for an incident and MD5 hashes were calculated for all files before the system was deployed. Note, this image was recovered from VMware Workstation 4.0, it will not work in older versions. You can download an evaluation copy.

*WARNING* This image may have malicious code on it (including viruses) and maybe running malicious processes. Care must be taken to ensure that you do not infect your own system and that the compromised image does not make network connections to external systems. It is recommended that you perform this challenge on a closed network with secured hosts.

*NOTE* The Project in no way endorses the use of VMWare. We are utilizing its capabilities as it gives the community the chance to analyze a live, hacked system.

Download the Images
Suspended image (106MB) MD5 = d95a8c351e048bd7d5596d6fc49b6d72
MD5 of all files of the system *before* it was compromised.


  1. Describe the process you used to confirm that the live host was compromised while reducing the impact to the running system and minimizing your trust in the system.
  2. Explain the impact that your actions had on the running system.
  3. List the PID(s) of the process(es) that had a suspect port(s) open (i.e. non Red Hat 7.2 default ports).
  4. Were there any active network connections? If so, what address(es) was the other end and what service(s) was it for?
  5. How many instances of an SSH server were installed and at what times?
  6. Which instances of the SSH servers from question 5 were run?
  7. Did any of the SSH servers identified in question 5 appear to have been modified to collect unique information? If so, was any information collected?
  8. Which system executables (if any) were trojaned and what configuration files did they use?
  9. How and from where was the system likely compromised?

Bonus Question:
What nationality do you believe the attacker(s) to be, and why?

The Results:
This months challenge image and questions are combined effort of Bill McCarty, Patrcik McCarty and Brian Carrier. Team writeup was done by Brian Carrier.

Writeup from the Security Community

Top 5

Next 10

Next 10

Back to Top