Scan of the month 29


The National Digital certification Agency - Tunisia

Agence Nationale de Certification Electronique - Tunisie

ANCE submission


Network Security Team :

Table of Content


Preliminary tasks


The Challenge :

On August 10, 2003 a Linu Red Hat 7.2 system was compromised. Your mission is to analyze the compromised system. What makes this challenge unique is you are to analyze a live system. The image in question was ran within VMware. Once compromised, we suspended the image. The challenge to you is to download the suspended image, run it within VMware (you will get a console to the system with root access), and respond to the incident. When responding to the incident, you may do a live analysis of the system or you can first verify that the system has been compromised and then take it down for a dead analysis (or a combination of both). In either case, you will be expected to explain the impact you had on the evidence. Fortunately, this system was prepared for an incident and MD5 hashes were calculated for all files before the system was deployed.


  1. Describe the process you used to confirm that the live host was compromised while reducing the impact to the running system and minimizing your trust in the system.
  2. Explain the impact that your actions had on the running system.
  3. List the PID(s) of the process(es) that had a suspect port(s) open (i.e. non Red Hat 7.2 default ports).
  4. Were there any active network connections? If so, what address(es) was the other end and what service(s) was it for?
  5. How many instances of an SSH server were installed and at what times?
  6. Which instances of the SSH servers from question 5 were run?
  7. Did any of the SSH servers identified in question 5 appear to have been modified to collect unique information? If so, was any information collected?
  8. Which system executables (if any) were trojaned and what configuration files did they use?
  9. How and from where was the system likely compromised?

Bonus Questions

      What nationality do you believe the attacker(s) to be, and why?