The Challenge:
On 15 March. 2001, a Linux honeypot was successfully compromised, a rootkit was download to the / partition and then deleted from the system. Your mission is to find and recover the deleted rootkit. If you are not sure where to begin on conducting this forensic analysis and recover the rootkit, we highly reccommend you start with the Forensic Challenge. The steps you will have to follow for the rootkit recovery are similar to the steps discussed there. We have posted only the / partion for download to keep this challenge simple. The compressed image is 13MB, (honeynet.tar.gz) MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21. Once you have downloaded, untarred, and unzipped the partition image, it will be 255 MB and the checksum should be MD5=5a8ebf5725b15e563c825be85f2f852e.

1. Show step by step how you identify and recover the deleted rootkit from the / partition.
2. What files make up the deleted rootkit?

Bonus Question:
Was the rootkit ever actually installed on the system? How do you know?

The Results:
This has been the most difficult challenge to judge so far. We received forty outstanding submissions. Almost all of the submissions answered all three questions and were technically correct. We then based our decisions on how easy the submissions were to read and understand, did the writeup demonstrate all the methods used, and the detail of analysis and information. We did notice some common mistakes. The most common mistake was failing to mount the drive images using the 'noexec' and 'nodev' options. 'noexec' is critical, it prevents the execution of any binaries, including the rootkits or attack tools of the blackhat arsenal.

Writeups from the Honeynet Project members.
For this month's writeup, we are trying something different. Instead of having Honeynet members develop a solution, we asked the top three winners from the Forensic Challenge to submit writeups. All three were more then happy to help, you can find their solutions below.

• Thomas Roessler
• Brian Carrier
• Peter Kosinar

Writeup from the Security Community
The writeups for this month were outstanding. So, we broke the results into categories as follows. We have the Top Five(18 out of 18 points), the Top Seventeen(16 or 17 points out of 18), and then all the remaining submissions(15 points or less). The entries were extremely close, often the only difference was a more indepth explanation or the format was easier to read. Congrats to everyone on a job well done!

Top Seventeen

• Matt Borland - Top Five
• Marlon Jabbur - Top Five
• Andreas Schuster - Top Five
• Jason Lee - Top Five
• Albert Bendicho
- Top Five
• Michael Bishop
• Guillaume Filion
• Can Erkin Acar
• Ethan Miller
• Marcin Dawcewicz
• Nicholas Brawn
• Mike Kvasnak
• Ed Schmollinger
• Owen Crow
• Jeremiah J. Shirk
• Stephen W. Thompson
• Gene Meltser

Remaining Twenty-Five entries

• John K. Riggleman, Jr.
• Alex Butcher
• Burak Dayioglu
• Matt Fiddler
• Majid Almassari
• alterego
• Fernando Amatte
• Benjamin Morin
• Eric Severance
• John Berkers
• Niels Heinen
• Kenneth Zhao
• Ronny Vaningh
• Mike Johnson
• Wolfgang Berbig
• pingouin
• Matthew Rench
• Jeff Sapp
• Jonathan Benson
• John Edward Scott
• Jim Gray
• Kapil Bhalla