The attackers used an rpc.statd attack to get into the system.

What modifications did they make to the break-in process to both automate it and make it faster?

They had a TCP scanner looking for port 111. When the scanner finds port 111 open it sends an rpcinfo request looking specifically for RPC program number 100024 (rpc.statd). If it finds that service registered on the server it sends the exploit. Before it sends the exploit it looks at the port the RPC service is listening on. If the service is listening on UDP port 931 it sends three separate packets, one for each of the Red Hat versions listed in the "statdx" code from ron1n. If the service is not listening on UDP port 931 it sends an exploit that I was unable to identify. Once it has found an RPC service listening on UDP port 931 and has sent its three exploit packets, it connects to TCP port 39168 on the remote server. If the exploit is successful the attacker has a shell on port 39168. From here the attacker gathers some more information about the compromised server, and then from the remote shell the attacker's script FTPs to "ftp.home.ro" and downloads the file "lk.tgz". Once the file is downloaded the script runs the command "tar -zxvf lk.tar", then "cd last" to enter the directory created from the untarred file, then "./install". After the rootkit finishes installing it emails "bidi_damn@yahoo.com" with information about the compromised host.

What system/country did the bad guys come in from?

The system the attackers came in from (211.185.125.124) is in Korea.

What nationality are the bad guys, and how were you able to determine this?

I believe that the attackers are Brazilian. Even though the FTP site used to get the rootkit was Romanian, the output of the install script was in Spanish. The FTP site account information could have been gathered from another compromised host they were monitoring and used to put the rootkit on the ftp.home.ro server.

What do the answers to questions #1 and #2 tell us about the tactics the bad guys are using?

After the attackers compromise a server they use that server to attack other servers. They may be jumping through a couple of different servers before attacking another host so that they are harder to trace.

What did you learn from this challenge?

How hackers find and exploit services. I found it easier to use a packet sniffer (EtherPeek) for this month's challenge.

How long did this challenge take you?

This month's challenge took me about 3 hours.
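The scan-and-exploit sequence described in the first answer (TCP probe of port 111, portmapper query for program 100024, three packets to UDP 931, connect to TCP 39168) is regular enough to detect from traffic records. The following is an added example, not code from this write-up or from the attackers' script: it builds and parses a Sun RPC portmapper GETPORT call (the wire form of "rpcinfo asking for program 100024") and runs a small stage-ordered state machine over constructed flow records. The victim (10.0.0.5) and bystander (10.0.0.9) addresses, the NOP-sled placeholder used for the exploit packets, and the three-packet threshold are all assumptions made for the example; the only real address is the attacker's 211.185.125.124 from the write-up.

```python
import struct
from collections import defaultdict

# Sun RPC v2 constants (RFC 1057 / RFC 1833).
RPC_CALL = 0
RPC_VERSION = 2
PMAP_PROG = 100000        # the portmapper itself, reached on port 111
PMAP_VERS = 2
PMAP_GETPORT = 3          # "which port is program X on?" (what rpcinfo asks)
STATD_PROG = 100024       # rpc.statd, the program the scanner looks for
IPPROTO_UDP = 17

# Ports observed in the write-up: statd on UDP 931, bind shell on TCP 39168.
STATD_PORT = 931
BINDSHELL_PORT = 39168


def build_getport_call(xid, prog, vers, proto):
    """Build a portmapper GETPORT CALL with AUTH_NULL credentials and verifier."""
    header = struct.pack("!6I", xid, RPC_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAP_GETPORT)
    auth = struct.pack("!4I", 0, 0, 0, 0)            # cred flavor/len, verf flavor/len
    args = struct.pack("!4I", prog, vers, proto, 0)  # port field is ignored in a query
    return header + auth + args


def parse_getport_call(payload):
    """Return (xid, prog, vers, proto) if payload is a portmap GETPORT call, else None."""
    if len(payload) < 24:
        return None
    xid, mtype, rpcvers, prog, _pvers, proc = struct.unpack_from("!6I", payload, 0)
    if (mtype, rpcvers, prog, proc) != (RPC_CALL, RPC_VERSION, PMAP_PROG, PMAP_GETPORT):
        return None
    off = 24
    for _ in range(2):                               # skip opaque_auth cred, then verf
        if len(payload) < off + 8:
            return None
        _flavor, length = struct.unpack_from("!2I", payload, off)
        off += 8 + ((length + 3) & ~3)               # XDR pads opaque bodies to 4 bytes
    if len(payload) < off + 16:
        return None
    tprog, tvers, tproto, _port = struct.unpack_from("!4I", payload, off)
    return xid, tprog, tvers, tproto


STAGES = ("portmap_probe", "getport_statd", "statd_payload", "bindshell_connect")


def classify(event):
    """Map one flow/packet record onto a stage of the statd attack chain, or None."""
    proto, dport = event["proto"], event["dport"]
    if proto == "tcp" and dport == 111 and not event.get("payload"):
        return "portmap_probe"
    if dport == 111 and event.get("payload"):
        payload = event["payload"]
        if proto == "tcp":
            payload = payload[4:]                    # TCP RPC carries a 4-byte record mark
        parsed = parse_getport_call(payload)
        if parsed and parsed[1] == STATD_PROG:
            return "getport_statd"
    if proto == "udp" and dport == STATD_PORT:
        return "statd_payload"
    if proto == "tcp" and dport == BINDSHELL_PORT:
        return "bindshell_connect"
    return None


def detect_statd_chain(events, min_exploit_packets=3):
    """Return (src, dst) pairs whose traffic walks every stage, in order."""
    progress = defaultdict(int)       # index of the next stage expected per pair
    exploit_hits = defaultdict(int)   # packets seen at the statd port per pair
    for ev in events:
        key = (ev["src"], ev["dst"])
        stage = classify(ev)
        if stage is None or progress[key] >= len(STAGES):
            continue
        want = STAGES[progress[key]]
        if stage == "statd_payload" and want == "statd_payload":
            exploit_hits[key] += 1                   # the script fires three packets
            if exploit_hits[key] >= min_exploit_packets:
                progress[key] += 1
        elif stage == want:
            progress[key] += 1
    return sorted(k for k, p in progress.items() if p == len(STAGES))


# Constructed sample traffic: victim and bystander addresses are assumptions.
ATTACKER, VICTIM, BYSTANDER = "211.185.125.124", "10.0.0.5", "10.0.0.9"
GETPORT_STATD = build_getport_call(0x1234, STATD_PROG, 1, IPPROTO_UDP)
FAKE_EXPLOIT = b"\x90" * 64                          # placeholder, not the real statdx payload
SAMPLE_EVENTS = [
    {"src": ATTACKER, "dst": VICTIM, "proto": "tcp", "dport": 111},
    {"src": ATTACKER, "dst": VICTIM, "proto": "udp", "dport": 111, "payload": GETPORT_STATD},
    {"src": ATTACKER, "dst": VICTIM, "proto": "udp", "dport": 931, "payload": FAKE_EXPLOIT},
    {"src": ATTACKER, "dst": VICTIM, "proto": "udp", "dport": 931, "payload": FAKE_EXPLOIT},
    {"src": ATTACKER, "dst": VICTIM, "proto": "udp", "dport": 931, "payload": FAKE_EXPLOIT},
    {"src": ATTACKER, "dst": VICTIM, "proto": "tcp", "dport": 39168},
    # A host that only probes the portmapper, asking for NFS (100003), never advances.
    {"src": BYSTANDER, "dst": VICTIM, "proto": "tcp", "dport": 111},
    {"src": BYSTANDER, "dst": VICTIM, "proto": "udp", "dport": 111,
     "payload": build_getport_call(7, 100003, 2, IPPROTO_UDP)},
]

if __name__ == "__main__":
    print(detect_statd_chain(SAMPLE_EVENTS))
```

Requiring the stages in order is what keeps the bystander out of the result: a lone rpcinfo scan or a stray packet to UDP 931 is not enough on its own. On real captures the records would come from a sniffer rather than the inline list, and the UDP 931 port would be whatever the portmapper reply actually advertised for program 100024.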