This is my first attempt at actually submitting an answer
to a honeynet challenge.
First I downloaded the snort binary file snort-0315@0005.log.tar.gz.
I extracted the snort binary log with: gzip -dc snort-0315@0005.log.tar.gz | tar -xof -
I could also have extracted the file with: tar -zxvf snort-0315@0005.log.tar.gz
I started Ethereal and loaded snort-0315@0005.log.
Knowing that the attackers were using an rpc.statd attack, I typed this
filter into Ethereal to find all of the IPs that were attempting to exploit
rpc.statd: tcp.port eq 111 and ip.addr eq 172.16.1.108
The resulting information showed that 211.185.125.124 had an extended
conversation on port 111. There was also a single probe from 203.111.78.182
at 04:53.29.0532 which appears to have been the initial contact from this
attacker during a scan sweep. A quick check proved that this was indeed the
case by changing the Ethereal filter to: ip.addr eq 203.111.78.182
I then switched to a new Ethereal filter: ip.addr eq 211.185.125.124
This allowed me to see all of the packets that were originating from
211.185.125.124.
I noticed that at packet 132 the ports changed. I right-clicked
on packet 132 and told Ethereal to follow this TCP stream. This showed me
that the attacker had opened a root shell on port 39168 and allowed me to
see what their script was doing.
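As an added example that is not part of this write-up, here is the same triage expressed as a script over a constructed set of flow records: one function mirrors the port-111 filter and separates a single probe from an extended conversation, the other lists which new victim ports a host connected to after touching the portmapper (the port change spotted at packet 132). The flow tuples and their timestamps are constructed; the hosts and ports are the ones named above.

```python
from collections import defaultdict

VICTIM = "172.16.1.108"
PORTMAP = 111  # RPC portmapper, the first hop of the rpc.statd attack

# Constructed sample flows: (timestamp, src, sport, dst, dport), chronological.
FLOWS = [
    (1.0, "203.111.78.182", 1024, VICTIM, 111),          # single scan probe
    (2.0, "203.111.78.182", 1024, "172.16.1.109", 111),  # same scanner, next host
    (10.0, "211.185.125.124", 2003, VICTIM, 111),        # extended portmap talk
    (10.1, VICTIM, 111, "211.185.125.124", 2003),
    (10.2, "211.185.125.124", 2003, VICTIM, 111),
    (10.3, VICTIM, 111, "211.185.125.124", 2003),
    (12.0, "211.185.125.124", 2010, VICTIM, 39168),      # new port after exploit
    (12.1, VICTIM, 39168, "211.185.125.124", 2010),
]


def portmap_talkers(flows, victim=VICTIM):
    """Equivalent of 'tcp.port eq 111 and ip.addr eq <victim>': count packets
    per remote host so a lone probe stands apart from a long conversation."""
    counts = defaultdict(int)
    for _, src, sport, dst, dport in flows:
        if PORTMAP in (sport, dport) and victim in (src, dst):
            remote = dst if src == victim else src
            counts[remote] += 1
    return dict(counts)


def new_ports_after_portmap(flows, victim=VICTIM):
    """For each remote host that first hit the portmapper, list the other
    victim ports it connected to afterwards (e.g. a bound shell)."""
    first_seen = {}
    later = defaultdict(set)
    for ts, src, sport, dst, dport in flows:
        if dst == victim and dport == PORTMAP:
            first_seen.setdefault(src, ts)
        elif dst == victim and src in first_seen and ts > first_seen[src]:
            later[src].add(dport)
    return {host: sorted(ports) for host, ports in later.items()}


if __name__ == "__main__":
    print("portmap packets per host:", portmap_talkers(FLOWS))
    print("later victim ports per host:", new_ports_after_portmap(FLOWS))
```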