The Challenge:
On September 16th a Redhat Linux 6.2 honeypot was compromised. This is the 3rd time this system was compromised by the same intruder. The honeynet is VMware based and uses a modified bash to log to syslog. Syslog is remotely logging to 0.0.0.0 (the remote syslog server IP has been replaced). The compromised system has an IP of 192.168.1.102. After successfully breaking into the box, the attacker ended up using 3 modes of connecting and running commands (some of which were encrypted). The attacker also tried to hide some of his edits from the MAC times.
Downloads:
scan19.tar.gz, MD5 =11e0be295d138df14111796a7733a5d2
scan19.zip, MD5 = c065797b3c2ddfad3396e3d4542ed8a7
- Which vulnerability did the intruder exploit?
- What ways, and in what order, did the intruder use to connect and run commands on the system?
- How did the intruder try to hide his edits from the MAC times?
- The intruder downloaded rootkits, what were they called? Are they new/custom rootkits?
- Recover (tell how you did it too) the rootkits from the snort binary capture
- What does the rootkit do to hide the presence of the attacker on the system?
- What did you learn from this exercise?
- How long did this challenge take you?
Bonus Questions:
Based on this challenge, write an example letter of notification to the source owner that attacked the system. Include any evidence or logs that you feel important.
The Results:
Writeup from the Honeynet Project members.
Writeup from Honeynet Project member Mike Clark
Writeup from the Security Community
Top Three
Stuart Fox
Quentin Giorgi
Orlando F. S. Bordoni
Neil Desai
Top Ten
Ian Stefanison
Luke Butcher
Christopher Lee
Jason Testart
Jean BENOIT
Ricci Ieong and Vincent Ip
Edwin Chan
Remaining submissions
Matthew M. Shannon
Tyler Hudak
Sven Carstens
Jerome Poggi
Tom Lyne
jlofshult
Joe Stewart
Iftach Amit
Michael Carter
Jason Prost
Rohit Nand
Ichinin