The Challenge:
On 08 January, 2002 a default, unpatched installation of Solaris 8 SPARC was remotely compromised with the dtspcd exploit. What makes this attack interesting is that this is the first time the attack was identified and captured in the wild, resulting in a CERT advisory.
Using the Snort binary capture of the attack, answer the following questions. The honeypot that is attacked is 172.16.1.102.
Download:
0108@000-snort.log.tar.gz MD5 = 612be364f54ca5fcb47cf70e69419175
- What is a NOP slide, and how is this one different from the NOP slide in the rpc.statd exploit in Scan10?
- The attack was on 08 Jan, 2002. Would Snort have generated an alert then for the attack?
- In the exploit code, the command "/bin/sh sh -i" is given. What is its purpose, and why is 'sh' shown twice?
- The attacker executed a variety of commands on the hacked Solaris box. Which commands were automated by the exploit, and which commands were run manually by the attacker himself?
- What is sun1, and how does it work?
- What did you learn from this exercise?
- How long did this challenge take you?
Bonus Question:
One of the commands executed during the attack is
echo "BD PID(s): "`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`
What is the purpose of this command and what does 'BD' stand for?
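As an added example (not part of the challenge page or of the captured attack), the process search performed by the bonus command can be reproduced offline against a saved process listing instead of a live ps run. The listing below is constructed, and the function names and the pattern argument are assumptions; the logic mirrors the original pipeline (match the argument string, drop the search process itself, print the PID column), which lets an analyst test what such a command would report without running it on a compromised host.

```shell
#!/bin/sh
# Constructed 'ps -fed' style listing (not from the challenge capture).
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     1     0  0   Jan 08 ?        0:01 /etc/init -
    root   181     1  0   Jan 08 ?        0:00 /usr/dt/bin/dtspcd
    root  3344   181  0 23:10:12 ?        0:00 /bin/sh -s /tmp/x
    root  3351  3344  0 23:10:40 pts/1    0:00 grep  -s /tmp/x
  nobody  3360     1  0 23:11:02 ?        0:00 /usr/sbin/inetd -s /tmp/x'

# find_pids_by_args PATTERN LISTING
# Prints the PID of every process in LISTING whose line contains PATTERN,
# excluding the search process itself (the role of 'grep -v grep' in the
# original pipeline). PID is taken from column 2, which is stable even when
# STIME contains a space ("Jan 08") and shifts the later columns.
find_pids_by_args() {
    printf '%s\n' "$2" | awk -v pat="$1" '
        NR == 1 { next }                 # skip the ps header line
        index($0, pat) == 0 { next }     # line does not contain the pattern
        $0 ~ /grep/ { next }             # drop the grep that did the search
        { print $2 }                     # PID column
    '
}

# report_pids PATTERN LISTING
# Same report format as the bonus command: one line, PIDs separated by spaces.
report_pids() {
    echo "BD PID(s): "$(find_pids_by_args "$1" "$2")
}

report_pids ' -s /tmp/x' "$SAMPLE_PS"
```

Running the script prints the two matching PIDs from the constructed listing. The exclusion is the same blunt filter the original uses: any process whose command line happens to contain "grep" is silently dropped, so when the same check is used for detection it is safer to match on the full command field rather than on the whole line.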
The Results:
This month's judging and team write-up were done by the Honeynet Research Alliance, specifically netForensics's Honeynet Research team, led by Anton Chuvakin.
Writeup from the Honeynet Project / Honeynet Research Alliance
Writeup by Anton Chuvakin.
Writeup from the Security Community
Top Two
Next Top Nine
Remaining Entries