The Challenge:
After penetrating the Linux system using the WU-FTPD vulnerability,
the attacker deployed a backdoor binary and then proceeded to use
the system for certain nefarious activity. Your mission, should you
choose to accept it, is to determine what the activity was and how it
was accomplished. All the necessary evidence is contained in this
snort binary capture file. The IP
address of the honeypot is 172.16.183.2. Using
the snort binary capture answer the following questions. Send all
submissions to sotm@honeynet.org
Points will be given for answer correctness, depth of analysis and
creativity as well. Please, make sure to support the conclusions you
reach with available facts. Do check previous
challenges (especially top entries) to get an idea of the "ideal
write-up".
Download:
snort-0718@1401.log.gz MD5 = 6d0056c385f4d312f731d9506e217314 ( snort-0718@1401.log.gz)
Questions
- What is the attacker's IP address?
- What is the attacker doing first? What do you think is his/her
motivation for doing this?
- Why there is some readable text in packets #17-#25 (and some
others), but not in packets #15-#16 (and several others)? What
differentiates these groups of packets from each other?
- What is the purpose of 'foo'? Can you provide more insights about
the internal workings of 'foo'? Do you think that 'foo' was coded by a
good programmer or by an amateur?
- What is the purpose of './ttserve ; rm -rf /tmp/ttserve' as done by
the attacker?
- How do you think the attacker will use the results of his activity
involving 'foo'?
Bonus Question:
- If you administer a network, would you
have caught such NVP backdoor communication? If yes, how? If you do
not administer a network, what do you think is the best way to prevent
such communication from happening and/or detect it?
Note:
Traffic decoder, if you need it, is available here as either
source code, or precompiled
Linux binary".
The Results:
This months challenge questions, judging and team write-up are done by
the Honeynet Research
Alliance, specifically
netForensics Honeynet Research team led by Anton Chuvakin.
Writeup from the Honeynet Project / Honeynet Research Alliance
Writeup by netForensics Honeynet Research
Anton Chuvakin, netForensics Honeynet Team
Writeup from the Security Community
Top Three Entries
Remaining Top Eleven Entries
Remaining Entries
|