The Challenge:
In early March 2003, the Azusa Pacific University Honeynet Project deployed an unpatched Windows 2000 honeypot having a null (blank) administrative password. During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a succesful attack, the honeypot was joined to a large botnet. During operation of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet. The challenge is based on logs from five days of honeypot operation, collected using Snort. The logs have been edited to remove irrelevant traffic and combined into a single file. Also, IP addresses and certain other information have been obfuscated so that the identity of the honeynet is not readily apparent. Your mission is to analyze the log file in order to answer the questions below. Be sure you review the submission rules at the SotM challenge page before submitting your results.

Tools You Can Use in This Challenge
Learn about tcpdump and libpcap.
http://www.tcpdump.org/

Snort, network intrusion detection information.
http://www.snort.org/

Ethereal, a packet capture tool for reading binary logs files or just sniffing packets off the network. Has a very nice graphical interface.
http://www.ethereal.com/

Download the Binary
Note: We received reports of people failing the MD5 Checksum. Be sure you check the binary BEFORE decompressing it. The MD5 checksum shown below is show while the file is compressed.
MD5 (sotm27.gz) = b4bfc10fa8346d89058a2e9507cfd9b9

Beginning Questions

1. What is IRC?
2. What message is sent by an IRC client when it asks to join an IRC network?
3. What is a botnet?
4. What are botnets commonly used for?
5. What TCP ports does IRC generally use?
6. What is a binary log file and how is one created?
7. What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with?
8. During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?
9. Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?

Intermediate Questions

1. What IP source addresses were used in attacking the honeypot?
2. What vulnerabilities did attackers attempt to exploit?
3. Which attacks were successful?

General Questions (not judged)

1. What did you learn about analysis as a result of studying this scan?
2. How do you anticipate being able to apply your new knowledge and skills?
3. How can we improve the SotM challenge? What would you like to see added? What would you like to see done differently?

The Results:
This month's challenge questions, judging, and team write-up are done by the Azusa Pacific University Honeynet Project, operated by Bill McCarty, Chris Banescu, and Patrick McCarty. You can find their detailed writeup here.

We would like to thank the folks that submitted their detailed analysis for this challenge. SotM 27 was a little different, as individuals could submit entries for either the 'beginners' group or 'intermediate' group. There were a total of four submissions for beginner, and a total 15 submissions for intermediate.

Top Four Beginning Submissions

• Vinay A. Mahadik and Ashley Thomas
• Anders Amandusson
• Meera Shashank Khatavkar
• Skeets Norquist

Top Ten Intermediate Submissions

• Diego González Gómez
• Michael Capp
• Massimo Buso
• NST-NDCA
• Matthijs R. Koot
• Laurent Butti
• B. Ghavalas
• Shomiron Das Gupta
• Nir Hauser
• Bill Frische

Other Intermediate Submissions

• Christian Schridde
• Ross Marchand
• Christophe Grenier
• Rohit Nand
• David Dodd