Project Honeynet just released its latest Forensic Challenge 5 - Log Mysteries. It is based on logs from a compromised virtual server and requires quite a bit of digging through messy log data.
Analyze the attached sanitized_log.zip [A.C. – get the logs here] and answer the following questions:
- Was the system compromised and when? How do you know that for sure? (5pts)
- If the was compromised, what was the method used? (5pts)
- Can you locate how many attackers failed? If some succeeded, how many were they? How many stopped attacking after the first success? (5pts)
- What happened after the brute force attack? (5pts)
- Locate the authentication logs, was a bruteforce attack performed? if yes how many? (5pts)
- What is the timeline of significant events? How certain are you of the timing? (5pts)
- Anything else that looks suspicious in the logs? Any misconfigurations? Other issues? (5pts)
- Was an automatic tool used to perform the attack? if yes which one? (5pts)
- What can you say about the attacker's goals and methods? (5pts)
Bonus. What would you have done to avoid this attack? (5pts)
Go get the challenge here and get to solving it – you have about a month. And, yes, there will be prizes too!
Finally, if you really want to make me happy (hehe...who’d want that? :-)), please invent a new approach while solving the challenge.
Possibly related posts:
- Everything tagged Project Honeynet