Friday, March 04, 2011

New Honeynet Project Challenge (#7): Forensic Analysis of a Compromised Server

The plot? As usual:

A Linux server was possibly compromised and a forensic analysis is required in order to understand what really happened. Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge.

Are you up to the challenge? Here are the questions that need your answers:

  • What service and what account triggered the alert? (1pt)
  • What kind of system runs on targeted server? (OS, CPU, etc) (1pt)
  • What processes were running on targeted server? (2pts)
  • What are attackers IP and target IP addresses? (2pts)
  • What service was attacked? (1pt)
  • What attacks were launched against targeted server? (2pts)
  • What flaws or vulnerabilities did he exploit? (2pts)
  • Were the attacks successful? Did some fail? (2pts)
  • What did the attacker obtain with attacks? (2pts)
  • Did the attacker download files? Which ones? Give a quick analysis of those files. (3pts)
  • What can you say about the attacker? (Motivation, skills, etc) (2pts)
  • Do you think these attacks were automated? Why? (1pt)
  • What could have prevented the attacks? (2pts)

    Bonus question: From memory image, can you say what network connections were opened and in which state ?

Get the information here (warning: even compressed, disk images are large) and start your investigation. As a reminder to beginners, be careful when handling untrusted files!

Possibly related posts:

Dr Anton Chuvakin