The HoneyNet Forensic Challenge -- Analysis & Findings
Timeline Summary
Nov 8 00:08:40 - scripted RPC exploit probe begins.
Nov 8 00:09:00 - rpc.statd payload delivers a root shell bound to port 4545.
Nov 8 ~08:45 - intruder returns to the system to install the rootkit and
patch the known vulnerabilities so that other intruders are locked out.
Nov 8 08:51:37 - eggdrop.tar file accessed
Nov 8 08:51:53 - ssh-install (from inode 109801) accessed
Nov 8 08:51:54 - $ROOTKIT/ ... files created
Nov 8 08:52:13 - sniffer started with pid# 2485 ($ROOTKIT/sniff.pid)
Nov 8 08:52:33 - sshd started with pid# 2871 ($ROOT/var/run/sshd.pid)
Nov 8 08:53:13 - ssh-install (from inode 109802) accessed
Nov 8 08:53:41 - wu-ftpd-2.6.0-14.6x.rpm accessed - wuftpd-rpm-install file accessed
Nov 8 08:53:49 - nfs-utils-0.1.9.1-1.rpm accessed - statd-rpm-install file accessed
Nov 8 08:54:25 - named started with pid# 2965 ($ROOT/var/run/named.pid)
Nov 8 08:54:43 - named-install file accessed
Nov 8 08:55:58 - $ROOT/etc/passwd and shadow modified
Nov 8 08:56:08 - massive hda5 deletion begins.
Nov 8 08:58:57 - tpack-install file accessed
Nov 8 08:59:07 - user drosen exits a bash shell. (based on ~/.bash_history)
Nov 8 08:59:52 - $ROOT/var/log/wtmp begins
Nov 8 20:37 - HoneyNet official logs in as root from tty1 to collect evidence.
Notes:
Reminder - because the IDS clock is not synchronized with the subject computer, every timestamp above is taken from the compromised host itself, not from the IDS.
The timeline (and these are only the highlights!) shows how much of the intruder's activity is recoverable with file-system forensics.
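As an added example (it is not part of the Honeynet write-up), the following Python script shows the kind of reconstruction behind a timeline like the one above: it reads file-system records in The Sleuth Kit body-file format (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, as produced by `fls -m`), turns each file's MAC times into separate dated events, and sorts them. The records in `SAMPLE_BODY` are constructed to mirror a few of the timeline entries (the ssh-install inodes, the sniffer and sshd pid files); their paths, sizes and exact epoch values are assumptions for illustration. The `skew` parameter is a hypothetical knob for the clock caveat in the Notes: once an offset between the host clock and another source is established, it shifts every event by that many seconds.

```python
"""Build a sorted MAC-time timeline from TSK body-file records."""
from datetime import datetime, timezone

# Constructed sample records (not from the challenge image). Fields follow the
# TSK 3.x body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
# Epoch values are chosen to land on Nov 8 2000 (UTC) like the timeline above;
# a crtime of 0 means "not recorded", as on ext2.
SAMPLE_BODY = """\
0|/root/ssh-install|109801|-rwxr-xr-x|0|0|5120|973673513|973640000|973640000|0
0|/usr/lib/rootkit/sniff.pid|109850|-rw-r--r--|0|0|5|973673533|973673533|973673533|0
0|/var/run/sshd.pid|20511|-rw-r--r--|0|0|5|973673553|973673553|973673553|0
0|/root/ssh-install|109802|-rwxr-xr-x|0|0|5120|973673593|973640000|973640000|0
"""


def parse_body(text):
    """Parse body-file lines into (name, inode, atime, mtime, ctime, crtime) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"malformed body line: {line!r}")
        _md5, name, inode, _mode, _uid, _gid, _size, atime, mtime, ctime, crtime = fields
        records.append((name, int(inode), int(atime), int(mtime), int(ctime), int(crtime)))
    return records


def mac_events(records, skew=0):
    """Expand each record into dated events, one per distinct timestamp.

    Each event carries a mactime-style "macb" flag string (dots mark the times
    that did not fire at that instant) and is shifted by `skew` seconds so a
    known clock offset can be corrected before sorting.
    """
    events = []
    for name, inode, atime, mtime, ctime, crtime in records:
        by_ts = {}
        for flag, ts in (("m", mtime), ("a", atime), ("c", ctime), ("b", crtime)):
            if ts == 0:          # unset timestamp, nothing to date
                continue
            by_ts.setdefault(ts, set()).add(flag)
        for ts, flags in by_ts.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            events.append((ts + skew, macb, name, inode))
    events.sort()                # chronological, then by name and inode
    return events


def fmt_event(event):
    """Render one event as a timeline line in UTC."""
    ts, macb, name, inode = event
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
    return f"{when}  {macb}  {name} (inode {inode})"


def build_timeline(text, skew=0):
    """Full pipeline: body text in, list of sorted timeline lines out."""
    return [fmt_event(e) for e in mac_events(parse_body(text), skew)]


if __name__ == "__main__":
    print("\n".join(build_timeline(SAMPLE_BODY)))
```

Reading the output the way the timeline above does: an `.a..` event on a script such as ssh-install is the moment it was read or executed, while a `mac.` event on a pid file marks its creation, which is why those files give the daemon start times listed above. Two records sharing a path but not an inode (the two ssh-install entries) stay distinct, as they must when one copy has been deleted and recovered.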