The HoneyNet Forensic Challenge
- The rootkit 'do' script removes two users, suggesting they existed at some point
- Trojans and backdoors in the replacement binaries and patches
- Compare to other challenge results
Notes:
MAC = Modified, Accessed, Changed. These timestamps are stored in each inode.
I should have constructed a MACtime list that included the system binaries and other files. This would have presented a better picture of the attacker's actions, possibly pinpointing exactly when he or she returned to the system. At the very least it might have given some insight on the activity after the compromise.
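As an added illustration of the MACtime list described above (example code, not part of the original notes or of any challenge submission), the block below reads the three inode timestamps of a set of files with lstat and flattens them into a single sorted timeline, merging a file's M, A and C events that fall in the same second into one "mac"-flagged line the way mactime does. The demo() function builds a constructed scenario in a temporary directory (three dummy "binaries" with backdated mtimes; the names and dates are invented, not from the challenge image) so the code runs offline; on a real image you would pass the paths of the system binaries instead. Note that ctime is the inode-change time, which utime cannot backdate, so the "..c" events land at the time the files were written.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone


def collect_mac_times(paths):
    """One record per path with its M, A and C timestamps in epoch seconds.
    lstat is used so a symlink's own inode is recorded rather than its target's."""
    records = []
    for p in paths:
        st = os.lstat(p)
        records.append({
            "path": p,
            "mtime": st.st_mtime,   # last change to file content
            "atime": st.st_atime,   # last read or execute
            "ctime": st.st_ctime,   # last inode change (owner, mode, links, content)
            "mode": stat.filemode(st.st_mode),
            "size": st.st_size,
        })
    return records


def build_timeline(records):
    """Flatten records into a sorted list of (epoch, flags, path).
    Events for the same file in the same second are merged into one entry
    whose flags string marks which of m/a/c apply, e.g. 'ma.' or '..c'."""
    events = {}
    for r in records:
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime")):
            t = int(r[key])
            events.setdefault((t, r["path"]), set()).add(flag)
    timeline = []
    for (t, path), flags in sorted(events.items()):
        flagstr = "".join(f if f in flags else "." for f in "mac")
        timeline.append((t, flagstr, path))
    return timeline


def format_timeline(timeline):
    """Render the timeline as mactime-style text lines (UTC)."""
    lines = []
    for t, flags, path in timeline:
        ts = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} {flags} {path}")
    return lines


def demo():
    """Constructed scenario (not the challenge image): three dummy binaries in a
    temp dir. 'ls' and 'ps' get the same backdated mtime/atime; 'sshd1' is dated
    three days later, as a replaced binary might be. ctime stays at 'now'."""
    d = tempfile.mkdtemp()
    base = 1_000_000_000                       # arbitrary constructed epoch
    spec = {"ls": base, "ps": base, "sshd1": base + 3 * 86400}
    paths = []
    for name, mtime in spec.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"\x7fELF" + name.encode())  # stand-in content, not a real ELF
        os.utime(p, (mtime, mtime))            # backdate atime and mtime only
        paths.append(p)
    return build_timeline(collect_mac_times(paths))


if __name__ == "__main__":
    for line in format_timeline(demo()):
        print(line)
```

Reading the output top to bottom gives the order of events across all files at once, which is what makes a return visit or a batch of replaced binaries stand out as a cluster of "m" entries at one moment.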
Trojans and backdoors: that password log file has to be written somewhere... HMMM. Well, lookie here!
$ strings $ROOTKIT/usr/local/sbin/sshd1 | grep nap
/usr/tmp/nap
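The strings | grep step above works because a binary that writes a log carries the path as a literal. As an added example (not part of the original notes), the block below does the same thing without guessing the file name first: a pure-Python strings(1) equivalent pulls printable runs out of a binary, a regex picks out anything shaped like an absolute path, and a small filter flags paths under scratch directories such as /tmp and /usr/tmp, which a privileged daemon has little reason to reference. The SAMPLE_BINARY bytes are constructed here to stand in for the trojaned sshd1; the version string and config path in it are invented, and only the /usr/tmp/nap literal comes from the page.

```python
import re

# Printable ASCII, the same range strings(1) accepts by default.
PRINTABLE = set(range(0x20, 0x7F))

# Constructed stand-in for the replacement sshd binary (not the real file).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"OpenSSH_2.3.0\x00"                 # invented version string
    + b"/usr/lib/ssh/sshd_config\x00"      # invented, a legitimate-looking path
    + b"\x00\x01\x02"
    + b"/usr/tmp/nap\x00"                  # the literal found on the page
    + b"a+\x00"                            # below min_len, dropped like strings(1) would
    + b"%s:%s\x00"
)

# Directories where a system daemon should not be storing its own files.
SCRATCH_DIRS = ("/tmp/", "/usr/tmp/", "/var/tmp/")

PATH_RE = re.compile(r"/(?:[\w.-]+/)*[\w.-]+")


def extract_strings(data, min_len=4):
    """Return runs of at least min_len printable ASCII bytes, like strings(1)."""
    found, cur = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                found.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        found.append(cur.decode("ascii"))
    return found


def find_embedded_paths(data, min_len=4):
    """Every absolute path appearing inside any extracted string, in order."""
    paths = []
    for s in extract_strings(data, min_len):
        paths.extend(PATH_RE.findall(s))
    return paths


def flag_suspicious(paths):
    """Paths located under world-writable scratch directories."""
    return [p for p in paths if p.startswith(SCRATCH_DIRS)]


if __name__ == "__main__":
    for p in flag_suspicious(find_embedded_paths(SAMPLE_BINARY)):
        print("suspicious embedded path:", p)
```

Run against the real binary, open it with open(path, "rb").read() in place of SAMPLE_BINARY; the same filter applied across every replaced binary in the rootkit gives a quick list of the attacker's drop locations to go check on the image.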