THE HONEYNET FORENSIC CHALLENGE
January/February 2001

Prepared for the HoneyP.edu Incident Response Team (HIRT)
by Brian Coyle

-----------------------------------------------------------------------
errata.txt
Errata and Clarifications

This is not part of the official entry. It addresses some items
discovered (or pointed out) after the submission deadline. I added it
simply for completeness.
-----------------------------------------------------------------------

Errata and Clarifications
-------------------------

The Honeynet Project provided a swap disk image from the compromised
system. My analysis with strings and such did not reveal anything worth
mentioning. I neglected to report in the evidence.txt file that the
analysis was done.

----------------------------------------------------------------------------

In evidence.txt at line #716, there is a missing portion of the sentence
describing the $ROOT/var/tmp/nap file (I must've fat-fingered a vi 'dd'
command or something). The corrected text:

  There is what appears to be a password log file in $ROOT/var/tmp/nap.
  This file contains a root passwd of 'tw1Lightz0ne' and the hostname
  from lastlog.

  $ cat $ROOT/var/tmp/nap
  +-[ User Login ]-------------------- --- --- - -
  | username: root password: tw1Lightz0ne hostname: c871553-b.jffsn1.mo.home.com
  +----------------------------------- ----- --- -- -- -

----------------------------------------------------------------------------

The traceroute to the intruder's @HOME address (in evidence.txt) shows
two hops (#10 & 11) that don't resolve. I was reminded by a fellow LUGer
(thanks kolya!) that this might be due to source addresses with private
network numbers getting filtered. Here's what traceroute output looks
like from a host without any filtering:

  ...
  13 bb1-pos5-0.rdc2.tx.home.net (24.7.74.70) 78.364 ms 77.820 ms 80.673 ms
  14 10.0.194.3 (10.0.194.3) 82.823 ms 79.656 ms 92.293 ms
  15 10.252.68.70 (10.252.68.70) 91.679 ms 91.002 ms 90.412 ms
  16 ATHM-216-216-xxx-2.home.net (216.216.74.2) 93.028 ms 89.700 ms 91.692 ms

Next time I'll be sure to try my traceroutes from a couple of 'looking
glass' sites, just to verify the results.

----------------------------------------------------------------------------

To quote my wife: "It's amazing how much time and effort you'll devote
for a chance to win a book you already own!"

(But honey, it's the _SECOND EDITION_!!!)

Of course I could have spent more time on the project. There are several
areas of investigation I didn't fully explore. If this had been a 'work
for hire', I'm sure there would have been many other alternative paths
of investigation.

For example, the 'do' script in the rootkit removes two ids from the
passwd and shadow files. This suggests they were probably added at some
point. I could have looked for traces of those ids in the images.

I didn't fully research the eggdrop bot and how it was configured on the
compromised system. There's probably a wealth of information to be
learned from the channels it maintains and the IP addresses it uses.

I could have spent considerably more time on the replacement binaries,
the ssh installation and the patches for the vulnerabilities. It's
possible some of these are trojans or have backdoors.

Come to think of it, that password log file needs to capture from
somewhere... HMMM. Well lookie here!

  $ strings $ROOTKIT/usr/local/sbin/sshd1 | grep nap
  /usr/tmp/nap

My timeline is another area that could've used some additional effort.
I concentrated most of my analysis on the rootkit and deleted inodes.
However, I should have constructed a MACtime list that included the
system binaries and other files.
This would have presented a better picture of the attacker's actions,
possibly pinpointing exactly when he or she returned to the system. At
the very least it might have given some insight on the activity after
the compromise.

Oh well, I guess there's always next time!

Kudos to the Honeynet Project team for pulling this off. I look forward
to the next challenge.

----------------------------------------------------------------------------
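The 'strings | grep nap' check above only looks at one binary. As an added
example (not part of the original entry or the rootkit under analysis), the
following Python script generalises that check: it extracts printable runs
the way strings(1) does and walks a whole tree of replacement binaries,
reporting every file whose string table references a known artefact path
such as /usr/tmp/nap. The "rootkit" it scans is a constructed temp directory
with fake file contents, so it runs offline; the paths and needle list are
assumptions for the demo, not values taken from the real kit.

```python
"""Scan a tree of binaries for references to known artefact paths.

Added example, not part of the original errata. Reimplements the
`strings | grep` check so that every file under a directory is tested
against a list of artefact paths (here the password log /usr/tmp/nap).
"""
import os
import re
import tempfile
from typing import Dict, List

# strings(1) reports runs of at least 4 printable ASCII bytes by default.
MIN_LEN = 4


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_references(root: str, needles: List[str]) -> Dict[str, List[str]]:
    """Map each file under root (relative path) to the needles found in its strings.

    Files that reference none of the needles are omitted from the result.
    """
    hits: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            found = sorted({n for s in extract_strings(data) for n in needles if n in s})
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def demo() -> Dict[str, List[str]]:
    """Build a constructed mini "rootkit" tree and scan it.

    The file contents are fabricated sample data, not real ELF binaries;
    only the embedded path string matters for the demonstration.
    """
    root = tempfile.mkdtemp(prefix="rootkit-demo-")
    os.makedirs(os.path.join(root, "usr", "local", "sbin"))
    os.makedirs(os.path.join(root, "bin"))
    filler = b"\x00\x01\x02\x7f" * 8  # non-printable padding between strings
    # Constructed: a fake sshd1 whose string table mentions the password log.
    fake_sshd = b"\x7fELF" + filler + b"/usr/tmp/nap\x00" + filler + b"PermitRootLogin\x00"
    # Constructed: a fake ls with no artefact reference.
    fake_ls = b"\x7fELF" + filler + b"/bin/ls\x00"
    with open(os.path.join(root, "usr", "local", "sbin", "sshd1"), "wb") as fh:
        fh.write(fake_sshd)
    with open(os.path.join(root, "bin", "ls"), "wb") as fh:
        fh.write(fake_ls)
    # Assumed needle list: the log path seen in sshd1 plus the path the kit used on disk.
    return find_references(root, ["/usr/tmp/nap", "/var/tmp/nap"])


if __name__ == "__main__":
    for path, refs in demo().items():
        print(path, "->", ", ".join(refs))
```

Running it prints the one constructed file that references the log path,
usr/local/sbin/sshd1. On a real image the needle list would be extended with
every path the kit's install script touches, so that a single sweep shows
which replacement binaries know about which artefacts.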
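The timeline paragraph above describes building a MACtime list over the
system binaries and other files. As an added example (not the errata author's
method and not TCT's mactime), this Python script walks a directory tree,
reads each file's modify/access/change stamps with lstat, and emits one row
per distinct timestamp with an m/a/c flag column in the layout mactime uses.
The tree it examines is a constructed temp directory whose timestamps are
set with os.utime; ctime cannot be set from userspace, so those rows simply
carry the time the demo ran.

```python
"""MACtime-style timeline from a directory tree.

Added example, not part of the original errata. One row per distinct
timestamp per file; the flag column marks which of the three stamps
(m = modified, a = accessed, c = inode changed) equal that time.
"""
import os
import tempfile
import time
from typing import List, Tuple

Row = Tuple[float, str, str]  # (epoch seconds, "mac" flags, relative path)


def collect_mac(root: str) -> List[Row]:
    """Return timeline rows for every regular file under root, oldest first."""
    rows: List[Row] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat does not touch atime and follows no symlinks
            rel = os.path.relpath(path, root)
            stamps = {"m": st.st_mtime, "a": st.st_atime, "c": st.st_ctime}
            for ts in sorted(set(stamps.values())):
                flags = "".join(k if stamps[k] == ts else "." for k in "mac")
                rows.append((ts, flags, rel))
    rows.sort(key=lambda r: (r[0], r[2]))
    return rows


def format_timeline(rows: List[Row]) -> List[str]:
    """Render rows as 'YYYY-MM-DD HH:MM:SS mac path' lines in UTC."""
    return [
        "%s %s %s" % (time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)), flags, rel)
        for ts, flags, rel in rows
    ]


def demo() -> List[Row]:
    """Constructed tree: two files with hand-set atime/mtime values."""
    root = tempfile.mkdtemp(prefix="mactime-demo-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    ls_path = os.path.join(root, "bin", "ls")
    passwd_path = os.path.join(root, "etc", "passwd")
    with open(ls_path, "wb") as fh:
        fh.write(b"fake ls binary\n")  # constructed content
    with open(passwd_path, "wb") as fh:
        fh.write(b"root:x:0:0:root:/root:/bin/sh\n")  # constructed content
    base = 1_000_000_000  # 2001-09-09 01:46:40 UTC, chosen for the demo
    os.utime(ls_path, (base, base))              # atime == mtime -> one "ma." row
    os.utime(passwd_path, (base + 200, base + 100))  # atime later than mtime -> two rows
    return collect_mac(root)


if __name__ == "__main__":
    for line in format_timeline(demo()):
        print(line)
```

The first three rows of the demo are the hand-set stamps ("ma." for bin/ls,
then "m.." and ".a." for etc/passwd); the "..c" rows follow at the run time.
On a mounted evidence image the same walk over /bin, /sbin and /usr would
place the rootkit's replacement binaries on the same axis as the deleted
inodes, which is the picture the paragraph above says was missing.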