The Honeynet Project

Challenge 5 - Log Mysteries - (provided by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, Sebastien Tricaud from the French Chapter) takes you into the world of virtual systems and confusing log data. In this challenge, figure out what happened to a virtual server using all the logs from a possibly compromised server.

The questions are a more open ended than past challenges. To score highly, we recommend to answer the following way:

• Accuracy is highly encouraged to get the highest note
• You must explain tools you used and how
• If you use visualization tools such as afterglow, picviz, graphviz, gnuplot etc. explain why this was better (than other tools, than other visualization): such as good timeline representation etc.
• Outline HOW you found things

Submission deadline has passed. Results have been posted below. For any questions and inquiries, please contact forensicchallenge2010@honeynet.org.
Skill Level: Intermediate

Enjoy the challenge!

The Challenge:
Analyze the attached sanitized_log.zip and answer the following questions:

1. Was the system compromised and when? How do you know that for sure? (5pts)
2. If the was compromised, what was the method used? (5pts)
3. Can you locate how many attackers failed? If some succeeded, how many were they? How many stopped attacking after the first success? (5pts)
4. What happened after the brute force attack? (5pts)
5. Locate the authentication logs, was a bruteforce attack performed? if yes how many? (5pts)
6. What is the timeline of significant events? How certain are you of the timing? (5pts)
7. Anything else that looks suspicious in the logs? Any misconfigurations? Other issues? (5pts)
8. Was an automatic tool used to perform the attack? if yes which one? (5pts)
9. What can you say about the attacker's goals and methods? (5pts)

Bonus. What would you have done to avoid this attack? (5pts)

Download:
[your email]_Forensic Challenge 2010 - Challenge 5 - Submission Template.doc Sha1: 37067e7a90ed5704e02fed2ea25c0b7c09dbbf1f
[your email]_Forensic Challenge 2010 - Challenge 5 - Submission Template.odt Sha1: ee5ed64399817e829176d219c06b1871a7ee50c0
sanitized_log.zip Sha1: 5d317ecf8147cafc0239166e47139afea3200c5b

The Winners:

1. William Soderberg (Sweden) - William's submission - Sha1: 14ec42dcd24162d2e536f5c84820240cb521cad4
2. Nikunj Shah(USA) - Nikunj's submission - Sha1: 950aa99eec3b7663ee9f415826e0dfcfe43ab4ac
3. David Bernal Michelena (Mexico)- David's submission - Sha1: 58fc0cfeac54cf9fdc490b22b4b5e0e8ed7e92db

Additional information:
Carl Pulley, a loyal follower of our Forensic Challenges, has written up an analysis on how could one determine the apache version that generated the logs. His analysis can be found at http://acme-labs.org.uk/news/2011/01/20/apache2-version-analysis/ and http://acme-labs.org.uk/news/2011/01/21/apache2-version-analysis-data-visualisation/.