Challenge 5 – Log Mysteries – (provided by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, Sebastien Tricaud from the French Chapter) takes you into the world of virtual systems and confusing log data. In this challenge, figure out what happened to a virtual server using all the logs from a possibly compromised server.
The questions are a more open ended than past challenges. To score highly, we recommend to answer the following way:
- Accuracy is highly encouraged to get the highest note
- You must explain tools you used and how
- If you use visualization tools such as afterglow, picviz, graphviz, gnuplot etc. explain why this was better (than other tools, than other visualization): such as good timeline representation etc.
- Outline HOW you found things
Skill Level: Intermediate
Enjoy the challenge!
Analyze the attached sanitized_log.zip and answer the following questions:
- Was the system compromised and when? How do you know that for sure? (5pts)
- If the was compromised, what was the method used? (5pts)
- Can you locate how many attackers failed? If some succeeded, how many were they? How many stopped attacking after the first success? (5pts)
- What happened after the brute force attack? (5pts)
- Locate the authentication logs, was a bruteforce attack performed? if yes how many? (5pts)
- What is the timeline of significant events? How certain are you of the timing? (5pts)
- Anything else that looks suspicious in the logs? Any misconfigurations? Other issues? (5pts)
- Was an automatic tool used to perform the attack? if yes which one? (5pts)
- What can you say about the attacker’s goals and methods? (5pts)
Bonus. What would you have done to avoid this attack? (5pts)
This work by Raffael Marty, Anton Chuvakin and Sebastien Tricaud is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
- William Soderberg (Sweden) – William’s submission – Sha1: 14ec42dcd24162d2e536f5c84820240cb521cad4
- Nikunj Shah(USA) – Nikunj’s submission – Sha1: 950aa99eec3b7663ee9f415826e0dfcfe43ab4ac
- David Bernal Michelena (Mexico)- David’s submission – Sha1: 58fc0cfeac54cf9fdc490b22b4b5e0e8ed7e92db
Carl Pulley, a loyal follower of our Forensic Challenges, has written up an analysis on how could one determine the apache version that generated the logs. His analysis can be found at http://acme-labs.org.uk/news/2011/01/20/apache2-version-analysis/ and http://acme-labs.org.uk/news/2011/01/21/apache2-version-analysis-data-visualisation/.
|[your email]_Forensic Challenge 2010 – Challenge 5 – Submission Template.doc||71 KB|
|[your email]_Forensic Challenge 2010 – Challenge 5 – Submission Template.odt||21.23 KB|