
Scan of the Month

Scan 20

This month's challenge is to investigate a compromise of a Solaris box. All submissions are due no later than 17:00 EST, Friday, 26 April. Results will be released Friday, 03 May.

Skill Level: Intermediate

The Challenge:
On 08 January, 2002 a default, unpatched installation of Solaris 8 SPARC was remotely compromised with the dtspcd exploit. What makes this attack interesting is that this is the first time the attack was identified and captured in the wild, resulting in a CERT advisory. Using the Snort binary capture of the attack, answer the following questions. The honeypot that is attacked is

0108@000-snort.log.tar.gz MD5 = 612be364f54ca5fcb47cf70e69419175

  1. What is a NOP slide, and how is this one different from the NOP slide in the rpc.statd exploit in Scan10?
  2. The attack was on 08 Jan, 2002. Would Snort have generated an alert then for the attack?
  3. In the exploit code, the command "/bin/sh sh -i" is given, what is its purpose, and why is 'sh' shown twice?
  4. The attacker executed a variety of commands on the hacked Solaris box. Which commands were automated by the exploit, which commands were manual by the attacker himself?
  5. What is sun1, and how does it work?
  6. What did you learn from this exercise?
  7. How long did this challenge take you?
Bonus Question:
One of the commands executed during the attack is

echo "BD PID(s): "`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`

What is the purpose of this command and what does 'BD' stand for?
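To make the mechanics of that pipeline easy to study without a live Solaris process table, here is an added example (not part of the original challenge material) that runs the same filter chain over a constructed, clearly labelled sample of `ps -fed` output. It separates the chain into named functions so the effect of each stage can be checked, in particular why the `grep -v grep` stage is needed: the grep that carries the search pattern on its own command line would otherwise match itself. The process names and PIDs in the sample are invented for illustration.

```shell
# Constructed sample of `ps -fed` output (invented, not from the Scan 20 capture):
# a process started with " -s /tmp/x", two unrelated processes, and the grep
# process that is itself searching for the pattern and therefore also contains it.
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     1     0  0   Jan 08 ?        0:01 /etc/init -
    root   142     1  0   Jan 08 ?        0:00 /usr/dt/bin/dtspcd
    root  4242   142  0 13:21:05 ?        0:00 /bin/sh -s /tmp/x
    root  4301  4290  0 13:21:40 pts/1    0:00 grep  -s /tmp/x'

# Same filter chain as the challenge command, applied to the sample instead of
# the live process table: keep lines containing " -s /tmp/x", drop the grep
# process itself, then print the PID column (field 2 of ps -f output).
find_bd_pids() {
    printf '%s\n' "$SAMPLE_PS" | grep ' -s /tmp/x' | grep -v grep | awk '{print $2}'
}

# The chain without the `grep -v grep` stage, to show the self-match it removes.
find_bd_pids_no_filter() {
    printf '%s\n' "$SAMPLE_PS" | grep ' -s /tmp/x' | awk '{print $2}'
}

# Wraps the result in the same "BD PID(s): " label the challenge command uses.
report_bd_pids() {
    echo "BD PID(s): "$(find_bd_pids)
}

report_bd_pids
```

Running the block prints `BD PID(s): 4242`; calling `find_bd_pids_no_filter` instead also returns 4301, the PID of the searching grep process. The same pattern, matching a process by a distinctive argument string, is a common way for defenders to check a host for a known process signature, with the caveat that a renamed binary or altered arguments will not match.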

The Results:
This month's judging and team write-up were done by the Honeynet Research Alliance, specifically netForensics's Honeynet Research team, led by Anton Chuvakin.

Writeup from the Honeynet Project / Honeynet Research Alliance

Writeup by Anton Chuvakin.

Writeup from the Security Community

Top Two

Next Top Nine Remaining Entries
