Hey, will you post the answers?
Answer: Yes! Sorry I hadn't posted them previously. Glad you worked the case, hope you had fun. Let me know if there's any interest on a walkthrough for this one, I'd be happy to put one together.
- Verify SHA1 Checksum of the image provided: c67d36f2a8851fdf9bb3de9fd0441b619e40c070
- Through what protocol was this system compromised? SSH
- What distribution and version is this system? Ubuntu 14.04.4 LTS
- What country is the attacker's IP address from? Russia
- What time was the attacker account created in UTC (XX:XX:XX format)? Jun 1 20:11:03
- What port is the protocol used to compromise the system set on? 422
- How many different countries are represented by the IPs in the web server log? 6
- What date and time (directly copy/paste from log) did the attacker first log in? Jun 1 20:03:45
- What is the IP that failed to log in directly before the attacker successfully logged in? 107.150.94.4
- What day of the week does the attacker's cron job fire? Monday
- What is the name of the user account the attacker made? radvlad
- The attacker set a password for the account that they made, what is it set to? 1qaz2wsx
- The attacker changed the root password, what is it set to? asdzxc
- What addition to the website is causing users to get redirected to malicious pages? <iframe src="http://anecdote.roobaroo.org/xegblh2.html"></iframe>
- What exploit kit is the link associated with? Angler
- What is the sha256 hash of the first file the attacker added to /var/www/html? 94ebd2af4d1e1e4d01c4806cf1d94c44d24014da0703424f864e5e8cd3396fb9
- What is the ClamAV name for the second file the attacker added to /var/www/html? Win.Trojan.691128-1
- What file was exfiltrated? Secret-Recipe-Chili
- What command line tool did the attacker use to exfiltrate the file? pastebinit
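Several of the questions above (first successful login, the IP that failed directly before it, when the attacker account was created) are answered by walking the SSH and account events in /var/log/auth.log in order. The script below is an added example, not part of the original post or of the case author's materials: it parses a constructed auth.log excerpt (the hostname, process IDs, the legitimate user `bob` and the login IP `203.0.113.77` are placeholders; the timestamps, the failing IP and the account name echo the answer key) and pulls those three facts out programmatically, so the same logic can be reused on a real log.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample excerpt in Ubuntu 14.04 auth.log format (not taken from
# the case image). Placeholders: host "bobs-chili", user "bob", IP 203.0.113.77.
SAMPLE_AUTH_LOG = """\
Jun  1 20:03:12 bobs-chili sshd[2201]: Failed password for root from 107.150.94.4 port 41022 ssh2
Jun  1 20:03:30 bobs-chili sshd[2203]: Failed password for invalid user admin from 107.150.94.4 port 41030 ssh2
Jun  1 20:03:45 bobs-chili sshd[2210]: Accepted password for bob from 203.0.113.77 port 52044 ssh2
Jun  1 20:03:45 bobs-chili sshd[2210]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Jun  1 20:11:03 bobs-chili useradd[2290]: new user: name=radvlad, UID=1001, GID=1001, home=/home/radvlad, shell=/bin/bash
Jun  1 20:11:20 bobs-chili passwd[2295]: pam_unix(passwd:chauthtok): password changed for radvlad
Jun  1 20:12:05 bobs-chili passwd[2301]: pam_unix(passwd:chauthtok): password changed for root
"""

# Syslog prefix: "Mon dd HH:MM:SS host process[pid]: message" (day may be space padded).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w\-]+)\[\d+\]: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+),")


def parse_events(log_text: str) -> List[Dict[str, str]]:
    """Turn auth.log lines into ordered events of kind accepted/failed/useradd.

    Lines that are not one of those three kinds are skipped; the timestamp is
    kept exactly as written so it can be quoted back verbatim from the log.
    """
    events: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (a := ACCEPTED_RE.search(msg)):
            events.append({"ts": ts, "kind": "accepted", "user": a["user"], "ip": a["ip"]})
        elif (f := FAILED_RE.search(msg)):
            events.append({"ts": ts, "kind": "failed", "user": f["user"], "ip": f["ip"]})
        elif (u := USERADD_RE.search(msg)):
            events.append({"ts": ts, "kind": "useradd", "user": u["user"], "ip": ""})
    return events


def first_successful_login(events: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """The first 'Accepted' SSH authentication in log order, or None."""
    return next((e for e in events if e["kind"] == "accepted"), None)


def failed_ip_before_first_success(events: List[Dict[str, str]]) -> Optional[str]:
    """Source IP of the last failed attempt that precedes the first success."""
    last_failed_ip: Optional[str] = None
    for e in events:
        if e["kind"] == "failed":
            last_failed_ip = e["ip"]
        elif e["kind"] == "accepted":
            return last_failed_ip
    return None


def account_creations(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(timestamp, username) for every useradd 'new user' record."""
    return [(e["ts"], e["user"]) for e in events if e["kind"] == "useradd"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUTH_LOG)
    print("first login:", first_successful_login(evs))
    print("failed IP before it:", failed_ip_before_first_success(evs))
    print("accounts created:", account_creations(evs))
```

On a real image the same functions run over the contents of /var/log/auth.log (and its rotated copies), and the `proc` field can be extended to pick up cron or sudo entries in the same pass.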
Andy, will you do a walkthrough of the Bob Chilli's case?
Hey James, sure thing my friend.
I'd love a walkthrough as well :)