A Linux server was possibly compromised and a forensic analysis is required in order to unterstand what really happened. Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge.
- What service and what account triggered the alert?
- What kind of system runs on targeted server? (OS, CPU, etc)
- What processes were running on targeted server?
- What are attackers IP and target IP addresses?
- What service was attacked?
- What attacks were launched against targeted server?
- What flaws or vulnerabilities did he exploit?
- Were the attacks successful? Did some fail?
- What did the attacker obtain with attacks?
- Did the attacker download files? Which ones? Give a quick analysis of
- What can you say about the attacker? (Motivation, skills, etc)
- Do you think these attacks were automated? Why?
- What could have prevented the attacks?
Bonus question: From memory image, can you say what network connections were opened and in which state ?
victoria-v8.kcore.img: memory dump done by dd’ing /proc/kcore
victoria-v8.memdump.img: memory dump done with memdump
- victoria-v8.kcore.img.zip = 3b74b32279422e93f93927b80f18df2c
- victoria-v8.memdump.img.zip = 7d271455ad65e55678a530aaed696040
- victoria-v8.sda1.img.zip = cba614f59020ce8910346cc43056692f
- victoria-v8.kcore.img.zip = e971ccfd4853d4b7459eb6862e4b747074f23a7
- victoria-v8.memdump.img.zip = eae53cb9fb1e98f9f9ba334edfe8a4b3e7ca9104
- victoria-v8.sda1.img.zip = cddc70ca67db4f3cfca4d48c755c43bb286738c3