[TP FORENSIC] Analyse d’un serveur compromis

The Challenge:
A Linux server was possibly compromised and a forensic analysis is required in order to unterstand what really happened. Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge.

    1. What service and what account triggered the alert?
    2. What kind of system runs on targeted server? (OS, CPU, etc)
    3. What processes were running on targeted server?
    4. What are attackers IP and target IP addresses?
    5. What service was attacked?
    6. What attacks were launched against targeted server?
    7. What flaws or vulnerabilities did he exploit?
    8. Were the attacks successful? Did some fail?
    9. What did the attacker obtain with attacks?
    10. Did the attacker download files? Which ones? Give a quick analysis of
      those files.
    11. What can you say about the attacker? (Motivation, skills, etc)
    12. Do you think these attacks were automated? Why?
    13. What could have prevented the attacks?

Bonus question: From memory image, can you say what network connections were opened and in which state ?

Forensic_Analysis_of_a_Compromised_Server

victoria-v8.kcore.img: memory dump done by dd’ing /proc/kcore
victoria-v8.memdump.img: memory dump done with memdump

MD5:

  • victoria-v8.kcore.img.zip = 3b74b32279422e93f93927b80f18df2c
  • victoria-v8.memdump.img.zip = 7d271455ad65e55678a530aaed696040
  • victoria-v8.sda1.img.zip = cba614f59020ce8910346cc43056692f

SHA1

  • victoria-v8.kcore.img.zip = e971ccfd4853d4b7459eb6862e4b747074f23a7
  • victoria-v8.memdump.img.zip = eae53cb9fb1e98f9f9ba334edfe8a4b3e7ca9104
  • victoria-v8.sda1.img.zip = cddc70ca67db4f3cfca4d48c755c43bb286738c3

Views: 682