The following excerpt is taken from a honeypot log. The log captures activity across three days.
There are several intrusion attempts; however, only a few are successful. Study the log given below
and answer the following question:
(Note: The objective of this question is to test whether the student has learnt about passive OS
fingerprinting (which should let them identify the OS from log captures); whether they can recognise a SQL
injection attack signature; whether they can infer that a user ID has been created by an attacker; and
whether they can read plain source-destination entries from log entries.)

What can you infer from the above log?

A.
The system is a Windows system which is being scanned unsuccessfully.

B.
The system is a web application server compromised through SQL injection.

C.
The system has been compromised and backdoored by the attacker.

D.
The actual IP of the successful attacker is 24.9.255.53.
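The note in the question lists four things a reader is expected to pull out of such a log: a passive OS guess from packet fields, a SQL injection signature, evidence that an account was created, and the plain source-to-destination flows. As an added example (not part of the exam question, and not the exam's log, which the page does not reproduce), the script below runs those four checks over a handful of constructed entries in a generic "src -> dst" honeypot style. The log format, the RFC 5737 addresses, the regexes and the TTL/window rule of thumb are all assumptions made for illustration; the username "simon" is reused from the discussion only as an example value.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample entries in a generic "src -> dst" honeypot/IDS style.
# They are NOT the exam's log (which is absent from the page); addresses are
# RFC 5737 documentation ranges and "simon" is just an illustrative name.
SAMPLE_LOG = """\
2004-03-12 10:02:11 TCP 203.0.113.5:3445 -> 198.51.100.20:80 ttl=126 win=65535 flags=S
2004-03-12 10:02:13 HTTP 203.0.113.5:3446 -> 198.51.100.20:80 GET /login.asp?user=admin'%20OR%20'1'%3D'1--
2004-03-12 10:02:20 TCP 203.0.113.5:3447 -> 198.51.100.20:135 ttl=126 win=65535 flags=S
2004-03-12 10:02:21 TCP 203.0.113.5:3448 -> 198.51.100.20:135 payload=\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x31\\xc0
2004-03-12 10:02:25 SHELL 203.0.113.5 -> 198.51.100.20 cmd="net user simon P@ss123 /add"
2004-03-13 08:00:02 TCP 192.0.2.77:51234 -> 198.51.100.20:22 ttl=52 win=5840 flags=S
"""

# Assumed line layout: "<date> <time> <proto> <src>[:<port>] -> <dst>[:<port>] <rest>".
ENTRY = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>\S+) (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? ?(?P<rest>.*)$"
)
KV = re.compile(r"\b(ttl|win)=(\d+)")
# Quote followed by OR/AND and a tautology, UNION SELECT, or a SQL comment marker.
SQLI = re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=|union\s+select|--", re.I)
# Eight or more consecutive 0x90 (x86 NOP) bytes, or an IDS token naming the sled.
NOP_SLED = re.compile(r"(\\x90){8,}|nops?-x86", re.I)
# Windows "net user X pw /add" or Unix "useradd [opts] X".
USER_ADD = re.compile(r"net user (\S+) \S+ /add|useradd\s+(?:-\S+\s+)*(\S+)", re.I)


def parse_entry(line):
    """Split one line into src/dst/ports plus ttl/win if present; None if it does not parse."""
    m = ENTRY.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["raw"] = line
    kv = dict(KV.findall(e["rest"]))
    e["ttl"] = int(kv["ttl"]) if "ttl" in kv else None
    e["win"] = int(kv["win"]) if "win" in kv else None
    return e


def guess_os(ttl, win):
    """Passive fingerprint of the packet SENDER from initial TTL and TCP window.

    Rule of thumb (heuristic, not a definitive identification): the observed TTL is
    rounded up to the nearest common initial value (64, 128, 255); 128 together with a
    65535/8192/16384 window is typical of Windows stacks, 64 of Linux/Unix stacks.
    """
    if ttl is None:
        return "unknown"
    initial = next((t for t in (64, 128, 255) if ttl <= t), 255)
    if initial == 128 and win in (65535, 8192, 16384):
        return "Windows"
    if initial == 64:
        return "Linux/Unix"
    return "unknown"


def triage(text):
    """Answer the four questions the exam note asks about a log in this format."""
    entries = [e for e in (parse_entry(l) for l in text.splitlines()) if e]
    os_by_host = {}
    for e in entries:
        if e["ttl"] is not None:
            # TTL/window describe the sender, so the guess is keyed by source host.
            os_by_host.setdefault(e["src"], guess_os(e["ttl"], e["win"]))
    users = []
    for e in entries:
        m = USER_ADD.search(e["rest"])
        if m:
            users.append(m.group(1) or m.group(2))
    return {
        "flows": Counter((e["src"], e["dst"]) for e in entries),
        "os_by_host": os_by_host,
        # URL-decode first so "%27" and "%3D" are seen as the quote and "=" they encode.
        "sqli": [e["raw"] for e in entries if SQLI.search(unquote(e["rest"]))],
        "nop_sled": [e["raw"] for e in entries if NOP_SLED.search(e["rest"])],
        "users_created": users,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two caveats worth keeping in mind when applying this to a real capture: the TTL/window guess describes whichever host sent the packet (inbound SYNs fingerprint the attacker, the honeypot's own replies fingerprint the honeypot), and the SQL injection regex is deliberately loose, so a hit is a lead to read by hand rather than a verdict.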





Q

How can we know that it is a Windows PC?

nash

I am wondering the same... I am also not sure why it says it's unsuccessful.

lck

My guess is that the answer is C.
Line 11 shows nops-x86, which suggests a buffer overflow, followed by two opened sessions.

Q70

My guess is C also.
Following the above comment: open sessions and then a connection to port 1080 (Winhole trojan).

zend

It is Windows because we can see RPC, and we can also see the username simon, which is one of the default users in Windows.