We’ve posted the 14th challenge in the “Infosec Advent” series. This one is a Linux server intrusion case. You get syslog and auth.log. Unfortunately that’s all that was being forwarded.
We have some Linux syslog and authentication logs available for download here. Download and analyze the logs for signs of intrusion. Based on the log data, let us know what you think has happened.
Specifically, we’re looking to understand the following:
- How many attackers compromised the server?
- What did the attackers do once on the server?
- What steps should be taken to recover from the incident?
- What, in your opinion, is the likely root cause of the incident?
In all cases, please show your work (e.g. back your analysis with facts, where available). In cases where data is not available to back your hypothesis, let us know what data you would need and where you would look to collect it.
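Since the challenge only provides syslog and auth.log, most of the "show your work" evidence will come from sshd, sudo and useradd entries in auth.log. The following is an added example, not part of the challenge post or its data: a small Python triage script that extracts from auth.log the facts the four questions above turn on (distinct login sources, failed-then-accepted logins from the same source, accounts created during the incident, and sudo escalations to a shell). The log lines embedded in it are constructed samples with documentation-range IPs, not the real challenge logs, and the regexes assume the standard Debian/Ubuntu auth.log message formats.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (NOT the challenge data); hostnames and
# addresses are placeholders chosen to exercise each pattern below.
SAMPLE_AUTH_LOG = """\
Dec 14 03:21:01 web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Dec 14 03:21:03 web01 sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Dec 14 03:21:05 web01 sshd[1205]: Failed password for root from 198.51.100.7 port 40138 ssh2
Dec 14 03:21:09 web01 sshd[1207]: Accepted password for root from 198.51.100.7 port 40150 ssh2
Dec 14 03:21:09 web01 sshd[1207]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 14 03:22:40 web01 useradd[1250]: new user: name=support, UID=1001, GID=1001, home=/home/support, shell=/bin/bash
Dec 14 04:02:11 web01 sshd[1301]: Accepted publickey for deploy from 203.0.113.9 port 51002 ssh2
Dec 14 04:02:30 web01 sudo:   deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
Dec 14 05:10:02 web01 sshd[1400]: Accepted password for support from 192.0.2.33 port 60010 ssh2
Dec 14 05:10:45 web01 sudo:   support : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
"""

# Message formats emitted by OpenSSH, shadow-utils useradd and sudo on Debian-style systems.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.+)$")
SHELL_RE = re.compile(r"/(ba|z|da)?sh$")


def triage_auth_log(text):
    """Summarize auth.log text into the facts an intrusion write-up needs."""
    failed = Counter()      # source ip -> number of failed password attempts
    accepted = []           # (user, auth method, source ip) per successful login
    new_users = []          # accounts created via useradd
    sudo_cmds = []          # (invoking user, command) per sudo invocation

    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            failed[m.group(2)] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted.append((m.group(2), m.group(1), m.group(3)))
        elif m := USERADD_RE.search(line):
            new_users.append(m.group(1))
        elif m := SUDO_RE.search(line):
            sudo_cmds.append((m.group(1), m.group(2).strip()))

    return {
        # Q1: each distinct source that achieved a login is a candidate attacker or admin.
        "distinct_login_sources": sorted({src for _, _, src in accepted}),
        "failed_by_source": dict(failed),
        # A source that failed repeatedly and then succeeded is the classic brute-force signature.
        "brute_force_success": sorted({src for _, _, src in accepted if failed[src] > 0}),
        # Root logging in with a password is worth flagging as a likely root-cause contributor.
        "root_password_logins": [src for user, method, src in accepted
                                 if user == "root" and method == "password"],
        # Q2: persistence via new accounts, and whether those accounts were then used.
        "new_users": new_users,
        "logins_by_new_accounts": [(user, src) for user, _, src in accepted if user in new_users],
        # sudo to an interactive shell hides the follow-on commands from auth.log entirely.
        "sudo_shells": [(u, c) for u, c in sudo_cmds if SHELL_RE.search(c)],
        "sudo_commands": sudo_cmds,
    }


if __name__ == "__main__":
    for key, value in triage_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real auth.log by replacing `SAMPLE_AUTH_LOG` with the file contents. Two caveats apply when writing up the answer: `sudo ... COMMAND=/bin/bash` means everything run inside that shell is absent from auth.log, so the "what did they do" answer needs bash history, process accounting or the filesystem timeline rather than these logs alone; and a source in `brute_force_success` that is also a known admin address may simply be a fat-fingered password, so correlate against the rest of syslog (cron, package installs, service restarts) before counting it as an attacker.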
Please limit your submissions to 1500 words. The best characterization of this web server intrusion will receive a $25 Amazon gift card (subject to contest rules). The winner will be announced 21DEC17.
If you were looking for another Digital Forensics and Incident Response (DFIR) related challenge, here you go. Have fun!
If you don’t already have an account, you can register to play at https://www.infosecadvent.com.