Please follow the instructions in the document. Answer all questions




This assignment is about a harmless rootkit that was developed by our CS department's Senior Systems Programmer Analyst, Dan van Pelt. It mimics a lot of the things that we would expect a real toolkit to do. The rootkit has multiple components. I have a few questions for you that are there to guide you through the process of discovering as many of the things that the rootkit does as you can. If you cannot answer a question, move on to the next; they are all tied together.

Download the attached VM that contains the rootkit.
SHA1 Checksum: d82cff7894f2c12f994a70e1d3ddc166a59b0d14
Username: maint
Password: SHASUMSrox

There is something in /root that is there to help you with your rootkit hunt.

Useful Linux startup locations

Shell inits:
https://www.tecmint.com/understanding-shell-initialization-files-and-user-profiles-linux/

Systemd systems (if the system has systemctl):
https://unix.stackexchange.com/questions/172115/where-are-the-systemd-configuration-files
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-managing_services_with_systemd-unit_files

Service:
/etc/init.d/ - these are bash files that you can check.

Root SHA256SUMS:
The rootkit VM contains a SHA256SUMS file (in the /root/ dir) that was produced before the rootkit infected this system. Check the file and the directories that it has monitored. It was produced using shasum -a 256. You can build a bash script that generates a similar-looking file (ideally identical in format) and then use diff to compare and find which files have been altered, or use the -c flag. This will indicate potential (but not 100% certain) rootkit changes.

Crontab:
It is a place that we do not think of as having the potential to start files, but it does. Note: each user gets his/her own crontab.

Ports and connections:
https://www.howtoforge.com/linux-netstat-command/
If you are wondering why Linux has different locations for startup scripts and how it finds where service startup scripts are, see this thread: https://askubuntu.com/questions/903354/difference-between-systemctl-and-service-commands

Listing files and directories: when in doubt, use a variety of tools.

Please answer the following questions and give a list of the instructions and commands used.

Question 1
Many rootkits enable a backdoor on the infected system. This toolkit uses the (name of utility) utility to listen on port .

Question 2
Type the name of the script that initiates the backdoor. [No need to add the path, just the name]

Question 3
Can a computer from the 140.160.140.0/24 block use the backdoor and connect to this VM if the VM is set up with a bridged adapter (i.e., it also obtains an IP address on the same subnet)?
Answer choices: True / False

Question 4
Apache2 is a patched, compromised version of Apache2 that the rootkit altered. (Check its shasum against the shasum in the /root directory. Those are pre-any-modification.)
Answer choices: True / False

Question 5
The (modified or not) apache2 binary is version: (Type the version as 2.0.1)

Question 6
The rootkit has modified the and binaries. Write the names of the compromised processes. These are typical utilities used in a shell.

Question 7
What are the names of the files (without extension) that the rootkit attempts to hide from a user? (There are multiple, but I will accept any correct answer.)

Question 8
Over what port are command and control (C&C) communications when the rootkit engages with the "mothership"? (destination port)

Question 9
What is the name of the script that initiates C&C communications? [Type the name along with any extension]

Question 10
The rootkit has a C&C communication that is typical of how other malware communicate with their C&C. How is the C&C communication script executed?
Answer choices: crontab / systemd / upstart / init.d / service / SysV

Question 11
What is the name of the keylogger? [No need to include any extensions. You won't find this on the web, but on the VM the name appears several times]

Question 12
What is the full path of the file to which the keylogger outputs what it captures?

Question 13
The rootkit has a C&C communication component. What is the C&C domain? [There are many ways to answer this: either find the process that performs the C&C communications or do a packet capture using tcpdump or tshark.] Enter only the domain name, e.g., google.com
Answered 2 days after May 08, 2022
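The "Root SHA256SUMS" hint above describes the baseline check in words. The script below is an added example written for this page, not part of the assignment or of Dan van Pelt's rootkit VM: it regenerates a SHA256SUMS-style manifest for the directories the baseline covers and reports altered, missing and new files. It assumes the baseline uses the two-column "hash  path" form that both shasum -a 256 and sha256sum emit, with absolute paths that contain no spaces; the demonstration runs on a constructed scratch tree, not on the VM.

```shell
#!/usr/bin/env bash
# Added example (not part of the assignment): regenerate a SHA256SUMS-style
# manifest for the directories a baseline covers and report files whose hash
# changed, files that vanished, and files that are new since the baseline.
# Assumptions: the baseline is in the two-column "hash  path" form that
# "shasum -a 256" and "sha256sum" both emit, and the paths are absolute.
set -u
export LC_ALL=C   # stable sort order for the comparison

# Use whichever SHA-256 tool exists (sha256sum on GNU systems, shasum elsewhere).
sha256_of() {   # sha256_of FILE -> hex digest
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Hash every regular file in each directory named by the baseline, so that
# files dropped after the baseline show up too (a plain "-c" check only looks
# at paths it already knows). Output is sorted, one "hash  path" per line.
generate_manifest() {   # generate_manifest BASELINE_FILE
    awk '{print $2}' "$1" | while read -r p; do dirname "$p"; done | sort -u |
    while read -r dir; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -type f
    done | sort | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f"
    done
}

# Compare a fresh manifest against the baseline and print one finding per line:
#   MODIFIED path   digest differs from the baseline
#   MISSING  path   listed in the baseline but no longer present
#   NEW      path   present now but absent from the baseline
compare_manifests() {   # compare_manifests BASELINE CURRENT
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            cur[$2] = $1
            if (!($2 in base))       print "NEW      " $2
            else if (base[$2] != $1) print "MODIFIED " $2
        }
        END { for (p in base) if (!(p in cur)) print "MISSING  " p }
    ' "$1" "$2" | sort
}

# Demonstration on a constructed scratch tree (not the VM): take a baseline,
# then "infect" the tree by altering one file, deleting one, and adding one.
demo_baseline_check() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc/cron.d"
    printf 'ls v1\n' > "$root/bin/ls"
    printf 'ps v1\n' > "$root/bin/ps"
    printf 'clean\n' > "$root/etc/cron.d/backup"
    # Baseline, as it would have been produced before the infection.
    find "$root/bin" "$root/etc/cron.d" -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f"
    done > "$root/SHA256SUMS"
    # Simulated rootkit activity.
    printf 'ls trojaned\n' > "$root/bin/ls"        # patched binary
    rm "$root/etc/cron.d/backup"                    # removed file
    printf 'beacon\n' > "$root/etc/cron.d/updater"  # new persistence entry
    generate_manifest "$root/SHA256SUMS" > "$root/SHA256SUMS.now"
    compare_manifests "$root/SHA256SUMS" "$root/SHA256SUMS.now"
    rm -rf "$root"
}
```

On the VM the same two functions run as generate_manifest /root/SHA256SUMS > /tmp/now followed by compare_manifests /root/SHA256SUMS /tmp/now; the quick variant the assignment mentions is shasum -a 256 -c /root/SHA256SUMS | grep -v ': OK$', which lists only FAILED entries but cannot see files added after the baseline. Two caveats a practitioner would keep in mind: a hash mismatch is evidence, not proof (legitimate package updates also change binaries, hence the "not 100%" in the hint), and every hash computed inside the VM is only as trustworthy as the VM's own shasum, awk and kernel, which is exactly what a rootkit that patches system utilities undermines. For a definitive answer, mount the VM's disk read-only from a clean host and hash it from there.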


Jahir Abbas answered on May 10 2022
82 Votes
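The assignment's Crontab hint ("each user gets his/her own crontab") and Question 10 are about finding where a script is started from. The script below is an added example written for this page, not part of the assignment or of the VM: it enumerates every crontab-format file under a root prefix (so it works on a disk image mounted read-only from a clean host as well as on "/") and applies a heuristic filter to the entries. The crontab contents in the demonstration are constructed, and the "maint" entries, the /tmp/.x path and the @reboot line are made up for it; nothing here claims to describe what the VM actually contains.

```shell
#!/usr/bin/env bash
# Added example (not part of the assignment): enumerate every cron source on a
# Linux system, including each user's private crontab, which "crontab -l" run
# as one user never shows. It takes a root prefix so it can be pointed at a
# disk image mounted read-only (say /mnt/vm) instead of trusting the binaries
# on a live, possibly rootkitted, system; pass "/" to inspect the running host.
set -u
export LC_ALL=C

# Print "FILE: LINE" for every active (non-blank, non-comment) line in each
# crontab-format file under ROOT. Both the Debian/Ubuntu and the RHEL/Fedora
# spool locations are checked; paths that do not exist are skipped.
list_cron_entries() {   # list_cron_entries ROOT
    root=${1%/}
    for f in "$root/etc/crontab" \
             "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* \
             "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s|^|${f#$root}: |"
    done
}

# Heuristic triage: commands run from world-writable or hidden locations, the
# @reboot special string, downloads piped straight into a shell, and base64
# decoding are all common in malicious crontabs and deserve a closer look.
# This is a first filter, not a verdict; read every flagged line yourself.
flag_suspicious_entries() {   # reads list_cron_entries output on stdin
    grep -E '(/tmp/|/dev/shm/|/var/tmp/|/\.[^/[:space:]]|@reboot|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode))'
}

# Demonstration on a constructed tree: a stock /etc/crontab, a benign cron.d
# drop-in, and a per-user crontab for "maint" carrying two persistence entries.
demo_cron_hunt() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/cron.d" "$root/var/spool/cron/crontabs"
    cat > "$root/etc/crontab" <<'EOF'
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
EOF
    cat > "$root/etc/cron.d/sysstat" <<'EOF'
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
EOF
    cat > "$root/var/spool/cron/crontabs/maint" <<'EOF'
# m h dom mon dow command
*/5 * * * * /bin/sh /tmp/.x/beacon.sh > /dev/null 2>&1
@reboot /home/maint/.config/.svc/start
EOF
    list_cron_entries "$root" | flag_suspicious_entries
    rm -rf "$root"
}
```

Run list_cron_entries without the filter first; a complete listing is short on most hosts and the unfiltered view is what you hand in as evidence. On a live system the equivalent, which needs root and trusts the crontab binary, is looping over /etc/passwd with crontab -l -u "$user"; remember to also check systemctl list-timers --all, since systemd timers are the other scheduler that can start a C&C script, and the scripts under /etc/cron.hourly and friends, which the baseline-hash check covers.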
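Questions 6 and 7 of the assignment concern shell utilities the rootkit patched and the files it hides, and the hint "when in doubt, use a variety of tools" is the way to catch that. The script below is an added example written for this page, not part of the assignment or of the VM: it installs a constructed trojaned ls wrapper in a scratch PATH (standing in for a patched binary) and then cross-checks what ls reports against what find and the shell's own globbing see. The "rk_" file names are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not part of the assignment): cross-check independent tools to
# expose names that a trojaned "ls" drops from its listing. The trojaned ls
# below is a constructed wrapper installed in a scratch PATH, standing in for
# a patched binary; the "rk_" file names are made up for the demonstration.
set -u
export LC_ALL=C   # stable sort/comm collation

# Names as reported by whichever "ls" comes first on PATH (the suspect tool).
names_via_ls() { ls -1A -- "$1" | sort; }

# Names as reported by find, which reads the directory itself and never
# goes through ls.
names_via_find() { find "$1" -mindepth 1 -maxdepth 1 | sed 's#.*/##' | sort; }

# Names as seen by the shell's own globbing, a third independent view
# (the patterns cover dot-files but skip "." and "..").
names_via_glob() {
    ( cd "$1" || exit 1
      for n in * .[!.]* ..?*; do
          if [ -e "$n" ] || [ -L "$n" ]; then printf '%s\n' "$n"; fi
      done ) | sort
}

# Print every name that find or the shell sees but ls does not.
find_hidden_names() {   # find_hidden_names DIR
    seen_by_ls=$(mktemp)
    names_via_ls "$1" > "$seen_by_ls"
    { names_via_find "$1"; names_via_glob "$1"; } | sort -u | comm -23 - "$seen_by_ls"
    rm -f "$seen_by_ls"
}

# Constructed trojaned ls: runs the real ls, then drops any line containing a
# marker string, the way a patched ls hides the rootkit's own files.
install_trojaned_ls() {   # install_trojaned_ls BINDIR MARKER
    real_ls=$(command -v ls)
    cat > "$1/ls" <<EOF
#!/bin/sh
"$real_ls" "\$@" | grep -v -- '$2'
EOF
    chmod +x "$1/ls"
}

# Demonstration on a scratch directory: two ordinary files, two "rootkit"
# files, and an ls on PATH that filters the latter.
demo_hidden_files() {
    root=$(mktemp -d)
    mkdir -p "$root/fakebin" "$root/target"
    : > "$root/target/notes.txt"
    : > "$root/target/.bashrc"
    : > "$root/target/rk_keylog"
    : > "$root/target/rk_beacon.sh"
    install_trojaned_ls "$root/fakebin" rk_
    ( PATH="$root/fakebin:$PATH"; export PATH; hash -r 2>/dev/null || true
      find_hidden_names "$root/target" )
    rm -rf "$root"
}
```

The same idea answers the process half of Question 6: compare the PIDs that ps prints with the numeric entries under /proc, and anything in /proc that ps omits is being hidden from you. Both checks only work against a rootkit that patches user-space tools; one that hooks the kernel can lie to find and the shell as well, which is another reason to examine the VM's disk from outside it.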