
Please follow the instructions in the document. Answer all questions

This assignment is about a harmless rootkit that was developed by our CS's Senior Systems Programmer Analyst, Dan van Pelt. It mimics a lot of the things that we would expect a real toolkit to do. There are multiple components that the rootkit has.
I have a few questions for you that are there to guide you through the process of discovering as many of the things the rootkit does as you can. If you cannot answer a question, move on to the next; they are all tied together.
Download the attached VM that contains the rootkit.
SHA1 Checksum: d82cff7894f2c12f994a70e1d3ddc166a59b0d14
 
Username: maint
Password: SHASUMSrox
 
There is something in /root that is there to help you with your rootkit hunt.
 
Useful
Linux startup locations
Shell inits:
https://www.tecmint.com/understanding-shell-initialization-files-and-user-profiles-linux/
Systemd systems (if the system has systemctl):
https://unix.stackexchange.com/questions/172115/where-are-the-systemd-configuration-files
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-managing_services_with_systemd-unit_files
Service:
/etc/init.d/ - these are bash files that you can check
Root SHA256SUMS:
The rootkit VM contains a SHA256SUMS file that was produced before the rootkit infected this system (in the /root/ dir). Check the file and the directories that it has monitored. It was produced using shasum -a256. You can build a bash script that generates a similar-looking file (ideally in the exact same format) and then use diff to compare and find which files have been altered, or use the -c flag of shasum to verify against it. This will indicate potential (but not certain) rootkit changes.
Crontab:
It is a place that we do not think of as having the potential to start files, but it does. Note: each user gets his/her own crontab.
Ports and connections:
https://www.howtoforge.com/linux-netstat-command/
If you are wondering why Linux has different locations for startup scripts and how it finds where service startup scripts are, see this thread:
https://askubuntu.com/questions/903354/difference-between-systemctl-and-service-commands
Listing files and directories:
When in doubt, use a variety of tools.
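The baseline check described under Root SHA256SUMS, as an added example that is not part of the assignment or the VM: it regenerates a SHA256SUMS-style listing over a set of monitored directories and reports changed, missing and newly added files. The directory list and the /tmp paths in the usage comment are assumptions; take the real list from the paths recorded in the VM's own file.

```shell
#!/bin/sh
# Added example, not part of the assignment or the VM. Rebuilds a
# SHA256SUMS-style baseline and diffs it against a fresh snapshot.
# The monitored directories are an assumption: take the real list from
# the paths recorded in the VM's own /root/SHA256SUMS file.

# Both tools print "<hex digest>  <path>"; prefer coreutils sha256sum,
# fall back to the Perl shasum the assignment mentions.
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# gen_sums DIR... : hash every regular file under DIR..., sorted by path
# so two runs over unchanged trees are byte-identical (diff-friendly).
gen_sums() {
    find "$@" -type f -print 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r f; do hash_cmd "$f"; done
}

# compare_sums BASELINE CURRENT : one line per difference.
#   CHANGED <path>  digest differs from the baseline (possible tampering)
#   MISSING <path>  listed in the baseline but gone from disk
#   NEW     <path>  on disk but absent from the baseline (possible drop)
# shasum -c reports only the first two; new files need this join.
compare_sums() {
    awk -v bfile="$1" '
        { h = $1; p = $0; sub(/^[^ ]+  /, "", p) }   # split digest / path
        FILENAME == bfile { base[p] = h; next }        # load the baseline
        {
            seen[p] = 1
            if (!(p in base))      print "NEW     " p
            else if (base[p] != h) print "CHANGED " p
        }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Typical use on the VM (directory list and output path assumed):
#   gen_sums /bin /sbin /usr/bin /usr/sbin /etc > /tmp/SHA256SUMS.now
#   compare_sums /root/SHA256SUMS /tmp/SHA256SUMS.now
```

Because the questions below say the rootkit replaces common shell utilities, run this with binaries you trust (for example from a mounted copy of the VM disk), or the comparison itself may be reporting what the rootkit wants you to see.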
Please answer the following questions and give a list of the instructions and commands used.
 
Question 1
Many rootkits enable a backdoor on the infected system. This toolkit uses the (name of utility) utility to listen on port .
 
Question 2
Type the name of the script that initiates the backdoor. [No need to add the path, just the name]
 
Question 3
Can a computer from the XXXXXXXXXX/24 block use the backdoor and connect to this VM if the VM is set up with a bridged adapter (i.e., it also obtains an IP address on the same subnet)?
Group of answer choices
True
False
 
Question 4
Apache2 is a patched, compromised version of Apache2 that the rootkit altered. (Compare its shasum with the one recorded in the /root directory; those sums predate any modification.)
Group of answer choices
True
False
 
Question 5
The (modified or not) apache2 binary is version: (Type version as 2.0.1)
 
Question 6
The rootkit has modified the and binaries. Write the names of the compromised processes. These are typical utilities used in the shell.
 
Question 7
What are the names of the files (without extension) that the rootkit attempts to hide from a user? (There are multiple, but I will accept any correct answer.)
 
Question 8
Over what port do command and control (C&C) communications take place when the rootkit engages with the "mothership"? (destination port)
 
Question 9
What is the name of the script that initiates C&C communications? [Type the name along with any extension]
 
Question 10
The rootkit has a C&C communication that is typical of how other malware communicates with its C&C. How is the C&C communication script executed?
Group of answer choices
crontab
systemd
upstart
init.d
service
SysV
 
Question 11
What is the name of the keylogger? [No need to include any extension. You won't find this on the web, but on the VM the name appears several times.]
 
Question 12
What is the full path of the file that the keylogger outputs what it captures?
 
Question 13
The rootkit has a C&C communication component. What is the C&C domain? [There are many ways to answer this: either find the process that performs the C&C communications, or do a packet capture using tcpdump or tshark.] Enter only the domain name, e.g., google.com
Answered 2 days After May 08, 2022

Solution

Jahir Abbas answered on May 10 2022