Introduction

In this lab, we analyze a compromised Ubuntu Linux honeypot that was deployed on Microsoft Azure in October 2021. The honeypot was specifically designed to attract attackers exploiting CVE-2021-41773, a critical vulnerability in Apache HTTP Server that allows for path traversal and remote code execution (RCE). This vulnerability was actively targeted in the wild, making the honeypot an ideal environment to observe real-world attack techniques.
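As an added example (not part of the lab material or the honeypot's own logs), the following Python scanner flags the CVE-2021-41773 request signature in Apache access logs: a ".." segment in which at least one dot is percent-encoded, which the path normalization in the affected Apache version failed to collapse. The log lines are constructed in the documentation IP range, and the verdict labels (`traversal_read`, `possible_rce`) are this example's own naming.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (documentation IP range); not taken from the lab.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Oct/2021:14:02:19 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1832 "-" "curl/7.68.0"
203.0.113.12 - - [05/Oct/2021:14:03:01 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 78 "-" "python-requests/2.26.0"
203.0.113.13 - - [05/Oct/2021:14:03:30 +0000] "GET /icons/.%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 199 "-" "Go-http-client/1.1"
203.0.113.14 - - [05/Oct/2021:14:04:02 +0000] "GET /docs/../index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Signature of the bug: a ".." segment where at least one dot is percent-encoded.
# A plain "../" is normalised correctly by Apache and is therefore not flagged.
ENCODED_DOTDOT = re.compile(r'(?:\.%2e|%2e\.|%2e%2e)(?:/|$)', re.IGNORECASE)


def analyze_request(method, raw_path):
    """Return a finding dict for a request matching the signature, else None."""
    if not ENCODED_DOTDOT.search(raw_path):
        return None
    decoded = unquote(raw_path)             # one decoding pass, as the server applies
    resolved = posixpath.normpath(decoded)  # where the traversal actually lands
    if method.upper() == "POST" and resolved.startswith("/bin/"):
        verdict = "possible_rce"            # traversal into /bin carrying a request body
    else:
        verdict = "traversal_read"
    return {"decoded": decoded, "resolved": resolved, "verdict": verdict}


def scan_log(text):
    """Parse each access-log line and collect findings with their HTTP status."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = analyze_request(m["method"], m["path"])
        if hit:
            hit.update(ip=m["ip"], method=m["method"], status=int(m["status"]),
                       raw=m["path"])
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # HTTP 200 on a traversal read means the file was served; 403 means the server denied it.
        print(f"{f['ip']} {f['method']} {f['raw']} -> {f['resolved']} "
              f"[{f['verdict']}, HTTP {f['status']}]")
```

Run it against an unpacked access log with `scan_log(open(path).read())`. The status column is the useful triage signal on a honeypot like this one: a 200 on a resolved path outside the document root shows the traversal actually succeeded, while a 403 shows the request was denied, so the two can be separated before moving on to the disk and memory artifacts.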

Upon deployment, the system experienced numerous attacks, primarily from crypto-mining malware. To maintain a controlled environment and prevent resource exhaustion from rampant crypto-mining, a cron job was implemented to periodically remove files associated with common miners. This setup allowed the honeypot to remain operational for extended periods, capturing more diverse and sophisticated attack behaviors.

The lab provides three primary forensic artifacts for analysis:

  1. sdb.vhd.gz – A Virtual Hard Disk (VHD) snapshot of the main drive, captured via an Azure disk snapshot. This image allows for endpoint forensics on the file system, including the examination of scheduled tasks, malicious scripts, and other artifacts left by attackers.

  2. ubuntu.20211208.mem.gz – A memory dump acquired using the LiME (Linux Memory Extractor) tool. Memory analysis helps uncover running
