
July '03 Forensic Challenge Contest (still unsolved, but some users were very close)

(Difficulty: upgraded to moderate/hard)

I. Alert

Given: Joey from the IT staff at Mobey Concepts and Art, Inc. contacted you with a troubled call: their web server has been attacked and infiltrated. The VP is looking for a preliminary report on your findings, covering what the risk is and what they can do to mitigate it.

II. Background Information

Given: Mobey Concepts and Art, Inc. is a small graphic design company. Joey provided an overview of their network diagram here:

[network diagram image not included]

III. Evidence

Given: the following snippets of information were collected:

A. From the IDS sensor:

20:04:39.120000 24.201.111.22.2411 > 206.0.129.83.80: tcp 0 (DF)
20:04:39.120000 24.201.111.22.2412 > 206.0.129.83.81: tcp 0 (DF)
20:04:39.120000 24.201.111.22.2412 > 206.0.129.83.915: tcp 0 (DF)
20:04:39.130000 24.201.111.22.2413 > 206.0.129.83.958: udp 0 (DF)
20:04:39.140000 24.201.111.22.2414 > 206.0.129.83.1083: tcp 0 (DF)

B. From the router logs:

list 110 denied udp 24.201.111.22(22101) -> 206.0.129.83(1433), 1 packet 2003-04-01 20:12:15  Local4.Info  206.0.129.1  301
list 110 denied udp 24.201.111.22(64717) -> 206.0.129.83(135), 1 packet 2003-04-01 20:12:17  Local4.Info  206.0.129.1  302
list 110 denied udp 24.201.111.22(72822) -> 206.0.129.83(137), 1 packet 2003-04-01 20:12:28  Local4.Info  206.0.129.1  303
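The sensor and router evidence above come in two different formats with no shared date field, and each contains an entry that deserves a second look before anything is built on it. The following is an added example, not code from the contest page, that parses the IDS and router lines into one record type, merges them into a timeline for the source address, lists the destination ports it touched, and flags entries an analyst should double-check (a port outside 1-65535, a client port reused against two destinations in the same instant). The IDS lines carry no date, so the example assumes the router log's date, 2003-04-01, for them; the evidence lines are embedded exactly as they appear on this page.

```python
import re
from dataclasses import dataclass

# Evidence lines copied from sections III.A and III.B of this page.
IDS_LINES = """\
20:04:39.120000 24.201.111.22.2411 > 206.0.129.83.80: tcp 0 (DF)
20:04:39.120000 24.201.111.22.2412 > 206.0.129.83.81: tcp 0 (DF)
20:04:39.120000 24.201.111.22.2412 > 206.0.129.83.915: tcp 0 (DF)
20:04:39.130000 24.201.111.22.2413 > 206.0.129.83.958: udp 0 (DF)
20:04:39.140000 24.201.111.22.2414 > 206.0.129.83.1083: tcp 0 (DF)
"""
ROUTER_LINES = """\
list 110 denied udp 24.201.111.22(22101) -> 206.0.129.83(1433), 1 packet 2003-04-01 20:12:15  Local4.Info  206.0.129.1  301
list 110 denied udp 24.201.111.22(64717) -> 206.0.129.83(135), 1 packet 2003-04-01 20:12:17  Local4.Info  206.0.129.1  302
list 110 denied udp 24.201.111.22(72822) -> 206.0.129.83(137), 1 packet 2003-04-01 20:12:28  Local4.Info  206.0.129.1  303
"""

# The IDS lines carry no date; this value is an assumption taken from the router log.
ASSUMED_IDS_DATE = "2003-04-01"

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# tcpdump-style sensor line: "HH:MM:SS.frac src.port > dst.port: proto len (DF)"
IDS_RE = re.compile(
    rf"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>{IPV4})\.(?P<sport>\d+)\s+>\s+"
    rf"(?P<dst>{IPV4})\.(?P<dport>\d+):\s+(?P<proto>tcp|udp)\b"
)
# router ACL line: "list N denied proto src(port) -> dst(port), N packet(s) DATE TIME ..."
ROUTER_RE = re.compile(
    rf"^list\s+(?P<acl>\d+)\s+(?P<action>denied|permitted)\s+(?P<proto>tcp|udp|icmp)\s+"
    rf"(?P<src>{IPV4})\((?P<sport>\d+)\)\s+->\s+(?P<dst>{IPV4})\((?P<dport>\d+)\),\s+"
    rf"\d+\s+packets?\s+(?P<date>\d{{4}}-\d\d-\d\d)\s+(?P<time>\d\d:\d\d:\d\d)"
)


@dataclass
class Event:
    date: str
    time: str
    source: str   # "ids" or "router"
    action: str   # "seen" for the sensor, the ACL verdict for the router
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_ids(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            events.append(Event(ASSUMED_IDS_DATE, m["time"], "ids", "seen", m["proto"],
                                m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return events


def parse_router(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = ROUTER_RE.match(line)
        if m:
            events.append(Event(m["date"], m["time"], "router", m["action"], m["proto"],
                                m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return events


def timeline(events: list) -> list:
    """Events in chronological order; the zero-padded strings sort lexically."""
    return sorted(events, key=lambda e: (e.date, e.time))


def ports_probed(events: list, src: str) -> list:
    """Distinct (proto, dport) pairs one source address touched, sorted."""
    return sorted({(e.proto, e.dport) for e in events if e.src == src})


def anomalies(events: list) -> list:
    """Entries an analyst should verify before building conclusions on them."""
    notes = []
    by_client = {}
    for e in events:
        for label, port in (("source", e.sport), ("destination", e.dport)):
            if not 1 <= port <= 65535:
                notes.append(f"{e.source}: {label} port {port} is impossible; "
                             f"treat this line as malformed or mistranscribed")
        key = (e.source, e.src, e.proto, e.sport, e.date, e.time)
        by_client.setdefault(key, set()).add(e.dport)
    for (source, src, proto, sport, _date, time), dports in by_client.items():
        if len(dports) > 1:
            notes.append(f"{source}: {src} reused {proto} source port {sport} against "
                         f"ports {sorted(dports)} at {time}; check the sensor transcript")
    return notes


def analyze(ids_text: str, router_text: str, src: str) -> dict:
    events = parse_ids(ids_text) + parse_router(router_text)
    return {"timeline": timeline(events),
            "ports": ports_probed(events, src),
            "anomalies": anomalies(events)}


if __name__ == "__main__":
    result = analyze(IDS_LINES, ROUTER_LINES, "24.201.111.22")
    for e in result["timeline"]:
        print(f"{e.date} {e.time:<15} {e.source:<6} {e.action:<7} {e.proto} "
              f"{e.src}:{e.sport} -> {e.dst}:{e.dport}")
    print("ports probed:", result["ports"])
    for note in result["anomalies"]:
        print("note:", note)
```

The two flagged entries matter for the report: a source port of 72822 cannot have been on the wire, so either the router's logging or the transcript is unreliable for that line, and a sensor showing one client port hitting two destinations in the same instant is worth confirming against the raw capture before it is cited as evidence of a scan.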

C. Packet capture from a running sniffer:

4/01-20:49:39.854010  0:25:24:8B:BB:33  ->  0:25:24:5C:9F:B2
type:0x800 len:0x45E
24.201.111.22:2861  ->  206.0.129.83:958  UDP  TTL:64
TOS:0x0  ID:22013  IpLen:20  DgmLen:1104
Len: 1084
63 B6 C9 4F 00 00 00 00 00 00 00 02 00 01 86 B8     c..0............
00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 20        ...............
3D 03 DC FE )) )) )) 09 6C 6F 63 61 6C 68 6F 73      =.......localhos
74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00        t..............
00 00 00 00 00 00 00 00 00 00 03 E7 1* F7 FF BF      ...............
-- snipped--
1A F7 FF BF 1B F7 FF BF 1B F7 FF BF 25 38 78 25 ..........%8x%
38 78 25 38 78 25 38 78 25 38 78 25 38 78 25 38 78    8x%8x%8x%8x%
-- snipped--
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ...............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90    ...............
-- snipped--
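The datagram above goes to 958/udp, which is not a well-known port and on its own says little: Sun RPC services are registered on whatever port the portmapper hands out, so the service has to be read from the payload itself, or confirmed live with rpcinfo -p against the host if its portmapper is reachable. The following is an added example, not part of the contest page or its evidence, that decodes the RPC call header from the first 36 bytes transcribed from the dump (the first two hex lines plus the first four bytes of the third; the rest of that line is garbled in this copy) and then scans later fragments of the same dump for the three patterns a practitioner would note: repeated printf conversion specifiers, a run of 0x90 bytes, and little-endian words in the 0xbfff0000-0xbfffffff range. Those fragments are transcribed from the page's snipped lines and placed end to end, so their offsets are constructed rather than original; the program-number table is an assumed subset of well-known ONC RPC numbers, and treating the 0xbfff... range as the i386 Linux user stack is an assumption about the victim's platform.

```python
import re
import struct

# First 36 bytes of the UDP payload, transcribed from the first two hex
# lines of the capture in III.C plus the first four bytes of the third.
PAYLOAD_HEAD = bytes.fromhex(
    "63B6C94F 00000000 00000002 000186B8"
    "00000001 00000001 00000001 00000020"
    "3D03DCFE"
)

# Later fragments of the same dump placed end to end: three little-endian
# words, eight "%8x" conversions and part of the 0x90 run. The bytes the
# page snips between them are missing, so offsets here are constructed.
PAYLOAD_TAIL = (
    bytes.fromhex("1AF7FFBF 1BF7FFBF 1BF7FFBF")
    + b"%8x" * 8
    + b"\x90" * 48
)

# Assumed subset of well-known ONC RPC program numbers, enough for triage.
RPC_PROGRAMS = {
    100000: "portmapper",
    100003: "nfs",
    100005: "mountd",
    100021: "nlockmgr",
    100024: "status (rpc.statd)",
}
AUTH_FLAVORS = {0: "AUTH_NULL", 1: "AUTH_UNIX", 2: "AUTH_SHORT"}


def decode_rpc_call(buf: bytes) -> dict:
    """Decode the fixed part of a Sun RPC CALL (RFC 1831): xid, msg type,
    RPC version, program, version, procedure, then the credential flavor,
    its length and, for AUTH_UNIX, the stamp that opens the cred body."""
    if len(buf) < 36:
        raise ValueError("need at least 36 bytes for the call header")
    xid, mtype, rpcvers, prog, vers, proc, flavor, cred_len, first = struct.unpack("!9I", buf[:36])
    if mtype != 0:
        raise ValueError(f"msg_type {mtype} is not CALL")
    if rpcvers != 2:
        raise ValueError(f"unsupported RPC version {rpcvers}")
    hdr = {
        "xid": xid,
        "program": prog,
        "program_name": RPC_PROGRAMS.get(prog, "unknown"),
        "version": vers,
        "procedure": proc,
        "auth_flavor": AUTH_FLAVORS.get(flavor, f"flavor {flavor}"),
        "cred_len": cred_len,
    }
    if flavor == 1:
        hdr["stamp"] = first
    return hdr


SPEC = rb"%\d*[xXnsp]"                      # one printf conversion specifier
FORMAT_RUN = re.compile(rb"(?:" + SPEC + rb")+")


def format_string_run(buf: bytes) -> int:
    """Length of the longest run of back-to-back printf conversions."""
    return max((len(re.findall(SPEC, m.group(0))) for m in FORMAT_RUN.finditer(buf)), default=0)


def longest_nop_sled(buf: bytes) -> int:
    """Length of the longest run of 0x90 (i386 NOP)."""
    return max((len(m.group(0)) for m in re.finditer(rb"\x90+", buf)), default=0)


def stack_pointers(buf: bytes) -> list:
    """Little-endian words in 0xbfff0000-0xbfffffff at any byte offset,
    assumed here to be the i386 Linux user-stack range of the period."""
    return [w for (w,) in (struct.unpack_from("<I", buf, i) for i in range(len(buf) - 3))
            if 0xBFFF0000 <= w <= 0xBFFFFFFF]


def triage(head: bytes, tail: bytes) -> dict:
    """Header decode plus the payload observations worth putting in a report."""
    hdr = decode_rpc_call(head)
    findings = [f"RPC CALL to program {hdr['program']} ({hdr['program_name']}) "
                f"v{hdr['version']} proc {hdr['procedure']} with {hdr['auth_flavor']} creds"]
    n = format_string_run(tail)
    if n >= 4:
        findings.append(f"{n} consecutive printf conversions in the argument data")
    sled = longest_nop_sled(tail)
    if sled >= 16:
        findings.append(f"{sled}-byte 0x90 run (NOP sled)")
    ptrs = stack_pointers(tail)
    if ptrs:
        findings.append("stack-range addresses embedded: " + ", ".join(hex(p) for p in ptrs))
    return {"header": hdr, "findings": findings}


if __name__ == "__main__":
    result = triage(PAYLOAD_HEAD, PAYLOAD_TAIL)
    for k, v in result["header"].items():
        print(f"{k:>13}: {v:#x}" if isinstance(v, int) else f"{k:>13}: {v}")
    for f in result["findings"]:
        print("finding:", f)
```

The header decode is the part that substantiates the target: the program number in the fourth word is 100024, and the procedure and credential fields say how the call was framed. The payload scans only report what the bytes contain; whether the combination of a long conversion-specifier run, a NOP sled and stack addresses in the argument of that procedure explains the compromise is the question the contest asks the reader to argue.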
 

IV. Forensic Analysis
(Answer these as completely as you can in your forensic solution. First place goes to the first most correct analysis; all other correct analyses will be entered in a drawing at the end of the month.)

  1. What happened to the web server, and how did the attack take place (i.e. what steps were taken)?

  2. What sort of vulnerability or exploit may have been involved?

  3. What steps can be taken to substantiate the attack type?

  4. What steps should be taken to mitigate an attack of this type?

Contest Details

Your contest entry is FREE. Only your first submission will count.