www.TigerTools.net, Tiger Box

March '03 Forensic Challenge Contest

(Level: easy/moderate)

I. Alert

Given: It's 4:30a on May 20, 2002 and Sara Jones (Dev HQ IT manager) received an alert from her old--but trusted--WebXray station. The pager alert heading indicated the PoserToo server was not responding.

As Sara struggled to change her clothes this early in the morning she received more pages indicating several servers were failing to respond--looked like all servers on Network_1. An additional page indicated Network_1 was reporting upwards to 95% congestion.

Sara contacted her assistant that lives a block away from Dev HQ. While driving to the office, her assistant informed her that for some reason he cannot access the SQL database from Access Workflow Designer on PoserToo and the server was sluggish as well.

II. Background Information

Given: Poser Entertainment is an experienced and successful game publisher with over 6 years of publishing worldwide. With well-established international business relations, the company makes considerable steps towards distributing the most recognizable gaming brands all over the world.

Sara provided an overview of the Dev HQ portion of their network diagram here.

III. Evidence

Given: Interesting snippets of details Sara put together for you to interpret.

A. The only interesting event from a log via Event Viewer on PoserToo:

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 6004
Date:  5/20/2002
Time:  3:26:04 AM
User:  N/A
Computer: TOO-9J81ON
Description:
The DNS server received a zone transfer request from 12.211.176.227 for a non-existent or non-authoritative zone deadzonne.com.

B. Last known ports WebXray monitored on PoserToo:

53/tcp
80/tcp
88/tcp
135/tcp
139/tcp
389/tcp
443/tcp
464/tcp
593/tcp
636/tcp
1433/tcp

C. Output from the TigerSim Virtual Server Simulator operating as a Honeypot:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; .NET CLR 1.0.3705)
Host: 12.211.176.91
Connection: Keep-Alive
Connect: /index.asp_vti_bin/owssvr.dll
Connect: /siteadmin.asp
Connect: /SiteAdmin.asp?pass=1
Connect: /SiteAdmin.asp?UserSiteId=272
Connect: /admin/login.asp
Connect: //sqlexec/.../exec
Host: 12.211.176.89
Connection: Keep-Alive
Connect: //transfer/.../failed
Host: 12.211.176.89
Connection: Keep-Alive
Connect: //transfer/.../failed
Host: 12.211.176.89
Connection: Keep-Alive

D. Internet router configuration provided here.

IV. Forensic Analysis
(Answer these as best and complete as you can for your forensic solution. First place for the first most correct analysis, all other correct analyses will be entered in a drawing at the end of the month.)

What happened to PoserToo and how did the congestion on Network_1 take affect (i.e. what steps were taken)?
What vulnerability or exploit may have been involved?
What next steps can be taken to substantiate the attack type in #2 above?

Contest Details

March '03 Solution

Your March contest entry is FREE. Only your first submission will count.