We had a significant and enthusiastic response to our
first monthly forensic challenge from participants of several countries
around the globe. Be sure to enter this month at
http://www.tigertools.net/contest.htm and remember, as the challenges
become more difficult the prizes become more desirable.
February Forensic Challenge (Level: easy)
Link:
http://www.tigertools.net/febcontest.htm
<> February Solution
Based on evidence in the log entries from the attack, the actual
penetration of Northlup, Inc’s Intranet took place on January 5, 2003 at
12:30. Taking into account the given company network diagram, Internet
router configuration, and Intranet server’s log entries, the best choice
for the exploit used in the attack is based on the IIS directory traversal
vulnerability (i.e. Unicode Web Traversal exploit used in Sadmind/IIS
Worm). The attack can lead to unauthorized access on Windows systems
and--depending on the exploit--unauthorized root access on Solaris
systems. The Sadmind/IIS worm uses the Solstice sadmind program buffer
overflow vulnerability to infect Solaris systems and, subsequently, to try
to infect Microsoft systems running IIS. Upon successful infection of a
Solaris system, the worm causes the Solaris system to actively try to
infect other Solaris systems and to attack Microsoft systems running IIS.
The infected Solaris system may contain entries similar to the following
in the syslog:
May 15 00:30:01 carrier.example.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May 15 00:30:01 carrier.example.com last message repeated 1 time
May 15 00:30:06 carrier.example.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 15 00:30:08 carrier.example.com inetd[139]: /usr/sbin/sadmind: Hangup
May 15 00:30:08 carrier.example.com last message repeated 1 time
May 7 02:44:14 carrier.example.com inetd[139]: /usr/sbin/sadmind: Killed
An infected Solaris system may also be listening on TCP port 600, running an
associated script process, and have the following directories: /dev/cub and /dev/cuc.
A successfully compromised Windows system may contain log entries similar
to the following:
2002-02-06 12:30:10 10.0.0.0 - 10.10.10.10 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2002-02-06 12:30:10 10.0.0.0 - 10.10.10.10 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2002-02-06 12:30:10 10.0.0.0 - 10.10.10.10 80 GET /scripts/root.exe /c+echo+<HTML code inserted here>.././index.asp 502 -
Consequently, the web page of the infected Windows machine will likely be
defaced with a message. Although the attack could have originated from a
remote intruder who infiltrated a local workstation, or who modified log
entries and/or spoofed addresses to appear local, based on the given evidence
the attack was initiated from a local St. Louis workstation using the IP
address 172.16.0.80.
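The two kinds of evidence quoted above (the Solaris syslog entries and the IIS web log entries) can be checked mechanically. The script below is an added example written for this newsletter, not code from the challenge or from any vendor; the log lines it scans are constructed to resemble the entries quoted in the solution, the W3C field order (date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)) is assumed, and the percent-decoding of overlong 0xC0/0xC1 sequences is a simplified model of the flaw, not a reimplementation of the IIS decoder. It flags requests whose decoded path climbs above the web root, requests whose encoding hides a path separator, and requests for cmd.exe or root.exe, then pivots on the client address the way the solution pivots to 172.16.0.80; for the Solaris side it lists sadmind crashes recorded by inetd.

```python
import re
from typing import Optional

# Assumed W3C extended field order for the constructed sample log.
FIELDS = ["date", "time", "c_ip", "username", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status", "user_agent"]
PCT = re.compile(r"%([0-9a-fA-F]{2})")
SUSPECT_BINARIES = ("cmd.exe", "root.exe")


def decode_iis_path(raw: str) -> str:
    """Percent-decode a URI stem; an overlong pair with lead byte 0xC0/0xC1 is
    mapped to the ASCII character it encodes ('..%c0%af' becomes '../').
    Simplified model of the traversal flaw, used only for detection."""
    out, i = [], 0
    while i < len(raw):
        m = PCT.match(raw, i)
        if not m:
            out.append(raw[i])
            i += 1
            continue
        b1, i = int(m.group(1), 16), m.end()
        if b1 in (0xC0, 0xC1):
            m2 = PCT.match(raw, i)
            if m2:
                b2, i = int(m2.group(1), 16), m2.end()
                out.append(chr(((b1 & 0x1F) << 6) | (b2 & 0x3F)))
                continue
        out.append(chr(b1))
    return "".join(out)


def escapes_webroot(path: str) -> bool:
    """True if '..' segments climb above the root of the request path."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def parse_iis_line(line: str) -> Optional[dict]:
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(line: str) -> Optional[dict]:
    """Return a finding for one IIS log line, or None if nothing stands out."""
    rec = parse_iis_line(line)
    if rec is None:
        return None
    raw = rec["uri_stem"]
    decoded = decode_iis_path(raw)
    reasons = []
    if escapes_webroot(decoded):
        reasons.append("traversal outside web root")
    if decoded.count("/") + decoded.count("\\") > raw.count("/") + raw.count("\\"):
        reasons.append("percent-encoded path separator")
    for name in SUSPECT_BINARIES:
        if decoded.lower().endswith(name):
            reasons.append("request for " + name)
    if not reasons:
        return None
    return {"when": rec["date"] + " " + rec["time"], "c_ip": rec["c_ip"],
            "status": rec["status"], "decoded": decoded, "reasons": reasons}


def scan_iis(log_text: str) -> list:
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


def attacker_sources(hits: list) -> list:
    """Distinct client addresses behind the findings (the pivot to the station)."""
    return sorted({h["c_ip"] for h in hits})


# Solaris side: inetd logging sadmind crashes is the syslog indicator quoted above.
SADMIND_CRASH = re.compile(r"inetd\[\d+\]: /usr/sbin/sadmind: (Bus Error|Segmentation Fault)")


def sadmind_crashes(syslog_text: str) -> list:
    """(host, cause) for every sadmind crash that inetd recorded."""
    found = []
    for line in syslog_text.splitlines():
        m = SADMIND_CRASH.search(line)
        if m:
            found.append((line.split()[3], m.group(1)))
    return found


# Constructed sample input, modelled on the entries quoted in the solution.
SAMPLE_IIS_LOG = """\
2002-02-06 12:29:55 10.0.0.5 - 10.10.10.10 80 GET /index.asp - 200 -
2002-02-06 12:30:10 10.0.0.0 - 10.10.10.10 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2002-02-06 12:30:10 10.0.0.0 - 10.10.10.10 80 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir 200 -
2002-02-06 12:30:11 10.0.0.0 - 10.10.10.10 80 GET /scripts/root.exe /c+dir 502 -
"""
SAMPLE_SYSLOG = """\
May 15 00:30:01 carrier.example.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May 15 00:30:01 carrier.example.com last message repeated 1 time
May 15 00:30:06 carrier.example.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 15 00:30:08 carrier.example.com inetd[139]: /usr/sbin/sadmind: Hangup
"""

if __name__ == "__main__":
    for hit in scan_iis(SAMPLE_IIS_LOG):
        print(hit["when"], hit["c_ip"], hit["status"], hit["decoded"], "; ".join(hit["reasons"]))
    print("sources:", attacker_sources(scan_iis(SAMPLE_IIS_LOG)))
    print("sadmind crashes:", sadmind_crashes(SAMPLE_SYSLOG))
```

Run it against an exported W3C log by replacing SAMPLE_IIS_LOG with the file contents; the decoded path is reported alongside the raw request so an analyst can see what the server would actually have executed rather than what the attacker typed. The 502 status on the root.exe requests is worth keeping in the findings: it is consistent with the command shell having been copied and run rather than merely probed for.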
Countermeasure:
Both Sun and Microsoft have released patches for this vulnerability. Use
an up-to-date antivirus program to scan the system. If the system is not
infected, apply the appropriate patch for the operating system/IIS. If a
machine has been infected, use the antivirus program to identify infected
files, and then remove the files. Also scan the system for other potential
malicious code that could have been applied in the wake of such an attack.
The effects of this vulnerability can be limited (not necessarily avoided)
by employing sound filtering procedures. Use a firewall (or router capable
of port filtering) to block unnecessary and unwanted access to the system.
<> Results
Congratulations to February Forensic Challenge winners:
P. Stegmen
Dmitriy Mechislav
Joe Bernik
Patrick Lukasic