// Challenge 1 //
Michael
1. The Scenario
The challenge is based around the defacement of a web site belonging to a medium-sized public company. It was hosted on the company's own server and maintained by its IT department. A help desk employee was notified of the defacement on a Friday evening, and after confirming the incident, attempted to contact a list of IT department members, eventually getting hold of a junior technician. The technician in turn contacted his supervisor, who advised him to move the web server from the internal network to the DMZ and restore the site. The technician did this, using what appeared to be backup files left on the server by the person who defaced the site. The company's stock fell after the hack was discussed on a public message board.
We should also look at why the senior IT person wasn't motivated to deal with a serious incident in person, and why basic security wasn't implemented. Was he underpaid, under-trained or de-skilled? Or is the recruiting process flawed?
2.2 The DMZ
Another factor identified is that the web server wasn't already in the DMZ, where publicly-available resources should have been, but was on the company's internal network prior to the incident.
Although the events are listed as taking place sometime after the site was restored, they match the incident outlined in the scenario, so it's certain the attacker had also modified the times on the server logs, or possibly altered the system time. The log also shows the domain name of the attacker (chewie.hacker.fr) and the target (www.victim.com), the attacker's use of a Mozilla browser running on a Microsoft Windows 98 OS, and the operations performed. The first four entries show a request for cmd.exe residing in /scripts/../winnt/system32/, which allows the attacker to use a command shell to move between directories, list their contents and perform file operations. As the logs show, the attacker was using c+dir to probe volumes C:, D: and E:, and had settled on volume C:. Most of the requests returned status code 200, indicating they were successful, apart from the attempt to access volume E:, which could be unreachable over the Internet.
Having determined the contents of each volume, c+dir was used to search the /asfroot and /inetpub directories, where publicly-available web content would normally be placed. Another two entries (not shown here) reveal there was an attempt to download a file called mmc.gif. Both requests were rejected by the server.
After returning to volume D: and viewing a list of files available in the \wwwroot\ directory, the attacker visited the web pages buzzxyz.html, xyzBuzz3.swf and index.html.
The cmd.exe file also allowed a number of file operations. Here, detour.html was renamed detour.html.old, so it would be hidden from web browsers. Next, a directory called c:\ArA\ was created in volume C:, and the cmd.exe file was copied from /winnt/system32/ to that location and renamed cmd1.exe. This would allow the attacker to execute commands in future if access to the usual executable was revoked.
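As an added example (not part of the original write-up), a small Python triage script that applies the indicators described above to IIS-style log lines: it percent-decodes each requested path so encoded forms of the same traversal are caught as well, flags requests that step out of /scripts with ".." or name cmd.exe, and pulls out the command passed after /c. The log lines, hosts, dates and user agent are constructed for the example.

```python
import re
from urllib.parse import unquote, unquote_plus
# Constructed sample log lines in IIS W3C extended format, modelled on the
# request pattern described above. Hosts, dates and the user agent are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-04-13 21:02:11 10.1.2.3 GET /scripts/../winnt/system32/cmd.exe /c+dir+c:\\ 200 Mozilla/4.0+(Windows+98)
2001-04-13 21:02:20 10.1.2.3 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir+e:\\ 500 Mozilla/4.0+(Windows+98)
2001-04-13 21:05:40 10.1.2.3 GET /scripts/../winnt/system32/cmd.exe /c+copy+c:\\winnt\\system32\\cmd.exe+c:\\ArA\\cmd1.exe 200 Mozilla/4.0+(Windows+98)
2001-04-13 21:06:01 10.9.9.9 GET /index.html - 200 Mozilla/4.0+(Windows+98)
"""

TRAVERSAL = re.compile(r"\.\.[/\\]")          # "../" or "..\" anywhere in the path
SHELL = re.compile(r"[/\\]cmd\.exe$", re.I)   # request ends in cmd.exe

def parse_line(line):
    """Split one W3C log line into a dict; directives (#...) and blanks give None."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 8:
        return None
    keys = ("date", "time", "client", "method", "stem", "query", "status", "agent")
    return dict(zip(keys, parts))

def flag_request(rec):
    """Return the list of reasons this record looks like command-shell activity."""
    stem = unquote(rec["stem"])                 # undo %XX encoding before matching
    query = unquote_plus(rec["query"])          # '+' stands for a space in IIS query logs
    reasons = []
    if TRAVERSAL.search(stem):
        reasons.append("directory traversal in path")
    if SHELL.search(stem):
        reasons.append("command interpreter requested")
        if query.lower().startswith("/c "):
            reasons.append("command: " + query[3:])
    return reasons

def analyze(log_text):
    """Return (line_no, client, status, reasons) for every suspicious request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = flag_request(rec)
        if reasons:
            hits.append((n, rec["client"], rec["status"], reasons))
    return hits
```

Because the scenario notes the attacker tampered with log timestamps, the script reports the physical line number of each hit rather than trusting the recorded time for ordering.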
Using cmd.exe and the echo command, the attacker entered some HTML code and directed the output to a file called default.html in the recently created \ArA\ directory. This file would be rendered in a web browser as: