Putting It All Together
The initial objective was to determine whether or not an incident occurred. The volatile and nonvolatile data collected during the Windows live response indicates that an unauthorized intrusion did in fact occur. Figure 1-1 indicates the status of ongoing unauthorized network connections detected during the response.
Figure 1-1 Network Connections During Intrusion Response at 9:58PM on 1 October 2003
Although there were no Windows Security Event Logs, the IIS logs indicated that JBRWWW was scanned with a well-known Web scanning utility known as Nikto at 6:51:17PM on September 23, 2003, from IP address 220.127.116.11. Approximately 18 seconds prior to the scan, a default IIS Web page was accessed from the IP address 18.104.22.168. It is common before and after an attack for the intruder to check the status of the Web site by accessing such a page. This may indicate that the attacker had access or control of the system at 22.214.171.124 or perhaps was working with someone else who did.
Then on October 1, 2003, an attacker from IP address 126.96.36.199, possibly working in conjunction with 188.8.131.52, initiated a successful Unicode attack after failed ".printer" buffer overflow attempts.
Although the details haven’t been determined, it appears that the attackers were able to execute commands on JBRWWW via the IIS Unicode attack and establish an FTP session back to one of their systems. They were also able to install netcat and iroffer in the C:\WINNT\system32\os2\dll directory. Figure 1-2 shows a general sequence of the activity based on information collected during the response.
Figure 1-2 Timeline for October 1, 2003
Up to this point, we’ve conducted the initial system approach, identified an intrusion, and obtained a forensic image of the victim system. In Chapters 3, "Collecting Network-Based Evidence," and 4, "Analyzing Network-Based Evidence for a Windows Intrusion," we will analyze network traffic captured as part of this intrusion, and in Chapter 8, "Noncommercial-Based Forensic Duplications," we will perform a forensic analysis of the system. Combining these processes will help "fill in the gaps" and will play a critical role in subsequent incident response cycles such as containment and eradication.