Crackers, Admins, and Sploits... Oh My!


By Ed Skoudis

Dorothy was the web site administrator for the Kansas Company, whose main website was located at www.kansascorp.com.  To administer the site, Dorothy logged in using her trusty laptop computer, which she affectionately named Toto.  Dorothy carried Toto with her everywhere.

One night, Dorothy received an urgent phone call from her friend, L10n.  According to L10n, the main Kansas Company web site had been vandalized!  All of its normal content was removed and replaced with an attacker's message.  "I'm r-r-r-really scared about th-th-th-this attack," stuttered L10n.

From her office, which was directly connected to Kansas Company's internal network, Dorothy surfed to the website using her laptop, Toto.  In her browser, the website looked completely intact.  No changes were apparent.

Dorothy called two other friends, Scar3cr0w and T1nman, on the phone to help troubleshoot the problem.  When Scar3cr0w looked at the site using his own ISP, it appeared normal.  "This anomalous event is quite a conundrum," shouted Scar3cr0w.  On the other hand, her friend T1nman saw the defaced site.  "I'm so very sad about this web defacement," sobbed T1nman.  So, while L10n and T1nman could see the defaced page, Dorothy and Scar3cr0w saw the intact Kansas Company site.

To help make sense of this problem, Dorothy decided to access the web site using her dial-up ISP.  She disconnected Toto from the corporate internal network and used her modem to dial up the same ISP used by L10n and T1nman.  After her modem connected, she quickly typed www.kansascorp.com in her browser's location line, to reveal the following web page:

• Welcome to Oz!

• Defaced by the Tornado Crew

• And the Wicked Witch of the Web…

After seeing the defaced web site, Dorothy exclaimed to her laptop, "Toto, I have a feeling we're not in Kansas anymore!"

Dorothy disconnected her dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the web server.  She ran Tripwire against the entire web site, and it reported that every system file and all web content on the server matched her trusted baseline, so nothing on the server's disk had changed.  She even used the chkrootkit tool (free from http://www.chkrootkit.org/) to look for both traditional and kernel-level rootkits.  According to chkrootkit, no rootkits were present on the system.

Questions:

1) How had the Tornado Crew and the Wicked Witch accomplished this hack?

2) What system(s) had the attackers manipulated?

3) How can Dorothy verify your assertions for 1 and 2?

4) What should Dorothy do next to correct the problem?