
SKJ 4213

E-COMMERCE SECURITY

CASE STUDY 1 : THE FRENCH CONNECTION

GROUP 2

MEMBERS :
1) NURUL NAJIHAH BT ROHMAT (1130419)
2) NUR HANIS BT MOHAMAD RAFEE (1130437)
3) HALIMATUN SAADIAH BT AZIZAN (1130439)
4) NUR FATIN NAJIHAH BT YAACOB (1130440)
5) WAN NUR AZMINA BT WAN BASRI (1130441)

ANALYSIS :
After the attack, the IT staff researched Web defacement attacks and
discovered that the Web server they were running, Microsoft IIS, contained a
bug that easily allowed attackers to take control of the Web pages. The bug
the attacker exploited is the Web server file request parsing vulnerability,
listed in the CVE database as CVE-2000-0886. Because the server sat inside the
network when it was compromised, the attacker could also have planted backdoors
on other internal systems and obtained sensitive data and passwords.
To execute a command, the bug depends on being able to reach the system
shell, cmd.exe, through a Web request. The Web server log files record the
attacker's activity: the attacker first obtained directory listings of the
victim's machine.
The attacker then copied cmd.exe, renamed the copy cmd1.exe, and used it to
write the attack message, as in the log entry below (the entry is truncated in
the original):
03/03/2001 4:07 chewie.hacker.fr W3SVC1 WWW-2K WWW2K.victim.com 80 GET /scripts/../../ArA/cmd1.exe /c+echo+"<title>SKI</title><center><H1><b><u>****</u>SCRIPT+KIDZ,INC<u>****</u></h1><br><h2>You,+my+
The attacker made a backup of the original Web site before copying the
defaced page over the original. Based on the times in the log files, the attack
took only 10 minutes.
03/03/2001 4:10 chewie.hacker.fr W3SVC1 WWW-2K WWW2K.victim.com 80 GET /scripts/../../ArA/cmd1.exe /c+copy+c:\ArA\default.htm+d:\wwwroot\index.html 502 382 514 31 www.victim.com Mozilla/4.0+(compatibl

SUGGESTION :
The company can take several steps to deal with the incident and to prevent
the same problem from occurring again:
1) Disconnect the compromised Web server from the network.
2) Analyze the log files to determine whether, and how, the Web server was
accessed by the intruder. Examine the logs from the day of the attack and from
the two days before it, since the attacker's preparation (such as the directory
listings) may predate the defacement itself.
3) Check the Web server with a free file-integrity tool (Tripwire) to find
altered files or hidden malicious code. Such a tool can only report changes
against a baseline taken before the compromise, so the baseline must be created
when the server is built and kept off the server.
4) Do not delete or modify the files and data on the compromised Web server.
Instead, copy the contents of the compromised hard disk to another disk and do
the analysis on the copy, keeping the original as evidence.
5) Contact the ISP / CERT for further assistance.
6) Rebuild the Web server completely from scratch using the latest software and
patches, rather than trying to clean the compromised installation.
7) Assign a single person responsibility for maintaining the machine, so that
patching and monitoring are not left undone.
8) Hire an outside security firm to perform a security audit and check for any
deeper penetration of the network.
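The following is an added example, not part of the original case study, showing the kind of check a file-integrity tool such as Tripwire performs (suggestion 3), written out in plain Python so the mechanism is visible. A baseline of SHA-256 file hashes is taken from a clean Web root; after a simulated defacement the current tree is compared against it and modified, added and deleted files are reported. The directory layout, file contents and the deleted file are constructed for this example and are not taken from the case study's server.

```python
"""Added example (not from the original case study): a minimal file-integrity
check in the style of Tripwire.  Directory layout and file contents below are
constructed for the example."""
import hashlib
import os
import tempfile
from typing import Dict, Set, Tuple


def hash_tree(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline: Dict[str, str],
            current: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (modified, added, deleted) relative paths, baseline vs. current."""
    modified = {p for p in baseline.keys() & current.keys()
                if baseline[p] != current[p]}
    added = set(current) - set(baseline)
    deleted = set(baseline) - set(current)
    return modified, added, deleted


def simulate_defacement() -> Tuple[Set[str], Set[str], Set[str]]:
    """Build a clean Web root, baseline it, deface it as in the case study
    (renamed shell copied in, front page overwritten), plus one deletion to
    exercise that branch, then compare against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        write("wwwroot/index.html", b"<html>Welcome to victim.com</html>")
        write("wwwroot/products/list.html", b"<html>Products</html>")
        write("scripts/readme.txt", b"nothing here")
        # In practice the baseline is stored off the server, read-only.
        baseline = hash_tree(root)

        # Attacker activity (constructed): shell copied under a new name,
        # defaced page copied over the original, one file removed.
        write("ArA/cmd1.exe", b"MZ... (stand-in for a copied cmd.exe)")
        write("wwwroot/index.html", b"<h1>SCRIPT KIDZ, INC</h1>")
        os.remove(os.path.join(root, "scripts", "readme.txt"))

        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    modified, added, deleted = simulate_defacement()
    print("modified:", sorted(modified))
    print("added:   ", sorted(added))
    print("deleted: ", sorted(deleted))
```

Note that a baseline hashed after the intrusion would silently include cmd1.exe and the defaced index.html as "known good", which is why the baseline must be taken on the clean build and stored where the Web server process cannot alter it.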
ANSWER :
1. What vulnerability did the attacker exploit to compromise the Web server?
The attacker compromised the Web server through a file-name parsing flaw in
IIS: the Web server file request parsing vulnerability, listed in the CVE
database as CVE-2000-0886. A request for an executable whose path was followed
by operating system commands let the attacker run those commands on the
server.
2. What did the attacker do to try to obfuscate tracking?
The attacker copied cmd.exe, renamed the copy cmd1.exe, and issued all further
commands through cmd1.exe. Anyone searching the logs, or an intrusion detection
signature, for the usual cmd.exe pattern would not match these requests, so the
staff would first have to discover the attacker's new pattern before they could
follow the attack in the logs.
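The following is an added example, not part of the original case study, that ties together the log entries in the analysis, suggestion 2 (analyzing the log files) and answer 2 (the renamed cmd1.exe). It runs detection logic over IIS W3C-style log lines. The sample lines are constructed for this example (modelled on the page's two entries, with invented status and byte-count fields), and the field layout is assumed to be: date, time, client host, site, server name, server host, port, method, URI stem, URI query, status. The point it makes is that a search for the literal string "cmd.exe" misses the renamed cmd1.exe, whereas checking for the attack pattern itself (directory traversal plus an executable invoked with a /c command argument) catches both; the stem is %-decoded first so encoded traversal such as %2e%2e is also caught, which goes beyond the literal ../ the page shows.

```python
"""Added example (not from the original case study): detection logic over
constructed IIS W3C-style log lines.  Field layout is assumed, see lead-in."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log: a request using the real cmd.exe, the page's two
# cmd1.exe entries, and one ordinary request.  Status/byte fields invented.
SAMPLE_LOG = """\
03/03/2001 4:05 chewie.hacker.fr W3SVC1 WWW-2K WWW2K.victim.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c:\\ 200 1024 150 20
03/03/2001 4:07 chewie.hacker.fr W3SVC1 WWW-2K WWW2K.victim.com 80 GET /scripts/../../ArA/cmd1.exe /c+echo+"<title>SKI</title>" 502 382 514 31
03/03/2001 4:08 10.0.0.5 W3SVC1 WWW-2K WWW2K.victim.com 80 GET /products/index.html - 200 5120 300 12
03/03/2001 4:10 chewie.hacker.fr W3SVC1 WWW-2K WWW2K.victim.com 80 GET /scripts/../../ArA/cmd1.exe /c+copy+c:\\ArA\\default.htm+d:\\wwwroot\\index.html 502 382 514 31
"""

FIELDS = ["date", "time", "client", "site", "server", "host", "port",
          "method", "stem", "query", "status"]

# ".." as a complete path component (checked after %-decoding the stem)
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
# request names an executable and the query hands it a /c command string
EXECUTABLE = re.compile(r"\.(exe|com)$", re.IGNORECASE)
SHELL_SWITCH = re.compile(r"^/c(\+|$)", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into named fields; missing trailing fields are ''."""
    rec = {name: "" for name in FIELDS}
    rec.update(zip(FIELDS, line.split()))
    return rec


def naive_match(rec: Dict[str, str]) -> bool:
    """What a plain search for the well-known shell name would find."""
    return "cmd.exe" in rec["stem"].lower()


def attack_reasons(rec: Dict[str, str]) -> List[str]:
    """Pattern-based check that does not depend on the executable's name."""
    stem = unquote(rec["stem"])
    reasons: List[str] = []
    if TRAVERSAL.search(stem):
        reasons.append("directory traversal in URI stem")
    if EXECUTABLE.search(stem) and SHELL_SWITCH.match(rec["query"]):
        reasons.append("executable invoked with a /c command argument")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one report per suspicious line, carrying both detection results."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = attack_reasons(rec)
        naive = naive_match(rec)
        if reasons or naive:
            hits.append({"time": rec["time"], "client": rec["client"],
                         "stem": rec["stem"], "query": rec["query"],
                         "naive_cmd_exe_match": naive, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["stem"],
              "| cmd.exe search:", hit["naive_cmd_exe_match"],
              "| reasons:", hit["reasons"])
```

Running it flags the 4:05, 4:07 and 4:10 requests; only the first of these contains the literal "cmd.exe", so a log review based on that string alone would have missed the defacement itself. Requests that encode the traversal with IIS's overlong UTF-8 sequences (%c0%af) are not decoded to "/" by unquote and would need an additional byte-level check.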
