SQL Injection attack. These attacks are performed by inputing special characters such as the single quote (') character to get SQL to execute commands, other than the command intended by the web application.
>> 2) What was the real purpose of the first set of user input, and how does it function?
The purpose was to check to see if irsfile.asp was vulnerable to SQL injection attacks. The SQL command which was injected uses a stored procedure which executes a command using the Windows command shell. The command executed, ping, sends a icmp echo requests to a host at the 220.127.116.11 address. Trinity could monitor the network anywhere between the IRS web server and 18.104.22.168 and watch for ICMP echo request packets. If these packets were spotted, it would indicate the attack was successful. Since many firewalls are configured to allow outbound ICMP echo requests originating from the inside network, these type of packets were likely to reach their destination undetected.
It appears that the IP address in question hosts a website which belonged an ancient security expert known within the Matrix as Ed Scoudis. This website and software hadn't been updated since 2003, almost 200 years ago. With 200 years worth of security vulnerabilities, this host was likely controlled by a hacker.
3) What was the real purpose of the second user input, and how does it function?
The second injected command retrieves a list of users on the SQL database servers by appending extra statements at the end of the input field. The extra 1,'1',1,'1' is used to pad the query so that the UNION function will work properly against the table which stores the 'username' field.
4) What was the real purpose of the third user input, and how does it function?
The third injected command retrieves the phone number for each tax payer with the last name of 'Anderson' using the valid username of Trinity obtained from the 2nd injected command.