Digital Forensics Write-up — Web Server Case by Ali Hadi

A company’s web server has been breached through their website.

Questions

For this investigation, we’re asked to answer the following questions:

  1. How many users has the attacker(s) added to the box, and how were they added?
  2. What leftovers (files, tools, info, etc) did the attacker(s) leave behind? (assume our team arrived in time and the attacker(s) couldn’t clean and cover their tracks)
  3. What software has been installed on the box, and were they installed by the attacker(s) or not?
  4. Using memory forensics, can you identify the type of shell code used?
  5. What is the timeline analysis for all events that happened on the box?
  6. What is your hypothesis for the case, and what is your approach in solving it?

Tool-set

For the purpose of this write-up, I’m going to utilize the following set of tools:

  1. Autopsy (I prefer this for analysis)
  2. Registry Explorer by Eric Zimmerman
  3. Volatility
  4. Mft2Csv
  5. LogFileParser

Let’s Seek Some Solutions!

Focusing on the premise again — we know the box served as a server. Let’s analyze the system image in FTK Imager to see the filesystem and identify whether it’s a Windows or Linux-based machine.

The image is an NTFS-formatted Windows system, and the Apache logs sit under C:\xampp\apache\logs. The image also carries an Apache installation summary showing how the server was set up:

Installing Apache HTTP Server 2.x with
DomainName = example.com
ServerName = www.example.com
ServerAdmin = admin@example.com
ServerPort = 80
ServerSslPort = 443
ServerRoot = c:/Apache24

First, which IP addresses talked to the server, and how often:

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr

The requests from the most interesting address are then carved out into their own file and broken down by User-Agent (splitting on the double quote with -F\" makes the User-Agent the sixth field of a combined-format log line):

grep "192.168.56.102" access.log >> 192-168-56-102-access_log.log
cat 192-168-56-102-access_log.log | awk -F\" '{print $6}' | sort | uniq -c | sort -nr

The User-Agent breakdown shows sqlmap in use.

Exploit Public-Facing Application (T1190)

Since the rest of the User-Agents look generic, I'll pivot to the requests carrying the sqlmap User-Agent. After separating them from the main log file we have an even smaller dataset to work on, and the URI field of these requests clearly shows the injection attempts:
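As an added example (my own, not from the original write-up) of the log triage just described, the script below builds a six-line Apache combined-format log, constructed here rather than taken from the case image (it reuses the attacker address 192.168.56.102 and the /exec and /tmpukudk.php paths from the case), then counts requests per IP, breaks one address down by User-Agent, pulls out the sqlmap-tagged request lines with their percent-encoding undone, counts the ones carrying injection tokens, and lists the tmp<letters>.php paths that match the names sqlmap gives the PHP files it writes for --os-shell.

```shell
#!/bin/sh
# Added example: reproduces the access-log triage on a constructed log.
# The six lines below are made up for this example (combined log format,
# attacker address 192.168.56.102 as in the case); they are not copied
# from the case image.
LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
192.168.56.102 - - [02/Sep/2015:11:15:40 +0300] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.56.102 - - [02/Sep/2015:11:15:41 +0300] "GET /index.php?id=1%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.56.102 - - [02/Sep/2015:11:15:42 +0300] "GET /index.php?id=1%20UNION%20SELECT%201%2C2 HTTP/1.1" 200 640 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.56.102 - - [02/Sep/2015:11:25:03 +0300] "POST /tmpukudk.php HTTP/1.1" 200 88 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.56.1 - - [02/Sep/2015:09:04:35 +0300] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"
192.168.56.1 - - [02/Sep/2015:09:04:40 +0300] "POST /exec HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"
EOF

# Requests per source IP, busiest first: the page's first pipeline.
top_ips() { awk '{print $1}' "$LOG" | sort | uniq -c | sort -nr; }

# User-Agent breakdown for one source IP. Splitting on the double quote
# makes the User-Agent the sixth field of a combined-format line.
user_agents_for_ip() {
  awk -v ip="$1" -F'"' 'index($0, ip " ") == 1 {print $6}' "$LOG" |
    sort | uniq -c | sort -nr
}

# Request lines sent with the sqlmap User-Agent, with the common
# percent-encodings undone so the payloads read as SQL.
sqlmap_requests() {
  awk -F'"' 'tolower($6) ~ /sqlmap/ {print $2}' "$LOG" |
    sed -e "s/%27/'/g; s/%20/ /g; s/%3D/=/g; s/%2C/,/g"
}

# How many of those carry a classic injection token.
sqli_count() { sqlmap_requests | grep -Eic "union select|' and |' or |sleep\("; }

# Paths matching the tmp<letters>.php names sqlmap gives the PHP files it
# writes for --os-shell (tmpu... stager, tmpb... backdoor).
stager_files() {
  awk -F'"' '{print $2}' "$LOG" | grep -Eo '/tmp[a-z]+\.php' | sort -u
}

top_ips
user_agents_for_ip 192.168.56.102
sqlmap_requests
stager_files
```

The -F'"' split is the same trick as the awk -F\" command above; the sixth field is the User-Agent only for combined-format lines, so check the LogFormat directive in httpd.conf before trusting that column on a new server.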

The filtered requests show:

  • SQL injection attempts in the query strings
  • a file, /tmpukudk.php, delivered through the SQL injection
  • four tmp files created and then deleted via the command prompt
  • cross-site scripting (XSS) payloads
  • unrestricted file uploads that placed PHP web shells on the server
  • the commands executed, with proof that the attacker ran them
  • local file inclusion (LFI)
  • POST requests to the 'exec' endpoint, where the attacker must have sent input
  • cmd spawned from the web shell
volatility -f memdump.mem imageinfo
...
Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86
Number of Processors : 1
Image Type (Service Pack) : 1
Image date and time : 2015-09-03 10:04:05 UTC+0000
Image local date and time : 2015-09-03 03:04:05 -0700
...
volatility -f memdump.mem --profile=VistaSP1x86 pslist
volatility -f memdump.mem --profile=VistaSP1x86 psscan
volatility -f memdump.mem --profile=VistaSP1x86 pstree

pstree shows two 'cmd.exe' processes under explorer.exe (PID 816):

. 0x83e7b7f8:cmd.exe    612   816   1   72 2015-08-23 10:30:44 UTC+0000
. 0x84259100:cmd.exe   1972   816   1   19 2015-09-02 09:28:30 UTC+0000

volatility -f memdump.mem --profile=VistaSP1x86 cmdline
volatility -f memdump.mem --profile=VistaSP1x86 consoles
volatility -f memdump.mem --profile=VistaSP1x86 cmdscan

cmdscan recovers the following console history:
CommandProcess: csrss.exe Pid: 524
CommandHistory: 0x5a24708 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 17 LastAdded: 16 LastDisplayed: 16
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x2d8
Cmd #0 @ 0xe907c8: ipconfig
Cmd #1 @ 0xe91af8: cls
Cmd #2 @ 0xe91db0: ipconfig
Cmd #3 @ 0x5a34bd0: net user user1 user1 /add
Cmd #4 @ 0x5a34eb8: net user user1 root@psut /add
Cmd #5 @ 0x5a34c10: net user user1 Root@psut /add
Cmd #6 @ 0x5a24800: cls
Cmd #7 @ 0x5a34c58: net /?
Cmd #8 @ 0x5a34d88: net localgroup /?
Cmd #9 @ 0x5a34f48: net localgroup "Remote Desktop Users" user1 /add
Cmd #10 @ 0x5a34c70: net /?
Cmd #11 @ 0xe911b0: netsh /?
Cmd #12 @ 0xe907e8: netsh firewall /?
Cmd #13 @ 0xe91218: netsh firewall set service type = remotedesktop /?
Cmd #14 @ 0xe91288: netsh firewall set service type = remotedesktop enable
Cmd #15 @ 0xe91300: netsh firewall set service type=remotedesktop mode=enable
Cmd #16 @ 0xe91380: netsh firewall set service type=remotedesktop mode=enable scope=subnet
  • The attacker created the local account user1 with net user (three attempts, the last two with the passwords root@psut and Root@psut) and added it to the Remote Desktop Users group with net localgroup
  • The attacker then opened Remote Desktop in the Windows Firewall with netsh, finally restricting it to the local subnet (scope=subnet)
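The console history is the kind of artifact worth tagging mechanically once a dump holds several cmd.exe histories. The script below is an added example (mine, not part of the write-up or of Volatility): it strips Volatility 2 cmdscan output down to the typed commands, tags account creation (T1136), group-membership changes (T1098 Account Manipulation) and Windows Firewall changes (T1562.004) while ignoring the /? help lookups, and lists the account names passed to net user. The excerpt it runs on is retyped in cmdscan's format for the example and is not a copy from the image.

```shell
#!/bin/sh
# Added example: triage of Volatility 2 cmdscan output. The excerpt below
# is constructed in cmdscan's format for this example (the commands mirror
# the ones recovered above) and is not copied from the memory image.
CMDSCAN="$(mktemp)"
cat > "$CMDSCAN" <<'EOF'
CommandProcess: csrss.exe Pid: 524
CommandHistory: 0x5a24708 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 17 LastAdded: 16 LastDisplayed: 16
Cmd #0 @ 0xe907c8: ipconfig
Cmd #1 @ 0xe91af8: cls
Cmd #3 @ 0x5a34bd0: net user user1 user1 /add
Cmd #5 @ 0x5a34c10: net user user1 Root@psut /add
Cmd #9 @ 0x5a34f48: net localgroup "Remote Desktop Users" user1 /add
Cmd #12 @ 0xe907e8: netsh firewall /?
Cmd #14 @ 0xe91288: netsh firewall set service type = remotedesktop enable
Cmd #16 @ 0xe91380: netsh firewall set service type=remotedesktop mode=enable scope=subnet
EOF

# Keep only the typed command: drop the "Cmd #N @ 0xADDR: " prefix.
commands() { sed -n 's/^Cmd #[0-9]* @ 0x[0-9a-fA-F]*: //p' "$CMDSCAN"; }

# Tag one command with the ATT&CK technique it evidences. Help lookups
# (anything ending in /?) and plain recon such as ipconfig print nothing.
classify() {
  case "$1" in
    *"/?")                      ;;
    "net user "*" /add"*)       echo "T1136 create-account: $1" ;;
    "net localgroup "*" /add"*) echo "T1098 group-membership: $1" ;;
    "netsh firewall "*|"netsh advfirewall "*)
                                echo "T1562.004 firewall-change: $1" ;;
  esac
}

# Run every recovered command through classify.
triage() {
  commands | while IFS= read -r cmd; do classify "$cmd"; done
}

# Account names the attacker tried to create (third word of "net user X ... /add").
created_accounts() {
  commands | awk '$1 == "net" && $2 == "user" && $NF == "/add" {print $3}' | sort -u
}

count_findings() { triage | wc -l | tr -d ' '; }

triage
created_accounts
```

Run against the real cmdscan output by pointing CMDSCAN at the saved file; the same prefix-stripping works for consoles output once you keep only the Cmd lines.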

Command and Scripting Interpreter (T1059) — Execution

Account Creation (T1136) — Persistence

I've also extracted the registry hives and loaded them in Registry Explorer:

  • {Username}\Documents\NTUser.dat

Registry Explorer shows two users added at the same time, 'hacker' and 'user1'. The console history above only proves 'user1', so the next step is to look for 'hacker' in the memory of the web server process itself.
The two httpd.exe processes from pslist (the Apache parent and the multi-threaded child that serves requests):

httpd.exe   2796   2768     1     92 2015-08-23 10:32:21 UTC+0000
httpd.exe   2880   2796   155    483 2015-08-23 10:32:26 UTC+0000

volatility -f memdump.mem --profile=VistaSP1x86 memdump -p 2796 --dump-dir E:\
volatility -f memdump.mem --profile=VistaSP1x86 memdump -p 2880 --dump-dir E:\

Searching the dump of the second process (PID 2880) shows:

  • the same net commands being executed for the second account, hacker
  • the command-injection requests that carried them
  • the exploitation of the SQLi with sqlmap
  • tmpukudk.php, the dropper

Let’s Summarize it All

Question 1: two accounts, 'hacker' and 'user1', were added with net user from a shell reached through the website, and both were put in the Remote Desktop Users group. The attack vectors seen in the logs and memory:

  1. Command Injection
  2. Local File Inclusion
  3. Cross-site Scripting
  4. Unrestricted file uploads
  5. Web-shells
  6. Brute-forcing (not discussed above, but you can review the access logs for it)

Question 5, the timeline, built from the Mft2Csv output together with the access logs and memory artifacts above (dates are day/month/year):

  • 02/09/2015 09:04:35 — the 'exec' endpoint exploited by command injection, followed by net commands to create the users 'hacker' and 'user1' and add them to the Remote Desktop Users group
  • 02/09/2015 09:31:16 — LFI exploited to read administrator files, PHP configuration, and logs
  • 02/09/2015 10:49 — SQLi attacks
  • 02/09/2015 11:15:40 — sqlmap used to automate the SQLi attacks
  • 02/09/2015 11:25 — the droppers 'tmpukudk' and 'tmpbiwuc' written to the server (tmpu*/tmpb* is the naming sqlmap uses for its --os-shell stager and backdoor), which in turn drop web shells on the endpoint
  • 03/09/2015 07:14:41 — webshells.zip created on the system, containing more web shells, including C99
  • 03/09/2015 07:21:40 — the web shell accessed and used to run commands

Conclusion

The 'Web Server Case' was definitely interesting for learning and revising the analysis strategies you'd normally employ during an investigation. Download the files, review a write-up if you will, or get started on your own. If you do stumble, it's perfectly fine to seek help, and remember the technique for future use!
