Digital Forensics Write-up — Web Server Case by Ali Hadi

A company’s web server has been breached through their website. The case asks:

  1. What type of attacks has been performed on the box?
  2. How many users has the attacker(s) added to the box, and how were they added?
  3. What leftovers (files, tools, info, etc) did the attacker(s) leave behind? (assume our team arrived in time and the attacker(s) couldn’t clean and cover their tracks)
  4. What software has been installed on the box, and were they installed by the attacker(s) or not?
  5. Using memory forensics, can you identify the type of shell code used?
  6. What is the timeline analysis for all events that happened on the box?
  7. What is your hypothesis for the case, and what is your approach in solving it?

Tools used for the analysis:

  1. AccessData FTK Imager
  2. Autopsy (I prefer this for analysis)
  3. Registry Explorer by Eric Zimmerman
  4. Volatility
  5. Mft2Csv
  6. LogFileParser

Let’s Seek Some Solutions!

NTFS formatted filesystem with Windows
Apache Logs
Installing Apache HTTP Server 2.x with
DomainName =
ServerName =
ServerAdmin =
ServerPort = 80
ServerSslPort = 443
ServerRoot = c:/Apache24
cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr
IP addresses communicating with the server
grep "192.168.56.102" access.log >> 192-168-56-102-access_log.log
cat 192-168-56-102-access_log.log | awk -F'"' '{print $6}' | sort | uniq -c | sort -nr
Usage of SQLMAP
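The two pipelines above count source IPs and user-agents by hand. As an added example (not code from the write-up), the following Python does the same over constructed sample lines in Apache combined format and additionally flags the request shapes this case turns on: SQLi, LFI, a scanner user-agent and POSTs to the exec endpoint. The sample paths, sizes and timestamps are made up.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Deliberately simple detection patterns, run against the URL-decoded request line.
SQLI_RE = re.compile(r"(?i)('\s*(or|and)\s|\bunion\s+select\b|--\s|\bsleep\()")
LFI_RE = re.compile(r"(\.\./|php://|/etc/passwd)")
TOOL_UA_RE = re.compile(r"(?i)\b(sqlmap|nikto)\b")

# Constructed sample lines: the paths, sizes and timestamps are made up, not the case's real log.
SAMPLE_LOG = """\
192.168.56.102 - - [02/Sep/2015:07:10:41 -0700] "GET /login.php HTTP/1.1" 200 1289 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0"
192.168.56.102 - - [02/Sep/2015:09:31:16 -0700] "GET /view.php?page=../../../Apache24/conf/httpd.conf HTTP/1.1" 200 3211 "-" "Mozilla/5.0 Iceweasel/31.8.0"
192.168.56.102 - - [02/Sep/2015:10:49:03 -0700] "GET /sqli.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4570 "-" "Mozilla/5.0 Iceweasel/31.8.0"
192.168.56.102 - - [02/Sep/2015:11:15:40 -0700] "GET /sqli.php?id=1%20UNION%20SELECT%201,2-- HTTP/1.1" 200 4570 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.56.1 - - [02/Sep/2015:11:16:02 -0700] "GET /index.html HTTP/1.1" 200 45 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.168.56.102 - - [03/Sep/2015:07:21:40 -0700] "POST /exec HTTP/1.1" 200 512 "-" "Mozilla/5.0 Iceweasel/31.8.0"
"""

def parse_access_log(text):
    """Return one dict per well-formed combined-format line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def count_by(records, field):
    """Same result as: awk '{print $N}' | sort | uniq -c | sort -nr for that field."""
    return Counter(r[field] for r in records).most_common()

def flag_suspicious(records):
    """Return (ip, timestamp, reason) for requests matching the attack patterns seen in this case."""
    hits = []
    for r in records:
        req = unquote_plus(r["req"])
        checks = [
            ("scanner user-agent", TOOL_UA_RE.search(r["ua"])),
            ("sqli", SQLI_RE.search(req)),
            ("lfi", LFI_RE.search(req)),
            ("post to exec endpoint", req.startswith("POST /exec")),
        ]
        hits += [(r["ip"], r["ts"], name) for name, hit in checks if hit]
    return hits
```

The patterns are intentionally loose; on a real log, review the flagged lines rather than treating a match as proof.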

Exploit Public-Facing Application (T1190)

SQL Injection attempts
A file being dropped through the SQL injection vulnerability — /tmpukudk.php
Four tmp files being created and then deleted via the command prompt
XSS Vulnerabilities
Unrestricted file upload vulnerabilities show PHP based web shells
Commands executed
Proof the commands were executed by the attacker
Local File Inclusion
‘exec’ endpoint — POST requests show the attacker must’ve sent some input here
“cmd” spawned using the webshell
volatility -f memdump.mem imageinfo
Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86
Number of Processors : 1
Image Type (Service Pack) : 1
Image date and time : 2015-09-03 10:04:05 UTC+0000
Image local date and time : 2015-09-03 03:04:05 -0700
volatility -f memdump.mem --profile=VistaSP1x86 pslist
volatility -f memdump.mem --profile=VistaSP1x86 psscan
volatility -f memdump.mem --profile=VistaSP1x86 pstree
‘cmd.exe’ processes under explorer.exe
. 0x83e7b7f8:cmd.exe 612 816 1 72 2015-08-23 10:30:44 UTC+0000
. 0x84259100:cmd.exe 1972 816 1 19 2015-09-02 09:28:30 UTC+0000
volatility -f memdump.mem --profile=VistaSP1x86 cmdline
volatility -f memdump.mem --profile=VistaSP1x86 consoles
volatility -f memdump.mem --profile=VistaSP1x86 cmdscan
CommandProcess: csrss.exe Pid: 524
CommandHistory: 0x5a24708 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 17 LastAdded: 16 LastDisplayed: 16
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x2d8
Cmd #0 @ 0xe907c8: ipconfig
Cmd #1 @ 0xe91af8: cls
Cmd #2 @ 0xe91db0: ipconfig
Cmd #3 @ 0x5a34bd0: net user user1 user1 /add
Cmd #4 @ 0x5a34eb8: net user user1 root@psut /add
Cmd #5 @ 0x5a34c10: net user user1 Root@psut /add
Cmd #6 @ 0x5a24800: cls
Cmd #7 @ 0x5a34c58: net /?
Cmd #8 @ 0x5a34d88: net localgroup /?
Cmd #9 @ 0x5a34f48: net localgroup "Remote Desktop Users" user1 /add
Cmd #10 @ 0x5a34c70: net /?
Cmd #11 @ 0xe911b0: netsh /?
Cmd #12 @ 0xe907e8: netsh firewall /?
Cmd #13 @ 0xe91218: netsh firewall set service type = remotedesktop /?
Cmd #14 @ 0xe91288: netsh firewall set service type = remotedesktop enable
Cmd #15 @ 0xe91300: netsh firewall set service type=remotedesktop mode=enable
Cmd #16 @ 0xe91380: netsh firewall set service type=remotedesktop mode=enable scope=subnet
  • The attacker ran ipconfig to identify the IP address of the box
  • The attacker added the user user1 to the Remote Desktop Users group using net
  • The attacker configured the Windows Firewall to allow Remote Desktop from within the same subnet
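Reading 17 commands by eye works for one history block, but not across many dumps. As an added example (not part of the write-up), this Python parses the cmdscan text above into (command number, command) pairs and tags the account-creation, group-membership and firewall commands with their ATT&CK techniques; the rule regexes and the T1098/T1562.004 labels are my mapping, not the author's.

```python
import re

# Volatility cmdscan output from the page above (a subset of its 17 commands, quotes as plain ASCII).
CMDSCAN_OUTPUT = """\
CommandProcess: csrss.exe Pid: 524
CommandHistory: 0x5a24708 Application: cmd.exe Flags: Allocated, Reset
Cmd #0 @ 0xe907c8: ipconfig
Cmd #3 @ 0x5a34bd0: net user user1 user1 /add
Cmd #4 @ 0x5a34eb8: net user user1 root@psut /add
Cmd #5 @ 0x5a34c10: net user user1 Root@psut /add
Cmd #9 @ 0x5a34f48: net localgroup "Remote Desktop Users" user1 /add
Cmd #12 @ 0xe907e8: netsh firewall /?
Cmd #16 @ 0xe91380: netsh firewall set service type=remotedesktop mode=enable scope=subnet
"""

HDR_RE = re.compile(r"^CommandProcess: (?P<proc>\S+) Pid: (?P<pid>\d+)")
CMD_RE = re.compile(r"^Cmd #(?P<n>\d+) @ (?P<addr>0x[0-9a-f]+): (?P<cmd>.*)$")
# Command shapes the write-up ties to persistence and remote access, with the ATT&CK technique.
RULES = [
    ("T1136 account creation", re.compile(r"(?i)^net\s+user\s+(?P<user>\S+)\s+\S+\s+/add\b")),
    ("T1098 group membership change",
     re.compile(r'(?i)^net\s+localgroup\s+"?(?P<group>[^"]+?)"?\s+(?P<user>\S+)\s+/add\b')),
    ("T1562.004 firewall modification", re.compile(r"(?i)^netsh\s+(adv)?firewall\s.*\b(enable|allow)\b")),
]

def parse_cmdscan(text):
    """Return (process, pid, [(cmd_no, command), ...]) for one cmdscan history block."""
    proc, pid, cmds = None, None, []
    for line in text.splitlines():
        if h := HDR_RE.match(line):
            proc, pid = h["proc"], int(h["pid"])
        elif c := CMD_RE.match(line):
            cmds.append((int(c["n"]), c["cmd"].strip()))
    return proc, pid, cmds

def classify(cmds):
    """Tag each command that matches a rule; '/?' help lookups are skipped as non-actions."""
    findings = []
    for n, cmd in cmds:
        if cmd.endswith("/?"):
            continue
        for technique, rx in RULES:
            if m := rx.match(cmd):
                findings.append({"cmd_no": n, "technique": technique, **m.groupdict()})
    return findings

def added_users(findings):
    """Distinct account names the attacker tried to create (three attempts here, one user)."""
    return sorted({f["user"] for f in findings if f["technique"].startswith("T1136")})
```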

Command and Scripting Interpreter (T1059) — Execution

Account Creation (T1136) — Persistence

  • %SystemRoot%\System32\config
  • {Username}\Documents\NTUser.dat
Shows two users added at the same time — ‘hacker’ and ‘user1’ — we have proof of the user ‘user1’
httpd.exe 2796 2768 1 92 2015-08-23 10:32:21 UTC+0000
httpd.exe 2880 2796 155 483 2015-08-23 10:32:26 UTC+0000
volatility -f memdump.mem --profile=VistaSP1x86 memdump -p 2796 --dump-dir E:\
volatility -f memdump.mem --profile=VistaSP1x86 memdump -p 2880 --dump-dir E:\
Same commands being executed for the second account — hacker
Output from the second process’ dump
Command Injection
Exploitation of SQLi using SQLMAP
tmpukudk.php — the dropper

Let’s Summarize it All

  1. SQL Injection
  2. Command Injection
  3. Local File Inclusion
  4. Cross-site Scripting
  5. Unrestricted file uploads
  6. Web-shells
  7. Brute-forcing (haven’t discussed it but you can review access logs for it)
Output extracted from Mft2Csv
  • 02/09/2015 07:10:41 — Requests from the IP start coming in from the browser IceWeasel (typically installed on Kali Linux as well)
  • 02/09/2015 09:04:35 — ‘exec’ endpoint exploited by means of command injection attacks, followed by net commands to create the users ‘hacker’ and ‘user1’, then addition to the Remote Desktop Users group
  • 02/09/2015 09:31:16 — LFI vulnerability being exploited to access administrator files, PHP configurations, and logs
  • 02/09/2015 10:49 — SQLi attacks
  • 02/09/2015 11:15:40 — SQLmap being used to automate SQLi attacks
  • 02/09/2015 11:25 — Droppers ‘tmpukudk’ and ‘tmpbiwuc’ being dropped, which in turn drop webshells on the endpoint
  • 03/09/2015 07:14:41 — Creation of on the system which includes more command shells inside — including C99
  • 03/09/2015 07:21:40 — Access and run commands via the webshell
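The timeline mixes three clocks: Apache logs local time with an explicit offset, Volatility reports UTC, and the list above uses dd/mm/yyyy stamps. As an added example (not from the write-up), this Python normalises all three to UTC before sorting; that the dd/mm/yyyy stamps are local -0700 is an assumption, and the sample events are constructed.

```python
from datetime import datetime, timedelta, timezone

# The image's local time is -0700 (imageinfo output above). Apache stamps carry their own offset,
# Volatility reports UTC, and the dd/mm/yyyy stamps are ASSUMED here to be local time as well.
LOCAL_TZ = timezone(timedelta(hours=-7))

def to_utc(source, stamp):
    """Normalise a timestamp from one of the three artefact formats to an aware UTC datetime."""
    if source == "apache":                      # e.g. [02/Sep/2015:11:15:40 -0700]
        dt = datetime.strptime(stamp, "[%d/%b/%Y:%H:%M:%S %z]")
    elif source == "volatility":                # e.g. 2015-09-02 09:28:30 UTC+0000
        dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC%z")
    elif source == "mft":                       # e.g. 02/09/2015 04:25:00 (assumed local)
        dt = datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    else:
        raise ValueError(f"unknown source {source!r}")
    return dt.astimezone(timezone.utc)

def build_timeline(events):
    """Sort (source, stamp, description) triples into one UTC-ordered list."""
    return sorted((to_utc(s, t), s, d) for s, t, d in events)

# Constructed events: the cmd.exe stamp is the pstree value above, the rest are made up.
SAMPLE_EVENTS = [
    ("apache", "[02/Sep/2015:04:15:40 -0700]", "request with sqlmap user-agent"),
    ("volatility", "2015-09-02 09:28:30 UTC+0000", "cmd.exe (pid 1972) started"),
    ("mft", "02/09/2015 04:25:00", "tmpukudk.php created under the web root"),
    ("apache", "[02/Sep/2015:02:21:07 -0700]", "POST to the exec endpoint"),
]
```

Sorting the raw strings would have placed the 09:28:30 cmd.exe start after both 04:xx entries; after normalisation it lands between them.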




Syed Hasan
