Re: site compromised and httpd log analysis

On Wed, Jul 6, 2022 at 8:33 AM Yehuda Katz <yehuda@xxxxxxxxxx> wrote:
Your log doesn't start early enough. Someone uploaded a web shell (or found an existing web shell) to your server, possibly using an upload form that doesn't validate the input, then used that shell to run commands on your server.

Yes, that was not a very old log.

Here is another, older log paste: https://zerobin.net/?a4d9f5b146676594#hkpTU0ljaG5W0GUNVEsaYqvffQilrXavBmbK+V9mzUw=

Here is another log which starts earlier than the previous logs, which may help to investigate more.

I would consider your entire server to be compromised at this point since you have no record of what else the attacker could have done once they had a shell.

Yes, we took the server down and recreated the VM from an old backup. We also informed the developer/maintainer about this simple.shell execution and the need for regular patching of the PHP 7 version and the WordPress framework they used for hosting.

I would like to know what other details / analysis we need to perform to find out how the attacker got access, at what time the backdoor was installed, and through what vulnerability they exploited it?

I request your tips to investigate further, to find the root cause of this kind of attack, and how to prevent it in future.



Make sure that you do not allow users to upload files and then execute those files.

- Y

On Tue, Jul 5, 2022 at 9:53 PM KK CHN <kkchn.in@xxxxxxxxx> wrote:

One of the websites hosted by a customer on our Cloud infrastructure was compromised, and the attackers were able to replace the home page with their banner HTML page.

The log files output I have pasted above.

The site compromised was PHP 7 with MySQL.

From the above log, can someone point out what exactly happened and how they were able to deface the home page?

How can these attacks be prevented? What is the root cause of this vulnerability, and how did the attackers get access?

If any other logs or command-line outputs are required to trace this back, kindly let me know what other details I have to produce.

Kindly share your expertise in dealing with these kinds of attacks, tracing the root cause, and prevention measures to block this.

Regards,
Krish
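As an added example, not part of the thread above, here is one way to start the timeline analysis Krish asks for on the httpd access log: find the first request to any PHP script inside the WordPress upload directory (where a web server should only ever serve static files) and list the POST requests that preceded it, which are the likely upload. It assumes the Apache "combined" log format and the default /wp-content/uploads/ path; the log lines are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Apache/httpd "combined" access-log format (assumed; adjust LINE_RE for other formats).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Directories that should hold static files only; a script request here is suspicious.
UPLOAD_DIRS = ("/wp-content/uploads/",)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")

# Constructed sample log, not the real paste from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jul/2022:22:10:01 +0530] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jul/2022:22:11:42 +0530] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jul/2022:22:12:05 +0530] "GET /wp-content/uploads/2022/07/photo.jpg HTTP/1.1" 200 34211 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jul/2022:22:12:30 +0530] "GET /wp-content/uploads/2022/07/shell.php HTTP/1.1" 200 877 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jul/2022:22:13:02 +0530] "POST /wp-content/uploads/2022/07/shell.php?cmd=id HTTP/1.1" 200 142 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return ip, ts (aware datetime), method, path (no query string), status; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"), "path": m.group("target").split("?", 1)[0],
            "status": int(m.group("status"))}

def find_shell_candidates(log_text, window=timedelta(minutes=10)):
    """For each script requested under an upload directory: when it was first seen, by whom,
    how often it was hit, and which POSTs (possible upload requests) preceded it within `window`."""
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    recs.sort(key=lambda r: r["ts"])
    first = {}
    for r in recs:
        p = r["path"].lower()
        if p.endswith(SCRIPT_EXT) and p.startswith(UPLOAD_DIRS) and r["path"] not in first:
            prior = [x for x in recs if x["method"] == "POST" and r["ts"] - window <= x["ts"] < r["ts"]]
            first[r["path"]] = {"first_seen": r["ts"], "ip": r["ip"], "status": r["status"],
                                "hits": 0, "possible_upload": [(x["ts"], x["path"]) for x in prior]}
        if r["path"] in first:
            first[r["path"]]["hits"] += 1
    return first

if __name__ == "__main__":
    for path, info in find_shell_candidates(SAMPLE_LOG).items():
        print(path, "first seen", info["first_seen"], "from", info["ip"], "hits", info["hits"])
        for ts, p in info["possible_upload"]:
            print("   earlier POST (possible upload):", ts, p)
```

If the earliest script hit is at the very start of the file, the log does not reach back far enough and an older rotated log is needed, which is Yehuda's point above.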


