Re: site compromised and httpd log analysis

[Yehuda Katz <yehuda@xxxxxxxxxx>]

On Wed, Jul 6, 2022 at 9:08 AM KK CHN <kkchn.in@xxxxxxxxx> wrote:

On Wed, Jul 6, 2022 at 8:33 AM Yehuda Katz <yehuda@xxxxxxxxxx> wrote:

Your log doesn't start early enough. Someone uploaded a web shell (or found an existing web shell) to your server, possibly using an upload for that doesn't validate the input, then used that shell to run commands on your server.

Here is another old log  paste  https://zerobin.net/?a4d9f5b146676594#hkpTU0ljaG5W0GUNVEsaYqvffQilrXavBmbK+V9mzUw= 

I see an entry in that log file mentioning a web shell on June 19:

175.141.226.202 - - [19/Jun/2022:03:35:03 +0530] "GET /dashboard/upload/wordpdf/origiinal-shellbackdoor-anonymous-bypass-kak827j.php?path=/var/www/html HTTP/1.1"

You can see the same IP address added a second hidden shell (gel4y - an open-source hidden shell).

 

I would like to know what other details / analysis we need to perform to find out how the attacker got access and what time the backdoor was installed and through what vulnerability they exploited ?

I request your tips  to investigate further and to find the root cause of this kind of attack and how to prevent it in future..??

As I said before, you need to make sure your webserver will not try to execute files uploaded by users.

Since you mentioned Wordpress: Wordpress is well known for having this vulnerability because uploads are stored in a public location by default.

Make sure none of your plugins allow file uploads with unspecified extensions - for example, an upload form for pictures should check to make sure that what was uploaded is actually a picture before moving it to the wp-content/uploads directory.

You should also look into blocking execution of PHP and other scripts in the wp-content/uploads directory (and any other location an untrusted user may be able to upload to).

- Y