
Came in this morning just waiting for something to pop up to get my mind off this little heat wave.
First thing this morning I received another compromise and had an opportunity to do a little investigating.
The customer came to me stating that, after an email alerted him that his website had been compromised, he was able to identify a malicious file on his webserver and removed it. The next day the customer noticed that the file had reappeared, so he decided to query our service. After interviewing the customer, I requested his raw log files for parsing. This is where the fun begins.
After a quick parse of the log files for signatures related to recent trends, requests containing SQL injection, or any other malicious activity, I found a call to a malicious .php file. I documented the IP address, timestamp and name of the .php file and modified my parsing signatures to break this attack down further. Parsing on the .php file let me see, in the log files, the window between when the customer removed the .php file and when the attacker put it back. I used that to further parse the log files and identify the IP address that initiated the call to install the malicious .php file, both for the initial instance and for the second installation. With this information I widened my parsing to include every request made by that malicious IP address. Right before each call to the malicious .php file I found the request in which the attacker used a page within the customer's admin section to upload a .php file containing the code that installs all of the malicious .php files.
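The pivoting described above (signature hit, then the attacker's IP, then every request from that IP, then the admin upload that preceded each install) can be scripted. The following is an added example, not the author's parsing tool, and it runs over a handful of constructed Apache combined-format log lines; the paths `/images/z.php` and `/admin/upload.php`, the IP addresses and the signature list are all hypothetical stand-ins for whatever the real investigation turned up.

```python
import re
from datetime import datetime

# Constructed sample log (Apache combined format). Not from the original post:
# an attacker POSTs to an admin upload page, the dropped file is requested, the
# owner removes it (404), and the attacker re-uploads it the next day.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2009:08:01:12 -0500] "POST /admin/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2009:08:01:20 -0500] "GET /images/z.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2009:09:15:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2009:09:15:03 -0500] "GET /style.css HTTP/1.1" 200 220 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jul/2009:10:30:44 -0500] "GET /images/z.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jul/2009:10:31:02 -0500] "POST /admin/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jul/2009:10:31:09 -0500] "GET /images/z.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical signature: PHP served from directories that should only hold
# static content, or obvious SQL-injection fragments in the request.
SUSPICIOUS = re.compile(
    r"/(?:images|uploads|tmp)/[^/]+\.php$|(?:%27|'|union\s+select)", re.I
)


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        entries.append(d)
    return entries


def find_malicious_hits(entries):
    """Step 1: requests matching the signature set."""
    return [e for e in entries if SUSPICIOUS.search(e["path"])]


def requests_from(entries, ip):
    """Step 3: everything the attacker's IP did, in log order."""
    return [e for e in entries if e["ip"] == ip]


def reinstall_points(entries, path):
    """Step 2: times the file came back, i.e. a 200 for `path` after it had 404'd."""
    gone, points = False, []
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["path"] != path:
            continue
        if e["status"] == 404:
            gone = True
        elif e["status"] == 200 and gone:
            points.append(e["ts"])
            gone = False
    return points


def upload_before(entries, ip, before_ts):
    """Step 4: the last admin-area POST from `ip` before `before_ts` (the likely installer request)."""
    cands = [e for e in entries
             if e["ip"] == ip and e["method"] == "POST"
             and e["path"].startswith("/admin/") and e["ts"] < before_ts]
    return max(cands, key=lambda e: e["ts"]) if cands else None


def investigate(text):
    """Run the whole pivot and return the findings, or None if nothing matched."""
    entries = parse_log(text)
    hits = find_malicious_hits(entries)
    if not hits:
        return None
    first = min(hits, key=lambda e: e["ts"])
    ip, path = first["ip"], first["path"]
    reinstalls = reinstall_points(entries, path)
    return {
        "ip": ip,
        "path": path,
        "first_seen": first["ts"],
        "attacker_requests": requests_from(entries, ip),
        "reinstalls": reinstalls,
        "initial_upload": upload_before(entries, ip, first["ts"]),
        "reinstall_uploads": [upload_before(entries, ip, t) for t in reinstalls],
    }


if __name__ == "__main__":
    r = investigate(SAMPLE_LOG)
    print(f"malicious file {r['path']} first requested {r['first_seen']} by {r['ip']}")
    print(f"initial install request: {r['initial_upload']['method']} {r['initial_upload']['path']} at {r['initial_upload']['ts']}")
    for t, u in zip(r["reinstalls"], r["reinstall_uploads"]):
        print(f"file reappeared {t}; preceding upload at {u['ts']}")
```

The 404-then-200 transition is what marks the removal window in the log; anchoring the "which upload did it" question to the last admin POST from the same IP before each reappearance is the same reasoning as above, just made mechanical so it can be rerun on the full log rather than eyeballed.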
With all findings forwarded to him, the customer can now get in touch with his hosting company to secure the insecure section of his website.
There is really nothing out of the ordinary here, but it has been a while since I've had to do any investigating beyond looking at FTP logs and identifying the issue as Gumblar. It is nice to get back to using these skills to chase down legitimate webserver attacks. Work has slowly been picking back up and I hope these types of opportunities come in at a steady rate. The more of these, the faster the day seems to go by.
And on that note, time to go home.
