FILESYSTEM ANALYSIS

At this point, we know there are at least two pieces of malware that were likely installed around May 4, based on the bash histories. We also know that a new user with administrative privileges was created and that the attacker has attempted to crack additional passwords on the system. What we do not know yet is when the initial breach occurred and how.

Using our Python scripts from Chapter 5, the disk image is easily mounted on the forensics workstation. Once this is accomplished, running grep 1001 on the passwd file reveals that user ID 1001, which was used to launch one of the root shells, belongs to the michael user, whose real name is Michael Keaton.

Because the system was running a webserver, and the Weevely PHP backdoor was installed, it makes sense to have a look at the webserver logs for some possible insight into how the breach occurred. We do not know at this point if the breach was caused by a problem with the website, but it is certainly worth checking out.

The Apache webserver logs can be found in /var/log/apache2. The two primary log files are access.log and error.log, which store requests and errors, respectively. Both of these logs have the standard numbered archives. Examining the access logs shows that a rarely used, obscure page called dns-lookup.php was requested 51 times late on May 3. A look at the error logs reveals 19 errors logged around the same time. Some of these results are shown in Figure 9.18.

FIGURE 9.18

Evidence of an attack on the webserver.

Examination of the MySQL logs found in /var/log/mysql covering the same period of time reveals that they contain multiple errors. The zcat command was used to decompress the archived log files to standard output, which was then piped to egrep. The complete command used was zcat error.log.2.gz | egrep '(^150503)|(ERROR)'. The regular expression in the egrep command displays only lines that begin with the date code for May 3 (150503) or that contain the string ERROR. Partial results from this command are shown in Figure 9.19.

FIGURE 9.19

MySQL errors indicating a possible website attack.
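The webserver and MySQL log review described above can be scripted rather than done with grep by hand. The following is an added example, not code from the book or its companion scripts: it parses Apache access log lines and old-style MySQL error log lines, keeps only requests to one page on one date (by the same YYMMDD date code the egrep command uses) and only [ERROR] entries on that date, and lines the two up by hour. The log lines are constructed samples, not evidence from the case.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common/combined log: client, timestamp, request line, status code
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Older MySQL error log layout used on the page: YYMMDD HH:MM:SS [LEVEL] message
MYSQL_RE = re.compile(r'^(\d{6}) +(\d{1,2}:\d{2}:\d{2}) \[(\w+)\] (.*)$')

def parse_apache(lines):
    """Yield (timestamp, client, path, status) for each parseable access log line."""
    for line in lines:
        m = APACHE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            yield ts, m.group(1), m.group(4).split("?", 1)[0], int(m.group(5))  # path without query

def parse_mysql(lines, date_code, level="ERROR"):
    """Yield (timestamp, message) for entries on date_code (YYMMDD) at the given level: the page's egrep filter, with both conditions required."""
    for line in lines:
        m = MYSQL_RE.match(line)
        if m and m.group(1) == date_code and m.group(3) == level:
            yield datetime.strptime(f"{m.group(1)} {m.group(2)}", "%y%m%d %H:%M:%S"), m.group(4)

def hourly_activity(access_lines, mysql_lines, page, date_code):
    """Return {'YYYY-MM-DD HH:00': (requests to page, MySQL errors)} for one day, so a burst of hits on a rarely used page can be matched against database errors."""
    hits, errors = Counter(), Counter()
    for ts, _client, path, _status in parse_apache(access_lines):
        if path == page and ts.strftime("%y%m%d") == date_code:
            hits[ts.strftime("%Y-%m-%d %H:00")] += 1
    for ts, _msg in parse_mysql(mysql_lines, date_code):
        errors[ts.strftime("%Y-%m-%d %H:00")] += 1
    return {h: (hits[h], errors[h]) for h in sorted(set(hits) | set(errors))}

# Constructed sample lines (not from the case): a burst of requests to
# dns-lookup.php late on May 3, with MySQL errors logged at the same time.
SAMPLE_ACCESS = [
    '10.0.0.5 - - [03/May/2015:23:41:02 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '10.0.0.5 - - [03/May/2015:23:42:10 +0000] "GET /dns-lookup.php?host=a.example HTTP/1.1" 200 512',
    '10.0.0.5 - - [03/May/2015:23:42:31 +0000] "GET /dns-lookup.php?host=b.example HTTP/1.1" 500 312',
    '10.0.0.5 - - [03/May/2015:23:43:05 +0000] "GET /dns-lookup.php?host=c.example HTTP/1.1" 500 312',
    '192.0.2.9 - - [04/May/2015:00:15:00 +0000] "GET /dns-lookup.php?host=d.example HTTP/1.1" 200 512',
]
SAMPLE_MYSQL = [
    "150503 23:42:32 [ERROR] mysqld: Incorrect information in file './webdb/dns.frm'",
    "150503 23:43:06 [ERROR] mysqld: Incorrect information in file './webdb/dns.frm'",
    "150503 23:50:00 [Note] mysqld: ready for connections.",
    "150504  0:15:01 [ERROR] mysqld: Incorrect information in file './webdb/dns.frm'",
]
```

On a real image, feed it the lines of access.log and the MySQL error.log (opening the numbered .gz archives with gzip.open) together with the page name and date code from the case; a single hour showing both a spike in requests and a cluster of errors is the window to examine first.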

Memory analysis revealed the existence of a hidden directory /usr/local/mysql/.hacked. Issuing the command ls -al from the /usr/local/mysql directory reveals several interesting things. There is another hidden directory, /usr/local/mysql/.weevely, that was created shortly after the suspicious web activity occurred on May 3. Immediately after the webserver attack, .bashrc and .bash_logout files were created in the /usr/local/mysql directory. A .bash_history file in the same directory reveals the installation of the weevely backdoor with a password of “hacked”. These results are displayed in Figure 9.20.

FIGURE 9.20

Evidence of the installation of the weevely PHP SSH backdoor.
