SUMMARY OF FINDINGS AND NEXT STEPS
You are now ready to write up your report for PAS. Your report should normally include an executive summary of less than a page, a narrative that is free of unexplained technical jargon, and concrete recommendations and next steps (possibly with priority levels if it makes sense). Any raw tool outputs should be included in an appendix or appendices at the end of the report, if at all. It might make sense to burn all of this (the report, the tool outputs, and your database files) to a DVD.
What should you do with the subject hard drive and your image? That depends on the situation. In this case there is very little chance of ever finding the attacker. Even if the attacker were found, he or she would quite possibly be in a jurisdiction that would make prosecution difficult or impossible. Even if this were not the case, a lawsuit might be a bad business decision given the costs involved (both money and time). No customer information is stored on the PAS subject machine. The vast majority of the company’s sales occur at various conferences and trade shows. Customers wanting to buy products from the website are directed to call or e-mail the company. Given all of this, you might as well return the hard drive to the company. The image can be retained for a reasonable time, with the cost of the backup drive containing the image and all other case-related files included on your bill to PAS.
Summary of findings:
On the evening of May 3, an attacker exploited a vulnerability in the dns-lookup.php file on the webserver.
The attacker likely used the access gained to gather information about the system. The details of what he or she did are not available because parameters sent to web pages are not recorded in the logs.
After repeated failed SSH login attempts using John’s account shortly after the breach (many of which occurred in the same minute), the attacker successfully logged in using John’s account. An online password cracker, such as Hydra, was likely used. The fact that the attacker was successful so quickly suggests that John has a weak password.
The attacker installed at least three rootkits or backdoors on the system.
There is evidence to suggest that the attacker attempted to crack other passwords. Michael’s account was used on one occasion, which suggests his password may have been cracked. A command to crack Sue’s password was found in history files. It is unknown whether the attack against her password was successful, as her account has never been used to log in to this machine.
The attacker seems to have primarily worked by using SSH to remotely log in with John’s account, which has administrative privileges.
The attacker created a bogus account with a username of mysqll. This account had administrative privileges. On one occasion the attacker logged in remotely as Michael and then switched to the mysqll account.
Recommendations:
Urgent: Fix the vulnerability in dns-lookup.php
Urgent: All users must change passwords to something secure. It is recommended that new passwords are verified to not be in the rockyou.txt password list.
Important: Examine the entire website for other vulnerabilities. It is recommended that all items on the OWASP Top 10 list (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) be checked at a minimum.
Recommended: Install Snort or other Intrusion Detection System on the new webserver.
Recommended: Support the webmaster in his efforts to learn more about website security.
Recommended: Limit accounts on the webserver to the bare minimum. Several accounts on this server appear to be unused (e.g. Sue’s account, which was targeted by the attacker).
Recommended: Periodic review of logs with emphasis on the Apache and MySQL logs. The initial breach might have been detected by such a review.
Recommended: Periodic penetration tests should be performed. If hiring a penetration tester is not economically feasible, at a minimum, the webmaster or other PAS employee should become familiar with and use several web vulnerability scanners.
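One way to mechanize the periodic log review recommended above for the pattern seen in this case (a burst of failed SSH logins for one account within a single minute, followed by a successful login), as an added example that is not part of the original report. It assumes standard syslog-format sshd messages; the log lines, hostname, addresses and the year are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (not taken from the case image).
SAMPLE_AUTH_LOG = """\
May  3 22:14:01 pas-web sshd[2101]: Failed password for john from 203.0.113.9 port 40211 ssh2
May  3 22:14:02 pas-web sshd[2103]: Failed password for john from 203.0.113.9 port 40212 ssh2
May  3 22:14:02 pas-web sshd[2105]: Failed password for john from 203.0.113.9 port 40213 ssh2
May  3 22:14:03 pas-web sshd[2107]: Failed password for john from 203.0.113.9 port 40214 ssh2
May  3 22:14:03 pas-web sshd[2109]: Failed password for john from 203.0.113.9 port 40215 ssh2
May  3 22:14:04 pas-web sshd[2111]: Accepted password for john from 203.0.113.9 port 40216 ssh2
May  3 23:05:17 pas-web sshd[2200]: Failed password for michael from 198.51.100.7 port 51000 ssh2
May  4 08:30:00 pas-web sshd[2300]: Accepted password for michael from 192.0.2.15 port 50100 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2015):
    """Return (timestamp, result, user, ip) tuples. syslog omits the year, so it is a parameter (assumed)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not password authentication results are ignored
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag each (user, ip) with >= threshold failures inside one window; note any later success."""
    by_key = defaultdict(list)
    for ts, result, user, ip in events:
        by_key[(user, ip)].append((ts, result))
    findings = []
    for (user, ip), evs in by_key.items():
        evs.sort()
        fails = [ts for ts, r in evs if r == "Failed"]
        for i, start in enumerate(fails):
            # count the failures that fall within `window` of this starting failure
            burst = [ts for ts in fails[i:] if ts - start <= window]
            if len(burst) >= threshold:
                success_after = any(r == "Accepted" and ts >= start for ts, r in evs)
                findings.append({"user": user, "ip": ip, "first_failure": start,
                                 "failures": len(burst), "success_after": success_after})
                break  # one finding per (user, ip) is enough for the report
    return findings
```

Run against the real auth.log, a single flagged entry with success_after set is exactly the sequence that preceded the compromise of John's account.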