This week was more centered around Incident Response, which isn’t normally in my wheelhouse, so I Was excited to maybe learn a few tricks.
The first part of the question was asking what package was installed by the attacker. Considering some of the previous questions, I immediately went to a previous file /var/log/apt/history.log and found the following:
So it looks like there’s a large gap in time between the latest upgrade and the php install. So I tried “php” and that was the answer!
The question only said “Why?” with a multiple choice question. So at this point I thought I was supposed to try and map the whole attack which I was a little worried about, but based on the multiple choice question, I knew I only had to narrow my search to what they did with the PHP install. I tried a few things until I thought about doing some timeline analysis. Since the gap between what appeared to be the latest update and the PHP install was 2 years, it felt safe to find any files modified after that log file was modified. Using my trusty find command:
find ./ -type f -newercm ./var/log/apt/history.log
Since the previous question asked about php, the obvious culprit here was cluster.php
I’m not super well versed in websockets and this type of code, but the “shell_exec” function led me to believe this was a webshell.
So to answer the question, the answer was “To run a php webshell”.
An easier week this time round, can’t decide if I was relieved that it was easier than I expected or disappointed that I didn’t learn any new IR skills.