Posts

Showing posts from January, 2018

Decoding PHP exploits and banning brute-force attackers

This post will discuss forensics on a Linux system and use basic forensics techniques to investigate two attacks made against a Linux web server. Specifically, this post is going to focus on reading and understanding the information contained in log files. The first attack is an attempt by an adversary to gain unauthorised administrative access to a WordPress website by attacking the wp-login.php page. The second attack is an obfuscated PHP script that, when decoded, attempts to find and exploit several PHP files commonly used by Joomla websites. Before looking at either attack it is necessary to establish some prerequisite knowledge regarding Linux and how system events are logged.

[Figure: the '/var/log' directory on a Kali Linux system]

Linux systems log all events in text files known simply as log files. There is no shortage of information to be found within these files; everything from kernel events, network events, SSH login attempts a

Forensics with the Windows Registry

Consider the following scenario: A user within a corporation connects a USB drive to their workstation. The USB drive contains a Word document that is copied to the user's desktop and opened with Microsoft Word. Word presents a security warning to the user - "Macros are disabled. Click to enable" - and unfortunately the user chooses to enable macros. The Word document's malicious payload is executed, but fortunately stopped by Anti-Virus. In a panic the user closes the Anti-Virus alert, closes and deletes the Word document, and removes the USB drive from the computer. This scenario presents some interesting questions: Is it possible to identify exactly which USB devices have been connected to the computer? How could the malicious Word document's filename be identified if it has been removed from the system, or if the user simply does not recall which document was opened? If the Word document was successful in dropping an additional stage of malware onto th