1 of 9

Ubuntu Server Analysis

IS 565 Final Project

Bronson Puzey and Justis Brown

2 of 9

What the attacker was trying to do

Connect with ssh

  • The attacker’s IP address was 10.0.1.248
  • They attempted to connect on April 4 at 18:54:45-47 but were not successful
  • These IP addresses also tried to connect with ssh but were not successful
    • 104.248.157.240 from port 34284 – Singapore
    • 159.203.169.17 from port 45842 – Clifton, New Jersey
    • 176.111.173.44 from port 37390 – Olsztyn, Poland
    • 20.38.174.70 from port 45304 – Phoenix, Arizona
    • 92.255.85.237 from port 37866 – St. Petersburg, Russia
    • 101.35.130.158 from port 57734 – Beijing, China
    • 177.91.80.10 from port 42130 – Mesquita, Brazil
    • 159.223.41.251 from port 33184 – Singapore
    • 218.60.104.15 from port 33494 – Dalian, China
    • 61.177.173.41 – Lianyungang, China
    • 159.223.41.251 – Singapore

3 of 9

What the attacker was trying to do pt. 2

SQL injection

  • Attempted at least one SQL injection attack using sqlmap on April 4 at 18:52:38
  • Attempted to log in on login.php using sqlmap libraries from 18:52:37 - 18:53:40

4 of 9

What the attacker was trying to do pt. 3

XSS

  • The website is vulnerable to XSS attacks
  • We believe that the attacker may have attempted an XSS attack, but we don’t know for sure

5 of 9

What we did to stop the attack and results

  • Turned the firewall on and only allowed connections via ssh (port 22) and http (port 80)
  • Monitored users and network traffic
  • The attacker never gained control of the server

Results

  • We did not find any evidence that the attacker accessed any sensitive or private information

6 of 9

Memory Collection

  • Ran the LiME acquisition command, but every time the resulting .mem file was empty
  • We were not able to analyze memory

7 of 9

Hard Drive Data Collection and Analysis

Collection

  • Used Data Dump and SCP

Analysis

  • Used Autopsy
  • Log files were really helpful, especially apache logs and auth.log
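As an added example (not part of the original project), a small Python script that performs the two checks the log analysis above relied on, over constructed auth.log and Apache access-log lines: failed SSH password attempts counted per source IP, and web requests whose User-Agent identifies sqlmap. The sample lines, timestamps, ports and the sqlmap version string are constructed; the hostname `server` and the threshold of three failures are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the format of Ubuntu's /var/log/auth.log (sshd)
# and Apache's combined access log. Values are illustrative, not case data.
AUTH_LOG = """\
Apr  4 18:54:45 server sshd[2345]: Failed password for invalid user admin from 10.0.1.248 port 51234 ssh2
Apr  4 18:54:46 server sshd[2345]: Failed password for invalid user admin from 10.0.1.248 port 51234 ssh2
Apr  4 18:54:47 server sshd[2347]: Failed password for root from 10.0.1.248 port 51240 ssh2
Apr  4 19:10:02 server sshd[2401]: Failed password for root from 104.248.157.240 port 34284 ssh2
Apr  4 19:12:30 server sshd[2410]: Accepted publickey for analyst from 10.0.1.10 port 40222 ssh2
"""

ACCESS_LOG = """\
10.0.1.248 - - [04/Apr/2023:18:52:37 -0600] "GET /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.0 (https://sqlmap.org)"
10.0.1.248 - - [04/Apr/2023:18:52:38 -0600] "POST /login.php HTTP/1.1" 200 512 "-" "sqlmap/1.0 (https://sqlmap.org)"
10.0.1.10 - - [04/Apr/2023:18:53:00 -0600] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# sshd logs "Failed password for [invalid user] <name> from <ip> port <port> ssh2"
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")
# Apache combined format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
APACHE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"')


def failed_ssh_by_ip(auth_log):
    """Count failed SSH password attempts per source IP (successful logins are ignored)."""
    counts = Counter()
    for line in auth_log.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def sqlmap_requests(access_log):
    """Return (ip, method, path) for every request whose User-Agent names sqlmap."""
    hits = []
    for line in access_log.splitlines():
        m = APACHE.match(line)
        if m and "sqlmap" in m.group(6).lower():
            hits.append((m.group(1), m.group(3), m.group(4)))
    return hits


def suspicious_sources(auth_log, access_log, threshold=3):
    """IPs with at least `threshold` SSH failures or any sqlmap request: candidates for a fail2ban or firewall block."""
    flagged = {ip for ip, n in failed_ssh_by_ip(auth_log).items() if n >= threshold}
    flagged |= {ip for ip, _, _ in sqlmap_requests(access_log)}
    return sorted(flagged)


if __name__ == "__main__":
    print("SSH failures:", failed_ssh_by_ip(AUTH_LOG))
    print("sqlmap requests:", sqlmap_requests(ACCESS_LOG))
    print("flagged sources:", suspicious_sources(AUTH_LOG, ACCESS_LOG))
```

On a live server the same functions can be fed the contents of /var/log/auth.log and /var/log/apache2/access.log to produce the per-IP summary the slides report.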

8 of 9

Network Traffic Collection and Analysis

Collection

  • Used tcpdump (ran for about 1 minute each)
  • Looking back on it, I should have had a separate terminal running that collected network data the entire time

Analysis

  • Used Wireshark and Network Miner
  • Not a whole lot of information

9 of 9

Recommendations

  • Remove or encrypt sensitive files like /var/www/passwords/accounts.txt and phpinfo.php
  • Give sudo access only to users who need it, and only grant them sudo privileges for specific commands (principle of least privilege)
  • Remove unnecessary users; lock the root account
  • Review website code to mitigate the possibility of SQL injection, JavaScript injection, and XSS attacks
  • Turn on fail2ban to mitigate DDoS attacks and bots from foreign IP addresses
  • Configure the firewall SSH rule to only allow attempts from internal IP addresses
  • Enable additional logging, such as MySQL logging
  • Implement an IDS or IPS