Log Analysis - Compromised WordPress
-
Identify the URI of the admin login panel that the attacker gained access to (include the token) (3 points)
Command:
grep admin access.log
Answer:
/wp-login.php?itsec-hb-token=adminlogin
-
Can you find two tools the attacker used? (3 points)
Source: Lines 1364 and 1528.
119.241.22.121 - - [14/Jan/2021:06:01:41 +0000] "GET / HTTP/1.1" 403 3160 "http://172.21.0.3/" "WPScan v3.8.10 (https://wpscan.org/)"
...
168.22.54.119 - - [14/Jan/2021:06:12:53 +0000] "POST /wp-login.php HTTP/1.1" 302 243 "-" "sqlmap/1.4.11#stable (http://sqlmap.org)"
Answer:
WPScan, sqlmap
-
The attacker tried to exploit a vulnerability in ‘Contact Form 7’. What CVE was the plugin vulnerable to? (Do some research!) (4 points)
Source: https://blog.wpsec.com/contact-form-7-vulnerability/
Answer:
CVE-2020-35489
-
What plugin was exploited to get access? (4 points)
Answer:
Simple File List 4.2.2
-
What is the name of the PHP web shell file? (3 points)
Source: Line 1717.
103.69.55.212 - - [14/Jan/2021:06:27:04 +0000] "GET /wp-content/uploads/simple-file-list/fr34k.php HTTP/1.1" 200 1295 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)"
Answer:
fr34k.php
-
What was the HTTP response code provided when the web shell was accessed for the final time? (3 points)
Source: Line 1736.
103.69.55.212 - - [14/Jan/2021:06:30:05 +0000] "GET /wp-content/uploads/simple-file-list/fr34k.php HTTP/1.1" 404 488 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)"
Answer:
404
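As an added example (not part of the original write-up), the same checks carried out in Python over constructed log lines modelled on the quoted entries: scanner User-Agents, tokenised wp-login.php requests, PHP files under wp-content/uploads, and the status of the last request to the shell. The 10.0.0.5 line, the shortened User-Agent strings and the scanner list are assumptions.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format, modelled on the entries
# quoted in the write-up; the 10.0.0.5 line and the shortened User-Agents are
# assumptions, not lines from the original access.log.
SAMPLE_LOG = """\
119.241.22.121 - - [14/Jan/2021:06:01:41 +0000] "GET / HTTP/1.1" 403 3160 "http://172.21.0.3/" "WPScan v3.8.10 (https://wpscan.org/)"
168.22.54.119 - - [14/Jan/2021:06:12:53 +0000] "POST /wp-login.php HTTP/1.1" 302 243 "-" "sqlmap/1.4.11#stable (http://sqlmap.org)"
10.0.0.5 - - [14/Jan/2021:06:20:10 +0000] "GET /wp-login.php?itsec-hb-token=adminlogin HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
103.69.55.212 - - [14/Jan/2021:06:27:04 +0000] "GET /wp-content/uploads/simple-file-list/fr34k.php HTTP/1.1" 200 1295 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
103.69.55.212 - - [14/Jan/2021:06:30:05 +0000] "GET /wp-content/uploads/simple-file-list/fr34k.php HTTP/1.1" 404 488 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
"""

# One regex for the combined format: client, timestamp, request line, status,
# size, referer and User-Agent. Lines that do not match are skipped.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent substrings of common scanners; this short list is an assumption.
SCANNER_UAS = ("WPScan", "sqlmap", "Nikto")

def parse(text):
    """Return one dict per well-formed log line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def scanner_tools(entries):
    """Count requests per scanner name seen in the User-Agent header."""
    return Counter(t for e in entries for t in SCANNER_UAS if t.lower() in e["ua"].lower())

def tokenised_login_uris(entries):
    """wp-login.php requests that carry a query string, e.g. a hide-backend token."""
    return sorted({e["uri"] for e in entries if e["uri"].startswith("/wp-login.php?")})

def php_in_uploads(entries):
    """PHP files served from wp-content/uploads: web shell candidates."""
    paths = {e["uri"].split("?", 1)[0] for e in entries}
    return sorted(p for p in paths if p.startswith("/wp-content/uploads/") and p.endswith(".php"))

def last_status(entries, path):
    """HTTP status of the final request for `path`, or None if it was never requested."""
    hits = [int(e["status"]) for e in entries if e["uri"].split("?", 1)[0] == path]
    return hits[-1] if hits else None

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    print(scanner_tools(entries), tokenised_login_uris(entries))
    print(php_in_uploads(entries), last_status(entries, php_in_uploads(entries)[0]))
```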