Web Server Compromise

Background:

You are an employee in the Georgia Tech SOC. You receive a report from a system administrator that one of their websites is acting "funny." The website is running WordPress and is accessible from the world. You have access to the access logs for the site as well as the directory that the website lives under. Both of these are attached to the assignment below.

Georgia Tech's IP ranges are:

Assignment:

You will use the logs and site directory to figure out what happened and when. You should turn in two documents. The first will be answers to 8 questions found in the "Questions" section below. The second will be an incident report.

Steps:

We will be teaching using Splunk, but if you are more comfortable using Elastic (ELK) or some other log searching mechanism you are free to do so. The raw logs are attached to this assignment below. While you can definitely succeed at this assignment using plain old grep, I would recommend you don't. While grep will work due to the small size of the log files being provided, grep fails to perform when you are in an actual Enterprise with massive amounts of data. To access Splunk:

  1. Log in to the Georgia Tech VPN
  2. Navigate to https://splunk.class.security.gatech.edu
  3. Log in with your GT username and password
  4. Click "Search and Reporting"
  5. Start searching!

The data for this assignment is in the "main" index. You can see all of the data by searching for "index=main" and changing the time dialog from "Last 24 hours" to "All time." Splunk already has the fields extracted from the logs for you. 

Questions: 

Using the logs, answer the following questions. Please include the Splunk (or Elastic) queries you used to find each answer. This will allow us to understand your thought process if you come to a different answer or interpret the question in a different way.

  1. Which IP(s) attempted to brute force the WordPress login?
  2. How many attempts did it/they make?
  3. How many of the IP(s) were successful? When was each successful?
  4. What did each IP do after it logged in?
  5. What file was changed?
  6. When was it changed?
  7. How was it changed?
  8. What was the purpose of the change?
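As an added example (not part of the assignment, its logs or its answer key), the script below runs the first four questions over a few constructed access-log lines the way a Splunk search over the attached logs would: it counts POSTs to wp-login.php per external IP, flags the ones above a threshold, records when a brute forcer's login succeeded and lists what that IP requested afterwards. The combined log format, the RFC 5737 sample addresses, the threshold and the 302-vs-200 success heuristic are all assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Apache/Nginx combined log format; assumed to match the attached access logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (RFC 5737 documentation addresses), not the real logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1421
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1680
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1680
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 9811
198.51.100.9 - - [10/Oct/2023:14:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1680
198.51.100.9 - - [10/Oct/2023:14:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 1680
198.51.100.9 - - [10/Oct/2023:14:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 1680
198.51.100.9 - - [10/Oct/2023:14:01:13 +0000] "POST /wp-login.php HTTP/1.1" 200 1680
192.0.2.4 - - [10/Oct/2023:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def analyze(log_text, threshold=3, internal=()):
    """Questions 1-4 over one log text. `internal` takes CIDR strings
    (the assignment's Georgia Tech ranges would go here) to exclude campus IPs."""
    nets = [ip_network(n) for n in internal]
    attempts, success, after = defaultdict(int), {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole pass
        ip = m["ip"]
        if any(ip_address(ip) in n for n in nets):
            continue
        path = m["path"].split("?", 1)[0]
        if ip in success:
            after[ip].append(f"{m['method']} {path}")  # everything after login
        elif path == "/wp-login.php" and m["method"] == "POST":
            attempts[ip] += 1
            # WordPress answers a correct password with a 302 to wp-admin;
            # a wrong one re-renders the login form with a 200.
            if m["status"] == "302":
                success[ip] = m["ts"]
    brute = {ip: n for ip, n in attempts.items() if n >= threshold}
    return {"brute_force": brute,
            "success": {ip: ts for ip, ts in success.items() if ip in brute},
            "after_login": {ip: v for ip, v in after.items() if ip in brute}}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The single 302 from 192.0.2.4 is treated as a normal login because it never crossed the attempt threshold; on the real logs, check the chosen threshold against the rate and spacing of the attempts before reporting an IP.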

Incident Report:

Write an incident report based on this assignment. Use the provided template from additional resources. The audience for this report will be your executive leadership and the affected business unit leadership.

As discussed in the report writing lecture, make sure to include (these are all sections in the template):

  • An executive summary
  • A detailed timeline of the incident. Include details of the attack
  • Any containment and eradication steps that you would have taken (e.g. would you have requested that the web server be restored from backup?). Document these steps as if you had taken them (e.g. At 12:05pm the security team requested the web server be restored from the previous clean backup)
  • Financial impact
    • Include effort estimates for your investigation and the time resources from any other involved teams
    • Anything else you can think of that might have had financial impact
    • The numbers can be completely made up
  • Lessons learned
