Searching for Forensic Evidence in a Compromised Virtual Web Server against SQL Injection Attacks and PHP Web Shell
Authors: Gigih Supriyatno
Abstract:
SQL injection is one of the most common types of attacks and has a very critical impact on web servers. In the worst case, an attacker can perform post-exploitation after a successful SQL injection attack. In web server forensics, analysis of the server is closely tied to analysis of its log files, but large file sizes and differing log types often make it difficult for investigators to find traces of the attacker on the server. The purpose of this paper is to help investigators take appropriate steps when a web server is attacked. We use attack scenarios based on SQL injection, including PHP backdoor injection as post-exploitation. We perform post-mortem analysis of web server logs based on the Hypertext Transfer Protocol (HTTP) POST and HTTP GET request methods that are characteristic of SQL injection attacks. In addition, we propose a structured analysis method that correlates the web server application log, the database application log, and the other logs present on the web server. This method gives the investigator a more structured way to analyze the log files, so that evidence of the attack is produced in acceptable time. Other attack techniques may also be detectable with this method. It can also help web administrators prepare their systems for forensic readiness.
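As an added illustration of the log-based post-mortem analysis the abstract describes (example code written for this page, not the authors' tooling), the following Python parses constructed Apache combined-format access-log lines and MySQL general-query-log lines, flags GET requests and executed statements that carry SQL injection indicators, and flags POST requests to PHP files outside a whitelist of known application entry points, which is how a dropped web shell typically shows up in the access log. The sample log lines, the indicator patterns and the whitelist are all assumptions; the database log is included because the access log never records a POST body, so POST-based injection can only be confirmed from the database side.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log lines (not taken from the paper).
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2018:10:01:02 +0700] "GET /news.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2018:10:04:11 +0700] "GET /news.php?id=7%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 6000 "-" "sqlmap/1.2"
10.0.0.9 - - [12/Mar/2018:10:06:30 +0700] "GET /news.php?id=7%27+AND+SLEEP(5)--+ HTTP/1.1" 200 5120 "-" "sqlmap/1.2"
10.0.0.9 - - [12/Mar/2018:10:09:45 +0700] "POST /uploads/cmd.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2018:10:10:00 +0700] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
# Constructed MySQL general query log lines (timestamps are UTC, unlike the +0700 access log,
# so an investigator must normalise time zones before correlating the two sources).
DB_LOG = """\
2018-03-12T03:10:00.000000Z    41 Query    SELECT * FROM users WHERE name='bob' AND pass='x'
2018-03-12T03:10:05.000000Z    42 Query    SELECT * FROM users WHERE name='' OR 1=1-- ' AND pass=''
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
DB_RE = re.compile(r"^(?P<time>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")
# Indicators characteristic of SQL injection in a decoded query string or an executed statement (assumed list).
SQLI_RE = re.compile(r"(?i)(\bunion\b.*\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|\bbenchmark\s*\(|--|/\*|information_schema|\bload_file\b|\binto\s+(out|dump)file\b)")
# PHP scripts that legitimately receive POST requests in this (constructed) application.
KNOWN_POST_TARGETS = {"/login.php", "/comment.php"}


def analyse_access_log(text):
    """Return (ip, time, tag, path) tuples for GET SQLi traces and POSTs to unexpected PHP files."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the triage
        path, _, query = unquote_plus(m["target"]).partition("?")  # decode %27, %20 and '+' first
        if m["method"] == "GET" and SQLI_RE.search(query):
            findings.append((m["ip"], m["time"], "sqli-get", path))
        elif m["method"] == "POST" and path.endswith(".php") and path not in KNOWN_POST_TARGETS:
            findings.append((m["ip"], m["time"], "post-to-unexpected-php", path))
    return findings


def analyse_db_log(text):
    """Return (time, connection_id, statement) for executed statements that carry SQLi indicators."""
    return [(m["time"], m["conn"], m["sql"])
            for m in map(DB_RE.match, text.splitlines()) if m and SQLI_RE.search(m["sql"])]


if __name__ == "__main__":
    for finding in analyse_access_log(ACCESS_LOG) + analyse_db_log(DB_LOG):
        print(finding)
```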
Keywords: Web forensic, SQL injection, web shell, investigation.
Digital Object Identifier (DOI): doi.org/10.5281/zenodo.2363199