Action on objectives

As the website was defaced due to a successful attack by the adversary, it would be helpful to understand better what ended up on the website that caused defacement.

The first quest could be to figure out the traffic flow.

Examine the Suricata log source and the IP addresses communicating with the webserver

index=botsv1 dest= sourcetype=suricata

To change the flow direction to see if any communication originates from the server:

index=botsv1 src= sourcetype=suricata

Three external IPs appear, towards which the web server initiates the outbound traffic. There is a large chunk of traffic going to these external IP addresses, which could be worth checking.

Pivot into the destination IPs one by one to see what kind of traffic/communication is being carried out:

index=botsv1 src= sourcetype=suricata dest_ip=

The url field shows 2 .php files and one .jpeg file. This jpeg file looks interesting.

To see where this jpeg file came from:

index=botsv1 url="/poisonivy-is-coming-for-you-batman.jpeg" dest_ip="" | table _time src dest_ip http.hostname url

The end result shows poisonivy-is-coming-for-you-batman.jpeg was downloaded from the attacker’s host


What is the name of the file that defaced the website?


Fortigate Firewall fortigate_utm detected SQL attempt from the attacker’s IP What is the name of the rule that was triggered during the SQL Injection attempt?

index=botsv1 src= sourcetype=fortigate_utm

Add the attack field to the fields and: