31 October, 2019

Exfiltration cyber attack


Introduction
There was an incident in which an attacker successfully transferred files from the web server. This kind of attack is known as exfiltration, and it was detected by the hosting nation's intrusion detection system. It may leave the web servers vulnerable to other attacks such as denial of service. The attack originates from within the member nations attending the conference, and it should be stopped before it spreads further. Exfiltration is a dangerous type of attack because it lets an attacker reach resources they are not authorized to access. It can cause major problems, since nations keep highly classified information that should never be accessible to other nations at any time. The source of the data leak and the tools used to perform the attack should be identified, and the necessary measures put in place to stop such an attack from happening in future. The targeted resources should be made unavailable until the affected web server and the whole network have been secured. The protocols for accessing the resources should be changed so as to give the team enough time to solve the problem.
Analysis
Wireshark is a versatile tool capable of sniffing and capturing network activity. Using it, it is established that a total of 1,907,899 packets were sent over the period of the attack. The participants were computer A and computer B: computer A sent a total of 1,864,853 packets and computer B sent a total of 43,046 packets. A total of 170 megabytes were exchanged over the whole conversation; computer A sent 143 megabytes and computer B sent 26 megabytes. The conversation lasted a total of 358.3253 seconds, which is the total time over which the exfiltration took place.
After the Wireshark capture is parsed, the process of identifying the time the attack began starts; it is indicated as 21:59:17.432035000. That is the moment from which the attackers were able to actively copy files from the web server. The protocol the attackers used is UDP, and the destination port affected was port 55. Port 55 makes it possible for messages to be transferred from one computer to another, and it is used in the internet (network) layer, the transport layer and the session layer. The IP address of the affected web server is 192.168.19.111, and the IP address of the system the attackers used is 192.168.10.101. The total size of the packet the attackers transferred successfully to their system is 74 bytes. The system administrator was alerted by the host monitoring system using the user datagram protocol.
Using UDP flood unicorn to perform the denial of service attack is relatively easy. It is done by entering the target IP address, which in our case is 192.168.19.111, and the target port, 55. The packet size for the attack can be any amount, but for a test case 1 KB is enough. Performing a denial of service attack is simple because many different tools are available to aid the process. There is an increase in HTTP requests sent to the internal web server, and it might be linked to the attack. The resource receiving the most requests is /worldpress/randomfile1 HTTP/1.1\r\n. That is the targeted resource on the internal web server, and the attackers might be aiming at copying the file or making it inaccessible through the denial of service attack.
The server's HTTP response code is 500, which means the internal server encountered a problem and could not fulfil the request. The error means that legitimate users cannot access the resource because of a problem the server is encountering, and it might be linked to the increase in requests to the server. The IP address of the computer requesting the resource that results in the error is 192.168.10.101, the attacking computer. The attacker's user-agent for the request is Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n.
The type of attack occurring against the web server is a distributed denial of service, because the targeted resource cannot be accessed by legitimate users. The attackers are also performing SQL injection against the web server. The abnormal requests sent by the attackers return 404 Not Found (text/html). This is because the resources the attackers request do not exist, hence the error code is returned. The URL the attackers use to perform the distributed denial of service is /wordpress/web/BetaBlockModules/EnableModule/EnableModule.php?path_prefix-http://cirt.net/rfil_.
More attacks are being performed against the web server by sending abnormal GET requests. The nature of this attack is brute force hacking. This is evident from the HTTP response code returned for the abnormal requests: HTTP/1.1 Bad Request (text/html) signifies that the server is receiving bad requests from the attackers. The user-agent of the requests received from the attackers is Mozilla/5.00.
There is a repetition of the username and password used by the attacker during the brute force attack. The repeated passwords and usernames are located in the root/password folder, as is evident from the traffic captured with the Wireshark tool. The user-agent contained in the attack requests is Mozilla/5.00, and the HTTP response code returned for the attack requests is HTTP/1.1 404 Not Found (text/html).
The interesting repeated string value is responsible for the denial of service experienced. The user-agent for the interesting string is Mozilla/5.00, and the HTTP response code for the request is HTTP/1.1 Not Found (text/html). The user-agent Mozilla/5.00 points to the Nikto web server testing tool. That tool is responsible for the attacks the web server is currently undergoing.
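The indicators described above (the Mozilla/5.00 user-agent, a query parameter pointing at an external URL, repeated identical requests, bursts of 404 responses and the 500 on the targeted resource) can be turned into a small per-source triage script. The following is an added example written for this post, not code from the original analysis; the request records are constructed and only modelled on the requests reported above, and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample, not a real capture: (src_ip, uri, user_agent, status),
# modelled on the request types described in the analysis above.
SAMPLE_REQUESTS = [
    ("192.168.10.101", "/worldpress/randomfile1", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", 500),
    ("192.168.10.101", "/wordpress/web/BetaBlockModules/EnableModule/EnableModule.php?path_prefix-http://cirt.net/rfil_", "Mozilla/5.00", 404),
    ("192.168.10.101", "/wp-login.php?log=admin&pwd=admin", "Mozilla/5.00", 404),
    ("192.168.10.101", "/wp-login.php?log=admin&pwd=admin", "Mozilla/5.00", 404),
    ("192.168.10.101", "/wp-login.php?log=admin&pwd=admin", "Mozilla/5.00", 404),
    ("192.168.10.50", "/index.php", "Mozilla/5.0 (X11; Linux x86_64)", 200),
]

NIKTO_UA = re.compile(r"^Mozilla/5\.00\b")              # Nikto's default user-agent prefix
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)     # a URL inside the query string (remote file inclusion probe)

def classify(uri, user_agent, status):
    """Return the indicator tags that a single request trips."""
    tags = []
    if NIKTO_UA.search(user_agent):
        tags.append("nikto-scanner")
    if REMOTE_URL.search(urlsplit(uri).query):
        tags.append("rfi-probe")        # as in the EnableModule.php?path_prefix-http://... request
    if status == 500:
        tags.append("server-error")     # resource failing for everyone; correlate with request volume
    return tags

def summarize(requests, repeat_threshold=3, error_threshold=2):
    """Aggregate indicators per source IP: request tags, repeated identical URIs, 404 bursts."""
    findings = defaultdict(set)
    repeats = Counter((ip, uri) for ip, uri, _, _ in requests)
    not_found = Counter(ip for ip, _, _, status in requests if status == 404)
    for ip, uri, ua, status in requests:
        findings[ip].update(classify(uri, ua, status))
    for (ip, uri), n in repeats.items():
        if n >= repeat_threshold:
            findings[ip].add("repeated-request")   # same URI (e.g. same credentials) sent again and again
    for ip, n in not_found.items():
        if n >= error_threshold:
            findings[ip].add("404-burst")          # scanner-style probing of non-existent paths
    return {ip: sorted(tags) for ip, tags in findings.items() if tags}

if __name__ == "__main__":
    for ip, tags in summarize(SAMPLE_REQUESTS).items():
        print(ip, ", ".join(tags))
```

On the constructed sample only 192.168.10.101 is flagged, with all five indicator tags; a benign browser request from another host produces no finding.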
Findings
· The system is under the following types of attack:
1. Distributed denial of service
2. SQL injection
3. Brute force attack
· The Nikto tool is being used by the attackers to hack the web server
· The IP address of the victim web server is 192.168.19.111
· The IP address of the computer being used by the attackers is 192.168.10.101
· The port number affected by the attack is 55

Recommendations
I would recommend that the system administrator block traffic from IP address 192.168.10.101 from accessing the network. This can be done by adding a policy on the firewall or by configuring the intrusion detection system to drop traffic from that IP address. Port 55 should be blocked on the firewall to reduce the risk of data leaking through exfiltration. The system administrator should also configure the firewall and the intrusion detection and prevention systems to drop traffic to /wordpress/web/BetaBlockModules/EnableModule/EnableModule.php?path_prefix-http://cirt.net/rfil_ and /worldpress/randomfile1 HTTP/1.1\r\n. This should remain in place until the problem is resolved, so as to reduce further attacks on the network that could result in major damage.



