Introduction
There was an incident where an attacker successfully transferred files from the web server. The attack is known as exfiltration and it was detected by the hosting nation's intrusion detection system. This type of attack might leave web servers vulnerable to other attacks such as denial of service. The attack originated from within the member nations attending the conference and it should be stopped before it spreads further. Exfiltration is a dangerous type of attack because it enables an attacker to access resources they are not authorized to access. This kind of attack might result in major problems, since nations keep highly classified information that should never be accessible to other nations at any time. The source of the data leak and the tools used to perform the attack should be identified and the necessary steps put in place to stop such an attack from happening in the future. The resources being targeted should be made unavailable until the targeted web server and the whole network have been secured. The protocols for accessing the resources should be changed so as to give the team ample time to solve the problem.
Analysis
Wireshark is a dynamic tool capable of sniffing and capturing network activity. Using the tool it was established that a total of 1,907,899 packets were sent over the period of the attack. The participants were computer A and computer B; computer A sent a total of 1,864,853 packets and computer B sent a total of 43,046 packets. A total of 170 megabytes were sent over the whole conversation: computer A sent 143 megabytes and computer B sent 26 megabytes. The conversation took a total of 358.3253 seconds, which is the total time over which the exfiltration took place.
After the Wireshark capture is parsed, the next step is identifying the time the attack began, which is indicated as 21:59:17.432035000. That is the point from which the attackers were able to actively copy files from the web server. The protocol the attackers utilized is UDP and the destination port affected was port 55. Port 55 makes it possible for messages to be transferred from one computer to another and it is utilized in the internet network layer, transport layer and session layer. The IP address of the affected web server is 192.168.19.111 and the IP address of the system the attackers used is 192.168.10.101. The total size of the packet transferred successfully by the attackers to their system is 74 bytes. The system administrator was alerted by the host monitoring system using the user datagram protocol.
Using UDP flood unicorn to perform the denial of service attack is relatively easy. It is done by entering the target IP address, which in our case is 192.168.19.111, and the target port, which is 55. The packet size for the attack can be any amount, but for the testing case 1 KB is enough. Performing a denial of service attack is simple because there are different types of tools available to aid in the process. There is an increase in HTTP requests sent to the internal web server and it might be linked to the attack. The resource receiving more requests is /worldpress/randomfile1 HTTP/1.1\r\n. That is the targeted resource in the internal web server, and the attackers might be aiming at copying the file or making it inaccessible through the denial of service attack.
The server's HTTP response code is 500, which means the internal server encountered a problem and could not fulfill the request. The error means that the resource cannot be accessed by legitimate users due to a problem the server is encountering, and it might be linked to the increase in requests to the server. The IP of the computer requesting the resource and causing the error is 192.168.10.101, which is the attacking computer. The attacker's user-agent for the request is Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n.
The type of attack occurring against the web server is a distributed denial of service attack; this is because the targeted resource cannot be accessed by legitimate users. The attackers are also performing SQL injection against the web server. The abnormal requests sent by the attackers return 404 Not Found (text/html). This is because the resources requested by the attackers are not available, hence the error code is displayed. The URL being used by the attackers to perform the distributed denial of service is /wordpress/web/BetaBlockModules/EnableModule/EnableModule.php?path_prefix-http://cirt.net/rfil_.
More attacks are being performed on the web server by sending abnormal GET requests. The nature of the attack is brute force hacking. This is evident from the HTTP response code returned for the abnormal requests. The HTTP/1.1 Bad Request (text/html) response signifies that the server is receiving bad requests from the attackers. The user-agent for the requests received from the attackers is Mozilla/5.00.
There is a repetition of usernames and passwords being used by the attacker during the brute force attack. The usernames and passwords being repeated are located in the root/password folder, as is evident from the traffic captured using the Wireshark tool. The user-agent contained in the attack requests is Mozilla/5.00. The HTTP response code returned for the attack requests sent is HTTP/1.1 404 Not Found (text/html).
The repeated string value of interest is responsible for the denial of service experienced. The user-agent for the string of interest is Mozilla/5.00 and the HTTP response code for the request is HTTP/1.1 Not Found (text/html). The user-agent Mozilla/5.00 points at the Nikto web server testing tool. The tool is the one responsible for the attacks the web server is undergoing at the moment.
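The indicators the analysis above relies on (per-direction packet and byte counts, the first UDP datagram to port 55, requests carrying the Nikto user-agent, 500 responses to the attacking host) can be pulled from a tshark field export with a few lines of code. The following is an added example, not part of the original report; the capture is a constructed sample, and the column layout (frame.time_epoch, ip.src, ip.dst, frame.len, udp.dstport, http.request.uri, http.response.code, http.user_agent) is assumed to mirror a `tshark -T fields` export.

```python
"""Triage of a constructed tshark field export (added example, not the
report's own capture). Columns, tab separated: frame.time_epoch, ip.src,
ip.dst, frame.len, udp.dstport, http.request.uri, http.response.code,
http.user_agent; a column is empty when it does not apply to the frame."""

VICTIM, ATTACKER, EXFIL_PORT = "192.168.19.111", "192.168.10.101", "55"
NIKTO_UA = "Mozilla/5.00"  # user-agent the report attributes to Nikto
FIELDS = ("time", "src", "dst", "length", "udp_dport", "uri", "status", "ua")

# Constructed sample: two UDP datagrams to port 55, a request for the targeted
# file answered with 500, and a Nikto-style request answered with 404.
SAMPLE = (
    "1000.000\t192.168.10.101\t192.168.19.111\t74\t55\t\t\t\n"
    "1000.250\t192.168.10.101\t192.168.19.111\t74\t55\t\t\t\n"
    "1001.000\t192.168.10.101\t192.168.19.111\t300\t\t/worldpress/randomfile1\t\t"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n"
    "1001.100\t192.168.19.111\t192.168.10.101\t450\t\t\t500\t\n"
    "1002.000\t192.168.10.101\t192.168.19.111\t280\t\t/wordpress/web/BetaBlockModules/"
    "EnableModule/EnableModule.php?path_prefix-http://cirt.net/rfil_\t\tMozilla/5.00\n"
    "1002.050\t192.168.19.111\t192.168.10.101\t400\t\t\t404\t\n"
)

def parse_capture(text):
    """Turn each export line into a dict; time and length become numbers."""
    rows = [dict(zip(FIELDS, ln.split("\t"))) for ln in text.splitlines() if ln]
    for r in rows:
        r["time"], r["length"] = float(r["time"]), int(r["length"])
    return rows

def conversation_stats(rows, a, b):
    """Per-direction packet and byte counts plus duration, the same figures
    Wireshark's Conversations view reports for one IP pair."""
    conv = [r for r in rows if {r["src"], r["dst"]} == {a, b}]
    stats = {"packets": {a: 0, b: 0}, "bytes": {a: 0, b: 0}}
    for r in conv:
        stats["packets"][r["src"]] += 1
        stats["bytes"][r["src"]] += r["length"]
    stats["duration"] = max(r["time"] for r in conv) - min(r["time"] for r in conv)
    return stats

def triage(rows):
    """Flag the report's indicators: UDP from the attacker to port 55 and its
    first timestamp, Nikto user-agent requests, 500 responses to the attacker."""
    udp = [r for r in rows if r["src"] == ATTACKER and r["udp_dport"] == EXFIL_PORT]
    return {
        "exfil_start": min(r["time"] for r in udp) if udp else None,
        "exfil_packets": len(udp),
        "nikto_uris": [r["uri"] for r in rows if r["ua"] == NIKTO_UA],
        "server_errors": sum(1 for r in rows if r["status"] == "500" and r["dst"] == ATTACKER),
    }
```

On a real export, `exfil_start` is an epoch value; convert it with `datetime.fromtimestamp` to compare against the 21:59:17.432035000 figure in the analysis.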
Findings
· The system is under the following types of attack:
1. Distributed denial of service
2. SQL injection
3. Brute force attack
· The Nikto tool is being used by the attackers to hack the web server
· The IP address of the victim web server is 192.168.19.111
· The IP address of the computer being used by the attackers is 192.168.10.101
· The port number affected by the attack is 55
Recommendations
I would recommend that the system administrator block traffic from IP address 192.168.10.101 from accessing the network. This can be done by adding a policy on the firewall or configuring the intrusion detection system to drop traffic from the IP address. Port 55 should be blocked using the firewall to reduce its vulnerability to leaking data through exfiltration. The system administrator should also configure the firewall and intrusion detection and prevention systems to drop traffic to /wordpress/web/BetaBlockModules/EnableModule/EnableModule.php?path_prefix-http://cirt.net/rfil_ and /worldpress/randomfile1 HTTP/1.1\r\n. This should be done until the problem is resolved, so as to reduce further attacks on the network that could result in major damage.
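The three recommendations above (drop the attacking IP, drop traffic to port 55, drop requests for the two targeted paths) can be expressed as one drop-decision function and checked against sample traffic before being translated into firewall or IPS rules. This is an added example, not a configuration from the report; the packet record layout (src, proto, dport, uri) is constructed and hypothetical. Note that the report quotes the paths with request-line residue (`HTTP/1.1\r\n`), which a URI match must strip, as the helper here does.

```python
"""Packet-level check of the report's recommended blocks (added example, not
a real firewall configuration). A packet is a dict with src, proto, dport and
an optional uri as logged from the request line; the layout is constructed."""

BLOCKED_SRC = {"192.168.10.101"}      # attacking host from the analysis
BLOCKED_UDP_DPORT = {55}              # exfiltration channel port
# Paths the report names; the quoted "HTTP/1.1\r\n" is request-line residue,
# so the filter matches the URI component only (see normalise_uri).
BLOCKED_URIS = {
    "/worldpress/randomfile1",
    "/wordpress/web/BetaBlockModules/EnableModule/EnableModule.php"
    "?path_prefix-http://cirt.net/rfil_",
}

def normalise_uri(raw):
    """Reduce a logged request-line fragment ("/path HTTP/1.1\\r\\n") to its URI."""
    return raw.split(" HTTP/")[0].strip()

def drop_reason(pkt):
    """Return the rule that drops this packet, or None to let it pass."""
    if pkt["src"] in BLOCKED_SRC:
        return "blocked source"
    if pkt["proto"] == "udp" and pkt["dport"] in BLOCKED_UDP_DPORT:
        return "blocked udp port"
    if pkt.get("uri") and normalise_uri(pkt["uri"]) in BLOCKED_URIS:
        return "blocked uri"
    return None

def apply_policy(pkts):
    """Split a packet list into (passed, dropped); dropped pairs each packet
    with the rule that matched, which is what an IDS alert would carry."""
    passed, dropped = [], []
    for p in pkts:
        why = drop_reason(p)
        if why:
            dropped.append((p, why))
        else:
            passed.append(p)
    return passed, dropped
```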