Here’s the background scenario:
A team member zipped up a website from a production server and copied it to their local machine. This particular production server did not have an antivirus scanner on it at the time, and when the zip file reached the team members machine this warning message appeared from the machines antivirus software:
The team member did the right thing and deleted the files from disk and contacted the security team to investigate.
Soo … what are the right steps to perform from here? I’m not sure, but here are some steps that could be taken.
- Despite the constant warnings of security trainers, don’t assume that a virus has now been distributed onto the server and now onto the team members workstation. This is a classic fear based training technique used to prevent the spread of an attack, but it may not always be the right thing to do.
- Instead, look at the evidence presented soo far and try to see what more information can be learned from it.
Okay, so what can be determined from the information so far:
- A server could possibly have a backdoor virus called PHP/Remoteshell.B on it.
- If the backdoor was executed, then potentially a different/higher privileged malware could be on the server.
- A team member machine could possibly have a different/higher privileged malware on it.
- The website was running Sitefinity
- Sitefinity is an ASP.NET product, not a PHP product
- The virus signature was found in a file called Error.*.log
- Sitefinity uses Error.*.log files to record messages about errors it detects or encounters in order for administrators to review them later.
- Therefore the Error.*.log files would be error messages and not executable code.
And, what assumptions could we make from the information so far:
- Given that it’s an error log, viewing the log file would probably be benign and could possibly give information about how an attack started and if the attack stopped.
- Given that it’s an ASP.NET web application and not a PHP application, the attack did not succeed. So, there is very little to no risk is assuming the server is not infected with a backdoor or virus.
- However, if it was infected with a virus, and that virus was capable of proliferating itself through RDP, then the team member had already brought the virus into their/your network.
- In this highly unlikely scenario, if the team member had already brought the virus onto your network then it wouldn’t be terrible to connect with an isolated VM instance from that network which could be used to look at the files on the server.
At this point, the risk of proliferating a virus onto a disposable VM in order to view the actual log files on the server seemed like a good risk vs reward scenario.
So, using a throw away virtual machine, you could connect up to the server and take a look at the Error.*.log files, which might show this:
There are a number of lines that look very similar to ones above, and they were all done over short 30 second period and then stopped. The requested urls varied with syntaxs from PHP, .NET, to regular old SQL injection.
So, what’s the new information that we can learn from this:
- This looks like an automated attack signature from a bot that was penetration testing.
This server is fortune enough to get a routine penetration testing from out automated penetration testing system around every two weeks. If any of the attacks are found to be successful then a report is generated and sent to the Security and Development teams to implement fixes.
So, this could be a nice moment to call the analysis done, but it did highlight a few missing things. It resulted in the antivirus software being hooked up to the server and a scan being performed, along with a good amount of information sharing and more awareness of the automated penetration testing system.
There’s probably a lot more that could be done, and a lot more safety precautions that could have been taken during the analysis. At least, there’s always tomorrow to improve.