Imperva Alert Details
Alert ID: IMPERVA-WEB-SHELL-1505-7842
Alert Time: 2024-02-18 10:30:22 EST
Severity: CRITICAL (95/100)
Source: Imperva Web Application Firewall + RASP
Rule: “Web Shell Detected on Server”
MITRE ATT&CK: T1505.003 – Server Software Component: Web Shell
Alert Details:
Detection: Malicious file uploaded to web server – PHP web shell
Server: WEB-SRV-045 (Public-Facing Web Server)
Application: Company Portal (PHP)
Time: 10:25 EST
File Details:
Path: /var/www/html/uploads/images.php
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Size: 2.3 KB
Upload Time: 10:23 EST
Uploaded Via: HTTP POST to /uploads/upload.php
Source IP: 185.143.221[.]89 (Bulgaria)
Web Shell Analysis:
File Type: PHP web shell (“WSO” – Web Shell by oRb)
Capabilities:
Execute system commands
Upload/download files
Browse file system
Database queries
Reverse shell
Obfuscated: Base64 encoded functions
Password Protected: “attacker123”
Access Logs:
10:24 EST – GET /uploads/images.php?action=cmd&cmd=whoami
Result: www-data
10:24 EST – GET /uploads/images.php?action=cmd&cmd=id
Result: uid=33(www-data) gid=33(www-data)
10:25 EST – GET /uploads/images.php?action=cmd&cmd=uname -a
Result: Linux web-server 5.4.0
10:25 EST – Imperva detects and blocks
Additional Context:
File upload functionality intended for images only
No validation on file type (vulnerability)
Web server accessed from Bulgaria (unusual)
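The access-log entries above are the clearest signal in this alert: a script under /uploads/ answering GET requests whose query string carries a shell command. The following script is an added example, not part of the report or Imperva's rule set, showing how a SOC could turn that pattern into a detection over combined-format web server logs. The log lines, the parameter-name list, the recon-command list and the known-script allowlist are constructed for the example; the attacker IP and paths are the ones the report gives (the IP is written undefanged because that is how it would appear in a real log).

```python
"""Flag web-shell command execution in web server access logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: ip - - [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Query parameter names web shells commonly use to pass a command (assumption: tune per application)
CMD_PARAMS = {"cmd", "command", "exec", "c", "x"}
# First commands an intruder typically runs after landing on a host
RECON_CMDS = {"whoami", "id", "uname", "hostname", "pwd", "cat /etc/passwd"}
# Directories that should only ever hold static content (assumption: deployment-specific)
UPLOAD_DIRS = ("/uploads/",)
# Application scripts legitimately living under an upload directory (assumption)
KNOWN_SCRIPTS = {"/uploads/upload.php"}
SCRIPT_EXTS = (".php", ".phtml", ".phar")

# Constructed sample log: the three recon requests from the alert plus a benign image fetch
SAMPLE_LOG = [
    '185.143.221.89 - - [18/Feb/2024:10:23:41 -0500] "POST /uploads/upload.php HTTP/1.1" 200 312 "-" "curl/7.88"',
    '185.143.221.89 - - [18/Feb/2024:10:24:02 -0500] "GET /uploads/images.php?action=cmd&cmd=whoami HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '185.143.221.89 - - [18/Feb/2024:10:24:15 -0500] "GET /uploads/images.php?action=cmd&cmd=id HTTP/1.1" 200 160 "-" "Mozilla/5.0"',
    '185.143.221.89 - - [18/Feb/2024:10:25:03 -0500] "GET /uploads/images.php?action=cmd&cmd=uname%20-a HTTP/1.1" 200 144 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [18/Feb/2024:10:25:30 -0500] "GET /uploads/logo.png HTTP/1.1" 200 8123 "https://portal.example" "Mozilla/5.0"',
]


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None for a benign/unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = url.path
    reasons = []

    # 1. A server-side script executing from an upload directory is itself a red flag,
    #    unless it is one of the application's own known endpoints.
    if (path.startswith(UPLOAD_DIRS) and path.lower().endswith(SCRIPT_EXTS)
            and path not in KNOWN_SCRIPTS):
        reasons.append("script executed from upload directory")

    # 2. Command-style parameters; recon commands are called out explicitly.
    params = parse_qs(url.query, keep_blank_values=True)
    for name, values in params.items():
        if name.lower() not in CMD_PARAMS:
            continue
        for v in values:
            cmd = v.strip()
            if cmd in RECON_CMDS or cmd.split(" ")[0] in RECON_CMDS:
                reasons.append(f"recon command via {name}={cmd}")
            else:
                reasons.append(f"command parameter {name}={cmd}")

    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["time"], "path": path, "reasons": reasons}


def analyze_log(lines):
    """Run analyze_line over every line and keep the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f]


def source_ips(findings):
    """Distinct source IPs in the findings, for the block-list step of the investigation."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["path"], "; ".join(f["reasons"]))
    print("sources to block:", source_ips(analyze_log(SAMPLE_LOG)))
```

On the sample log the POST to the application's own upload.php and the PNG fetch are not flagged; the three GETs to images.php are, each with both the "script in upload directory" and the recon-command reason. The server logs `uname -a` URL-encoded (`uname%20-a`), which is why the sample line is written that way and why the detection decodes the query string before matching.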
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Imperva alert | Imperva Console | Confirmed web shell upload and access
2. Immediate Action | Remove web shell | SSH, File System | images.php deleted
3. Block IP | Block attacker IP | Imperva WAF, Firewall | IP 185.143.221[.]89 blocked
4. Vulnerability Assessment | Identify upload vulnerability | Code Review, Scanner | File upload allowed PHP files; patched
5. Log Review | Check for data access | Web Logs, Database Logs | No database access; file system browsed
6. Credential Rotation | Rotate any exposed credentials | DevOps Team | Database credentials rotated
Jira Incident Report
Ticket: SOC-2024-095
Summary: T1505 – PHP Web Shell Uploaded to Public Web Server
Status: RESOLVED
Resolution: MALICIOUS – Web Shell Removed
Priority: P1 – CRITICAL
Labels: T1505, web-shell, server-component, imperva, php
Components: Web-Security, Server-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Imperva Web Application Firewall + RASP.
Alert: “Web Shell Detected on Server”.
Server: WEB-SRV-045 (Public-Facing Web Server).
File: /var/www/html/uploads/images.php (WSO web shell).
Time: 2024-02-18 10:30 EST.
Technique: MITRE ATT&CK T1505.003 – Server Software Component: Web Shell.
2. Technical Analysis:
Attack Chain:
10:20 – Attacker scans for vulnerable file upload endpoints
10:21 – Discovers /uploads/upload.php (no file type validation)
10:22 – Attacker crafts PHP web shell named images.php
10:23 – Uploads images.php via HTTP POST
10:23 – File saved to /var/www/html/uploads/images.php
10:24 – Attacker accesses web shell, runs reconnaissance commands
10:24 – whoami, id, uname -a executed
10:25 – Imperva detects web shell signature
10:25 – Imperva blocks further access
Web Shell Analysis:
Type: WSO (Web Shell by oRb) – popular PHP web shell
Password: “attacker123” (required for access)
Capabilities:
Command execution (via system, shell_exec)
File upload/download
File system navigation
Database queries
Reverse shell creation
Obfuscation: Base64 encoded functions to evade detection
Attacker Activity:
Reconnaissance only (3 commands)
No file downloads
No database access
No persistence installed
Vulnerability:
File upload script allowed PHP files
No file type validation
No authentication on upload endpoint
3. Investigation Findings:
Timeline:
10:23 – Web shell uploaded
10:24 – Attacker reconnaissance
10:25 – Imperva detects and blocks
10:26 – Web shell removed
10:30 – Alert triggers
Indicators of Compromise (IoCs):
Files:
– /var/www/html/uploads/images.php (SHA256: a1b2c3d4…)
Network:
– Attacker IP: 185.143.221[.]89
– URLs:
– POST /uploads/upload.php
– GET /uploads/images.php?action=cmd&cmd=whoami
4. Containment Actions:
Immediate Actions:
Deleted images.php from server.
Blocked attacker IP at WAF and firewall.
Verified no other web shells present.
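"Verified no other web shells present" is the step that is easiest to do badly: deleting the one file the WAF named does not prove the directory is clean. The script below is an added example (not the SOC's own tooling) of a sweep over an upload directory that applies three checks: any server-side script where only images belong, any image-named file that begins with a PHP tag instead of an image signature, and a weighted score for the indicators the report attributes to WSO (base64-decoded code, command-execution functions, eval, a password gate on request input). The indicator weights, the threshold and the temporary fixture files are assumptions; the fixtures are deliberately not valid PHP, only the tokens the scanner looks for.

```python
"""Sweep an upload directory for web-shell indicators (added example)."""
import os
import re
import tempfile

SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5", ".phps")
IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8")

# (pattern, weight, label); a file whose weights sum to >= THRESHOLD is reported
INDICATORS = [
    (re.compile(rb"\b(?:system|shell_exec|exec|passthru|popen|proc_open)\s*\(", re.I), 3, "command execution function"),
    (re.compile(rb"\beval\s*\(", re.I), 3, "eval()"),
    (re.compile(rb"base64_decode\s*\(", re.I), 2, "base64_decode()"),
    (re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[", re.I), 1, "reads request input"),
    (re.compile(rb"md5\s*\(\s*\$_(?:POST|COOKIE)", re.I), 2, "password gate on request input"),
    (re.compile(rb"[A-Za-z0-9+/]{120,}={0,2}"), 2, "long base64 blob"),
]
THRESHOLD = 5  # assumption: tune against the application's legitimate code


def score_content(data):
    """Sum indicator weights present in the file content; return (score, labels)."""
    score, hits = 0, []
    for rx, weight, label in INDICATORS:
        if rx.search(data):
            score += weight
            hits.append(label)
    return score, hits


def scan_file(path):
    """Return a finding dict for a suspicious file, or None."""
    with open(path, "rb") as fh:
        data = fh.read(512 * 1024)  # the first 512 KiB is enough for shell indicators
    name = os.path.basename(path).lower()
    reasons = []
    if name.endswith(SCRIPT_EXTS):
        reasons.append("server-side script in upload directory")
    elif not data.startswith(IMAGE_MAGIC) and b"<?php" in data[:64].lower():
        reasons.append("image-named file begins with PHP tag")
    score, hits = score_content(data)
    if score >= THRESHOLD:
        reasons.append(f"shell indicators (score {score}): " + ", ".join(hits))
    if not reasons:
        return None
    return {"path": path, "score": score, "reasons": reasons}


def hunt(root):
    """Walk the tree under root and collect findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            finding = scan_file(os.path.join(dirpath, f))
            if finding:
                findings.append(finding)
    return findings


def flagged_names(root):
    """Sorted basenames of flagged files, convenient for reporting and testing."""
    return sorted(os.path.basename(f["path"]) for f in hunt(root))


def build_fixture():
    """Create a temporary upload directory with constructed samples (not real malware)."""
    root = tempfile.mkdtemp(prefix="uploads_")
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        # Constructed fixture, deliberately not valid PHP: only the indicator tokens.
        "images.php": b"<?php /* constructed fixture */ base64_decode( eval( shell_exec( $_REQUEST[ md5($_POST[",
        # Constructed fixture: a script hiding behind an image extension.
        "avatar.jpg": b"<?php /* constructed fixture: not an image */",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in hunt(build_fixture()):
        print(finding["path"], "; ".join(finding["reasons"]))
```

Run against the fixture, logo.png is clean, images.php is reported both for being a script in the upload directory and for its indicator score, and avatar.jpg is reported because its first bytes are a PHP tag rather than a JPEG signature. In a real sweep the scan should cover every directory the web server can execute from, not only /uploads/, and files flagged only by the score deserve a manual look rather than automatic deletion.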
Vulnerability Remediation:
Patched upload.php to validate file types (images only).
Implemented file extension whitelist.
Added authentication to upload endpoint.
Credential Rotation:
Rotated database credentials (as precaution).
Rotated any service account passwords.
5. Root Cause Analysis:
Primary Cause: Insecure file upload allowing PHP files.
Contributing Factors:
No file type validation on upload.
Upload endpoint publicly accessible without auth.
No WAF rules blocking web shells (until now).
6. Business Impact:
Operational Impact: Web server offline for 30 minutes.
Data Exposure: None (recon only).
Reputational Impact: None (contained quickly).
7. Remediation & Prevention:
Completed Actions:
Web shell removed.
Vulnerability patched.
Attacker IP blocked.
Technical Controls Enhanced:
Implemented file type validation on all uploads.
Added authentication to upload endpoints.
Deployed Imperva RASP for runtime web shell detection.
Created WAF rule to block web shell signatures.
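The remediation steps under "Vulnerability Remediation" and "Technical Controls Enhanced" (file type validation, an extension allowlist, authentication on the upload endpoint) are described but not shown. The following is an added example of that validation logic, not the portal's upload.php; it is written in Python to present the checks as generic logic, and the same rules apply to the PHP handler. It requires an authenticated caller, accepts only an allowlist of image extensions, confirms the bytes really carry that image signature, refuses any file containing a PHP open tag (a polyglot image), and stores the file under a server-generated name so that a client-chosen name such as images.php or a double extension never reaches disk. The allowlist, size cap and function names are assumptions.

```python
"""Hardened image-upload validation (added example, not the report's upload.php)."""
import os
import secrets

# Allowed extensions and the file signature each must start with (assumption: images only)
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumption: 5 MiB cap
PHP_TAGS = (b"<?php", b"<?=")   # PHP open tags; matched case-insensitively


def extension(filename):
    """Last extension, lower-cased: 'images.php' -> 'php', 'images.php.png' -> 'png'."""
    return os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()


def magic_matches(ext, data):
    """True if the content begins with a signature valid for the claimed extension."""
    return any(data.startswith(sig) for sig in ALLOWED[ext])


def contains_php_tag(data):
    """Crude polyglot check: a real image should never contain a PHP open tag."""
    lowered = data.lower()
    return any(tag in lowered for tag in PHP_TAGS)


def validate_upload(filename, data, authenticated):
    """Return (accepted, reason, stored_name); stored_name is None when rejected."""
    if not authenticated:
        return False, "upload requires authentication", None
    if len(data) > MAX_BYTES:
        return False, "file too large", None
    ext = extension(filename)
    if ext not in ALLOWED:
        return False, f"extension .{ext or '(none)'} not in image allowlist", None
    if not magic_matches(ext, data):
        return False, f"content is not a valid .{ext} image", None
    if contains_php_tag(data):
        return False, "embedded PHP open tag (polyglot image)", None
    # Never store under the client-supplied name; a random name with the validated
    # extension defeats 'images.php' and double-extension tricks alike.
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs: the report's web shell name, and a minimal PNG header
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for args in [("images.php", b"<?php echo 1;", True),
                 ("photo.png", b"<?php echo 1;", True),
                 ("photo.png", png + b"<?PHP x", True),
                 ("photo.png", png, False),
                 ("photo.png", png, True)]:
        print(args[0], validate_upload(*args))
```

Validation on its own is the first layer; the second is to keep uploads where the PHP handler is not enabled (a directory outside the web root, or one where the server is configured not to execute scripts), so that even a file that slips past the checks is served as static bytes rather than run. Both layers together address all three contributing factors the root cause analysis lists: file type validation, authentication on the endpoint, and an execution path for anything that lands in the upload directory.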
8. Conclusion:
An attacker exploited an insecure file upload to place a PHP web shell on a public web server. They performed basic reconnaissance before Imperva detected and blocked the web shell. The file was removed, and the vulnerability patched. No data was accessed or exfiltrated.
Closure Rationale: Web shell removed; vulnerability patched; attacker blocked.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-18 11:30 EST
End of Batch 11 (Revised)