Part 1
What package(s) were installed by the threat actor? Select the most correct answer!
Part 2
Why?
- hosting a database
- serving a webpage
- to run a php webshell
- create a fake systemd service
Part 1
Especially considering last week's question, we know where to look when we are investigating packages! Jumping into /var/log/apt/history.log, there is an entry at the bottom for php. There is a significant jump in the timestamps, so this could potentially be the attacker.
I tried php and it was correct!
Answer: php
Part 2
If I had to take a guess from the get-go, the multiple-choice answer for web shell makes the most sense, but I wanted to make sure.
In a previous week, I had noticed a suspicious service installed on the host that referred to php in /etc/systemd/system/cluster.service.
Here you can see the service is running php on a file called cluster.php.
The file cluster.php does look like a reverse shell when inspected.
From the information we have discovered, it will be one of the bottom two answers:
- hosting a database
- serving a webpage
- to run a php webshell
- create a fake systemd service
I first tried “to run a php webshell” because it was the end goal of the service, but it was wrong. Luckily there were two chances!
Answer: create a fake systemd service
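An added example (not part of the original write-up) that automates the two checks used above: parsing /var/log/apt/history.log so that installs following a large jump in timestamps stand out, and flagging systemd units whose ExecStart= launches a script interpreter the way cluster.service ran php on cluster.php. The log contents, the unit text and the /opt/cluster/cluster.php path are constructed for illustration, not taken from the challenge host.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample in /var/log/apt/history.log format (not taken from the challenge host).
SAMPLE_LOG = """\
Start-Date: 2024-01-05  09:14:02
Install: nginx:amd64 (1.18.0-6ubuntu14)
End-Date: 2024-01-05  09:14:20

Start-Date: 2024-03-22  23:41:07
Commandline: apt install php
Requested-By: www-data (33)
Install: php:amd64 (2:8.1+92ubuntu1), php8.1-cli:amd64 (8.1.2-1ubuntu2.14)
End-Date: 2024-03-22  23:41:30
"""

# Constructed unit modelled on the cluster.service described above; the script path is assumed.
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/bin/php /opt/cluster/cluster.php
"""

TS_FORMAT = "%Y-%m-%d  %H:%M:%S"  # apt writes two spaces between date and time
INTERPRETERS = {"php", "python", "python3", "perl", "sh", "bash"}

def parse_history(text):
    """Split history.log into transactions: start time, requester and installed package names."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        records.append({
            "start": datetime.strptime(fields["Start-Date"], TS_FORMAT),
            "requested_by": fields.get("Requested-By", ""),
            "packages": re.findall(r"(\S+?):\w+ \(", fields.get("Install", "")),
        })
    return records

def flag_gaps(records, gap=timedelta(days=7)):
    """Return transactions starting long after the previous one (the timestamp jump noted above)."""
    return [cur for prev, cur in zip(records, records[1:]) if cur["start"] - prev["start"] >= gap]

def interpreter_units(unit_text):
    """Return ExecStart= lines whose program is a script interpreter, e.g. php running cluster.php."""
    hits = []
    for line in unit_text.splitlines():
        argv = line.partition("=")[2].split() if line.startswith("ExecStart=") else []
        # systemd allows prefixes such as "-" or "@" before the executable path; strip them first
        if argv and os.path.basename(argv[0].lstrip("-@+!:")) in INTERPRETERS:
            hits.append(line)
    return hits
```

Run flag_gaps over parse_history of the real history.log and interpreter_units over each file under /etc/systemd/system to reproduce both findings on a live host.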