Case file

Kibana web-attack timeline from enum to database exfil

Foundations DFIR engagement: Elastic logs reconstructed Nmap/Gobuster/Hydra, admin brute force, webshell upload, LFI credential theft, and phpMyAdmin export of customer_credit_cards.

Foundations28 minDFIR · Log Analysis · Web Attacks · Incident Response
01

Engagement summary

Kibana logs from 26 Jul 2023 showed scanner UA chains, admin:thx1138, webshell commands, LFI of config-db.php, and export of customer_credit_cards.

SLINGSHOT was an IR case for Slingway Inc.’s e-commerce host. Elastic Stack logs (activity from 26 Jul 2023) showed Nmap Scripting Engine probes, Gobuster directory enum (1867 404s, interesting path with artifact, /admin-login.php), Hydra against the admin panel succeeding as admin:thx1138, webshell upload (first command whoami), LFI reading /etc/phpmyadmin/config-db.php, access to /phpmyadmin, and export of database customer_credit_cards plus an attacker-inserted row.

Business impact

Unmonitored admin panels and upload features turn into cardholder-data breaches. Retain web/auth logs in a SIEM, alert on scanner UAs and Hydra patterns, and isolate phpMyAdmin from the internet.

02

Enumeration and admin compromise

Gobuster and Hydra UAs marked the path to admin:thx1138.

OPERATOR · KIBANA

# Kibana: filter @timestamp >= 2023-07-26; inspect user_agent

Nmap Scripting Engine → Mozilla/5.0 (Gobuster)

404 count: 1867 hit: /admin-login.php

Mozilla/4.0 (Hydra) → admin:thx1138

03

Webshell, LFI, and DB export

Uploaded shell ran whoami; LFI stole DB creds; customer_credit_cards exported.

OPERATOR · TIMELINE

POST /admin/... upload → webshell

first cmd: whoami

LFI → /etc/phpmyadmin/config-db.php

GET /phpmyadmin export: customer_credit_cards

Remediation

Force MFA on admin, disable arbitrary uploads, move phpMyAdmin behind VPN, and page IR on Gobuster/Hydra signatures plus sudden DB exports.