Kibana web-attack timeline from enum to database exfil
Foundations DFIR engagement: Elastic logs reconstructed Nmap/Gobuster/Hydra, admin brute force, webshell upload, LFI credential theft, and phpMyAdmin export of customer_credit_cards.
- Case files
- Kibana web-attack timeline from enum to database exfil
Kibana logs from 26 Jul 2023 showed scanner UA chains, admin:thx1138, webshell commands, LFI of config-db.php, and export of customer_credit_cards.
Gobuster and Hydra UAs marked the path to admin:thx1138.
Uploaded shell ran whoami; LFI stole DB creds; customer_credit_cards exported.
Engagement summary
Kibana logs from 26 Jul 2023 showed scanner UA chains, admin:thx1138, webshell commands, LFI of config-db.php, and export of customer_credit_cards.
SLINGSHOT was an IR case for Slingway Inc.’s e-commerce host. Elastic Stack logs (activity from 26 Jul 2023) showed Nmap Scripting Engine probes, Gobuster directory enum (1867 404s, interesting path with artifact, /admin-login.php), Hydra against the admin panel succeeding as admin:thx1138, webshell upload (first command whoami), LFI reading /etc/phpmyadmin/config-db.php, access to /phpmyadmin, and export of database customer_credit_cards plus an attacker-inserted row.
Business impact
Unmonitored admin panels and upload features turn into cardholder-data breaches. Retain web/auth logs in a SIEM, alert on scanner UAs and Hydra patterns, and isolate phpMyAdmin from the internet.
Enumeration and admin compromise
Gobuster and Hydra UAs marked the path to admin:thx1138.
OPERATOR · KIBANA
# Kibana: filter @timestamp >= 2023-07-26; inspect user_agent
Nmap Scripting Engine → Mozilla/5.0 (Gobuster)
404 count: 1867 hit: /admin-login.php
Mozilla/4.0 (Hydra) → admin:thx1138
Webshell, LFI, and DB export
Uploaded shell ran whoami; LFI stole DB creds; customer_credit_cards exported.
OPERATOR · TIMELINE
POST /admin/... upload → webshell
first cmd: whoami
LFI → /etc/phpmyadmin/config-db.php
GET /phpmyadmin export: customer_credit_cards
Remediation
Force MFA on admin, disable arbitrary uploads, move phpMyAdmin behind VPN, and page IR on Gobuster/Hydra signatures plus sudden DB exports.