Log Analysis - Privilege Escalation
We can see the user move to the directory /home/daniel/.
The attacker used the wget utility to download a script hosted on GitHub.
We can see the command tcpdump, which is used for capturing and analysing packets on the command line.
The attacker tried to delete a file named x.phtml.
PHTML files contain PHP code that is parsed by the PHP engine, which allows the web server to generate dynamic HTML for display in a web browser.
We can see that the attacker searched for binaries with the SUID bit set.
When a binary with the SUID bit set is executed, it runs with the effective permissions of the file's owner rather than those of the user who launched it. This is why such binaries are a common path to temporary privilege escalation.
Then the attacker executes sh.
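The sequence above (directory change, remote script download, packet-capture tool, removal of a .phtml file, SUID enumeration, shell spawn) is exactly what an analyst would want to pick out automatically from a shell history. The following is an added example, not code from the original write-up: it scans history lines for those indicators, reports the ones it finds, and flags the SUID-search-then-shell chain. The sample history is constructed for this example, and the regex rules are assumptions about how such commands typically look, not patterns taken from the page. The `is_setuid` helper shows how the SUID bit the page describes is represented in a file's mode bits.

```python
"""Scan shell-history lines for the privilege-escalation indicators
discussed in the write-up (added example; sample data is constructed)."""
import re
import stat

# Constructed sample shell history. Not taken from the page's evidence.
SAMPLE_HISTORY = """\
cd /home/daniel/
wget https://raw.githubusercontent.com/example/repo/main/script.sh
tcpdump -i eth0 -w capture.pcap
rm x.phtml
find / -perm -4000 -type f 2>/dev/null
sh
"""

# Detection rules: (label, compiled pattern, severity). The patterns are
# assumptions chosen for this example, not signatures from the page.
RULES = [
    ("home-dir-change", re.compile(r"^cd\s+/home/"), "low"),
    ("remote-script-download", re.compile(r"^(wget|curl)\b.*github"), "medium"),
    ("packet-capture-tool", re.compile(r"^tcpdump\b"), "medium"),
    ("phtml-file-removal", re.compile(r"^rm\b.*\.phtml\b"), "high"),
    ("suid-enumeration",
     re.compile(r"^find\b.*-perm\s+(-4000|/4000|-u=s|/u=s)"), "high"),
    ("shell-spawn", re.compile(r"^(sh|bash|dash)\s*$"), "high"),
]


def scan_history(text):
    """Return a list of (line_no, label, severity, command) for every
    history line that matches a rule. Blank lines are skipped."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        cmd = raw.strip()
        if not cmd:
            continue
        for label, pattern, severity in RULES:
            if pattern.search(cmd):
                findings.append((line_no, label, severity, cmd))
    return findings


def escalation_chain(findings):
    """True when a SUID enumeration is later followed by a shell spawn,
    the ordering the write-up describes."""
    suid_line = None
    for line_no, label, _, _ in findings:
        if label == "suid-enumeration" and suid_line is None:
            suid_line = line_no
        elif label == "shell-spawn" and suid_line is not None and line_no > suid_line:
            return True
    return False


def is_setuid(mode):
    """True if an st_mode value describes a regular file with the SUID bit.
    Such a file runs with the effective UID of its owner when executed."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


if __name__ == "__main__":
    results = scan_history(SAMPLE_HISTORY)
    for line_no, label, severity, cmd in results:
        print(f"line {line_no:>2} [{severity:<6}] {label:<24} {cmd}")
    print("SUID-search followed by shell:", escalation_chain(results))
    print("mode 0o104755 is setuid:", is_setuid(0o104755))
```

Run it as a script to see one finding per sample line and the chain flag set; feed it a real `.bash_history` by replacing `SAMPLE_HISTORY` with the file's contents. The rules are deliberately narrow so that each one maps to one observation in the write-up; in practice you would widen them (other download tools, `find` variants) and tune severities to your environment.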