[Screenshot: AbuseIPDB lookup]
Below is what we find on Cisco Talos Intelligence:
[Screenshot: Talos reputation description]
link: https://talosintelligence.com/reputation_center/lookup?search=203.160.68.12
The next step is to examine the HTTP traffic:
[Screenshot: HTTP traffic]
A public proof-of-concept for the CVE in question, CVE-2024-24919 (an arbitrary file read via path traversal in Check Point Security Gateways with the Remote Access VPN or Mobile Access blades enabled), is available here:
https://github.com/un9nplayer/CVE-2024-24919
Let's dive into the logs now.
[Screenshot: log 1]
The attacker is traversing the file system of the server to reach sensitive files, /etc/passwd and /etc/shadow on Unix-like systems. /etc/passwd lists the local user accounts; /etc/shadow holds their password hashes and is normally readable only by root, so a read of it from an unauthenticated web request means the server is disclosing arbitrary files.
[Screenshot: LFI]
Answer: LFI & RFI (the playbook's category for this attack type; what the logs actually show is a local file read via path traversal, with no remote file being included).
[Screenshot: planned test]
Next we check whether this is a planned test.
After searching the Email Security tab for the IP addresses and the hostname, we find no notification of any planned test, so we conclude it is NOT a planned test.
[Screenshot: Internet to network]
The source IP is an external address from Hong Kong, so the traffic direction is Internet -> Company Network.
[Screenshot: check if successful]
The attack was successful. A traversal request by itself only proves an attempt; the verdict rests on the server's response in the HTTP traffic, a 200 carrying the requested file's contents rather than an error page.
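As an added example (not part of the original write-up) covering both the log review above and the success check: constructed request records are run through a small triage script that normalizes URL encoding, flags traversal sequences aimed at sensitive files, and grades each attempt by the server's response. The pipe-delimited record format, the request paths and the response snippets are assumptions made for this example; only the source IP comes from the lookup above.

```python
import re
from urllib.parse import unquote

# Constructed sample records (not from the original page). One record per request,
# pipe-delimited: src_ip | method | request target or body | status | response bytes | response snippet.
# The source IP reuses the address looked up above; paths and responses are made up.
SAMPLE_RECORDS = [
    "203.160.68.12|POST|/../../../../../../etc/passwd|200|1864|root:x:0:0:root:/root:/bin/bash",
    "203.160.68.12|POST|/../../../../../../etc/shadow|200|1209|root:$6$abcdef$hash",
    "203.160.68.12|GET|/..%2f..%2f..%2fetc%2fpasswd|404|196|<html>Not Found</html>",
    "203.160.68.12|GET|/%252e%252e/%252e%252e/etc/shadow|403|0|",
    "203.160.68.12|GET|/..%2F..%2Fetc%2Fhosts|200|412|127.0.0.1 localhost",
    "10.0.0.25|GET|/static/images/logo.png|200|5123|PNG",
]

# Files an attacker typically reaches for with a traversal primitive.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/hosts")

# Content signatures proving the file itself came back, not an error page.
LEAK_SIGNATURES = {
    "/etc/passwd": re.compile(r"^root:[^:]*:0:0:", re.M),
    "/etc/shadow": re.compile(r"^root:(?:\$|!|\*)", re.M),
}


def normalize(target, rounds=3):
    """URL-decode repeatedly (catches %2e%2e%2f and double encoding), unify slashes, lowercase."""
    s = target
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/").lower()


def parse_record(line):
    src, method, target, status, size, snippet = line.split("|", 5)
    return {"src": src, "method": method, "target": target,
            "status": int(status), "bytes": int(size), "snippet": snippet}


def assess(rec):
    """Return a finding for a traversal attempt, or None if the request is benign.

    Verdicts: 'successful' (200 and the file's content signature is present),
    'failed' (non-200 or empty body), 'unconfirmed' (200 but no signature matched
    or none is known for the file; inspect the full response by hand).
    """
    norm = normalize(rec["target"])
    if "../" not in norm:
        return None
    target = next((f for f in SENSITIVE_FILES if f in norm), None)
    if rec["status"] != 200 or rec["bytes"] == 0:
        verdict = "failed"
    else:
        sig = LEAK_SIGNATURES.get(target)
        if sig is not None and sig.search(rec["snippet"]):
            verdict = "successful"
        else:
            verdict = "unconfirmed"
    return {"src": rec["src"], "target": target, "normalized": norm, "verdict": verdict}


def analyze(lines):
    findings = (assess(parse_record(line)) for line in lines)
    return [f for f in findings if f is not None]


def summarize(findings):
    """Per-source tally: the numbers to have in hand before deciding success and containment scope."""
    out = {}
    for f in findings:
        d = out.setdefault(f["src"], {"attempts": 0, "successful": 0, "files": set()})
        d["attempts"] += 1
        d["successful"] += f["verdict"] == "successful"
        if f["target"]:
            d["files"].add(f["target"])
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"{f['src']} -> {f['target'] or '?'} : {f['verdict']}")
    print(summarize(analyze(SAMPLE_RECORDS)))
```

The repeated decode matters: a single `unquote` misses `%252e%252e`, and a filter that only looks at the raw request line misses traversal carried in a POST body, which is why the script treats "request target or body" as one field. The "unconfirmed" verdict is deliberate; a 200 with a generic body is not proof of disclosure and should send the analyst back to the full response.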
[Screenshot: containment]
The next step is to contain the host.
[Screenshot: contained]
Based on what the investigation has uncovered, it is wise to contain this server endpoint to prevent further damage. Containment stops further file reads; the password hashes exposed through /etc/shadow still need to be rotated as a follow-up.
Add artifacts (at minimum the attacker IP 203.160.68.12 and the requested file paths):
[Screenshot: artifacts]
[Screenshot: escalate]
This case needs Tier 2 escalation: a confirmed, successful exploitation of an internet-facing server is beyond what Tier 1 should close on its own.
After adding the analyst's notes we finish the playbook and close the alert.