Has anyone experienced the following:
Description
GPL ATTACK_RESPONSE id check returned apache
Analysis
Source IP ###.###.###.### was observed communicating with destination IP 164.92.243.252 over destination port 53792/TCP. The observed stream data matched on a signature for return traffic from an id command, typically run using a shell. The observed stream data appears to contain various options that would be present within a webshell as well as containing data regarding the webserver.
Recommendations
It is recommended that you investigate the affected IP for signs of compromise and remediate appropriately.
Please do not hesitate to leverage the MS-ISAC to assist you in investigating this incident or in your response and recovery efforts. We perform a variety of incident response services including log analysis, malware analysis, computer forensics, development of a mitigation and recovery strategy as well as network and application vulnerability scanning. Requests for these services can be obtained by calling 1-866-787-4722 or sending an email to SOC@msisac.org.
Supporting Details:
First Seen: 02/29/2024 09:05:20 UTC
Albert Observing Devices: wa-kitsco-PRO-Albert-A
Albert History: Initial Albert event notification
Affected Host IP: ###.###.###.###
HIP Info: PIQ - Kitsap County
Event Types Observed (Past 30 Days):
GPL ATTACK_RESPONSE id check returned apache
Possible /etc/passwd via HTTP (linux style)
------------------------------
George Geyer
Systems Engineer
Kitsap County
------------------------------
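As an added example (not from the original post or from MS-ISAC), here is the kind of check the alert's signature performs: scanning server-to-client payloads for the output of `id` run as the web server account. It mirrors the rule's intent rather than its exact syntax; the flow records and the 192.0.2.10 address are constructed, while 164.92.243.252 and port 53792 are the values quoted in the alert.

```python
import re

# Added example, not the original post's or MS-ISAC's code. Models the
# intent of the "ATTACK_RESPONSE id check returned apache" rule: flag
# payloads carrying `id` output for a web server account, e.g.
# "uid=48(apache) gid=48(apache)". Exact rule syntax is not reproduced.
ID_OUTPUT_RE = re.compile(
    r"uid=(?P<uid>\d{1,5})\((?P<user>apache|www-data|httpd|nginx)\)"
    r"\s+gid=(?P<gid>\d{1,5})\((?P<group>[\w-]+)\)"
)

def find_id_command_output(payload: str):
    """Return details of `id` output found in payload, or None.
    Bounds uid/gid below 65536 so arbitrary digits after "uid=" do
    not match (mirrors the rule's numeric bound; an assumption here)."""
    for m in ID_OUTPUT_RE.finditer(payload):
        uid, gid = int(m.group("uid")), int(m.group("gid"))
        if uid < 65536 and gid < 65536:
            return {"uid": uid, "user": m.group("user"),
                    "gid": gid, "group": m.group("group")}
    return None

def scan_flows(flows):
    """Run the check over captured flows (dicts with src, dst, dport and
    decoded payload) and return one alert record per matching flow."""
    alerts = []
    for flow in flows:
        hit = find_id_command_output(flow["payload"])
        if hit is not None:
            alerts.append({"src": flow["src"], "dst": flow["dst"],
                           "dport": flow["dport"], "match": hit,
                           "msg": "ATTACK_RESPONSE id check returned "
                                  + hit["user"]})
    return alerts

# Constructed sample flows. 192.0.2.10 is an RFC 5737 placeholder for the
# masked internal host; the destination IP and port come from the alert.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "164.92.243.252", "dport": 53792,
     "payload": "<pre>uid=48(apache) gid=48(apache) groups=48(apache)\n"
                "</pre>Server: Apache/2.4 (Unix)"},          # true hit
    {"src": "192.0.2.10", "dst": "164.92.243.252", "dport": 53792,
     "payload": "<p>Install apache and restart the service.</p>"},
    {"src": "192.0.2.10", "dst": "164.92.243.252", "dport": 53792,
     "payload": "uid=70000(apache) gid=1(apache)"},          # fails bound
]
```

Only the first flow produces an alert; the second mentions "apache" without `id` output and the third exceeds the uid bound.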