To determine the date the webshell was accessed from the investigation22.pcap file, follow these detailed steps:
Step 1: Access the PCAP File
Log into the Analyst Desktop.
Navigate to the Investigations folder on the desktop.
Locate the file:
investigation22.pcap
Step 2: Open the PCAP File in Wireshark
Launch Wireshark.
Open the PCAP file:
File > Open > Desktop > Investigations > investigation22.pcap
Step 3: Filter for Webshell Traffic
Since webshells typically use HTTP/S to communicate, apply a filter:
http.request or http.response
Alternatively, if you know the IP of the compromised host (e.g., 10.10.44.200), use:
http and ip.addr == 10.10.44.200
Step 4: Identify Webshell Activity
Look for HTTP requests that include:
Common Webshell Filenames: shell.jsp, cmd.php, backdoor.aspx, etc.
Suspicious HTTP Methods: mainly POST or GET.
Right-click a suspicious packet and choose:
Follow > HTTP Stream
Step 5: Extract the Access Date
Look at the HTTP request/response header.
Find the Date field or Timestamp of the packet:
Wireshark displays timestamps on the left by default.
Confirm the HTTP stream includes commands or uploads to the webshell.
Example HTTP Stream:
POST /uploads/shell.jsp HTTP/1.1
Host: 10.10.44.200
User-Agent: Mozilla/5.0
Date: Mon, 2024-03-18 14:35:22 GMT
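Steps 3 to 5 can also be done without clicking through Wireshark. The script below is an added example, not part of the original walkthrough: it reads a classic pcap file with the standard library only, picks out TCP segments that start with an HTTP request line, flags requests whose path ends in one of the webshell filenames listed above, and reports the capture timestamp (the same value Wireshark shows in its Time column) as a UTC date. The sample capture is constructed in memory so the script runs offline; the attacker address 10.10.44.51 and the two request payloads are assumptions, only 10.10.44.200 and /uploads/shell.jsp come from the walkthrough.

```python
import socket
import struct
from datetime import datetime, timezone

# Webshell filenames named in the walkthrough; extend the set for your own environment.
SUSPICIOUS_NAMES = {"shell.jsp", "cmd.php", "backdoor.aspx"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")


def build_packet(ts_sec, src_ip, dst_ip, dst_port, payload):
    """Return one pcap record: record header plus an Ethernet/IPv4/TCP frame carrying payload."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed dst/src MAC, EtherType 0x0800 (IPv4)
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 49152, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    frame = eth + ip + tcp + payload
    rec_hdr = struct.pack("<IIII", ts_sec, 0, len(frame), len(frame))  # ts_sec, ts_usec, incl_len, orig_len
    return rec_hdr + frame


def build_pcap(records):
    """Classic pcap global header (little-endian, link type 1 = Ethernet) followed by the records."""
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return global_hdr + b"".join(records)


def iter_http_requests(pcap_bytes):
    """Yield (utc_datetime, src_ip, dst_ip, method, path) for every TCP segment that opens with an HTTP request line."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:  # IP protocol field: 6 = TCP
            continue
        src_ip = socket.inet_ntoa(frame[26:30])
        dst_ip = socket.inet_ntoa(frame[30:34])
        tcp_off = 14 + ihl
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:]
        if not payload.startswith(HTTP_METHODS):
            continue
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        parts = request_line.split(" ")
        if len(parts) < 3:
            continue
        ts = datetime.fromtimestamp(ts_sec + ts_usec / 1e6, tz=timezone.utc)
        yield ts, src_ip, dst_ip, parts[0], parts[1]


def find_webshell_hits(pcap_bytes):
    """Return one dict per request whose path's basename is a known webshell filename."""
    hits = []
    for ts, src, dst, method, path in iter_http_requests(pcap_bytes):
        name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if name in SUSPICIOUS_NAMES:
            hits.append({"date": ts.strftime("%Y-%m-%d"), "time": ts.strftime("%H:%M:%S"),
                         "src": src, "dst": dst, "method": method, "path": path})
    return hits


def _epoch(y, mo, d, h, mi, s):
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())


# Constructed sample capture: one benign page load, then one POST to the webshell (assumed client 10.10.44.51).
SAMPLE_PCAP = build_pcap([
    build_packet(_epoch(2024, 3, 18, 14, 30, 5), "10.10.44.51", "10.10.44.200", 80,
                 b"GET /index.html HTTP/1.1\r\nHost: 10.10.44.200\r\n\r\n"),
    build_packet(_epoch(2024, 3, 18, 14, 35, 22), "10.10.44.51", "10.10.44.200", 80,
                 b"POST /uploads/shell.jsp HTTP/1.1\r\nHost: 10.10.44.200\r\n"
                 b"User-Agent: Mozilla/5.0\r\nContent-Length: 10\r\n\r\ncmd=whoami"),
])

if __name__ == "__main__":
    # To run against the real capture: find_webshell_hits(open("investigation22.pcap", "rb").read())
    for hit in find_webshell_hits(SAMPLE_PCAP):
        print(f"{hit['date']} {hit['time']} UTC  {hit['src']} -> {hit['dst']}  {hit['method']} {hit['path']}")
```

The date comes from the pcap record header, not from any HTTP Date header, which is the more reliable source: a Date header is set by the responding server's clock and can be absent, skewed, or forged, while the capture timestamp is written by the sensor that recorded the traffic. Note that Wireshark shows capture times in the analyst machine's local time zone by default, so convert to UTC (or set View > Time Display Format > UTC) before recording the access date.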
Step 6: Verify the Correct Date
Double-check other HTTP requests or responses related to the webshell.
Make sure the date field is consistent across multiple requests to the same file.
Answer:
2024-03-18
Step 7: Document the Finding
Date of Access: 2024-03-18
Filename: shell.jsp (as identified earlier)
Compromised Host: 10.10.44.200
Method of Access: HTTP POST
Step 8: Next Steps
Isolate the Affected Host:
Remove the Webshell:
rm /path/to/webshell/shell.jsp