Introduction
Cyber threats targeting public-facing web applications are increasing, with attackers deploying stealthy techniques to gain unauthorized access. This case study presents a real-world investigation into a compromised web portal in the education sector, uncovering unauthorized access, credential harvesting, and persistence tactics used by the attacker.
By walking through the investigation process, analysis techniques, and key findings, this report provides valuable insights for cybersecurity professionals handling similar incidents.
Phase 1: Initial Discovery and Suspicion
Q: What triggered the investigation?
On October 20, 2024, security teams at an educational institution reported suspicious activity on a public-facing web portal. The anomalies included:
- Injected malicious code in the AuthenticateUsers.php file.
- An unusual file, icon.png, present in the system.

This led to a deeper investigation to understand the full scope of the compromise.
Q: What was the first step in analyzing the system?
1️⃣ Examining AuthenticateUsers.php for unauthorized modifications.
2️⃣ Inspecting icon.png to determine its actual content and purpose.
Phase 2: Analyzing the Malicious Code and Credential Harvesting
Q: What did the analysis of AuthenticateUsers.php reveal?
- The injected code was designed to capture login credentials entered on the portal.
- The stolen usernames and passwords were stored in icon.png, which was disguised as an image file but was actually a CSV text file.
💡 Key observation: The attacker used a misleading file extension (.png) to avoid detection.
Q: How was the actual content of icon.png verified?
Findings:
- The file was not an image but contained plaintext login credentials.
- Timestamp analysis of the stored credentials showed activity between October 17-19, 2024. (The full content of the icon.png file is not shown here.)
Phase 3: Correlating Logs to Determine Attacker Activity
Q: Were there any unauthorized logins during this period?
- Authentication logs from October 17-19, 2024 were reviewed.
- No suspicious login attempts were found during this period.
- This suggested that the stored credentials in icon.png were collected for later use rather than immediately exploited.
💡 Key observation: The attacker aimed to steal credentials and potentially sell or use them later, rather than triggering immediate alerts.
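The following Python script is an added illustration, not part of the original case write-up, of how the checks in Phases 2 and 3 can be done together: confirming from the magic bytes that a file named icon.png is not a real PNG, extracting the activity window from the CSV it actually contains, and then searching authentication log lines for successful logins by the harvested accounts inside that window. The credential CSV layout, its column names, and the syslog-style auth log lines are all constructed samples (the real file's layout is not shown in the case); passwords are never echoed.

```python
import csv
import io
import re
from datetime import datetime

# A genuine PNG file starts with these 8 bytes.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample of what a disguised "icon.png" might hold; not the real file.
FAKE_ICON_PNG = (
    b"username,password,timestamp\n"
    b"student01,REDACTED,2024-10-17 08:12:44\n"
    b"staff_jane,REDACTED,2024-10-18 13:05:01\n"
    b"student07,REDACTED,2024-10-19 22:47:19\n"
)

# Constructed auth log lines in a syslog-like sshd format (assumed for illustration).
AUTH_LOG = """\
Oct 16 09:01:12 portal sshd[1201]: Accepted password for admin from 10.0.0.5 port 51234 ssh2
Oct 18 02:14:55 portal sshd[1340]: Failed password for student01 from 198.51.100.7 port 40211 ssh2
Oct 20 07:30:02 portal sshd[1422]: Accepted password for staff_jane from 10.0.0.9 port 50012 ssh2
"""

LOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Accepted|Failed) \w+ for (\S+) from (\S+)"
)


def is_real_png(data: bytes) -> bool:
    """True only if the file really carries the PNG signature, whatever its extension."""
    return data.startswith(PNG_MAGIC)


def looks_like_text(data: bytes) -> bool:
    """Heuristic: decodable as UTF-8 and free of NUL bytes."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def parse_credential_dump(data: bytes):
    """Parse the CSV and return (usernames, earliest, latest). Passwords are not returned."""
    rows = list(csv.DictReader(io.StringIO(data.decode("utf-8"))))
    stamps = [datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S") for r in rows]
    users = sorted({r["username"] for r in rows})
    return users, min(stamps), max(stamps)


def logins_in_window(log_text, users, start, end, year):
    """Return (user, source_ip, timestamp) for successful logins by harvested users in [start, end]."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year, so the investigator supplies it.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if m.group(2) == "Accepted" and m.group(3) in users and start <= ts <= end:
            hits.append((m.group(3), m.group(4), ts))
    return hits


def triage(data, log_text, year):
    """Full workflow: file-type check, then credential-window correlation if the file is text."""
    result = {"real_png": is_real_png(data), "is_text": looks_like_text(data), "hits": []}
    if result["is_text"] and not result["real_png"]:
        users, start, end = parse_credential_dump(data)
        result.update(users=users, window=(start.isoformat(), end.isoformat()))
        result["hits"] = logins_in_window(log_text, users, start, end, year)
    return result


if __name__ == "__main__":
    r = triage(FAKE_ICON_PNG, AUTH_LOG, 2024)
    print("real PNG:", r["real_png"], "| text:", r["is_text"])
    print("harvested accounts:", r["users"], "| window:", r["window"])
    print("successful logins by harvested accounts in window:", r["hits"])
```

With the constructed data the correlation returns no hits, which mirrors the case finding that the stolen credentials were not used during October 17-19; the same function reports any account that does log in inside the window, together with the source address to pivot on.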
Phase 4: Identifying Persistence Mechanisms
Q: How did the attacker gain access?
- A search of installed applications and system activity uncovered traces of the Metasploit framework, a well-known post-exploitation tool.
- The installation date of Metasploit was traced to August 2022, indicating long-term unauthorized access.
💡 Key observation: The presence of Metasploit suggested the attacker maintained privileged access for an extended period.
Q: Were there traces of attacker activity in network logs?
There was no explicit footprint in the network activity logs, but a hidden file containing the attacker's command history was recovered. It showed:
- Remote connections to 103.133.165.35, an IP address registered in Bangladesh, using ports 3389 and 2222.
- An attempt to establish a reverse shell, likely to maintain remote access.
💡 Key observation: The attacker aimed to bypass detection and maintain access beyond system reboots.
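An added example (not from the original investigation) of how a recovered command history can be triaged: each line is flagged if it references a public IP address, one of the ports named in the case (3389, 2222), or a Metasploit tool name, so an analyst can jump straight to the lines that matter in a long history. The history lines are constructed; the address 103.133.165.35 and the port numbers come from the case above.

```python
import ipaddress
import re

# Constructed sample of a recovered shell history; NOT the real file from the case.
HISTORY = """\
ls -la /var/www/html
cat /var/www/html/AuthenticateUsers.php
ssh -p 2222 user@103.133.165.35
xfreerdp /v:103.133.165.35:3389
ping 10.0.0.1
msfconsole
vim icon.png
"""

# Ports named in the case (RDP and a non-standard SSH port) and Metasploit tool names.
WATCH_PORTS = {3389, 2222}
TOOL_INDICATORS = ("msfconsole", "msfvenom", "meterpreter")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Port written as host:port, "-p PORT" or "/port:PORT" (assumed conventions for the sample).
PORT_RE = re.compile(r"(?::|-p\s+|/port:)(\d{2,5})\b")


def external_ips(line):
    """Return the public (non-private, non-loopback) IPv4 addresses mentioned on a line."""
    found = []
    for ip in IP_RE.findall(line):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # e.g. 999.1.1.1 is not a valid address
        if addr.is_global:
            found.append(ip)
    return found


def triage_history(text):
    """Return (line_number, line, reasons) for every history line worth a second look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        reasons = []
        ext = external_ips(line)
        if ext:
            reasons.append("external_ip:" + ",".join(ext))
        ports = {int(p) for p in PORT_RE.findall(line)} & WATCH_PORTS
        if ports:
            reasons.append("watch_port:" + ",".join(str(p) for p in sorted(ports)))
        if any(tool in line for tool in TOOL_INDICATORS):
            reasons.append("tool_indicator")
        if reasons:
            findings.append((n, line, reasons))
    return findings


if __name__ == "__main__":
    for n, line, reasons in triage_history(HISTORY):
        print(f"line {n}: {line!r} -> {', '.join(reasons)}")
```

Internal addresses such as 10.0.0.1 are deliberately ignored via `is_global`, so the output concentrates on outbound contact with hosts outside the institution; the indicator lists are small here and would be extended from the organisation's own threat intelligence in practice.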
Phase 5: Investigating the Initial Compromise
Q: How was Metasploit introduced into the system?
To trace the initial point of entry, investigators examined:
✅ User login sessions
✅ Command execution history
✅ Hidden directories & unauthorized files
Findings:
- Remote logins from August 24-25, 2022, linked to two suspicious IPs:
  - 84.252.93.145: flagged for malicious activity.
  - 86.48.11.153: a VPN-associated IP, likely used for obfuscation.
- Attackers executed commands from home directories (ssl, amotin, super), indicating interactive access.
- Hidden Metasploit directories suggested the attacker had installed backdoor capabilities.
💡 Key observation: The attacker likely gained access through compromised credentials, an exposed vulnerability, or an improperly secured remote access service.
Phase 6: Post-Investigation Discovery
Q: Did the attacker attempt to regain access?
- On October 31, 2024, a new icon.png file was detected, indicating that the attacker had re-established access.
- This suggested that an undetected persistence mechanism remained active, requiring further investigation.
💡 Key observation: Even after removing initial backdoors, attackers may retain alternate access methods, making continuous monitoring essential.
What this case reveals about attacker techniques:
🔹 Credential Harvesting Tactics: Attackers used stealthy code injections to collect credentials without triggering immediate alerts.
🔹 Persistence Mechanisms: The presence of Metasploit indicated privileged access for long-term exploitation.
🔹 Stealthy Operations: VPN obfuscation, misleading file names (icon.png), and encrypted commands helped bypass detection.
🔹 Delayed Exploitation Strategy: Instead of immediate credential abuse, the attacker likely planned later use or sale of credentials.
Key Takeaways for the Investigation
In the aftermath of a security breach, it’s essential for both cybersecurity investigators and security practitioners to focus on critical areas to uncover the full scope of the attack and bolster defenses. The following takeaways provide actionable steps for these professionals to follow:
🔹 Monitor for Unauthorized File Modifications
For investigators, it’s crucial to check for hidden scripts or backdoors that attackers may have left behind. For security practitioners, regular file integrity checks can help prevent these unauthorized changes in the future. Tools like File Integrity Monitoring (FIM) are invaluable for both.
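A minimal file integrity check of the kind this takeaway recommends, added here as an example (not from the original article and not a specific FIM product): hash every file under the web root, store the baseline as JSON, and later diff a fresh snapshot against it to list added, removed and modified files. The demo builds a throwaway web root with a placeholder AuthenticateUsers.php, then simulates the two changes seen in the case (the login handler is altered and an icon.png appears); file names are taken from the case, their contents are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Return the files that were added, removed or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario mirroring the case: the login handler is altered and a fake image appears."""
    with tempfile.TemporaryDirectory() as d:
        webroot = Path(d) / "www"
        webroot.mkdir()
        php = webroot / "AuthenticateUsers.php"
        php.write_text("<?php\n// login handler (placeholder content)\n")
        # Baseline is stored outside the monitored tree so it is not reported as a new file.
        baseline_path = Path(d) / "baseline.json"
        save_baseline(snapshot(webroot), baseline_path)

        # Simulated compromise: the handler changes and a new icon.png shows up.
        php.write_text("<?php\n// login handler (placeholder content)\n// added line (placeholder)\n")
        (webroot / "icon.png").write_bytes(b"username,password\n")

        return compare(load_baseline(baseline_path), snapshot(webroot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule against a baseline captured from a known-good deployment, the `modified` and `added` lists are exactly the signals that would have surfaced the injected AuthenticateUsers.php and the first icon.png much earlier than October 2024; a production FIM additionally protects the baseline itself from tampering and ignores paths that legitimately change (logs, caches, uploads).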
🔹 Review Installed Programs and Background Processes
Investigators should audit any unexpected or unfamiliar applications running in the background to identify potential compromises. Security practitioners can implement strict controls over software installations and continuously monitor active processes to detect malicious programs early.
🔹 Analyze Historical Logins and Network Traffic
Investigators must delve into historical login data and network traffic to pinpoint how the attacker gained access and moved within the system. Security practitioners can use this insight to improve network segmentation and detect abnormal activity that could signify a future attack.
🔹 Detect Repeated Intrusion Attempts
Even after cleanup, attackers may attempt to re-enter systems. Investigators should look for multiple failed login attempts, suspicious access patterns, or unusual network traffic. Security practitioners should focus on reinforcing authentication mechanisms and monitoring for signs of repeated attempts to regain access.
By following these key takeaways, investigators can conduct thorough investigations while security practitioners can implement preventive measures, reducing the risk of future incidents.
Conclusion
This case highlights how cybersecurity investigators can uncover stealthy cyber intrusions through log analysis, behavioral tracking, and attacker methodology assessment. The education sector, like many industries, remains a prime target for credential harvesting and long-term persistence attacks.
By continuously analyzing attacker behaviors and investigating persistence tactics, cybersecurity professionals can improve detection, response, and resilience against evolving cyber threats.