CASE FILE 002

Linux Web Server Compromise Investigation

Controlled DFIR simulation: Web exploit → shell → root → persistence → exfil. Built to practice evidence handling, log correlation, artifact validation, and timeline reconstruction using SIFT.

Deterministic Initial Access (DVWA) | Provable PrivEsc (Misconfig) | Persistence (SSH Keys + systemd) | Exfil (scp/curl)

Scenario Summary

A Linux web server hosting a deliberately vulnerable web application is compromised. The attacker exploits a web flaw to gain an initial foothold, escalates privileges to root via a misconfiguration, establishes persistence in two distinct ways, and exfiltrates staged “sensitive” data to an attacker host on an isolated network.

Objective: reconstruct the full attack chain with defensible evidence (logs + host artifacts), produce a coherent timeline, and document IOCs and remediation recommendations.

Status: Planned (Academic Simulation). This page will be updated as the lab is executed and findings are validated.

What This Case Demonstrates

Log Correlation

Correlate Apache access/error logs with auth/syslog (or journald) to prove initial access, lateral actions, and exfil.

Host Artifact Validation

Identify dropped files (webshell, tooling), validate persistence artifacts, and record hashes + metadata.

Privilege Escalation Proof

Demonstrate root access via a provable configuration weakness (sudoers/SUID/cron), not “magic kernel exploits.”

Timeline Reconstruction

Build a single timeline (Plaso/log2timeline) mapping: exploit → shell → root → persistence → exfil.
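The correlation and timeline steps above can be prototyped before Plaso is run. The script below is an added example, not code from the case file: it parses constructed Apache combined-format lines and auth.log lines (both sample data, not lab output), normalizes them into one UTC-sorted timeline, and links webshell-style requests to later SSH logins from the same source IP and to sudo use by the user that logged in. Because auth.log carries no year, the year and a UTC host clock are passed in as assumptions; the `.php?cmd=` signature is a simple heuristic, not the lab's confirmed IOC.

```python
"""Added example: correlate Apache access log with auth.log and build one timeline.
Sample log lines are constructed; the auth.log year and UTC host clock are assumptions."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample data: 10.0.0.9 is a legitimate admin; 10.0.0.5 uploads a file,
# calls it with a cmd= parameter, then logs in over SSH with a planted key.
ACCESS_LOG = """\
10.0.0.9 - - [14/Mar/2026:13:58:03 +0000] "GET /dvwa/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Mar/2026:14:04:02 +0000] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 1307 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Mar/2026:14:04:15 +0000] "GET /dvwa/hackable/uploads/img.php?cmd=whoami HTTP/1.1" 200 55 "-" "curl/8.0"
10.0.0.5 - - [14/Mar/2026:14:05:40 +0000] "GET /dvwa/hackable/uploads/img.php?cmd=uname+-a HTTP/1.1" 200 120 "-" "curl/8.0"
"""
AUTH_LOG = """\
Mar 14 13:50:10 victim sshd[2100]: Accepted password for admin from 10.0.0.9 port 50011 ssh2
Mar 14 14:06:30 victim sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51822 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar 14 14:07:02 victim sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar 14 14:09:45 victim systemd[1]: Started Helper Service.
"""

APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
AUTH_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSH_ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SUSPICIOUS_RE = re.compile(r"\.php\?(?:\S*&)?cmd=", re.I)  # heuristic webshell signature (assumption)


@dataclass(order=True)
class Event:
    ts: datetime
    source: str
    summary: str
    ip: str = field(default="", compare=False)
    user: str = field(default="", compare=False)


def parse_access_log(text):
    """Apache combined format -> Event list; timestamps carry their own offset."""
    events = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append(Event(ts, "apache", f'{m["method"]} {m["path"]} -> {m["status"]}', ip=m["ip"]))
    return events


def parse_auth_log(text, year):
    """auth.log -> Event list; year supplied by caller, host clock assumed UTC."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f'{year} {m["mon"]} {m["day"]} {m["time"]}', "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        msg = m["msg"].strip()
        ip = user = ""
        if a := SSH_ACCEPT_RE.search(msg):
            ip, user = a["ip"], a["user"]
        elif s := SUDO_RE.match(msg):
            user = s["user"]
        events.append(Event(ts, m["proc"], msg, ip=ip, user=user))
    return events


def build_timeline(*sources):
    """Merge per-source event lists into one chronologically sorted timeline."""
    return sorted(e for src in sources for e in src)


def render_timeline(events):
    return [f"{e.ts.isoformat()} {e.source:<8} {e.summary}" for e in events]


def correlate(events, window=timedelta(minutes=30)):
    """Chain: suspicious web request -> SSH login from same IP -> sudo by that user, each within `window`."""
    findings = {}
    web = [e for e in events if e.source == "apache" and SUSPICIOUS_RE.search(e.summary)]
    for ip in sorted({e.ip for e in web}):
        first = min(e.ts for e in web if e.ip == ip)
        logins = [e for e in events if e.source == "sshd" and e.ip == ip and first <= e.ts <= first + window]
        sudo = [e for login in logins for e in events
                if e.source == "sudo" and e.user == login.user and login.ts <= e.ts <= login.ts + window]
        findings[ip] = {
            "first_suspicious_request": first.isoformat(),
            "ssh_logins": [(e.ts.isoformat(), e.user) for e in logins],
            "sudo_events": [(e.ts.isoformat(), e.summary) for e in sudo],
        }
    return findings


if __name__ == "__main__":
    timeline = build_timeline(parse_access_log(ACCESS_LOG), parse_auth_log(AUTH_LOG, year=2026))
    print("\n".join(render_timeline(timeline)))
    print(correlate(timeline))
```

On real evidence, feed the script the full access.log and auth.log (or `journalctl -o short-iso` output, which does carry the year) and treat `correlate()` output as leads to confirm against host artifacts, not as proof by itself.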

Evidence Examined

Evidence types below reflect the intended dataset. Only validated artifacts will appear in the final redacted report.

Disk / File System Artifacts

Webroot uploads, suspicious binaries/scripts, permission changes, timestamps, hashes, and persistence files.

Web Server Logs

Apache access/error logs used to prove exploit traffic and subsequent attacker interactions.

Auth & System Logs

SSH logins, sudo events, service changes, and transfer activity (auth.log + syslog/journald).

Optional: Memory Artifacts

If collected, memory can validate running processes and network connections at the time of compromise (advanced).

Case Details

Case ID: CASE-002
Target Window: Spring 2026
Current Phase: Infrastructure setup
Status: Planned (Academic)
Investigator: Dontavious Ellis

Lab Architecture

VM 1 — Victim
Ubuntu Server + Apache + DVWA + SSH
Staged “sensitive” directory for exfil simulation
VM 2 — Attacker
Kali Linux
Recon + exploit + controlled post-exploitation
VM 3 — Forensics
SIFT Workstation
Imaging, analysis, Plaso timeline, reporting
Network
Isolated internal network (no internet during attack)

Planned Tooling (Subject to Change)

SIFT / Sleuth Kit / Autopsy — File system analysis
Plaso (log2timeline) — Timeline reconstruction
Linux native tooling — journalctl, grep, find, stat, sha256sum
Optional: Volatility + LiME — Memory analysis (advanced)

Only tools actually used will be reflected in the final write-up.

Build Phases (Planned)

Phase 1 — Infrastructure Setup

  • Create Victim VM (Ubuntu Server + Apache + DVWA + SSH)
  • Create Attacker VM (Kali) + Forensics VM (SIFT)
  • Stage “sensitive” data directory for exfil simulation
  • Snapshot baseline clean state + validate isolated networking

Phase 2 — Attack Simulation

  • Deterministic web exploit (DVWA) → foothold shell
  • Privilege escalation via provable misconfiguration
  • Persistence: SSH authorized_keys + systemd service
  • Exfiltrate staged data via scp or curl (isolated network)

Phase 3 — Forensic Investigation

  • Acquire disk image + hash integrity (original + working copy)
  • Artifact hunting: webshell, privesc, persistence, exfil traces
  • Log correlation: Apache + auth/system logs
  • Timeline reconstruction (Plaso) mapping the full chain
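The artifact-hunting and hash-integrity steps of Phase 3, and the Host Artifact Validation and Disk / File System Artifacts items above, come down to comparing the acquired image against the clean baseline snapshot. The script below is an added example, not the case file's own tooling: it builds a hash + stat manifest of persistence locations (authorized_keys, systemd units, cron.d, sudoers.d) under a mounted image root, diffs it against the baseline manifest, lists authorized_keys entries that were not in the baseline, and flags a unit whose ExecStart points into a writable or web-served path. The artifact glob list, the untrusted-prefix list, and the two directory trees it constructs in a temp dir are all assumptions and sample data.

```python
"""Added example: manifest + diff of persistence artifacts against a baseline snapshot.
Artifact locations and sample trees are constructed assumptions, not lab output."""
import glob
import hashlib
import os
import re
import tempfile

# Persistence locations to hash and compare, relative to the mounted image root (assumed list).
ARTIFACT_GLOBS = ["root/.ssh/authorized_keys", "home/*/.ssh/authorized_keys",
                  "etc/systemd/system/*.service", "etc/cron.d/*", "etc/sudoers.d/*"]
# A service binary under these prefixes is a red flag for a dropped unit (heuristic).
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/var/www/")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Hash and stat each matching artifact; keyed by path relative to root."""
    manifest = {}
    for pattern in ARTIFACT_GLOBS:
        for path in sorted(glob.glob(os.path.join(root, pattern))):
            if os.path.isfile(path):
                st = os.stat(path)
                manifest[os.path.relpath(path, root)] = {
                    "sha256": sha256_file(path), "size": st.st_size,
                    "mode": oct(st.st_mode & 0o7777), "uid": st.st_uid, "mtime": st.st_mtime}
    return manifest


def diff_manifests(baseline, current):
    """Artifacts added, removed, or changed by hash relative to the clean snapshot."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if baseline[p]["sha256"] != current[p]["sha256"])}


def new_authorized_keys(baseline_text, current_text):
    """Key lines not in the baseline, compared on key type + material (options/comments ignored)."""
    def material(line):
        parts = line.split()
        for i, tok in enumerate(parts[:-1]):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                return (tok, parts[i + 1])
        return None
    keep = lambda l: l.strip() and not l.startswith("#")
    base = {material(l) for l in baseline_text.splitlines() if keep(l)}
    return [l for l in current_text.splitlines() if keep(l) and material(l) not in base]


def inspect_unit(unit_text):
    """Extract ExecStart/User/WantedBy and flag an ExecStart binary under an untrusted prefix."""
    fields = {m.group(1): m.group(2).strip() for m in re.finditer(r"^(ExecStart|User|WantedBy)=(.*)$", unit_text, re.M)}
    exe = fields["ExecStart"].split()[0].lstrip("-@") if fields.get("ExecStart") else ""
    fields["suspicious"] = exe.startswith(UNTRUSTED_PREFIXES)
    return fields


def triage(base_root, evid_root):
    """Diff the manifests and explain each added/modified persistence artifact."""
    delta = diff_manifests(build_manifest(base_root), build_manifest(evid_root))
    report = {"delta": delta, "new_keys": {}, "units": {}}
    for rel in delta["added"] + delta["modified"]:
        with open(os.path.join(evid_root, rel)) as f:
            current = f.read()
        if rel.endswith(".service"):
            report["units"][rel] = inspect_unit(current)
        elif rel.endswith("authorized_keys"):
            base_path = os.path.join(base_root, rel)
            baseline = open(base_path).read() if os.path.exists(base_path) else ""
            report["new_keys"][rel] = new_authorized_keys(baseline, current)
    return report


def make_sample_trees():
    """Constructed baseline snapshot and post-attack evidence tree (sample data, not lab output)."""
    tmp = tempfile.mkdtemp(prefix="case002-")
    base, evid = os.path.join(tmp, "baseline"), os.path.join(tmp, "evidence")
    admin_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY admin@workstation\n"
    planted_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEPLANTEDKEY deploy\n"
    clean_unit = "[Service]\nExecStart=/usr/local/bin/app-backup\n[Install]\nWantedBy=multi-user.target\n"
    dropped_unit = "[Service]\nExecStart=/var/www/html/.cache/helper -r\nUser=root\n[Install]\nWantedBy=multi-user.target\n"
    trees = {base: {"home/deploy/.ssh/authorized_keys": admin_key, "etc/systemd/system/app-backup.service": clean_unit},
             evid: {"home/deploy/.ssh/authorized_keys": admin_key + planted_key,
                    "etc/systemd/system/app-backup.service": clean_unit,
                    "etc/systemd/system/helper.service": dropped_unit}}
    for root, files in trees.items():
        for rel, content in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as f:
                f.write(content)
    return base, evid


if __name__ == "__main__":
    print(triage(*make_sample_trees()))
```

Run `build_manifest()` against the read-only mounted working copy, never the original image, and keep the manifest (hashes, mode, uid, mtime) with the evidence so every flagged file in the report can be re-verified; the unchanged app-backup.service in the sample shows that a clean diff against the snapshot is what separates planted units from expected ones.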

Phase 4 — Reporting & Publication

  • Executive summary + scope + methodology
  • Findings (Initial Access / PrivEsc / Persistence / Exfil)
  • Timeline table + IOCs + remediation recommendations
  • Publish redacted report to dontaviousellis.com/case-002

Working Hypotheses (To Be Tested)

H1: Exploit traffic + host artifacts indicate a confirmed compromise with established persistence.

Evidence needed: corroboration across web logs, auth/system logs, and persistence artifacts (authorized_keys + systemd).

H2: Some suspicious signals may be benign admin activity or expected service behavior.

Evidence needed: baseline comparison (snapshot), elimination of false positives, and consistent timeline attribution.

Confidence will be assessed after cross-validation of artifacts and timeline consistency.

Case Documentation

The redacted report will be published after the lab is executed and findings are validated.

* This page documents simulated work in a controlled environment; no live systems are involved.