Dissecting the Breach - Investigating a Web Shell Infection in WordPress
· 12 min read
This time, we've been requested to take a look into a compromised WordPress server. In this blog post, you'll see how we approached the post-incident forensics and what interesting artifacts we've uncovered.
For this incident, we were provided with a disk snapshot of a compromised Wordpress server stored as a qcow2 image.
Extracting forensic data from a snapshot is a great task for using Dissect because it allows us to analyze targets without mounting or booting them. Dissect is actually a collection of modular tools that can be combined or extended to retrieve common information from the targets (users, cron jobs, services, history, filesystem entries).