
Storyline

AROBANK had been receiving many reports from customers about theft and illegal transactions.
The first analysis by the local security team discovered a JavaScript link that had been injected
into the logo field in the database; all reported suspicious transactions had been made through
the authorised customers' IPs and were signed by the affected customers themselves.

In response, AROBANK reported the incident to its national CERT for support and assistance in
performing an intensive investigation and in reviewing the internet banking access logs, in order
to identify the threat actors behind the attack. AROBANK also asked the National CERT to provide
recommendations and solutions to prevent these vulnerabilities from recurring. The National CERT
team was given access to the access logs of the internet banking web server
(/home/notroot/logarobank/).

Questions

Q1:

What types of attacks and attack attempts exist in the website logs?

-----------------------------------------------------------------------------------------------------------------

Q2:

Identify the IPs/attackers and the origins that were involved in the attack.

-----------------------------------------------------------------------------------------------------------------

Q3:

What was the tool used by the attacker to exploit the vulnerability on the website?

-----------------------------------------------------------------------------------------------------------------

Q4:

Determine the vulnerable parameter that was exploited by the attackers to compromise the
website.

-----------------------------------------------------------------------------------------------------------------

Q5:

How long was the website attacked? (in days)

-----------------------------------------------------------------------------------------------------------------

Q6:

Determine the last IP/attacker and the last log line that attacked the website.

-----------------------------------------------------------------------------------------------------------------

Q6:

Decrypt/decode the last injection in the last line.

-----------------------------------------------------------------------------------------------------------------

Q7:

Find the malicious file used to exploit the website vulnerability.

-----------------------------------------------------------------------------------------------------------------

Q8:

What are the names of the vulnerabilities that were exploited to inject the malicious file and
transfer money? What are the best recommendations to fix them?

-----------------------------------------------------------------------------------------------------------------

Q9:

What encoding method did the attacker use to hide and protect his information (POST data,
account number, amount to be transferred)?

-----------------------------------------------------------------------------------------------------------------

Q10:

Find the account number and the fake charity name used to transfer the money.
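A log-triage script of the kind these questions call for, added here as a worked example; it is not part of the exercise and not the CERT's or the bank's tooling. It parses Apache combined-format access lines, URL-decodes every query parameter, peels a base64 layer where one is present, matches a small set of SQL-injection and cross-site-scripting signatures, and then reports per source IP the attack types seen, the parameters they targeted, the User-Agent strings (which often identify an automated tool), the first and last timestamps, the line number of the last attacking request, and its decoded payload. The five log lines, IPs, paths and payloads are constructed for this example and are not from the AROBANK logs; the signatures are a minimal starting set, not a complete ruleset.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in Apache combined log format (not from the AROBANK
# logs). IPs are documentation ranges; example.invalid is a reserved name.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:09:12:01 +0000] "GET /login.php?user=ali HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:09:15:44 +0000] "GET /profile.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Mar/2015:14:02:10 +0000] "GET /profile.php?logo=%3Cscript%20src%3D%22http%3A%2F%2Fexample.invalid%2Fx.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:08:00:00 +0000] "POST /transfer.php HTTP/1.1" 302 0 "http://bank.example/profile.php" "Mozilla/5.0"
192.0.2.55 - - [13/Mar/2015:23:59:59 +0000] "GET /profile.php?logo=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg%3D%3D HTTP/1.1" 200 1024 "-" "curl/7.40"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Minimal signatures for triage; a real investigation would use a fuller set.
SIGNATURES = {
    "sqli": re.compile(r"(?i)'\s*(or|and)\s*('|\d)|union\s+select|sleep\("),
    "xss": re.compile(r"(?i)<script|javascript:|onerror\s*=|onload\s*="),
}


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def decode_payload(value):
    """value has already been URL-decoded by parse_qsl. If it also looks like
    base64, peel that layer too and report which layers were present."""
    if len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        try:
            plain = base64.b64decode(value, validate=True).decode("utf-8")
            return "url+base64", plain
        except (ValueError, UnicodeDecodeError):
            pass
    return "url", value


def classify(rec):
    """Return (attack_type, parameter, encoding, decoded_value) for each
    query parameter of the request that trips a signature."""
    hits = []
    query = urlsplit(rec["path"]).query
    for param, raw in parse_qsl(query, keep_blank_values=True):
        encoding, plain = decode_payload(raw)
        for kind, sig in SIGNATURES.items():
            if sig.search(plain):
                hits.append((kind, param, encoding, plain))
    return hits


def triage(log_text):
    """Aggregate flagged requests per source IP and remember the last one."""
    per_ip = defaultdict(lambda: {"kinds": set(), "params": set(), "uas": set(),
                                  "first": None, "last": None})
    last = None
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if not hits:
            continue
        e = per_ip[rec["ip"]]
        e["kinds"].update(h[0] for h in hits)
        e["params"].update(h[1] for h in hits)
        e["uas"].add(rec["ua"])
        e["first"] = rec["ts"] if e["first"] is None else min(e["first"], rec["ts"])
        e["last"] = rec["ts"] if e["last"] is None else max(e["last"], rec["ts"])
        last = {"ip": rec["ip"], "line": n, "hits": hits}
    return dict(per_ip), last


def attack_span_days(per_ip):
    """Whole days between the earliest and latest flagged request, any IP."""
    if not per_ip:
        return 0
    first = min(e["first"] for e in per_ip.values())
    last = max(e["last"] for e in per_ip.values())
    return (last - first).days


if __name__ == "__main__":
    per_ip, last = triage(SAMPLE_LOG)
    for ip, e in per_ip.items():
        print(ip, sorted(e["kinds"]), sorted(e["params"]), sorted(e["uas"]),
              e["first"].isoformat(), e["last"].isoformat())
    print("attack span (days):", attack_span_days(per_ip))
    print("last attacking request: line", last["line"], "from", last["ip"])
    for kind, param, encoding, plain in last["hits"]:
        print(f"  {kind} via parameter {param!r}, encoding {encoding}: {plain}")
```

To run it against the real evidence, replace SAMPLE_LOG with the concatenated contents of the files under the log directory named in the storyline. The day count is the number of whole days between the earliest and latest flagged request; whether to count inclusively is the analyst's call. Requests that carry no query string, such as the POST to the transfer endpoint in the sample, are not flagged by these signatures and have to be correlated separately (for instance by Referer and timing against the injected page).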
