STATUS: FORENSIC ANALYSIS COMPLETE

ATTACK INVESTIGATION REPORT

Technical Forensic Analysis

Incident Date: October 10, 2025 (06:46–06:59 MST, UTC-7)

Report Generated: October 14, 2025

Classification: INTERNAL USE ONLY

SUMMARY

Between 06:46 and 06:59 on 10 Oct 2025 (MST, UTC-7) the attacker used a malicious PHP file that had been uploaded to the web server (mine.php) to gain command execution. Through this web shell they issued multiple POST requests that modified core site files, injecting a JavaScript redirect into index.php and 5,941 other files (see the accompanying affected-files.txt). The payload redirected visitors to the domain effectivegatecpm.com.

The uploaded shell and its auxiliary script (mine.php, lock3.php) were subsequently deleted from the filesystem, indicating that the attacker cleaned up to conceal their actions.

INCIDENT ANALYSIS

Modified Files:

/home/[user]/public_html/index.php and 5,941 other files across the server
  • Modification timestamp: 2025-10-10 06:59:27 -0700
  • Files compromised:
    • 305 index.php files replaced with the redirect payload
    • 5,637 index.html files created or modified with the redirect payload
  • Change: file contents replaced entirely with a <script> redirect payload pointing to effectivegatecpm.com (index.html files that did not previously exist were created with the same payload).
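The per-name counts above (305 index.php, 5,637 index.html) come from a sweep of the web root for files carrying the redirect. The script below is an added example, not part of the original report or the affected-files.txt it references: it builds a small constructed web root, lists every index.php / index.html whose content references the redirect domain, tallies them by file name, and separates files that were replaced outright from files that merely had the payload appended. The fixture layout, payload wording and function names are assumptions; the domain is the one named in the summary.

```shell
#!/bin/sh
# Added example (not from the original report): sweep a web root for files that
# carry the injected redirect and tally them the way the report does.
# The fixture built by make_fixture is constructed for this example.
set -eu

IOC_DOMAIN="effectivegatecpm.com"

# Build a constructed web root: three files replaced outright by the payload,
# one legitimate index.html with the payload appended, one clean index.php,
# and a stylesheet that mentions the domain but is not an index file.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/blog" "$fx/assets/images/user" "$fx/docs"
    payload="<script>window.location.href=\"https://$IOC_DOMAIN/\";</script>"
    printf '%s\n' "$payload" > "$fx/index.php"
    printf '%s\n' "$payload" > "$fx/blog/index.php"
    printf '%s\n' "$payload" > "$fx/docs/index.html"
    printf '<html><body>Blog</body></html>\n%s\n' "$payload" > "$fx/blog/index.html"
    printf '<?php echo "clean"; ?>\n' > "$fx/assets/index.php"
    printf '/* %s */\n' "$IOC_DOMAIN" > "$fx/assets/notes.css"
    printf '%s\n' "$fx"
}

# Every index.php / index.html under $1 whose content references the redirect
# domain. -F makes the dots in the domain literal; output is sorted for stable
# diffing against an earlier sweep.
list_infected() {
    find "$1" -type f \( -name index.php -o -name index.html \) \
        -exec grep -lF "$IOC_DOMAIN" {} + 2>/dev/null | sort
}

# Tally infected files by basename, e.g. "index.html 2" / "index.php 2".
tally_by_name() {
    list_infected "$1" | awk -F/ '{ n[$NF]++ } END { for (k in n) print k, n[k] }' | sort
}

# Files that consist of nothing but the payload (the report notes index.php
# was replaced entirely): flag those whose first line starts with <script>.
# Appended payloads keep the legitimate first line and are not listed here.
fully_replaced() {
    list_infected "$1" | while IFS= read -r f; do
        if head -n 1 "$f" | grep -q '^<script'; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone demo on the constructed fixture.
root=$(make_fixture)
echo "Infected files under $root:"
list_infected "$root"
echo "Counts by file name:"
tally_by_name "$root"
echo "Replaced outright:"
fully_replaced "$root"
rm -rf "$root"
```

On a real host, point the functions at the document root (for example /home/[user]/public_html) and redirect list_infected to a file to produce the affected-files list; the tally should then match the counts recorded above.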

Malicious Files Observed:

  • mine.php – uploaded web shell allowing remote directory and file operations.
  • lock3.php – likely used to trigger or finalize modifications to site files.
  • Both files later removed from the filesystem.

Logs Analyzed:

  • washinstitute.org-ssl_log-Oct-2025.gz – primary log showing the attack sequence (GET/POST requests to mine.php and subsequent commands).
  • washinstitute.org-Sep-2025.gz & washinstitute.org-ssl_log-Sep-2025.gz – verified no earlier malicious activity.
  • ftp.washinstitute.org-ftp_log-*.gz – examined to rule out FTP-based intrusion; no suspicious logins found during relevant period.

KEY OBSERVATIONS

  • Initial GET /assets/images/user/mine.php returned 404; a GET to mine.php twelve seconds later returned 200, showing the file had been placed on the server in between.
  • Repeated POST requests to mine.php carrying parameters such as directoryPath show the attacker enumerating and modifying directories.
  • The final POST to /lock3.php (06:59:27) coincides exactly with the modification timestamp of index.php, identifying it as the request that wrote the redirect.
  • Subsequent inspection confirmed that both mine.php and lock3.php had been deleted, indicating deliberate cleanup.

TECHNICAL TIMELINE

Time (MST, UTC-7)   Action                                                            Evidence & command
06:46:48            GET /assets/images/user/mine.php → 404                            zgrep "mine.php" washinstitute.org-ssl_log-Oct-2025.gz
06:47:00            GET /mine.php?pass=bytesquadx → 200                               same log source
06:47–06:57         Multiple POSTs to /mine.php with directoryPath params             zgrep "POST" washinstitute.org-ssl_log-Oct-2025.gz
06:57:45            Final POST to /mine.php targeting /assets/images/user             same log source
06:59:27            POST /lock3.php → 200 OK                                          zgrep "lock3.php" washinstitute.org-ssl_log-Oct-2025.gz
06:59:27            index.php modified (379 bytes, replaced with redirect payload)    ls -l --time-style=full-iso index.php
Post-incident       mine.php and lock3.php missing from filesystem                    stat returned "No such file or directory"
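The timeline above was assembled with ad-hoc zgrep calls over the access log. The script below is an added example, not from the original report: it runs the same triage steps as functions over a constructed access log in combined format (pull every request to the shell and helper script, find the 404→200 transition that brackets the moment the shell appeared on disk, list the source addresses that touched it, and show every request logged in the second that matches the file mtime). The log lines, the client addresses 203.0.113.10 and 198.51.100.7, the response sizes and the user agent are constructed; the request paths and times are those recorded in the timeline.

```shell
#!/bin/sh
# Added example (not from the original report): access-log triage for the
# web-shell sequence. Times are taken from the "[dd/Mon/yyyy:HH:MM:SS" field.
set -eu

# Constructed log in Apache combined format. Paths and times follow the
# report's timeline; IPs, sizes and user agent are made up for the example.
sample_log() {
cat <<'EOF'
198.51.100.7 - - [10/Oct/2025:06:45:10 -0700] "GET / HTTP/1.1" 200 14823 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2025:06:46:48 -0700] "GET /assets/images/user/mine.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2025:06:47:00 -0700] "GET /mine.php?pass=bytesquadx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2025:06:49:12 -0700] "POST /mine.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:06:52:03 -0700] "GET /about/ HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2025:06:57:45 -0700] "POST /mine.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2025:06:59:27 -0700] "POST /lock3.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2025:06:59:27 -0700] "GET / HTTP/1.1" 200 379 "-" "Mozilla/5.0"
EOF
}

# "HH:MM:SS METHOD PATH STATUS" for every request to the shell or the helper
# script, in log order. Field 4 is "[10/Oct/2025:06:46:48", so the time
# starts at offset 14; field 6 is the method with a leading quote.
shell_requests() {
    awk '$7 ~ /(mine|lock3)\.php/ {
        print substr($4, 14, 8), substr($6, 2), $7, $9
    }' "$1"
}

# The first 404 for the shell path followed by a 200 brackets the moment the
# file was written to disk. Prints "T404 T200".
upload_window() {
    awk '$7 ~ /mine\.php/ {
        t = substr($4, 14, 8)
        if ($9 == 404 && t404 == "") t404 = t
        else if ($9 == 200 && t404 != "") { print t404, t; exit }
    }' "$1"
}

# Distinct client addresses that touched the shell or helper (for blocking
# and for pivoting into other logs).
attacker_ips() {
    awk '$7 ~ /(mine|lock3)\.php/ { print $1 }' "$1" | sort -u
}

# Every request logged in the second given as HH:MM:SS. Used to tie the file
# mtime from ls/stat back to the request that caused the write.
requests_at() {
    awk -v t="$2" 'substr($4, 14, 8) == t {
        print substr($4, 14, 8), substr($6, 2), $7, $9
    }' "$1"
}

# Stand-alone demo on the constructed log.
log=$(mktemp)
sample_log > "$log"
echo "== requests to mine.php / lock3.php =="; shell_requests "$log"
echo "== 404 -> 200 window on the shell path =="; upload_window "$log"
echo "== source addresses =="; attacker_ips "$log"
echo "== requests at the index.php mtime (06:59:27) =="; requests_at "$log" 06:59:27
rm -f "$log"
```

Against the real archive, decompress first (for example `zcat washinstitute.org-ssl_log-Oct-2025.gz > /tmp/oct.log`) and pass that file; the functions read a plain file so that they can also be pointed at the September logs to repeat the "no earlier activity" check. Note that an access log records only the query string, so POST bodies are not visible here.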

CONCLUSION

The attacker gained unauthorized access through an upload point under /assets/images/user/, most likely by exploiting weak validation of uploaded files, which allowed a PHP file to be stored in a web-served directory and executed. They then ran a series of commands through mine.php, culminating in the mass modification of the homepage and the other index files listed above.

After completing their actions, they deleted the malicious scripts to hinder detection; the web server logs nevertheless retain the full request sequence.