WebLogic server breach help! How do I find signs of what data, if any, was accessed?


A WebLogic server got hacked and the problem has now been removed. I am looking through the infected VMs in a sandbox now and want to see what data, if any, was accessed on the application servers. The app servers were getting hammered with SSH requests, so we identified the infected VMs as the WebLogic VMs; we did not have HTTP logging on. Is there any way to identify whether any PII was compromised?

I have looked through the secure logs on WebLogic as well as the PIA logs, but I am not sure how to identify what data, if any, was accessed.

I would like to find out what information or data, if any, went out of our network.

What should I be looking for?

Is there anything I can learn from looking at the WebLogic servers running on Red Hat?

1 answer

jklmnop

I would want to believe that SSH was not the only service being hammered, and that this was a large attempt to keep eyes on auth logging whilst an attempt on other services was made.

  • Do you have a time frame that you are working with?
  • Have the OS logs been checked for that time frame?
  • Has .bash_history been checked? Environment variables? /etc/pass* for added users? Aliases? Reverse shells open in the network connections? New users created on services running on that particular host?
  • Was WebLogic the only service running on this publicly available host?
  • What other services and ports were available?
  • Was this due to an older version of WebLogic, or another service, application or plugin?

Create yourself an Excel spreadsheet and start a timeline. Look at all the OS-level logging possible and make a note of anything that looks suspicious, then follow that breadcrumb to exhaustion.
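As an added example (not part of the question or the answer above), here is the kind of first-pass timeline script that turns the answer's checklist into something repeatable on a Red Hat host: it parses /var/log/secure in the traditional rsyslog layout, sorts events into a timeline, counts SSH failures per source address, flags any accepted login coming from an address that was also brute-forcing, and cross-checks /etc/passwd for accounts created in the window, duplicate UID 0 entries and empty password fields. The log lines, hostname, addresses and user names below are all constructed for the example, not taken from the poster's servers; the thresholds and the assumption that all lines fall within one calendar year (syslog timestamps carry no year) are also mine.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the rsyslog format used by /var/log/secure on
# Red Hat systems. Hostnames, addresses, users and times are made up.
SECURE_LOG = """\
Mar 12 14:02:11 weblogic01 sshd[2345]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 14:02:12 weblogic01 sshd[2346]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 12 14:02:14 weblogic01 sshd[2347]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Mar 12 14:01:59 weblogic01 sshd[2340]: Accepted publickey for deploy from 10.0.0.12 port 40022 ssh2
Mar 12 14:03:40 weblogic01 sshd[2350]: Accepted password for root from 203.0.113.5 port 51300 ssh2
Mar 12 14:05:01 weblogic01 useradd[2400]: new user: name=sysupd, UID=1005, GID=1005, home=/home/sysupd, shell=/bin/bash
Mar 12 14:05:30 weblogic01 sudo:  sysupd : TTY=pts/1 ; PWD=/home/sysupd ; USER=root ; COMMAND=/bin/bash
"""

# Constructed /etc/passwd excerpt: one account added during the window,
# one extra UID 0 account with an empty password field.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
oracle:x:1001:1001:Oracle:/home/oracle:/bin/bash
sysupd:x:1005:1005::/home/sysupd:/bin/bash
backup::0:0::/root:/bin/bash
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                     r"(?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")


def parse_line(line):
    """Split one secure-log line into fields and classify it; None if not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog omits the year; strptime defaults to 1900, which is fine for
    # ordering as long as the whole window sits in one calendar year (assumption).
    ev = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "host": m["host"],
          "proc": m["proc"], "msg": m["msg"].strip(), "kind": "other", "user": None, "ip": None}
    if ev["proc"] == "sshd":
        f, a = FAILED_RE.search(ev["msg"]), ACCEPTED_RE.search(ev["msg"])
        if f:
            ev.update(kind="ssh_failed", user=f["user"], ip=f["ip"])
        elif a:
            ev.update(kind="ssh_accepted", user=a["user"], ip=a["ip"])
    elif ev["proc"] == "useradd":
        u = USERADD_RE.search(ev["msg"])
        if u:
            ev.update(kind="user_added", user=u["user"])
    elif ev["proc"] == "sudo":
        ev.update(kind="sudo", user=ev["msg"].split(":")[0].strip())
    return ev


def build_timeline(log_text):
    """Parse every line and return the events sorted by timestamp (log order is not trusted)."""
    events = (parse_line(l) for l in log_text.splitlines())
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def brute_force_sources(events, threshold=3):
    """Source addresses with at least `threshold` failed SSH logins."""
    counts = Counter(e["ip"] for e in events if e["kind"] == "ssh_failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def logins_from_brute_forcers(events, threshold=3):
    """Accepted SSH logins from an address that was also brute-forcing: the ones to chase first."""
    noisy = brute_force_sources(events, threshold)
    return [(e["ts"].strftime("%b %d %H:%M:%S"), e["user"], e["ip"])
            for e in events if e["kind"] == "ssh_accepted" and e["ip"] in noisy]


def suspicious_passwd_entries(passwd_text, created_in_window=()):
    """Flag UID 0 accounts other than root, empty password fields, and accounts added in the window."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 but not root"))
        if pw == "":
            findings.append((name, "empty password field"))
        if name in created_in_window:
            findings.append((name, "created during the incident window"))
    return findings


def summarize(log_text, passwd_text):
    """Run all checks and return the timeline plus the findings as plain data."""
    tl = build_timeline(log_text)
    created = {e["user"] for e in tl if e["kind"] == "user_added"}
    return {"timeline": [(e["ts"].strftime("%b %d %H:%M:%S"), e["kind"], e["user"], e["ip"]) for e in tl],
            "brute_force": brute_force_sources(tl),
            "logins_after_brute_force": logins_from_brute_forcers(tl),
            "passwd_findings": suspicious_passwd_entries(passwd_text, created)}


if __name__ == "__main__":
    for key, value in summarize(SECURE_LOG, PASSWD).items():
        print(key)
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

On a real host, feed it the concatenated /var/log/secure and the rotated secure-* files plus /etc/passwd from the disk image, and remember that logs on a compromised box may have been edited or truncated; if a central syslog collector or the hypervisor's network flow records exist, those copies are the ones to trust for the "what left the network" question.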