You have been called in to analyze a compromised Linux web server. Determine how the threat actor gained access, what modifications were made to the system, and which persistence techniques were used (e.g. backdoors, users, sessions, etc.).
What is the system timezone?
Who was the last user to log in to the system?
What was the source port the user 'mail' connected from?
How long was the last session for user 'mail'? (Minutes only)
Which server service did the last user use to log in to the system?
What type of authentication attack was performed against the target machine?
How many IP addresses are listed in the '/var/log/lastlog' file?
How many users have a login shell?
What is the password of the mail user?
Which user account was created by the attacker?
How many user groups exist on the machine?
How many users have sudo access?
What is the home directory of the PHP user?
What command did the attacker use to gain root privilege? (Answer contains two spaces).
Which file did the user 'root' delete?
Recover the deleted file, open it and extract the exploit author's name.
What is the content management system (CMS) installed on the machine?
What is the version of the CMS installed on the machine?
Which port was listening to receive the attacker's reverse shell?
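Most of the account and login questions above are answered from a handful of files copied off the image: /etc/passwd and /etc/group for shells, groups and the attacker's account, /etc/sudoers and the sudo/wheel group for sudo rights, auth.log for the authentication attack, and the binary /var/log/lastlog for per-UID last-login hosts (the timezone comes from /etc/timezone or the target of the /etc/localtime symlink, and wtmp is read with `last -f`). The helpers below are an added example, not part of the challenge or its official write-up. Everything in the sample data is constructed (the webadm user, the RFC 5737 test addresses, the timestamps), the brute-force threshold of five failures is an arbitrary choice, and the lastlog layout assumes a glibc x86_64 image (int32 time, 32-byte line, 256-byte host, 292 bytes per UID).

```python
"""Offline triage helpers for the questions above (added example, not part of
the challenge). They parse copies of /etc/passwd, /etc/group, /etc/sudoers,
auth.log and the binary /var/log/lastlog taken from the mounted image.
Every sample below is constructed; hosts use RFC 5737 test addresses."""
import re
import struct

# Shells that never grant an interactive login.
NO_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
                   "/usr/bin/false", "/bin/sync"}

def login_shell_users(passwd_text):
    """Names from /etc/passwd whose shell field allows an interactive login."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] and fields[6] not in NO_LOGIN_SHELLS:
            users.append(fields[0])
    return users

def sudo_users(group_text, sudoers_text):
    """Users with sudo via the sudo/wheel group or an explicit sudoers rule."""
    found = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in ("sudo", "wheel") and fields[3]:
            found.update(fields[3].split(","))
    for line in sudoers_text.splitlines():
        m = re.match(r"^(\S+)\s+ALL\s*=", line.split("#", 1)[0].strip())
        if m and not m.group(1).startswith("%"):   # %name is a group rule
            found.add(m.group(1))
    return sorted(found)

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+) port (\d+)")

def detect_bruteforce(auth_lines, threshold=5):
    """Group sshd password failures by source IP; an IP at/above the threshold whose
    run ends in an Accepted login is a successful password brute force."""
    stats = {}
    for line in auth_lines:
        m = FAILED_RE.search(line)
        if m:
            stats.setdefault(m.group(2), {"failures": 0, "accepted": []})["failures"] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            entry = stats.setdefault(m.group(2), {"failures": 0, "accepted": []})
            entry["accepted"].append((m.group(1), int(m.group(3))))
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}

# Assumed glibc x86_64 struct lastlog: int32 ll_time, char ll_line[32], char ll_host[256].
# The file is indexed by UID, so the slot at offset uid*292 belongs to that UID.
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)   # 292

def lastlog_hosts(lastlog_bytes):
    """UID -> remote host for every populated lastlog slot (ll_time != 0)."""
    hosts = {}
    for uid in range(len(lastlog_bytes) // LASTLOG_SIZE):
        t, _line, host = struct.unpack_from(LASTLOG_FMT, lastlog_bytes, uid * LASTLOG_SIZE)
        if t:
            hosts[uid] = host.rstrip(b"\0").decode(errors="replace")
    return hosts

# ---- constructed sample input, standing in for files copied from the image ----
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/mail:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
webadm:x:1001:1001::/home/webadm:/bin/sh
"""
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:webadm\nmail:x:8:\nwebadm:x:1001:\n"
SAMPLE_SUDOERS = "Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n"
SAMPLE_AUTH = [
    f"Mar  1 10:00:0{i} web sshd[12{i}]: Failed password for mail from 192.0.2.10 port 5100{i} ssh2"
    for i in range(1, 6)
] + [
    "Mar  1 10:00:09 web sshd[126]: Accepted password for mail from 192.0.2.10 port 51006 ssh2",
    "Mar  1 10:05:00 web sshd[130]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2",
]

def _lastlog_record(t, line, host):
    return struct.pack(LASTLOG_FMT, t, line.encode(), host.encode())

SAMPLE_LASTLOG = b"".join(
    _lastlog_record(1709287200, "pts/0", "192.0.2.10") if uid == 0
    else _lastlog_record(1709287800, "pts/1", "198.51.100.7") if uid == 8
    else bytes(LASTLOG_SIZE)
    for uid in range(9)
)

def triage_summary():
    """Answers for the constructed sample, in the order the questions ask them."""
    return {
        "login_shell_users": login_shell_users(SAMPLE_PASSWD),
        "sudo_users": sudo_users(SAMPLE_GROUP, SAMPLE_SUDOERS),
        "bruteforce_sources": detect_bruteforce(SAMPLE_AUTH),
        "lastlog_ip_count": len(set(lastlog_hosts(SAMPLE_LASTLOG).values())),
    }
```

On the sample, the sshd failure run from 192.0.2.10 followed by an Accepted login for mail is the signature of a password brute force, and the accepted record also gives the source port the question asks for; the single failure from 198.51.100.7 stays below the threshold. Against a real image, replace the constants with `open(path).read()` / `open(path, "rb").read()` on the copied files, and check the architecture before trusting the lastlog layout, since 32-bit builds use the same 292-byte record but other libcs may differ.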