Here is the alert received on the SIEM
Firstly what is CVE-2024-24919? Here is the description on the NIST website.
After some more research, CVE-2024-24919 turns out to be a path traversal vulnerability, which explains the request being made for the '/etc/passwd' file.
The /etc/passwd file stores user account information, including each user's username, user ID (UID), group ID (GID), home directory, and login shell.
This is enough for me to contain the server, and I'll investigate further for any more signs of compromise.
First, I'll check the source IP against the threat intelligence feed. It has been flagged as malicious, specifically for CVE-2024-24919.
It has also been reported on AbuseIPDB and VirusTotal.
Searching the logs for the source IP shows three events.
Two of the events correlate with what was seen on the SIEM alert.
Investigating the first log (the one with no event time), the parsed fields say the source address is 203.160.68.12 (the suspicious IP).
However, the raw log says that the IP is 203.160.68.13, and this time it's requesting the '/etc/shadow' file. This file stores the password hashes for user accounts on the system. Also, searching the logs for 203.160.68.13 shows no results, and it's not flagged in the threat intel feed or on AbuseIPDB/Talos/VirusTotal.
Checking the logs for the destination IP (172.16.20.146) shows the same logs seen above, plus another containing a list of IPs that accessed the server. Here we see that 203.160.68.12 made three separate connections and 203.160.68.13 made only one.
The destination address (172.16.20.146) is a server, and it made three connections with 203.160.68.12 and two with 203.160.68.13.