Security Incident Response Tools
Security Incident Response Tools
Section titled “Security Incident Response Tools”Last Updated: 2026-02-15
Incident Date: 2026-02-12 to 2026-02-14
Tools Location: /root/ on production server
Status: Active & Operational
Overview
Section titled “Overview”Following the security incident on February 12-14, 2026, a comprehensive suite of security command tools was developed to detect, investigate, and remediate threats. These tools are designed to work together as a complete incident response toolkit.
Incident Summary
Section titled “Incident Summary”Attack Vector: Exposed credentials in /tmp/login.json (admin@kopanoworks.co.za)
Impact: Unauthorized access, log deletion (wtmp, lastlog, btmp)
Response: Automated remediation tools deployed within 48 hours
Current Status: ✅ Secured with ongoing monitoring
Security Tools Suite
Section titled “Security Tools Suite”1. Backdoor Detection Scanner
Section titled “1. Backdoor Detection Scanner”File: /root/backdoor-detection.sh
Purpose: Comprehensive scan for persistence mechanisms and backdoors
Run Frequency: Weekly or after suspicious activity
What It Detects
Section titled “What It Detects”| Check | Description | Severity |
|---|---|---|
| Cron Jobs | Suspicious scheduled tasks across all users | HIGH |
| Systemd Services | Recently modified service files (30-day window) | HIGH |
| SSH Keys | Unauthorized keys in all user directories | CRITICAL |
| Startup Scripts | Malicious /etc/rc.local or /etc/init.d entries | HIGH |
| Webshells | PHP/JSP/ASP shells in web directories | CRITICAL |
| Reverse Shells | Netcat, socat, perl, python shell processes | CRITICAL |
| Network Listeners | Unauthorized listening ports | MEDIUM |
| SUID Binaries | Privilege escalation via SUID/SGID files | HIGH |
| Hidden Files | Concealed files in /tmp and /var/tmp | MEDIUM |
| LD_PRELOAD Rootkits | Library injection attacks | CRITICAL |
| Modified Binaries | Tampered system binaries in /bin, /sbin | CRITICAL |
| PAM Backdoors | Authentication module tampering | CRITICAL |
# Run full backdoor scanbash /root/backdoor-detection.sh
# Save output to file for reviewbash /root/backdoor-detection.sh > /root/backdoor-scan-$(date +%Y%m%d).txt
# Email results to security teambash /root/backdoor-detection.sh | mail -s "Security Scan Results" security@isutech.co.zaWhen to Run
Section titled “When to Run”- ✅ Every Monday morning (scheduled maintenance)
- ✅ After deploying new code or services
- ✅ Following any security alert or suspicious activity
- ✅ Before major infrastructure updates
- ✅ After onboarding new team members with server access
2. Forensic Evidence Collector
Section titled “2. Forensic Evidence Collector”File: /root/investigate-attack.sh
Purpose: Comprehensive forensic data collection for incident analysis
Run Frequency: Only during active incident response
Data Collected
Section titled “Data Collected”-
System Information
- OS version, uptime, hostname
- Active kernel and loaded modules
-
Network Activity
- All ESTABLISHED connections
- Listening ports and services
- Recent network traffic patterns
-
Authentication Logs
- Last 100 successful SSH logins
- Last 50 failed login attempts
- User session history
-
User Accounts
- All users with shell access
- SSH authorized keys (root & sibonga)
- Sudo privileges and configurations
-
Scheduled Tasks
- All cron jobs for all users
- Systemd timers
- /etc/cron.d contents
-
File System Changes
- Files modified in last 3 days
- Focus on /root and /home directories
-
Web Access Patterns
- Suspicious POST/PUT requests
- Filtered by incident date range
- Nginx access logs
-
Security Controls
- fail2ban current status and bans
- Firewall rules
- Running processes (especially shells)
# Run investigation (creates timestamped report)bash /root/investigate-attack.sh
Output File Contains
Section titled “Output File Contains”- Section 1-5: User activity and authentication
- Section 6-7: System files and privileges
- Section 8-10: File changes and web activity
- Section 11-12: Security status and running processes
When to Run
Section titled “When to Run”- 🚨 Immediately upon detecting suspicious activity
- 🚨 When fail2ban bans spike unexpectedly
- 🚨 After receiving alerts from monitoring systems
- 🚨 Before contacting security consultants (provide evidence)
- 🚨 For monthly security audit trail documentation
3. Web Application Security Auditor
Section titled “3. Web Application Security Auditor”File: /root/webapp-security-audit.sh
Purpose: Audit all running web applications for common vulnerabilities
Run Frequency: Monthly or after application updates
Applications Monitored
Section titled “Applications Monitored”| Application | Technology | Ports | URL |
|---|---|---|---|
| KopanoWorks | Node.js + Next.js | 3010, 3011 | admin.kopanoworks.isutech.co.za |
| Prospectiq | Python + Next.js | 3002, 8002 | prospectiq.isutech.co.za |
| Sansa Backend | Python FastAPI | 8003 | Internal API |
| Tumi Backend | Python FastAPI | 8004 | Internal API |
| AutoSlip | Python Gunicorn | 5000 | Internal Service |
| SACE | Full-stack | 3000, 8001 | sace.isutech.co.za |
Security Checks
Section titled “Security Checks”HIGH PRIORITY:
- ✅ .env file permissions (must be 600, not 644)
- ✅ Exposed credentials in application logs
- ✅ Hardcoded secrets detection
MEDIUM PRIORITY:
- ⚠️ Missing rate limiting on API endpoints
- ⚠️ Missing CSRF protection on forms
- ⚠️ Missing authentication audit logging
LOW PRIORITY:
- ℹ️ Security headers (HSTS, X-Frame-Options, CSP)
- ℹ️ Dependency versions (outdated packages)
- ℹ️ API versioning implementation
# Run web application auditbash /root/webapp-security-audit.sh
# Check specific application logsbash /root/webapp-security-audit.sh | grep -A5 "KopanoWorks"Recommendations Provided
Section titled “Recommendations Provided”The script automatically provides prioritized security recommendations:
- Change exposed admin password (admin@kopanoworks.co.za)
- Audit all .env files for exposed secrets
- Enable rate limiting on all API endpoints
- Add CSRF protection to all forms
- Enable API request logging with IP tracking
When to Run
Section titled “When to Run”- ✅ Monthly security review (first Monday of month)
- ✅ After deploying new applications
- ✅ Before penetration testing
- ✅ After any credential rotation
- ✅ Following security incidents
4. Credential Rotation Guide
Section titled “4. Credential Rotation Guide”File: /root/change-compromised-passwords.sh
Purpose: Identify exposed credentials and guide rotation process
Run Frequency: After security incidents or quarterly reviews
Credentials Identified
Section titled “Credentials Identified”The script scans and identifies:
-
Exposed Web Credentials
- admin@kopanoworks.co.za (found in /tmp/login.json)
- All web admin accounts
-
Database Credentials
- PostgreSQL root password
- All application database passwords in .env files
- Redis passwords
-
Application Secrets
- JWT secrets (7 applications)
- API keys (AWS, Stripe, SendGrid, Twilio)
- Session secrets
-
Infrastructure Credentials
- Grafana admin password
- Monitoring system credentials
Step-by-Step Instructions
Section titled “Step-by-Step Instructions”The script provides detailed rotation steps for each credential type:
Example - JWT Secret Rotation:
# Generate new JWT secretopenssl rand -hex 32
# Update .env filesnano /var/www/kopanoworks/apps/api/.env# Replace JWT_SECRET=old_value with new value
# Restart servicesystemctl restart pm2-rootExample - Database Password Change:
# Change PostgreSQL passwordsudo -u postgres psql -c "ALTER USER postgres PASSWORD 'NEW_SECURE_PASSWORD';"
# Update all .env files that use this databasefind /var/www -name ".env" -exec grep -l "DATABASE_URL" {} \;
# Restart affected servicesbash /root/restart-services.sh# View credential rotation guidebash /root/change-compromised-passwords.sh
# Get specific section (JWT secrets only)bash /root/change-compromised-passwords.sh | sed -n '/ROTATE JWT SECRETS/,/ROTATE API KEYS/p'Helper Commands Included
Section titled “Helper Commands Included”# Generate strong password (32 chars)openssl rand -base64 24
# Generate JWT secretopenssl rand -hex 32
# List all .env filesfind /var/www /opt -name '.env' -type f
# Check PostgreSQL userssudo -u postgres psql -c '\du'5. Service Restart Manager
Section titled “5. Service Restart Manager”File: /root/restart-services.sh
Purpose: Safely restart all services after configuration changes
Run Frequency: After credential rotation or .env file updates
Services Managed
Section titled “Services Managed”| Service | Purpose | Dependencies |
|---|---|---|
| tumi-backend | Tumi API service | Database, Redis |
| prospectiq-api | Prospectiq backend | Database, Celery |
| autoslip | AutoSlip service | Database |
| sansa-frontend | Sansa UI service | Backend APIs |
| pm2-root | Node.js process manager | Multiple Node apps |
| nginx | Web server | All backend services |
Features
Section titled “Features”- ✅ Graceful restarts - No dropped connections
- ✅ Error handling - Reports failed restarts
- ✅ Status verification - Checks service status after restart
- ✅ Visual feedback - Clear success/failure indicators
# Restart all servicesbash /root/restart-services.sh
# Check if services are running after restartsystemctl status tumi-backend prospectiq-api autoslip sansa-frontend pm2-root nginx
# Restart specific service onlysystemctl restart tumi-backendWhen to Run
Section titled “When to Run”- ✅ After updating .env files
- ✅ After rotating database passwords
- ✅ After changing JWT secrets
- ✅ After modifying service configurations
- ✅ During scheduled maintenance windows
⚠️ WARNING: Restarting pm2-root will temporarily interrupt all Node.js applications. Schedule during low-traffic periods.
6. Password Hash Generator
Section titled “6. Password Hash Generator”File: /root/change-admin-password.py
Purpose: Generate bcrypt hashes for new admin passwords
Run Frequency: One-time use during password changes
# Generate password hashpython3 /root/change-admin-password.py
# Output:# New password: 7hPGJuV4H8AD/euQttRD2VsRxTsDGX4f# Bcrypt hash: $2b$10$...Integration with Database
Section titled “Integration with Database”-- Update admin password in databaseUPDATE usersSET password = '$2b$10$...'WHERE email = 'admin@kopanoworks.co.za';⚠️ SECURITY NOTE: This file contains a hardcoded password. After use:
# Securely delete the fileshred -u /root/change-admin-password.pyAutomated Monitoring
Section titled “Automated Monitoring”Security Monitor Daemon
Section titled “Security Monitor Daemon”File: /usr/local/bin/security-monitor
Schedule: Every 5 minutes via cron
Log File: /var/log/security-alerts.log
What It Monitors
Section titled “What It Monitors”- SSH authorized_keys changes
- /etc/sudoers modifications
- Critical system binary changes
- Suspicious running processes
- New SUID/SGID files
- Unexpected network listeners
Viewing Alerts
Section titled “Viewing Alerts”# View recent alertstail -50 /var/log/security-alerts.log
# Filter for specific alert typegrep "ALERT" /var/log/security-alerts.log | tail -20
# Check last security scan timestamptail -1 /var/log/security-alerts.logCurrent Known False Positives
Section titled “Current Known False Positives”The following processes are flagged but are legitimate:
- AutoSlip gunicorn workers (4 processes)
- Docker runc init processes (2 processes)
Recommendation: Update security monitor to exclude these:
nano /usr/local/bin/security-monitor# Add exclusions for: gunicorn, runc initComplete Incident Response Workflow
Section titled “Complete Incident Response Workflow”Phase 1: Detection (0-15 minutes)
Section titled “Phase 1: Detection (0-15 minutes)”-
Identify Threat
Terminal window # Check fail2ban for unusual bansfail2ban-client status sshd# Review recent SSH loginsgrep "Accepted\|Failed" /var/log/auth.log | tail -50# Check security monitoring alertstail -100 /var/log/security-alerts.log -
Initial Assessment
Terminal window # Run quick backdoor scanbash /root/backdoor-detection.sh | grep -E "ALERT|WARNING"# Check for suspicious processesps aux | grep -E "(nc|netcat|socat)" | grep -v grep
Phase 2: Investigation (15-60 minutes)
Section titled “Phase 2: Investigation (15-60 minutes)”-
Collect Evidence
/root/security-investigation-YYYYMMDD-HHMMSS.txt # Run full forensic collectionbash /root/investigate-attack.sh -
Analyze Attack Vector
Terminal window # Check web application securitybash /root/webapp-security-audit.sh# Review exposed credentialsbash /root/change-compromised-passwords.sh -
Document Timeline
- Note first detection time
- Identify attack window
- List affected systems/accounts
- Document attacker actions
Phase 3: Containment (1-4 hours)
Section titled “Phase 3: Containment (1-4 hours)”-
Isolate Affected Systems (if necessary)
Terminal window # Block attacker IP immediatelyfail2ban-client set sshd banip <ATTACKER_IP># Or use UFWufw deny from <ATTACKER_IP> -
Disable Compromised Accounts
Terminal window # Lock user accountusermod -L <compromised_user># Remove SSH keys> /home/<compromised_user>/.ssh/authorized_keys -
Verify No Backdoors
Terminal window # Run comprehensive backdoor scanbash /root/backdoor-detection.sh > /root/backdoor-scan-$(date +%Y%m%d).txt# Review results carefullyless /root/backdoor-scan-$(date +%Y%m%d).txt
Phase 4: Eradication (4-8 hours)
Section titled “Phase 4: Eradication (4-8 hours)”-
Rotate All Credentials
Terminal window # Follow rotation guidebash /root/change-compromised-passwords.sh# Generate new database passwordsopenssl rand -base64 24# Generate new JWT secretsopenssl rand -hex 32 -
Update All .env Files
Terminal window # Find all .env filesfind /var/www /opt -name ".env" -type f# Update each with new credentials# Ensure permissions are 600chmod 600 /var/www/*/. env -
Restart Services
Terminal window # Apply new configurationsbash /root/restart-services.sh# Verify all services runningsystemctl list-units --state=running | grep -E "tumi|prospectiq|sansa|autoslip"
Phase 5: Recovery (8-24 hours)
Section titled “Phase 5: Recovery (8-24 hours)”-
Verify System Integrity
Terminal window # Check all services are operationalcurl -I https://kopanoworks.isutech.co.zacurl -I https://prospectiq.isutech.co.zacurl -I https://sace.isutech.co.za# Verify database connectivitysudo -u postgres psql -c "SELECT version();" -
Monitor for Reinfection
Terminal window # Watch authentication logstail -f /var/log/auth.log# Monitor security alertstail -f /var/log/security-alerts.log# Watch fail2ban activitytail -f /var/log/fail2ban.log
Phase 6: Post-Incident (24-72 hours)
Section titled “Phase 6: Post-Incident (24-72 hours)”-
Document Incident
- Create incident report
- Include timeline
- List remediation actions
- Note lessons learned
-
Improve Defenses
Terminal window # Install additional monitoring (if needed)apt install aide rkhunter# Initialize file integrity monitoringaide --initmv /var/lib/aide/aide.db.new /var/lib/aide/aide.db -
Team Briefing
- Share incident details with team
- Update security procedures
- Schedule security training
- Review access controls
Quick Reference Commands
Section titled “Quick Reference Commands”Daily Security Checks
Section titled “Daily Security Checks”# Morning security status checkfail2ban-client status sshd # Check banned IPstail -20 /var/log/security-alerts.log # Review overnight alertsgrep "Accepted" /var/log/auth.log | tail -10 # Recent loginsWeekly Security Tasks
Section titled “Weekly Security Tasks”# Monday morning routinebash /root/backdoor-detection.sh > /root/backdoor-scan-$(date +%Y%m%d).txtbash /root/webapp-security-audit.shtail -100 /var/log/fail2ban.logMonthly Security Review
Section titled “Monthly Security Review”# First Monday of monthbash /root/investigate-attack.sh # Full forensic reportbash /root/webapp-security-audit.sh # Application audit# Review and rotate credentials as neededEmergency Response
Section titled “Emergency Response”# Immediate threat responsefail2ban-client set sshd banip <ATTACKER_IP> # Block attackerbash /root/investigate-attack.sh # Collect evidencebash /root/backdoor-detection.sh # Scan for persistenceSecurity Dashboard API
Section titled “Security Dashboard API”# Check API statussystemctl status security-api
# View API logsjournalctl -u security-api -f
# Test API healthcurl http://127.0.0.1:5001/api/health
# Get live security statuscurl http://127.0.0.1:5001/api/security-status | python3 -m json.tool
# Restart API (if needed)systemctl restart security-api
# View nginx API logstail -f /var/log/nginx/docs-access.log | grep "/api/"Browser Console Commands
Section titled “Browser Console Commands”// Clear dashboard dismissal (for testing)localStorage.removeItem('isutech_security_dashboard_dismissed');location.reload();
// Check dismissal statuslocalStorage.getItem('isutech_security_dashboard_dismissed');
// Manually show dashboard (if dismissed)localStorage.removeItem('isutech_security_dashboard_dismissed');window.location.reload();Security Metrics
Section titled “Security Metrics”Current Protection Status (as of 2026-02-15)
Section titled “Current Protection Status (as of 2026-02-15)”| Metric | Value | Status |
|---|---|---|
| fail2ban Bans | 189 IPs | ✅ Active |
| .env Permissions | All 600 | ✅ Secured |
| Database Passwords | Rotated | ✅ Updated |
| JWT Secrets | Rotated (7 apps) | ✅ Updated |
| SSH Keys | 8 root, 3 sibonga | ✅ Verified |
| Backdoors Detected | 0 | ✅ Clean |
| Monitoring | Every 5 min | ✅ Active |
Security Tools Usage Statistics
Section titled “Security Tools Usage Statistics”# View when tools were last runls -lth /root/security-investigation-*.txt 2>/dev/null | head -5ls -lth /root/backdoor-scan-*.txt 2>/dev/null | head -5Troubleshooting
Section titled “Troubleshooting”Issue: Script Fails to Run
Section titled “Issue: Script Fails to Run”Symptom: Permission denied or command not found
Solution:
# Ensure scripts are executablechmod +x /root/backdoor-detection.shchmod +x /root/investigate-attack.shchmod +x /root/webapp-security-audit.shchmod +x /root/change-compromised-passwords.shchmod +x /root/restart-services.sh
# Verify they existls -lh /root/*.shIssue: Service Restart Fails
Section titled “Issue: Service Restart Fails”Symptom: Service fails to start after restart
Solution:
# Check service statussystemctl status <service-name>
# View service logsjournalctl -u <service-name> -n 50
# Check configuration syntax# For nginx:nginx -t
# For Python services:python3 -m py_compile /var/www/<app>/app.pyIssue: False Positive Alerts
Section titled “Issue: False Positive Alerts”Symptom: Security monitor constantly alerts on legitimate processes
Solution:
# Edit security monitor scriptnano /usr/local/bin/security-monitor
# Add exclusions to process checkps aux | grep -E "(nc|netcat|socat)" \ | grep -v "gunicorn" \ | grep -v "runc init" \ | grep -v grepAdditional Resources
Section titled “Additional Resources”Related Documentation
Section titled “Related Documentation”External References
Section titled “External References”Security Contacts
Section titled “Security Contacts”Internal: security@isutech.co.za Emergency: Contact on-call engineer via PagerDuty Vendor Support: Hetzner support for infrastructure issues
Maintenance Schedule
Section titled “Maintenance Schedule”| Task | Frequency | Responsibility |
|---|---|---|
| Run backdoor scan | Weekly (Monday) | DevOps Team |
| Review security alerts | Daily | DevOps Team |
| Application security audit | Monthly | Security Lead |
| Credential rotation | Quarterly | Security Lead |
| Full security review | Quarterly | Management + Security Lead |
| Penetration testing | Annually | External Consultant |
Changelog
Section titled “Changelog”| Date | Version | Changes |
|---|---|---|
| 2026-02-15 | 1.0 | Initial documentation created |
| 2026-02-14 | 0.9 | Security tools deployed |
| 2026-02-14 | 0.5 | Incident remediation completed |
| 2026-02-12 | 0.0 | Security incident occurred |
Document Status: ✅ Active Next Review: 2026-03-15 Owner: iSu Technologies DevOps Team