Digital Forensics & Incident Response
Compromised UniFi Controller

General pointers on where to look for configuration files and/or logs when investigating a compromised UniFi controller.


Last updated 3 years ago


For tips on acquiring a full disk image via SSH, please see Acquiring Linux VPS via SSH

This page only provides a summary of files of interest, and where you may look for specific information. It doesn't include any information on how to investigate the initial compromise itself (i.e. username/password bruteforcing over SS

Files of interest

UniFi controller log: /var/log/unifi/server.log (and server.log.* for archived/rotated logs)

This contains the following:

  1. Failed and successful authentication attempts (with reason, for example 'Invalid Credential' or 'Invalid Username')

  2. Username associated with those attempts

  3. IP address of the remote host attempting to authenticate

  4. MAC address of each device syncing with the controller

  5. WAN & local IP address of devices synced with the controller

  6. Logs for system upgrades

  7. INFO/WARN level entries for API and DEV (device) associations

  8. Controller site identifier (appears to be an 8-character alphanumeric string)
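As an added example (not from the original page), the shell functions below pull the failed and successful authentication events out of server.log and its rotated copies (server.log.1, server.log.2.gz, ...) and summarise them by source IP, username and reason, which is the quickest way to spot a bruteforce followed by a successful login. The line layout in the constructed sample logs is an assumption made for this example; the real format differs between controller versions, so adjust the sed expression to the field names your server.log actually uses.

```shell
#!/bin/sh
# Added example: summarise UniFi server.log authentication events.
# The "[AUTH] ... username=... from=... reason=..." layout used in the
# constructed sample below is ASSUMED for this example; match it to your
# controller version before relying on the output.

# Emit server.log and every rotated copy, decompressing .gz ones.
cat_unifi_logs() {
    for f in "$1" "$1".*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Print "count ip username reason" for each distinct failed login, most frequent first.
failed_auth_summary() {
    cat_unifi_logs "$1" \
      | grep -F '[AUTH]' | grep -v -F 'success' \
      | sed -n 's/.*username=\([^ ,]*\).*from=\([^ ,]*\).*reason=\(.*\)$/\2 \1 \3/p' \
      | sort | uniq -c | sort -rn
}

# Print the distinct source IPs that logged in successfully; any IP that
# also appears in failed_auth_summary deserves a closer look.
successful_auth_ips() {
    cat_unifi_logs "$1" \
      | grep -F '[AUTH] success' \
      | sed -n 's/.*from=\([^ ,]*\).*/\1/p' | sort -u
}

# make_sample_logs DIR -> writes CONSTRUCTED sample logs for a dry run.
make_sample_logs() {
    cat > "$1/server.log" <<'EOF'
[2021-03-01 02:10:11,004] <webapi-3> WARN  api    - [AUTH] failed: username=admin from=203.0.113.7 reason=Invalid Credential
[2021-03-01 02:10:13,221] <webapi-3> WARN  api    - [AUTH] failed: username=admin from=203.0.113.7 reason=Invalid Credential
[2021-03-01 02:10:15,900] <webapi-3> WARN  api    - [AUTH] failed: username=root from=203.0.113.7 reason=Invalid Username
[2021-03-01 02:10:18,450] <webapi-4> INFO  api    - [AUTH] success: username=admin from=203.0.113.7
[2021-03-01 08:00:00,000] <webapi-2> INFO  api    - [DEV] device 00:11:22:33:44:55 synced
EOF
    cat > "$1/server.log.1" <<'EOF'
[2021-02-28 23:59:01,000] <webapi-1> WARN  api    - [AUTH] failed: username=admin from=203.0.113.7 reason=Invalid Credential
[2021-02-28 09:00:00,000] <webapi-1> INFO  api    - [AUTH] success: username=admin from=192.0.2.10
EOF
    # Older rotated copies are normally gzip-compressed.
    if command -v gzip >/dev/null 2>&1; then
        printf '%s\n' '[2021-02-20 09:00:00,000] <webapi-1> INFO  api    - [AUTH] success: username=admin from=198.51.100.5' \
          | gzip > "$1/server.log.2.gz"
    fi
}

# Usage on a live host or mounted image:
#   . ./unifi_auth.sh; failed_auth_summary /var/log/unifi/server.log
case "${1:-}" in
    summary) failed_auth_summary "$2"; echo '--- successful logins from:'; successful_auth_ips "$2" ;;
esac
```

On the constructed sample this reports three 'Invalid Credential' failures for admin from 203.0.113.7 followed by a success from the same address, which is exactly the pattern worth correlating against the account list from the controller's database.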

/var/lib/unifi/db/collection-*-*.wt

WiredTiger data files. WiredTiger is the storage engine embedded within the mongoDB instance that backs the controller (the 'ace' database), and each collection-*.wt file holds the on-disk contents of one collection. They are binary, not plain-text logs, so read them through mongod (see the database notes below) rather than with grep.

(.wt is the file extension associated with WiredTiger files.)

/var/lib/unifi/

  1. /backup; meta.json for the time/date the backup was created, and the 5.x.x.unf file for the backup itself

  2. /backup/autobackup; autobackup_meta.json for the time/date each autobackup was created, and a series of .unf auto backups.

  3. /db; series of WiredTiger collection files, index files, version control files, etc.

  4. /db/diagnostic.data & /db/journal; self-explanatory - journal and diagnostic information.

  5. /sites/*; a folder for each site configured on the controller (8-character alphanumeric identifier), plus a folder for the default site

  6. /sites/abcd1234/maps; map photograph/layout associated with the site ID

/tmp/hsperfdata_root/control/0

Not strictly a UniFi controller related file as such, but it's part of the Java performance counter data (hsperfdata) for the controller's JVM, which still includes sensitive information (usernames, email addresses, password hash, local performance statistics).

/tmp/.unifi-********/db.gz/db

I'm not too sure why this file & hidden directory (.unifi-***) is generated, but nevertheless it still contains sensitive information & database contents relevant to an investigation (usernames, emails, IP addresses, etc). It's the contents of the mongoDB (ace) associated with the UniFi controller.

/usr/lib/unifi

  1. /usr/lib/unifi/logs (symlink to /var/log/unifi)

  2. /usr/lib/unifi/run (symlink to /var/run/unifi)

  3. /usr/lib/unifi/data (symlink to /var/lib/unifi)

  4. /usr/lib/unifi/bin (binaries for ubnt-apttool and unifi.init, including a symlink to /usr/bin/mongod)

  5. /usr/lib/unifi/dl/firmware (bundles.json for different firmware revisions for specific models)

  6. /usr/lib/unifi/lib/* (jar files for specific Java archives)

  7. /usr/lib/unifi/webapps/ROOT (root for the web interface, including Angular & React files)

To list accounts associated with the UniFi controller database (if you suspect a backdoor administrator account has been added), either check through the controller interface itself, or SSH into the host and execute the following command. This will list each account with its password hash, creation time (epoch), email address, name, etc.

mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

mongoDB only listens on localhost for connections (which is great: it's not exposed to the wider internet like many other mongoDB instances), so if you want to acquire a copy of the database and interrogate it offline, you'll need to export/dump the database first.
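As an added example (not from the original page), the script below ties the files-of-interest list and the database note together: it copies the listed paths out of a controller filesystem (live root or a mounted image) into an evidence directory, records a SHA-256 manifest so the copies can be verified later, and, on a live host where mongodump is installed, dumps the localhost-bound 'ace' database from port 27117 for offline interrogation. The path list, the evidence layout and the mock controller tree used for the dry run are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage collection of UniFi controller artefacts.
# ROOT is the filesystem root to collect from (/ on a live host, or the
# mount point of an image); DEST receives fs/<relative paths>, a
# manifest.sha256 and, when possible, an ace_dump/ of the database.

# Paths of interest relative to ROOT (globs allowed), taken from the
# list above; the selection itself is an assumption for this example.
UNIFI_PATHS='
var/log/unifi
var/lib/unifi/db
var/lib/unifi/backup
var/lib/unifi/sites
tmp/hsperfdata_*
tmp/.unifi-*
usr/lib/unifi/webapps/ROOT
'

# collect_unifi ROOT DEST -> copy the paths above with metadata preserved
# and write DEST/manifest.sha256 over every collected file.
collect_unifi() {
    root=${1%/}; dest=$2
    mkdir -p "$dest/fs"
    for p in $UNIFI_PATHS; do
        # $p is unquoted so the shell expands globs such as tmp/.unifi-*
        for src in "$root"/$p; do
            [ -e "$src" ] || continue
            rel=${src#"$root"/}
            mkdir -p "$dest/fs/$(dirname "$rel")"
            cp -a "$src" "$dest/fs/$rel"
        done
    done
    ( cd "$dest/fs" && find . -type f -exec sha256sum {} + ) | sort -k2 > "$dest/manifest.sha256"
}

# dump_unifi_db DEST -> live host only: mongod binds to localhost, so the
# dump has to be taken on the box and carried off with the other evidence.
# Restore elsewhere with: mongorestore --db ace DEST/ace_dump/ace
# then query it with:     mongo ace --eval "db.admin.find().forEach(printjson);"
dump_unifi_db() {
    dest=$1
    if command -v mongodump >/dev/null 2>&1; then
        mongodump --port 27117 --db ace --out "$dest/ace_dump"
    else
        echo "mongodump not found; skipping live database dump" >&2
        return 1
    fi
}

# make_mock_root DIR -> CONSTRUCTED stand-in for a controller filesystem,
# used only to exercise collect_unifi without a real controller.
make_mock_root() {
    r=$1
    mkdir -p "$r/var/log/unifi" "$r/var/lib/unifi/db" \
             "$r/var/lib/unifi/backup/autobackup" "$r/var/lib/unifi/sites/abcd1234/maps" \
             "$r/tmp/hsperfdata_root/control" "$r/tmp/.unifi-deadbeef/db.gz" \
             "$r/usr/lib/unifi/webapps/ROOT"
    echo 'constructed log line' > "$r/var/log/unifi/server.log"
    echo 'constructed' > "$r/var/lib/unifi/db/collection-0-1.wt"
    echo '{"time":0}' > "$r/var/lib/unifi/backup/autobackup/autobackup_meta.json"
    echo 'constructed' > "$r/tmp/hsperfdata_root/control/0"
    echo 'constructed' > "$r/tmp/.unifi-deadbeef/db.gz/db"
    echo 'constructed' > "$r/usr/lib/unifi/webapps/ROOT/index.html"
}

# Usage on a live host:   sh unifi_collect.sh collect / /evidence/unifi
# Usage on a mounted image: sh unifi_collect.sh collect /mnt/image /evidence/unifi
case "${1:-}" in
    collect) collect_unifi "$2" "$3"; dump_unifi_db "$3" || true ;;
esac
```

Hash the manifest itself (or sign it) as soon as collection finishes, and copy the live mongodump rather than the raw collection-*.wt files when you want to query the data; the .wt files are only useful through a mongod that can open them.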