DEV Community

Mihika
Linux Log Analysis | Hammered Lab | CyberDefenders

Go to the CyberDefenders website, open the Hammered lab, and download the challenge file.

Types of Logs given in the Challenge

  • kern.log: Logs related to the Linux kernel, including hardware, driver messages, and kernel errors.
  • auth.log: Authentication-related logs like login attempts, sudo use, and SSH access.
  • daemon.log: Logs from system daemons like cron, cupsd, and other services.
  • dmesg: Kernel ring buffer logs (boot info, hardware, drivers).
  • apache2: Apache web server logs (access and error logs for HTTP requests).

I am analyzing these logs with PowerShell.

1. Which service did the attackers use to gain access to the system?
PowerShell command: Select-String -Path "auth.log" -Pattern "failed"
or
Select-String -Path "auth.log" -Pattern "accepted"

ssh
answer: SSH

2. What is the operating system version of the targeted system?
Check the dmesg or messages file and look for entries mentioning the OS or kernel version, typically near the boot logs.
Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3))
answer: 4.2.4-1ubuntu3

3. What is the name of the compromised account?
filter: Select-String -Path "auth.log" -Pattern "Accepted"
or
Select-String -Path "auth.log" -Pattern "failed"
users in log:
user1, user2, user3, root, dhg, fido
filter: Select-String -Path "auth.log" -Pattern "failed password for root"
The number of failed-password entries for the root user is higher than for any other user.
answer: root

4. How many attackers, represented by unique IP addresses, were able to successfully access the system after initial failed attempts?
filter to extract the accepted password entries for the root user:

Select-String -Path "auth.log" -Pattern "Accepted password for root" > AcceptedPass.txt

filter to extract the IP addresses from AcceptedPass.txt:

# The if() keeps only the captured IP; a bare -match would also emit True/False into the output
Select-String -Path "AcceptedPass.txt" -Pattern "from" | ForEach-Object { if ($_.Line -match "from (\d{1,3}(\.\d{1,3}){3})") { $matches[1] } } | Sort-Object -Unique > IPAddress.txt

IP addresses used by the attackers
Total of 18 IP addresses; 1 IP is private, so removing it leaves 17. The answer should be 17, but it is marked wrong; there is something wrong with the challenge question. The correct answer according to the challenge is 6, because there are 6 users in the logs.

5. Which attacker's IP address successfully logged into the system the most number of times?
Attackers' IPs and their occurrences
answer: 219.150.161.20

6. How many requests were sent to the Apache Server?
Navigate to the apache2 folder and open a terminal.
filter: (Get-Content "www-access.log").Count
It counts the entries (lines) in the log file; each line is one request.
answer: 365

7. How many rules have been added to the firewall?
First find which firewall appears in the log files; it could be firewalld, ufw, or iptables.
Navigate to the challenge directory and open a terminal.
filter: Get-ChildItem -Path . -Recurse | Select-String -Pattern "iptables"
We found some references to iptables in the auth.log file. There are no entries related to firewalld, and there are some entries related to ufw blocking incoming traffic.

You will see some entries for creating firewall rules using iptables

iptables rule creation entries
answer: 6

8. One of the downloaded files to the target system is a scanning tool. Provide the tool name.
Navigate to the challenge directory.
filter: Select-String -Path "dpkg.log" -Pattern "install"
Inspect the installed tools; you will find nmap, a scanning tool.
answer: nmap

9. When was the last login from the attacker with IP 219.150.161.20? Format: MM/DD/YYYY HH:MM:SS AM
filter: Select-String -Path "auth.log" -Pattern "accepted" | Select-String -Pattern "219.150.161.20" -SimpleMatch
answer: 04/19/2010 05:56:05 AM

10. The database displayed two warning messages, provide the most important and dangerous one.
Navigate to the directory where all the log files of this challenge are stored.
filter: Get-ChildItem -Path . -Recurse | Select-String -Pattern "warning"
answer: mysql.user contains 2 root accounts without password!

11. Multiple accounts were created on the target system. Which one was created on Apr 26 04:43:15?
Navigate to the challenge directory and use the following filter, which searches for all occurrences of "useradd" in the directory.
filter: Get-ChildItem -Path . -Recurse | Select-String -Pattern "useradd"
answer: wind3str0y

12. Few attackers were using a proxy to run their scans. What is the corresponding user-agent used by this proxy?
The user-agent info is in the www-access.log file, in the 12th whitespace-separated column; use this filter to extract the column:
Get-Content www-access.log | ForEach-Object { ($_ -split "\s+")[11] } | Sort-Object | Get-Unique | Out-File useragents.txt

Check the user agents for the one that looks like a proxy name.
answer: pxyscand/2.1
