Hammered Cyberdefenders
Category : Digital Forensics Log Analysis Honeypot Apache2
This challenge takes you into the world of virtual systems and confusing log data. In this challenge, figure out what happened to this webserver honeypot using the logs from a possibly compromised server.
Challenge files:
kern.log
auth.log
daemon.log
dmesg
apache2
Q1 Which service did the attackers use to gain access to the system?
Let's start with auth.log, which records every authentication attempt on the box:
grep -F 'Failed' auth.log

Grepping for failed authentication attempts shows a long run of failed logins handled by sshd, so the service the attackers used is SSH.
Ans : ssh
Q2 What is the operating system version of the targeted system? (one word)
We can look in kern.log, which holds messages logged by the kernel; its first lines carry the "Linux version" boot banner, and that banner contains the Ubuntu package version string used as the answer.
head kern.log

Ans : 4.2.4-1ubuntu3
Q3 What is the name of the compromised account?
Back to auth.log, this time looking for the accounts that logged in successfully:
grep -F 'Accepted password' auth.log

Ans : root
Q4 Consider that each unique IP represents a different attacker. How many attackers were able to get access to the system?
First, list the source IPs of the failed authentication attempts (in the pam_unix "authentication failure" lines the rhost= field is column 14):
grep sshd auth.log | grep "authentication failure" | awk '{print $14}' | sort | uniq -c | sort -n

Then the source IPs of the successful logins (in the "Accepted" lines the address is column 11):
grep "Accepted" auth.log | awk '{print $11}' | sort | uniq -c | sort -n

Comparing the two lists, six distinct IPs went from failing to actually logging in:
219.150.161.20, 222.66.204.246, 121.11.66.70, 222.169.224.197, 122.226.202.12, 61.168.227.12
Ans : 6
Q5 Which attacker's IP address successfully logged into the system the most number of times?
Two IP addresses, 188.131.23.37 and 219.150.161.20, have the highest counts, but 188.131.23.37 appears only six times in the whole of auth.log while 219.150.161.20 appears many times. Counting only the successful root logins per IP settles it:
grep "Accepted" auth.log | grep root | awk '{print $11}' | sort | uniq -c | sort -n

Ans : 219.150.161.20
Q6 How many requests were sent to the Apache Server?
The requests are recorded in apache2/www-access.log, one line per request, so counting the lines of that file gives the total.

Ans : 365
Q7 How many rules have been added to the firewall?

Ans : 6
Q8 One of the downloaded files to the target system is a scanning tool. Provide the tool name.
We can look for packages installed on the system in dpkg.log; the scanner shows up there as an installed package.


Ans : nmap
Q9 When was the last login from the attacker with IP 219.150.161.20? Format: MM/DD/YYYY HH:MM:SS AM
Back to auth.log, grepping the successful logins from that attacker's IP address:
grep "Accepted password" auth.log | grep "219.150.161.20"

The last login is at Apr 19 05:56:05. Syslog timestamps carry no year, so the year comes from the challenge's time frame (2010).
Ans : 04/19/2010 05:56:05 AM
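The grep/awk pipelines in Q1, Q3, Q4, Q5 and Q9 all pull the same fields out of auth.log, and awk column numbers shift whenever sshd logs an "invalid user" attempt. The following is an added example (not part of the original writeup) that does the same work with regular expressions over constructed sample lines; the sample records are made up for this illustration and only reuse the IPs named above, and the year 2010 is supplied by hand because syslog timestamps do not carry one.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample records in the syslog layout sshd writes to auth.log.
# They are made up for this example and are not lines from the challenge file;
# only the IP addresses come from the writeup.
SAMPLE_AUTH_LOG = """\
Apr 19 05:41:44 app-1 sshd[8870]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.150.161.20  user=root
Apr 19 05:41:46 app-1 sshd[8870]: Failed password for root from 219.150.161.20 port 52301 ssh2
Apr 19 05:41:50 app-1 sshd[8872]: Accepted password for root from 219.150.161.20 port 52302 ssh2
Apr 19 05:42:12 app-1 sshd[8880]: Failed password for root from 222.66.204.246 port 41020 ssh2
Apr 19 05:55:30 app-1 sshd[8901]: Accepted password for root from 222.66.204.246 port 41021 ssh2
Apr 19 05:56:05 app-1 sshd[8910]: Accepted password for root from 219.150.161.20 port 52310 ssh2
Apr 19 06:01:00 app-1 sshd[8920]: Failed password for invalid user admin from 121.11.66.70 port 33000 ssh2
"""

# One syslog prefix ("Apr 19 05:41:50 host sshd[pid]: ") shared by both patterns.
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
ACCEPTED_RE = re.compile(
    _PREFIX + r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
# "invalid user" shifts the columns by two, which is why awk '{print $11}' is
# unreliable on Failed lines; the optional group absorbs it here.
FAILED_RE = re.compile(
    _PREFIX + r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse_logins(text):
    """Split auth.log text into (accepted, failed) lists of dicts with ts/user/ip.
    The pam_unix 'authentication failure' lines are skipped on purpose: they
    duplicate the 'Failed password' line for the same attempt."""
    accepted, failed = [], []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.append(m.groupdict())
            continue
        m = FAILED_RE.match(line)
        if m:
            failed.append(m.groupdict())
    return accepted, failed


def successful_attackers(accepted):
    """Q4: every distinct source IP with at least one accepted login."""
    return sorted({e["ip"] for e in accepted})


def failed_by_ip(failed):
    """Failed attempts per source IP (the brute-force picture behind Q1)."""
    return Counter(e["ip"] for e in failed)


def most_frequent_success(accepted, user="root"):
    """Q5: the IP with the most accepted logins for the given account."""
    counts = Counter(e["ip"] for e in accepted if e["user"] == user)
    return counts.most_common(1)[0][0] if counts else None


def last_login(accepted, ip, year):
    """Q9: latest accepted login from ip, formatted MM/DD/YYYY HH:MM:SS AM.
    The year is a parameter because syslog omits it (2010 for this challenge)."""
    stamps = [datetime.strptime(f"{year} {' '.join(e['ts'].split())}", "%Y %b %d %H:%M:%S")
              for e in accepted if e["ip"] == ip]
    return max(stamps).strftime("%m/%d/%Y %I:%M:%S %p") if stamps else None


if __name__ == "__main__":
    ok, bad = parse_logins(SAMPLE_AUTH_LOG)
    print("attackers with access:", successful_attackers(ok))
    print("failed attempts per IP:", failed_by_ip(bad).most_common())
    print("most successful root logins:", most_frequent_success(ok))
    print("last login from 219.150.161.20:", last_login(ok, "219.150.161.20", 2010))
```

Run it against the real file with `parse_logins(open("auth.log").read())`; the regexes anchor on the `sshd[pid]:` tag, so lines from cron, sudo or useradd in the same file are ignored rather than miscounted.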
Q10 The database displayed two warning messages, provide the most important and dangerous one.
MySQL's startup messages, including its warnings, are logged in daemon.log.

The more dangerous of the two warnings is the one about root accounts with no password, since anyone who can reach the MySQL socket or port can then log in as root.
Ans : mysql.user contains 2 root accounts without password!
Q11 Multiple accounts were created on the target system. Which one was created on Apr 26 04:43:15?
Grep auth.log for the timestamp given in the question; the useradd entry at that time names the account.

Ans : wind3str0y
Q12 Few attackers were using a proxy to run their scans. What is the corresponding user-agent used by this proxy?
Pull the User-Agent values out of www-access.log:
cut -d ' ' -f 12 apache2/www-access.log | sort | uniq

Note that the user-agent is the last quoted field of the combined log format and can contain spaces, so `cut -f 12` returns only its first word; that is enough to spot this single-token agent but would truncate a browser string.
Ans : pxyscand/2.1
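For Q6 and Q12 the answers come from apache2/www-access.log, and the `cut -f 12` trick above silently truncates any user-agent with a space in it. As an added example (not from the original writeup), here is a parser for Apache's combined log format that counts requests and tallies full user-agents, run over constructed sample lines; the hosts, paths and the browser string are made up for the illustration, and `cut_field_12` reproduces the column-12 shortcut so the two approaches can be compared.

```python
import re
from collections import Counter

# Constructed lines in Apache "combined" format. They are made up for this
# example, not records from the challenge's www-access.log; note the
# multi-word user-agent on the last two lines.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [19/Apr/2010:05:30:01 +0000] "GET / HTTP/1.1" 200 512 "-" "pxyscand/2.1"
10.0.0.5 - - [19/Apr/2010:05:30:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "pxyscand/2.1"
10.0.0.9 - - [19/Apr/2010:06:10:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20100101 Firefox/3.6"
10.0.0.9 - - [19/Apr/2010:06:10:12 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "http://example.test/" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20100101 Firefox/3.6"
"""

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_access_log(text):
    """Return one dict per well-formed request line (malformed lines are dropped)."""
    entries = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def request_count(entries):
    """Q6: one log line per request, so the count is the number of parsed lines."""
    return len(entries)


def user_agents(entries):
    """Q12: full user-agent strings with their request counts."""
    return Counter(e["agent"] for e in entries)


def requests_by_ip(entries):
    """Requests per client, useful for telling a scanner from a browser."""
    return Counter(e["ip"] for e in entries)


def cut_field_12(text):
    """Mimic `cut -d ' ' -f 12`: only the first space-separated token of the UA,
    still carrying its opening quote. Shown to contrast with user_agents()."""
    out = set()
    for line in text.splitlines():
        fields = line.split(" ")
        if len(fields) >= 12:
            out.add(fields[11])
    return sorted(out)


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    print("requests:", request_count(entries))
    print("user-agents:", user_agents(entries).most_common())
    print("cut -f 12 view:", cut_field_12(SAMPLE_ACCESS_LOG))
```

The regex-based count also doubles as a sanity check on `wc -l`: if `request_count` is lower than the line count, the difference is lines that are not in combined format and deserve a look by hand.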