Hammered Cyberdefenders

Category: Digital Forensics, Log Analysis, Honeypot, Apache2

This challenge takes you into the world of virtual systems and confusing log data. In this challenge, figure out what happened to this webserver honeypot using the logs from a possibly compromised server.

Challenge files:

  • kern.log

  • auth.log

  • daemon.log

  • dmesg

  • apache2

Q1 Which service did the attackers use to gain access to the system?

Let's start with auth.log, which records authentication events for local accounts:

grep -F 'Failed' auth.log
sshd

Grepping for failed authentication attempts shows a large number of failed logins, and every matching line was logged by sshd.

So the service is SSH.

Ans : ssh

Q2 What is the operating system version of the targeted system? (one word)

We can look in the kern.log file, as it contains messages logged by the kernel:

head kern.log
(Ubuntu 4.2.4-1ubuntu3)

Ans : 4.2.4-1ubuntu3

Q3 What is the name of the compromised account?

Back to auth.log, this time to see which account was logged into successfully:

grep -F 'Accepted password' auth.log
root

Ans : root

Q4 Consider that each unique IP represents a different attacker. How many attackers were able to get access to the system?

First, list the source IPs of the failed authentications (field 14 of the pam_unix lines is the rhost= value):

grep sshd auth.log | grep "authentication failure" | awk '{print $14}' | sort | uniq -c | sort -n

then the source IPs of the accepted logins (field 11 is the address after "from"):

grep "Accepted" auth.log | awk '{print $11}' | sort | uniq -c | sort -n

Comparing the two lists, six distinct IPs logged in to the system:

219.150.161.20, 222.66.204.246, 121.11.66.70, 222.169.224.197, 122.226.202.12, 61.168.227.12

Ans : 6

Q5 Which attacker's IP address successfully logged into the system the most number of times?

The two IP addresses with the highest counts are 188.131.23.37 and 219.150.161.20,

but 188.131.23.37 appears only six times in auth.log, while 219.150.161.20 appears many more times.

grep "Accepted" auth.log | grep root | awk '{print $11}' | sort | uniq -c | sort -n

Ans : 219.150.161.20

Q6 How many requests were sent to the Apache Server?

The requests are stored in apache2/www-access.log; each line of the access log is one request, so its line count is the answer.

Ans : 365

Q7 How many rules have been added to the firewall?

Searching the logs for firewall rule additions shows that 6 rules were added.

Ans : 6

Q8 One of the downloaded files to the target system is a scanning tool. Provide the tool name.

We can look for installed packages in the dpkg.log file.

Ans : nmap

Q9 When was the last login from the attacker with IP 219.150.161.20? Format: MM/DD/YYYY HH:MM:SS AM

Back to auth.log, grepping the successful logins from the attacker's IP address:

grep "Accepted password" auth.log | grep -F "219.150.161.20"

The last login is at Apr 19 05:56:05.

Ans : 04/19/2010 05:56:05 AM
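As an added example (not part of the original writeup), this script reproduces the Q4, Q5 and Q9 triage over a constructed auth.log excerpt with placeholder private-range IPs. It keys on "sshd[...]: Accepted " so unrelated lines containing "Accepted" are not counted, and reads the source address from the field after "from" instead of a fixed column, so a different hostname or auth method does not shift it.

```shell
#!/bin/sh
# Constructed sample auth.log excerpt (made up for this example; the IPs are
# private-range placeholders, not the challenge's attacker addresses).
AUTH_SAMPLE='Apr 19 05:41:44 app-1 sshd[4123]: Failed password for root from 10.0.0.5 port 40011 ssh2
Apr 19 05:41:50 app-1 sshd[4123]: Accepted password for root from 10.0.0.5 port 40011 ssh2
Apr 19 05:42:10 app-1 sshd[4130]: Accepted password for root from 10.0.0.9 port 40120 ssh2
Apr 19 05:50:01 app-1 sshd[4150]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.77  user=root
Apr 19 05:50:05 app-1 sshd[4150]: Failed password for root from 192.168.1.77 port 50555 ssh2
Apr 19 05:56:05 app-1 sshd[4190]: Accepted password for root from 10.0.0.5 port 40333 ssh2
Apr 19 06:01:12 app-1 sshd[4201]: Accepted password for root from 10.0.0.9 port 40400 ssh2
Apr 19 06:03:00 app-1 sshd[4210]: Accepted publickey for admin from 172.16.0.3 port 41000 ssh2
Apr 19 06:10:15 app-1 sshd[4220]: Accepted password for root from 10.0.0.5 port 40999 ssh2'

# Emit "month day time user ip" for every sshd line recording a successful
# login, whatever the auth method (password, publickey, ...).
accepted_logins() {
  printf '%s\n' "$AUTH_SAMPLE" |
    awk '/sshd\[[0-9]+\]: Accepted / {
           for (i = 1; i < NF; i++) if ($i == "for")  user = $(i+1)
           for (i = 1; i < NF; i++) if ($i == "from") ip   = $(i+1)
           print $1, $2, $3, user, ip }'
}

# Q4-style count: distinct source IPs with at least one accepted login.
count_attackers() { accepted_logins | awk '{print $5}' | sort -u | wc -l | tr -d ' '; }

# Q5-style ranking: the IP with the most accepted logins.
top_ip() { accepted_logins | awk '{print $5}' | sort | uniq -c | sort -rn | awk 'NR == 1 {print $2}'; }

# Q9-style lookup: timestamp of the last accepted login from the given IP.
last_login() { accepted_logins | awk -v ip="$1" '$5 == ip {last = $1 " " $2 " " $3} END {print last}'; }

count_attackers      # 3
top_ip               # 10.0.0.5
last_login 10.0.0.5  # Apr 19 06:10:15
```

To run it against the real challenge file, replace the printf of AUTH_SAMPLE with `cat auth.log`.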

Q10 The database displayed two warning messages, provide the most important and dangerous one.

The database messages are stored in daemon.log.

The most dangerous warning is the one about root accounts created without passwords.

Ans : mysql.user contains 2 root accounts without password!

Q11 Multiple accounts were created on the target system. Which one was created on Apr 26 04:43:15?

Grep the logs for the timestamp given in the question:

name=wind3str0y

Ans : wind3str0y

Q12 Few attackers were using a proxy to run their scans. What is the corresponding user-agent used by this proxy?

Extract the User-Agent values from the www-access.log file:

cut -d ' ' -f 12 apache2/www-access.log | sort | uniq
pxyscand/2.1

Ans : pxyscand/2.1

Thanks 🥰
