First we need to know what each of these logs contains:
1- /var/log/auth.log: contains system authorization information, including user logins and the authentication mechanisms that were used, both successful and failed attempts.
2- /var/log/apache/access.log: a log file that stores information about incoming requests to the Apache web server.
3- /var/log/dmesg: provides a snapshot of the kernel messages at boot time.
4- /var/log/kern.log: stores information from the Ubuntu Linux kernel.
5- /var/log/daemon.log: daemon logs contain information about events related to the services (daemons) running on the Linux system.
6- /var/log/apt/term.log: stores records of actions such as package installations and updates (a history of apt commands).
The only log file that will help us to know which service the attacker used to gain access is auth.log,
because it contains system authorization information, including user logins and the authentication mechanisms that were used.
We use this command to get more information about it:
cat auth.log | grep "Failed"
The attacker was using a brute force attack against the ssh service to gain access.
In this question we can identify the operating system in two ways.
First, we check the dmesg file (dmesg provides a snapshot of the kernel messages at boot time)
with the command cat dmesg | less
We will see that the operating system version is 4.2.4-1ubuntu3.
Second, we check kern.log
with the command cat kern.log | less
We will see the same operating system version, 4.2.4-1ubuntu3.
In this question we need to know which account was compromised, so the only log file that will help us is auth.log because it
contains system authorization information, including user logins and the authentication mechanisms that were used.
We use the command cat auth.log | grep 'Accepted password'
so the root account was compromised.
How do we detect it? If we go back to the command cat auth.log | grep "Failed"
we will see the IP 219.150.161.20.
At Apr 19 05:38:37 it got "Failed password" more than once, which means the attacker was using a brute force attack to gain access until
it succeeded and compromised the root account at Apr 19 05:55:20.
Q4 Consider that each unique IP represents a different attacker. How many attackers were able to get access to the system?
We need to know how many attackers were able to get access to the system, so we need to know how many
IPs got "Failed password for root" and then got "Accepted password for root".
By comparing the output of these two commands we get the number of attackers who were able to get access to the system:
cat auth.log | grep 'Failed password for root' | awk '{print $11}' | sort | uniq -c
cat auth.log | grep 'Accepted password for root' | awk '{print $11}' | sort | uniq -c
We will see 6.
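To show how the field extraction and the comparison of the two lists work, here is an added example that is not part of the original writeup. It embeds a constructed auth.log excerpt (invented hostname, PIDs and documentation-range IPs, in the same format as OpenSSH's "Failed password" / "Accepted password" lines) and uses awk to intersect the set of IPs that failed against root with the set that was later accepted, which is the comparison the two commands above do by eye. The counts it produces belong to the constructed sample only; the real challenge log gives the answer stated above.

```shell
#!/bin/sh
# Added example, not from the original writeup.
# Constructed auth.log excerpt; hostname, PIDs and IPs are invented.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Apr 19 05:38:37 app-1 sshd[2345]: Failed password for root from 203.0.113.5 port 40001 ssh2
Apr 19 05:38:40 app-1 sshd[2345]: Failed password for root from 203.0.113.5 port 40002 ssh2
Apr 19 05:39:01 app-1 sshd[2350]: Failed password for invalid user admin from 198.51.100.9 port 50100 ssh2
Apr 19 05:55:20 app-1 sshd[2390]: Accepted password for root from 203.0.113.5 port 40077 ssh2
Apr 19 06:10:02 app-1 sshd[2402]: Failed password for root from 198.51.100.9 port 50111 ssh2
Apr 19 06:12:45 app-1 sshd[2410]: Accepted password for root from 198.51.100.9 port 50120 ssh2
Apr 19 07:00:00 app-1 sshd[2450]: Failed password for root from 192.0.2.77 port 33333 ssh2
Apr 19 08:00:00 app-1 sshd[2470]: Accepted password for root from 192.0.2.88 port 44444 ssh2
EOF
)

# Unique source IPs for lines matching $1 (e.g. 'Accepted password for root').
# In "... Failed password for root from <IP> port <n> ssh2" the IP is field 11,
# which is why the writeup's commands use awk '{print $11}'.
ips_with() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | grep "$1" | awk '{print $11}' | sort -u
}

# Number of unique IPs matching $1 (wc output trimmed so it compares cleanly).
count_unique() {
    ips_with "$1" | wc -l | tr -d ' '
}

# IPs that failed against root at least once AND later got "Accepted password":
# the brute-force attempts that worked. One awk pass instead of two greps.
brute_force_successes() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | awk '
        /Failed password for root/   { failed[$11] = 1 }
        /Accepted password for root/ { accepted[$11] = 1 }
        END { for (ip in accepted) if (ip in failed) print ip }
    ' | sort
}

# Usage: run the script to see the intersection on the constructed sample.
brute_force_successes
```

Note that the "invalid user admin" line is ignored by the 'for root' filters; if you drop the username from the pattern, the IP moves to a different field on those lines, so check the field position before trusting $11. On the real log, swap the constructed sample for `cat auth.log`.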
To know how many requests were sent to the Apache server,
we will find it inside access.log because it stores information about incoming requests.
wc -l counts the number of lines, which gives us the number of requests:
wc -l www-access.log
Iptables is the standard firewall included in most Linux distributions by default. Commands run through sudo are recorded in auth.log, so that is where we look for it:
cat auth.log | grep 'iptable'
The file that will help us in this question to know which tool was downloaded is term.log (it stores records of actions such as package installations and updates).
We use the command cat term.log | grep -A 5 -B 5 'install'
nmap is one of the most popular scanning tools.
Using the command cat auth.log | grep 'Accepted password for root' we will know the last login,
but we will not see the year, because syslog timestamps do not include it; get it from the auth.log file properties.
Data about the database will be stored in daemon.log (daemon logs contain information about events related to the services running on the Linux system).
With the command cat daemon.log | grep 'WARNING'
We will search auth.log for the new user with this command: cat auth.log | grep 'new user' | grep 'Apr 26 04:43:1'
Q12 Few attackers were using a proxy to run their scans. What is the corresponding user-agent used by this proxy?
The HTTP CONNECT method starts two-way communication with the requested resource. It can be used to open a tunnel through a proxy, which is why proxy scanners send it.
Command: cat www-access.log | grep 'CONNECT'
Answer: pxyscand/2.1
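For the two access.log questions (counting requests and finding the user-agent behind the CONNECT requests), here is an added example that is not part of the original writeup. It embeds a constructed www-access.log excerpt in Apache's combined log format (invented IPs, hosts and user-agent strings; the real answer is the one stated above) and shows how to pull the user-agent out of a combined-format line with awk, using the double quote as the field separator, instead of reading it by eye from the grep output.

```shell
#!/bin/sh
# Added example, not from the original writeup.
# Constructed Apache combined-format excerpt; IPs, hosts and user-agents are invented.
SAMPLE_ACCESS_LOG=$(cat <<'EOF'
198.51.100.7 - - [19/Apr/2010:05:40:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (constructed browser)"
203.0.113.44 - - [19/Apr/2010:05:41:10 +0000] "CONNECT mail.example.invalid:25 HTTP/1.0" 405 0 "-" "ExampleProxyScanner/0.1 (constructed)"
203.0.113.44 - - [19/Apr/2010:05:41:11 +0000] "CONNECT 198.51.100.7:3128 HTTP/1.0" 405 0 "-" "ExampleProxyScanner/0.1 (constructed)"
192.0.2.200 - - [19/Apr/2010:05:45:00 +0000] "CONNECT www.example.invalid:443 HTTP/1.1" 405 0 "-" "curl/7.68.0"
198.51.100.7 - - [19/Apr/2010:05:50:30 +0000] "POST /login HTTP/1.1" 302 0 "http://example.invalid/" "Mozilla/5.0 (constructed browser)"
EOF
)

# Total requests: one line per request, so wc -l is enough (trimmed for comparison).
count_requests() {
    printf '%s\n' "$SAMPLE_ACCESS_LOG" | wc -l | tr -d ' '
}

# Requests whose method is CONNECT (the quote before CONNECT anchors it to the request field).
count_connect_requests() {
    printf '%s\n' "$SAMPLE_ACCESS_LOG" | grep -c '"CONNECT '
}

# Splitting a combined-format line on double quotes gives:
#   $2 = request line, $4 = referer, $6 = user-agent.
# Most common user-agent among CONNECT requests, count prefix stripped.
top_connect_user_agent() {
    printf '%s\n' "$SAMPLE_ACCESS_LOG" \
        | grep '"CONNECT ' \
        | awk -F'"' '{print $6}' \
        | sort | uniq -c | sort -rn \
        | head -n 1 \
        | sed 's/^ *[0-9]* //'
}

# Usage: run the script to see the scanner's user-agent on the constructed sample.
top_connect_user_agent
```

Splitting on the quote character is more robust than counting space-separated fields, because the request line and user-agent both contain spaces and would shift the field numbers. On the real log, replace the constructed sample with `cat www-access.log`.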