Hammered - Log Analysis

Which service did the attackers use to gain access to the system?

auth.log

What is the operating system of the targeted system?

# The kernel boot banner in kern.log names the distribution and kernel version
cat kern.log | more

What is the name of the compromised account?

cat auth.log | more

Consider that each unique IP represents a different attacker. How many attackers were able to get access to the system?

cat auth.log | grep "Accepted password"
# count distinct source IPs behind the successful logins (one IP = one attacker)
grep "Accepted password" auth.log | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u | wc -l

Which IP address successfully logged into the system the most number of times?

# uniq only collapses adjacent duplicates, so sort first; -c gives the login count per source IP
grep "Accepted password" auth.log | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rn
219.150.161.20

How many requests were sent to the Apache Server?

cat www-access.log | wc -l

How many rules have been added to the firewall?

cat auth.log | grep "iptables -A" | wc -l

One of the downloaded files to the target system is a scanning tool. Provide the tool name.

# I thought one of the famous tools, nmap, would be the answer, but it is not. Wrong thinking.
# We need to check the installed packages in the log files. There are so many log files. We can filter for our friendly tool nmap.
cat dpkg.log  | grep "nmap"

When was the last login from the attacker with IP 219.150.161.20? Format: MM/DD/YYYY HH:MM:SS AM

# auth.log is in chronological order, so the last matching line is the last login
cat auth.log | grep "Accepted password" | grep "219.150.161.20" | tail -n 1
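The attacker-count, top-IP and last-login questions above all reduce to parsing the "Accepted password" lines of auth.log. The following script is an added example, not part of the original write-up or the challenge files; the log lines it embeds are constructed in the standard sshd/syslog format, and because syslog timestamps carry no year, the caller supplies one (2010 is assumed here, matching the year seen in the Apache log).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in auth.log format (not taken from the challenge files).
SAMPLE_AUTH_LOG = """\
Apr 19 05:06:22 app-1 sshd[5466]: Accepted password for root from 219.150.161.20 port 51249 ssh2
Apr 19 05:07:01 app-1 sshd[5480]: Failed password for root from 10.0.0.5 port 40000 ssh2
Apr 19 05:08:40 app-1 sshd[5499]: Accepted password for root from 10.0.0.5 port 40010 ssh2
Apr 20 03:15:09 app-1 sshd[6120]: Accepted password for root from 219.150.161.20 port 52001 ssh2
Apr 24 19:40:31 app-1 sshd[7001]: Accepted password for root from 192.0.2.77 port 33010 ssh2
Apr 25 11:05:18 app-1 sshd[7320]: Accepted password for root from 219.150.161.20 port 52777 ssh2
"""

# Matches only successful sshd logins; "Failed password" lines are ignored.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def successful_logins(log_text):
    """Yield (timestamp_str, user, ip) for each accepted SSH login in the log."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip")


def attacker_ip_counts(log_text):
    """Counter of successful logins per source IP (one unique IP = one attacker)."""
    return Counter(ip for _, _, ip in successful_logins(log_text))


def last_login(log_text, ip, year):
    """Last accepted login from `ip`, formatted as the challenge asks (MM/DD/YYYY HH:MM:SS AM).

    The year is an assumed input because syslog timestamps do not record it.
    Returns None when the IP never logged in successfully."""
    stamps = [ts for ts, _, src in successful_logins(log_text) if src == ip]
    if not stamps:
        return None
    parsed = [datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S") for ts in stamps]
    return max(parsed).strftime("%m/%d/%Y %I:%M:%S %p")


if __name__ == "__main__":
    counts = attacker_ip_counts(SAMPLE_AUTH_LOG)
    print("distinct attacker IPs:", len(counts))
    print("most successful logins:", counts.most_common(1)[0])
    print("last login from 219.150.161.20:", last_login(SAMPLE_AUTH_LOG, "219.150.161.20", 2010))
```

Run it against the real auth.log by replacing SAMPLE_AUTH_LOG with the file contents; the regex also accepts "Accepted publickey" lines, so key-based logins are counted too.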

The database displayed two warning messages, provide the most important and dangerous one.

# A daemon is a program that runs in the background and is essential for system operations. Daemon logs have their own category of logs and are seen as the heart of the logging operations for any system. The path for the system login daemon's configuration is /etc/syslog.
cat daemon.log | grep "mysql" | grep "WARNING"

Multiple accounts were created on the target system. Which one was created on Apr 26 04:43:15?

cat auth.log | grep "Apr 26 04:43:1"

Few attackers were using a proxy to run their scans. What is the corresponding user-agent used by this proxy?

# A forwarding proxy issues CONNECT requests, so filter on the method instead of paging through the whole log
grep "CONNECT" www-access.log | more
193.109.122.56 - - [20/Apr/2010:00:00:01 -0700] "CONNECT 72.51.18.254:6677 HTTP/1.0" 301 - "-" "pxyscand/2.1" oFs91QoAAQ4AAAQFlmcAAAAL 1213441
