Nginx

Prompt

Analyze an nginx access log and answer questions about what happened.

Walk-Through

This challenge involves analyzing an NGINX access log. The questions can be solved through manual inspection of the file and by using basic Linux commands to parse the log.

Questions

Q1. How many different IP addresses reached the server?

cat access.log | cut -d " " -f 1 | sort | uniq | wc -l
Extract the first field (the client IP address), sort the IP addresses, keep only the unique ones, and then count the lines.

Q2. How many requests yielded a 200 code?

cat access.log | cut -d '"' -f 3 | cut -d ' ' -f 2 | sort | uniq -c | sort -rn
Split each line on double quotes and take the third field (the status code and response size that follow the quoted request), take the status code from it, sort, get the unique values with a count of the occurrences of each status code, and then sort in descending numeric order. The line for 200 gives the answer.

Q3. How many requests yielded a 400 code?

Same command as the question above; read the count next to 400.

Q4. What IP address rang at the doorbell?

cat access.log | grep "bell"
Search the log for any lines that contain “bell”; the first field of the matching line is the IP address.

Q5. What version of the Googlebot visited the website?

cat access.log | grep "Googlebot"
Search the log for any lines that contain “Googlebot”; the version number follows the slash in the User-Agent string.

Q6. Which IP address attempted to exploit the Shellshock vulnerability?

Search online for details about the Shellshock vulnerability. You should find that the presence of the character sequence () { :; }; in a request is an indicator of an attempted exploitation of this vulnerability.

cat access.log | grep '() { :; };'
Search the log for any lines that contain () { :; }; and read the IP address from the first field of the matching line.

Q7. What was the most popular version of Firefox used for browsing the website?

cat access.log | egrep -o "Firefox/.*" | sort | uniq -c
Print only the matched part of each line that contains “Firefox/” followed by the version number, sort those values, and then count the occurrences of each unique value. The value with the highest count is the answer.

Q8. What is the most common HTTP method used?

cat access.log | awk -F " " '{print $6}' | sort | uniq -c | sort -rn
Extract the 6th field (with the HTTP method), sort, get the unique values with a count of the occurrences of each value, and then sort in descending numeric order.

Q9. What is the second most common HTTP method used?

Same command as the question above; take the second line of the sorted output.

Q10. How many requests were for \x04\x01\x00P\xC6\xCE\x0Eu0\x00?

cat access.log | grep '\\x04\\x01\\x00P\\xC6\\xCE\\x0Eu0\\x00' | wc -l
Search the log for all lines that contain that sequence of characters and then count the lines. Note that the command needs two backslashes for each backslash in the log, so that grep matches a literal backslash instead of treating it as the start of an escape sequence.
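The cut/awk pipelines above each answer one question and assume every line is a well-formed HTTP request. As an added example (not part of the original walk-through), the script below parses nginx's combined log format once and answers all ten question types in one pass, including the non-HTTP probe from Q10, whose request field does not split into METHOD PATH PROTOCOL; the log lines and addresses are constructed for the example, not taken from the challenge file.

```python
import re
from collections import Counter

# nginx's default "combined" log_format: ip - user [time] "request" status size "referer" "user-agent".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
SHELLSHOCK = "() { :; };"  # the indicator string the walk-through greps for

# Constructed sample log (not the challenge's access.log); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = r"""203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /doorbell HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /cgi-bin/status HTTP/1.1" 400 157 "-" "() { :; };"
198.51.100.7 - - [10/Oct/2024:13:56:02 +0000] "POST /login HTTP/1.1" 200 34 "-" "Mozilla/5.0 Firefox/118.0"
192.0.2.9 - - [10/Oct/2024:13:57:10 +0000] "\x04\x01\x00P\xC6\xCE\x0Eu0\x00" 400 157 "-" "-"
203.0.113.5 - - [10/Oct/2024:13:58:00 +0000] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0 Firefox/115.0"
"""

def parse(text):
    """Return (entries, unparsed_lines); unparsed lines are kept rather than silently dropped."""
    entries, unparsed = [], []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        e = m.groupdict()
        # Non-HTTP probes (logged as \xNN escapes) do not split into METHOD PATH PROTOCOL, so awk's $6 misreports them.
        parts = e["request"].split(" ")
        e["method"] = parts[0] if len(parts) == 3 else None
        entries.append(e)
    return entries, unparsed

def summarize(entries):
    """Answer the walk-through's question types (Q1-Q10) in one pass over the parsed entries."""
    firefox = Counter(m.group(1) for e in entries
                      for m in [re.search(r"Firefox/([\d.]+)", e["ua"])] if m)
    googlebot = {m.group(1) for e in entries
                 for m in [re.search(r"Googlebot/([\d.]+)", e["ua"])] if m}
    # The Shellshock indicator can appear in any logged header, so check every string field.
    shellshock = {e["ip"] for e in entries
                  if any(SHELLSHOCK in e[f] for f in ("request", "referer", "ua"))}
    return {
        "distinct_ips": len({e["ip"] for e in entries}),
        "status_counts": Counter(e["status"] for e in entries),
        "method_counts": Counter(e["method"] for e in entries if e["method"]),
        "googlebot_versions": sorted(googlebot),
        "shellshock_ips": sorted(shellshock),
        "firefox_top": firefox.most_common(1)[0] if firefox else None,
        "non_http_requests": sum(1 for e in entries if e["method"] is None),
    }
```

Run it against the real file with `summarize(parse(open("access.log").read())[0])`; a non-empty `unparsed` list is the signal that some lines need a closer manual look.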

© 2024 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.