VSFTPD

Prompt

Analyze a VSFTPD log file that we obtained.

vsftpd.log (411.1 KB)

Walk-Through

This challenge involves analyzing the log file of a VSFTPD server. The questions can be solved through manual inspection of the file and by using basic Linux commands to parse the log.

Questions

Q1. What IP address did "ftpuser" first log in from?

cat vsftpd.log | grep ftpuser
Search for any entries that include “ftpuser”. One of these lines should include an IP address.

Q2. What is the first directory that ftpuser created?

cat vsftpd.log | grep ftpuser | grep -i mkdir | head -n 1
Search for the first entry of the ftpuser account running the mkdir command.

Q3. What is the last directory that ftpuser created?

cat vsftpd.log | grep ftpuser | grep -i mkdir | tail -n 1
Search for the last entry of the ftpuser account running the mkdir command.

Q4. What file extension was the most used by ftpuser?

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2}' | cut -d '"' -f 2 | awk -F '.' '{print $NF}' | sort | uniq -c
Search for successful file upload entries from ftpuser, extract the file extension from each uploaded path, and then get the frequency count for each unique file extension.

Q5. What is the username of the other user in this log?

Visually inspect the log file for any other usernames. One example can be found on line 249.

cat vsftpd.log | grep '\[.*\] \[.*\]' | awk -F ' ' '{print $8}' | sort | uniq
Search for lines that contain the pattern [.*] [.*] as these lines contain the usernames. Then, extract the username column, sort, and then get the unique results. Note that the backslashes in the grep command are needed to escape the [ and ] characters.

Q6. What IP address did this other user log in from?

cat vsftpd.log | grep jimmy
Search for any entries that include jimmy. One of these lines should include an IP address.

Q7. How many total bytes did this other user upload?

cat vsftpd.log | grep jimmy | grep 'OK UPLOAD' | awk -F ',' '{print $3}' | cut -f 2 -d ' ' | awk '{s+=$1} END {printf "%.0f\n", s}'
Search for successful file upload entries from jimmy, extract the number of bytes transferred, then sum the bytes.

Q8. How many total bytes did ftpuser upload?

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $3}' | cut -f 2 -d ' ' | awk '{s+=$1} END {printf "%.0f\n", s}'
Search for successful file upload entries from ftpuser, extract the number of bytes transferred, then sum the bytes.

Q9. How many total bytes did ftpuser download?

cat vsftpd.log | grep ftpuser | grep 'OK DOWNLOAD' | awk -F ',' '{print $3}' | cut -f 2 -d ' ' | awk '{s+=$1} END {printf "%.0f\n", s}'
Search for successful file download entries from ftpuser, extract the number of bytes transferred, then sum the bytes.

Q10. Identify the IP address of the suspicious login (the login with no subsequent activity).

cat vsftpd.log | grep 'OK LOGIN' | awk -F '"' '{print $2}' | sort | uniq
Search for all of the successful login attempts, extract the IP address used to log in, then sort and unique the IP addresses to produce a short list for manual inspection. The suspicious one is the IP that appears in an OK LOGIN line but in no later MKDIR, UPLOAD, or DOWNLOAD line.
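The ten pipelines above can also be answered by one small parser of vsftpd's default log line format. The script below is an added example, not part of the challenge walk-through; it runs on constructed sample lines rather than the challenge file, and the function names, sample usernames, paths and IP addresses are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample in vsftpd's default log format; not lines from the challenge file.
SAMPLE_LOG = """\
Mon Mar  4 10:00:01 2024 [pid 1201] [ftpuser] OK LOGIN: Client "10.0.0.5"
Mon Mar  4 10:00:05 2024 [pid 1203] [ftpuser] OK MKDIR: Client "10.0.0.5", "/home/ftpuser/projects"
Mon Mar  4 10:00:09 2024 [pid 1203] [ftpuser] OK UPLOAD: Client "10.0.0.5", "/home/ftpuser/projects/a.txt", 120 bytes, 1.20Kbyte/sec
Mon Mar  4 10:00:12 2024 [pid 1203] [ftpuser] OK UPLOAD: Client "10.0.0.5", "/home/ftpuser/projects/b.txt", 80 bytes, 0.80Kbyte/sec
Mon Mar  4 10:00:15 2024 [pid 1203] [ftpuser] OK UPLOAD: Client "10.0.0.5", "/home/ftpuser/projects/c.png", 300 bytes, 3.00Kbyte/sec
Mon Mar  4 10:00:20 2024 [pid 1203] [ftpuser] OK MKDIR: Client "10.0.0.5", "/home/ftpuser/archive"
Mon Mar  4 10:00:25 2024 [pid 1203] [ftpuser] OK DOWNLOAD: Client "10.0.0.5", "/home/ftpuser/projects/a.txt", 120 bytes, 1.20Kbyte/sec
Mon Mar  4 10:05:00 2024 [pid 1310] [jimmy] OK LOGIN: Client "10.0.0.9"
Mon Mar  4 10:05:04 2024 [pid 1312] [jimmy] OK UPLOAD: Client "10.0.0.9", "/home/jimmy/notes.md", 45 bytes, 0.45Kbyte/sec
Mon Mar  4 11:30:00 2024 [pid 1450] [ftpuser] OK LOGIN: Client "203.0.113.77"
"""

# One event line: timestamp, [pid N], [user], STATUS ACTION: Client "ip"[, "path"][, N bytes, ...]
LINE_RE = re.compile(
    r'^\S+ \S+\s+\d+ \S+ \d+ \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>\w+) (?P<action>\w+): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]*)")?(?:, (?P<bytes>\d+) bytes)?'
)

def parse(log):
    """One dict per line the pattern recognises, in file order (CONNECT lines carry no user and are skipped)."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def ok(events, user, action):
    """Successful events of one ACTION for one user, in file order."""
    return [e for e in events if e["user"] == user and e["status"] == "OK" and e["action"] == action]

def first_login_ip(events, user):                       # Q1, Q6
    return ok(events, user, "LOGIN")[0]["ip"]
def created_dirs(events, user):                         # Q2 is [0], Q3 is [-1]
    return [e["path"] for e in ok(events, user, "MKDIR")]
def upload_extensions(events, user):                    # Q4: .most_common(1) gives the winner
    return Counter(e["path"].rsplit(".", 1)[-1] for e in ok(events, user, "UPLOAD"))
def total_bytes(events, user, action):                  # Q7-Q9 with action "UPLOAD" or "DOWNLOAD"
    return sum(int(e["bytes"]) for e in ok(events, user, action))

def idle_logins(events):
    """Q10: (user, ip) of successful logins with no later non-LOGIN event from the same user and IP."""
    idle = []
    for i, e in enumerate(events):
        if e["status"] == "OK" and e["action"] == "LOGIN" and not any(
            x["user"] == e["user"] and x["ip"] == e["ip"] and x["action"] != "LOGIN"
            for x in events[i + 1:]
        ):
            idle.append((e["user"], e["ip"]))
    return idle
```

Replace SAMPLE_LOG with the contents of the real file and the same functions answer Q1 through Q10; idle_logins is the programmatic form of the manual inspection step in Q10.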

©️ 2024 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.