VSFTPD

Prompt

Analyze a VSFTPD log file that we obtained.

vsftpd.log (411.1 KB)

Walk-Through

This challenge involves analyzing the log file of a VSFTPD server. The questions can be solved through manual inspection of the file and by using basic Linux commands to parse the log.

VSFTPD stands for “Very Secure FTP Daemon” and is used on Linux servers to give users a secure way to upload and download files. This type of server is deployed for many different purposes, but the logs it produces convey the same kinds of information: timestamps, process IDs (PID), event types, client IP addresses, and usernames.

To find the IP address of a specific user, use grep as shown:

cat vsftpd.log | grep ftpuser


The actions performed by ftpuser (like making directories) can be filtered by searching the output of the previous command and using the head command to see the first result.

cat vsftpd.log | grep ftpuser | grep -i mkdir | head -n 1

The output has been partially redacted.

The same can be done with tail to see actions performed by the user at a later time:

cat vsftpd.log | grep ftpuser | grep -i mkdir | tail -n 1

The output has been partially redacted.

To determine what file type was most commonly uploaded, use grep to get an idea of what the upload entries look like. This will help determine how to structure a command that filters the log down so that only file extensions are output.

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD'

As shown below, the file path where the file was uploaded contains the file extension. There is a comma used after the file path— this can be used to set a custom delimiter with the awk command. Using awk, the specific column of data segmented by the commas can be printed. The second column has the file path with the file extension.

To use a custom delimiter with awk, use the -F option and enter the keyboard character you want to use as a delimiter between two single quotes as follows:

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2}' | head


Now let's isolate the file extension using the period as the delimiter. The output needed comes after the period, so be sure to use $2 to tell awk to print the second field.

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2}' | awk -F '.' '{print $2}' | head


From here, all that’s needed is to sort and print the unique file types using the following command:

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2 }' | awk -F "." '{print $2}' | sort | uniq -c | sort

The output has been partially redacted. (Notice that the double quotes are still present. These can be filtered out with awk or cut, but this was not shown for brevity.)

To find other users that might be in this log file, look at which column contains the username field: it is the 8th whitespace-separated column, the bracketed name that follows [pid N]. Use awk to print this field for all log entries. Be sure to use sort and uniq so you can more easily see how many different users are in the log file. Entries that carry no username (for example the CONNECT lines) will show some other token in that column, so ignore anything that is not a bracketed name.

cat vsftpd.log | awk '{print $8}' | sort | uniq

Enter another command using grep to find the IP address for this user.

To determine how many bytes were uploaded or downloaded by a particular user, let's grep for the desired user, grep again for either 'OK UPLOAD' or 'OK DOWNLOAD' depending on which direction we are interested in, and then use the commas as a delimiter to see the file size.


Those are just the bytes for each individual file, not the total. awk can be used to get the total bytes using this command: awk '{s+=$1} END {print s}'. This takes the value of the first column ($1) and adds it to the variable s, creating a running total through each line of the output. When the input ends (END), awk prints the value of s, the sum of the bytes.

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $3}' | awk '{s+=$1} END {print s}'

The output has been partially redacted.

To identify the IP address associated with a suspicious login, or logins without any other activity, let's grep for successful logins and then extract the field that holds the IP address (the text between the double quotes).

cat vsftpd.log | grep 'OK LOGIN' | awk -F '"' '{print $2 }' | sort | uniq

The output has been partially redacted.
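The pipelines above work well for this challenge, but two of them have rough edges worth knowing about: a bare grep ftpuser also matches lines from other users whose file paths contain "ftpuser", and splitting the path on the first period picks the wrong extension for names like backup.tar.gz (or any path with a dot in a directory name). The following script is an added example, not part of the original walkthrough or Cyber Skyline's material. It writes a small constructed vsftpd.log in the daemon's own line format (all hosts, users and sizes are made up), keys on the bracketed [user] field, takes the extension after the last dot, sums transfer bytes, and lists logins with no later activity (the method behind the last two sections above). The naive_download_bytes function reproduces the walkthrough's grep pipeline so the difference can be seen side by side. The file name vsftpd-sample.log and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original walkthrough): parse a constructed
# vsftpd.log with awk, keyed on the [user] field rather than a bare grep.

LOG="${LOG:-./vsftpd-sample.log}"   # assumed output path for the sample log

# Write a constructed sample log in vsftpd's own line format (hypothetical data).
make_log() {
    cat > "$LOG" <<'EOF'
Mon Jan  6 10:15:02 2025 [pid 2] CONNECT: Client "10.0.0.5"
Mon Jan  6 10:15:05 2025 [pid 1] [ftpuser] OK LOGIN: Client "10.0.0.5"
Mon Jan  6 10:16:10 2025 [pid 3] [ftpuser] OK MKDIR: Client "10.0.0.5", "/home/ftpuser/reports"
Mon Jan  6 10:17:30 2025 [pid 3] [ftpuser] OK UPLOAD: Client "10.0.0.5", "/home/ftpuser/reports/q1.pdf", 2048 bytes, 12.34Kbyte/sec
Mon Jan  6 10:18:00 2025 [pid 3] [ftpuser] OK UPLOAD: Client "10.0.0.5", "/home/ftpuser/reports/q2.pdf", 4096 bytes, 20.00Kbyte/sec
Mon Jan  6 10:19:00 2025 [pid 3] [ftpuser] OK UPLOAD: Client "10.0.0.5", "/home/ftpuser/backup.tar.gz", 1000 bytes, 9.00Kbyte/sec
Mon Jan  6 10:20:00 2025 [pid 3] [ftpuser] OK DOWNLOAD: Client "10.0.0.5", "/home/ftpuser/reports/q1.pdf", 2048 bytes, 55.00Kbyte/sec
Mon Jan  6 11:02:00 2025 [pid 4] CONNECT: Client "192.168.1.20"
Mon Jan  6 11:02:03 2025 [pid 5] [jimmy] OK LOGIN: Client "192.168.1.20"
Mon Jan  6 11:03:00 2025 [pid 6] [jimmy] OK UPLOAD: Client "192.168.1.20", "/home/jimmy/notes.txt", 300 bytes, 3.00Kbyte/sec
Mon Jan  6 11:04:00 2025 [pid 6] [jimmy] OK DOWNLOAD: Client "192.168.1.20", "/home/ftpuser/reports/q2.pdf", 4096 bytes, 40.00Kbyte/sec
Mon Jan  6 23:41:00 2025 [pid 7] CONNECT: Client "203.0.113.77"
Mon Jan  6 23:41:02 2025 [pid 8] [ftpuser] OK LOGIN: Client "203.0.113.77"
EOF
}

# Count extensions of successful uploads by one user. Splitting on double
# quotes puts the file path in field 4; the extension is what follows the
# LAST dot of the base name (so backup.tar.gz counts as "gz").
upload_extensions() {   # $1 = user
    awk -F '"' -v user="$1" '
        index($1, "[" user "] OK UPLOAD:") {
            base = $4; sub(/.*\//, "", base)          # drop the directory part
            if (base ~ /\./) { sub(/.*\./, "", base); print base }
            else print "(none)"
        }' "$LOG" | sort | uniq -c | sort -rn
}

# Most common upload extension for a user (first row of the count above).
top_extension() {       # $1 = user
    upload_extensions "$1" | head -n 1 | awk '{print $2}'
}

# Sum bytes over OK UPLOAD or OK DOWNLOAD lines of one user. The byte count
# is pulled out of field 5 with match(), so it does not depend on the exact
# number of commas in the rest of the line.
total_bytes() {         # $1 = user, $2 = UPLOAD or DOWNLOAD
    awk -F '"' -v user="$1" -v dir="$2" '
        index($1, "[" user "] OK " dir ":") && match($5, /[0-9]+ bytes/) {
            s += substr($5, RSTART, RLENGTH) + 0
        }
        END { print s + 0 }' "$LOG"
}

# The walkthrough's own pipeline, kept for comparison: a bare grep on the
# username also matches other users' transfers of files under /home/ftpuser.
naive_download_bytes() {   # $1 = user
    grep "$1" "$LOG" | grep 'OK DOWNLOAD' | awk -F ',' '{print $3}' \
        | awk '{s+=$1} END {print s + 0}'
}

# Client IPs that logged in successfully but issued no other successful
# command from that address (the "login with no subsequent activity" case).
idle_login_ips() {
    awk -F '"' '
        /OK LOGIN:/      { logged_in[$2] = 1; next }
        / OK [A-Z]+:/    { active[$2] = 1 }
        END { for (ip in logged_in) if (!(ip in active)) print ip }' "$LOG" | sort
}

make_log
echo "ftpuser top upload extension: $(top_extension ftpuser)"
echo "ftpuser uploaded $(total_bytes ftpuser UPLOAD) bytes, downloaded $(total_bytes ftpuser DOWNLOAD) bytes"
echo "naive grep download total for ftpuser: $(naive_download_bytes ftpuser) bytes (includes jimmy's download)"
echo "logins with no later activity: $(idle_login_ips)"
```

Against the sample log, total_bytes ftpuser DOWNLOAD reports 2048 while the bare-grep version reports 6144, because jimmy's download of a file under /home/ftpuser/ matches the username grep; on the real challenge log the two will agree only if no other user ever touches a path containing "ftpuser". Point LOG at the real vsftpd.log (and skip make_log) to run the same functions on the challenge data.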

Questions

1. What IP address did "ftpuser" first log in from?

cat vsftpd.log | grep ftpuser
Search for any entries that include “ftpuser”. One of these lines should include an IP address.

2. What is the first directory that ftpuser created?

cat vsftpd.log | grep ftpuser | grep -i mkdir | head -n 1
Search for the first entry of the ftpuser account running the mkdir command.

3. What is the last directory that ftpuser created?

cat vsftpd.log | grep ftpuser | grep -i mkdir | tail -n 1
Search for the last entry of the ftpuser account running the mkdir command.

4. What file extension was the most used by ftpuser?

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2 }' | awk -F "." '{print $2}' | sort | uniq -c | sort
Search for successful file upload entries from ftpuser, extract the file extension for those uploads, and then get the frequency count for each unique file extension.

5. What is the username of the other user in this log?

To find other users that might be in this log file, look at what column contains the username field— this is in the 8th column. Use awk to filter all log entries for this field.

cat vsftpd.log | awk '{print $8}' | sort | uniq

6. What IP address did this other user log in from?

cat vsftpd.log | grep jimmy
Search for any entries that include jimmy. One of these lines should include an IP address.

7. How many total bytes did this other user upload?

cat vsftpd.log | grep jimmy | grep 'OK UPLOAD' | awk -F ',' '{print  $3 }' | awk '{s+=$1} END {print s}'
Search for successful file upload entries from jimmy, extract the number of bytes transferred, then sum the bytes.

8. How many total bytes did ftpuser upload?

cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print  $3 }' | awk '{s+=$1} END {print s}'
Search for successful file upload entries from ftpuser, extract the number of bytes transferred, then sum the bytes.

9. How many total bytes did ftpuser download?

cat vsftpd.log | grep ftpuser | grep 'OK DOWNLOAD' | awk -F ',' '{print  $3 }' | awk '{s+=$1} END {print s}'
Search for successful file download entries from ftpuser, extract the number of bytes transferred, then sum the bytes.

10. Identify the IP address of the suspicious login (the login with no subsequent activity)

cat vsftpd.log | grep 'OK LOGIN' | awk -F '"' '{print $2 }' | sort | uniq
Search for all of the successful login attempts, extract the IP address used to log in, then sort and unique the IP addresses to produce a short list for manual inspection.

©️ 2025 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.