Prompt
Analyze a VSFTPD log file that we obtained.
Walk-Through
This challenge involves analyzing the log file of a VSFTPD server. The questions can be solved through manual inspection of the file and by using basic Linux commands to parse the log.
VSFTPD stands for "Very Secure FTP Daemon" and is used on Linux servers to give users a secure way to upload and download files. This type of server is deployed for different purposes, but the logs created from its use convey similar information: timestamps, process IDs (PID), event types, client IP addresses, and usernames.
To find the IP address of a specific user, use grep as shown:
cat vsftpd.log | grep ftpuser
The actions performed by ftpuser (such as making directories) can be isolated by filtering the output of the previous command again and using the head command to see the first result:
cat vsftpd.log | grep ftpuser | grep -i mkdir | head -n 1
The same can be done with tail to see actions performed by the user at a later time:
cat vsftpd.log | grep ftpuser | grep -i mkdir | tail -n 1
To determine what file type was most commonly uploaded, first use grep to get an idea of what the upload entries look like. This will help determine how to structure a command that filters the log down so that only file extensions are output.
cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD'
As shown below, the file path where the file was uploaded contains the file extension. A comma follows the file path, and this comma can be used as a custom delimiter with the awk command. Using awk, the specific column of data segmented by the commas can be printed; the second column holds the file path with the file extension.
To use a custom delimiter with awk, use the -F option and enter the keyboard character you want to use as the delimiter between two single quotes, as follows:
cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2}' | head
Now let's isolate the file extension using the period as the delimiter. The output needed comes after the period, so be sure to tell awk to print the second field ($2):
cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2}' | awk -F '.' '{print $2}' | head
From here, all that's needed is to count the unique file types and sort the counts numerically using the following command:
cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2}' | awk -F '.' '{print $2}' | sort | uniq -c | sort -n
(The extension could also be extracted in a single step with awk or cut, but this was not shown for brevity.)
To find other users that might be in this log file, look at which column contains the username field: it is the 8th column. Use awk to print this field for all log entries. Be sure to pipe the result through sort and uniq so you can more easily see how many different users are in the log file.
cat vsftpd.log | awk '{print $8}' | sort | uniq
Enter another command using grep to find the IP address for this user.
To determine how many bytes were uploaded or downloaded by a particular user, let's grep for the desired user, grep again for 'OK UPLOAD' or 'OK DOWNLOAD' depending on which direction we're interested in, and then use the commas as a delimiter to see the file size.
Those are just the bytes for each individual file, not the total. awk can be used to get the total bytes using this command: awk '{s+=$1} END {print s}'. This takes the value of the first column ($1) and adds it to the variable s, creating a running total across each line of the log. When the log file ends (END), awk prints the value of s, the sum of the bytes.
cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $3}' | awk '{s+=$1} END {print s}'
To identify the IP address associated with a suspicious login, or logins without any other activity, let's grep for successful logins and then pull out the field containing the IP address. Because the client IP is the first double-quoted value on the line, the double quote works as the delimiter:
cat vsftpd.log | grep 'OK LOGIN' | awk -F '"' '{print $2}' | sort | uniq
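The pipelines above, wrapped in functions and run over a small constructed vsftpd.log (this is an added example, not part of the original walkthrough; the sample log lines follow vsftpd's standard log layout but the users, IPs, paths and sizes are made up). The last function goes one step further than the page and lists only those login IPs that never appear in any other entry:

```shell
#!/usr/bin/env bash
# Added example, not part of the original walkthrough. The log below is a
# CONSTRUCTED sample in vsftpd's log line layout; all values are made up.
set -eu
LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Tue Sep 14 09:01:10 2021 [pid 2] [ftpuser] OK LOGIN: Client "10.0.0.5"
Tue Sep 14 09:01:20 2021 [pid 3] [ftpuser] OK MKDIR: Client "10.0.0.5", "/home/ftpuser/docs"
Tue Sep 14 09:02:00 2021 [pid 3] [ftpuser] OK UPLOAD: Client "10.0.0.5", "/home/ftpuser/docs/a.pdf", 2048 bytes, 50.00Kbyte/sec
Tue Sep 14 09:02:30 2021 [pid 3] [ftpuser] OK UPLOAD: Client "10.0.0.5", "/home/ftpuser/docs/b.pdf", 1024 bytes, 50.00Kbyte/sec
Tue Sep 14 09:03:00 2021 [pid 3] [ftpuser] OK UPLOAD: Client "10.0.0.5", "/home/ftpuser/docs/c.txt", 512 bytes, 50.00Kbyte/sec
Tue Sep 14 09:04:00 2021 [pid 3] [ftpuser] OK DOWNLOAD: Client "10.0.0.5", "/home/ftpuser/docs/a.pdf", 2048 bytes, 50.00Kbyte/sec
Tue Sep 14 09:05:00 2021 [pid 3] [ftpuser] OK MKDIR: Client "10.0.0.5", "/home/ftpuser/archive"
Tue Sep 14 10:00:00 2021 [pid 5] [jimmy] OK LOGIN: Client "10.0.0.9"
Tue Sep 14 10:00:30 2021 [pid 6] [jimmy] OK UPLOAD: Client "10.0.0.9", "/home/jimmy/notes.txt", 300 bytes, 10.00Kbyte/sec
Tue Sep 14 23:59:00 2021 [pid 8] [ftpuser] OK LOGIN: Client "203.0.113.77"
EOF

# Matching "[user]" (field 8 with its brackets) instead of a bare "user" avoids
# hitting file paths that happen to contain the username.
# Q1/Q6: first client IP a user logged in from; with -F '"' the IP is field 2.
login_ip() { grep "\[$1\]" "$LOG" | grep 'OK LOGIN' | head -n 1 | awk -F '"' '{print $2}'; }
# Q2/Q3: first (head) or last (tail) directory a user created; the path is the 2nd quoted value.
dir_created() { grep "\[$1\]" "$LOG" | grep -i mkdir | "$2" -n 1 | awk -F '"' '{print $4}'; }
# Q4: most-used upload extension. $NF instead of $2 survives paths with several dots,
# the trailing quote is stripped, and sort -n orders the uniq -c counts numerically.
top_ext() {
  grep "\[$1\]" "$LOG" | grep 'OK UPLOAD' | awk -F ',' '{print $2}' | tr -d '"' |
    awk -F '.' '{print $NF}' | sort | uniq -c | sort -n | tail -n 1 | awk '{print $2}'
}
# Q5: distinct usernames; field 8 is "[user]", so the brackets are removed.
users() { awk '{print $8}' "$LOG" | tr -d '[]' | sort -u; }
# Q7-Q9: total bytes per user and direction (UPLOAD or DOWNLOAD); comma field 3 is "N bytes".
total_bytes() {
  grep "\[$1\]" "$LOG" | grep "OK $2" | awk -F ',' '{print $3}' | awk '{s+=$1} END {print s+0}'
}
# Q10: client IPs that appear in an OK LOGIN line but in no other line of the log.
lonely_logins() {
  awk -F '"' '/OK LOGIN/ {login[$2]=1} !/OK LOGIN/ && /Client "/ {active[$2]=1}
    END {for (ip in login) if (!(ip in active)) print ip}' "$LOG" | sort
}

printf 'ftpuser: first login %s, top extension %s, uploaded %s bytes\n' \
  "$(login_ip ftpuser)" "$(top_ext ftpuser)" "$(total_bytes ftpuser UPLOAD)"
printf 'logins with no other activity: %s\n' "$(lonely_logins)"
```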
Questions
1. What IP address did "ftpuser" first log in from?
cat vsftpd.log | grep ftpuser
2. What is the first directory that ftpuser created?
cat vsftpd.log | grep ftpuser | grep -i mkdir | head -n 1
This shows the ftpuser account running the mkdir command.
3. What is the last directory that ftpuser created?
cat vsftpd.log | grep ftpuser | grep -i mkdir | tail -n 1
This shows the ftpuser account running the mkdir command.
4. What file extension was the most used by ftpuser?
cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $2}' | awk -F '.' '{print $2}' | sort | uniq -c | sort -n
5. What is the username of the other user in this log?
To find other users that might be in this log file, look at which column contains the username field: it is the 8th column. Use awk to print this field for all log entries.
cat vsftpd.log | awk '{print $8}' | sort | uniq
6. What IP address did this other user log in from?
cat vsftpd.log | grep jimmy
7. How many total bytes did this other user upload?
cat vsftpd.log | grep jimmy | grep 'OK UPLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}'
8. How many total bytes did ftpuser upload?
cat vsftpd.log | grep ftpuser | grep 'OK UPLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}'
9. How many total bytes did ftpuser download?
cat vsftpd.log | grep ftpuser | grep 'OK DOWNLOAD' | awk -F ',' '{print $3 }' | awk '{s+=$1} END {print s}'
10. Identify the IP address of the suspicious login (the login with no subsequent activity)
cat vsftpd.log | grep 'OK LOGIN' | awk -F '"' '{print $2 }' | sort | uniq
©️ 2025 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.