These are realistic-looking access log entries. Identify every attack and classify its severity; the answers are in the Notes column.

| Time | IP | Method | Path | Status | Notes |
|---|---|---|---|---|---|
| 2024-11-15 02:14:33 | 185.220.101.45 | POST | /login | 200 | Brute force success — bot UA, odd hour, 200 after many 401s |
| 2024-11-15 02:14:01 | 185.220.101.45 | POST | /login | 401 | Brute force attempt |
| 2024-11-15 02:13:58 | 185.220.101.45 | POST | /login | 401 | Brute force attempt |
| 2024-11-15 09:22:14 | 10.0.1.55 | GET | /admin/users?id=1%27%20OR%201%3D1-- | 500 | SQL injection attempt — encoded ' OR 1=1-- |
| 2024-11-15 11:05:44 | 192.168.1.44 | GET | /download?file=../../../../etc/passwd | 200 | Path traversal SUCCESS — returned /etc/passwd |
| 2024-11-15 14:33:21 | 203.0.113.99 | POST | /upload | 200 | Suspicious upload — check what was uploaded |
| 2024-11-15 14:35:01 | 203.0.113.99 | GET | /uploads/shell.php?cmd=id | 200 | WEBSHELL EXECUTION — RCE confirmed |
| 2024-11-15 15:01:22 | 10.0.1.44 | GET | //etc/passwd | 404 | Nikto scanner — automated recon detected |
| 2024-11-15 15:01:22 | 10.0.1.44 | GET | /phpmyadmin/ | 404 | Nikto scanner |
| 2024-11-15 16:44:03 | 172.16.0.5 | POST | /api/data | 200 | Unusual response size — possible data exfiltration |

```bash
# Field positions assume the combined log format:
#   $1 client IP, $4 [timestamp, $7 request path, $9 status, $10 response bytes
# Find all 4xx/5xx errors (attack indicators), counted per IP
# (the leading quote anchors the match on the status field, not on digits in the path):
grep -E '" (4[0-9]{2}|5[0-9]{2}) ' access.log | awk '{print $1}' | sort | uniq -c | sort -rn
# Find brute force (same IP, many 401s):
awk '$9==401 {print $1}' access.log | sort | uniq -c | sort -rn | head
# Find SQL injection attempts, including URL-encoded forms (%27 = ', %3d = =);
# %3d also appears in legitimate query strings, so review the hits:
grep -iE "union|select|or 1=1|drop table|--|%27|%3d" access.log
# Find path traversal (raw and URL-encoded):
grep -iE '\.\./|etc/passwd|%2e%2e' access.log
# Find scanning tools by user agent:
grep -iE 'nikto|sqlmap|nmap|masscan|zgrab|dirbuster' access.log
# Find large responses (possible data exfiltration; threshold in bytes, tune per site):
awk '$10 > 100000' access.log
# Top attacking IPs:
awk '{print $1}' access.log | sort | uniq -c | sort -rn | head -20
# Timeline of requests from one IP (-F matches the literal address, dots included;
# the sort is lexical, which is fine within one day but not across days):
grep -F "185.220.101.45" access.log | awk '{print $4}' | sort
```
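As an added example that is not part of the original exercise, the following Python script parses combined-format log lines constructed to mirror the table above and applies the same heuristics as the grep/awk commands: repeated 401s on /login followed by a 200, SQL injection and traversal patterns in the URL-decoded path, a webshell hit under /uploads/, scanner user agents, and oversized responses. Each finding gets a severity so the per-IP verdict can be compared with the Notes column. The sample user agents, the brute-force and response-size thresholds, the detection regexes and the severity labels are assumptions, not values from the page.

```python
"""Detection heuristics for combined-format access logs (added example).

Parses constructed log lines that mirror the exercise table and emits
(time, ip, severity, note) findings. Thresholds and signatures are assumed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: same events as the table, with assumed user agents and sizes.
SAMPLE_LOG = """\
185.220.101.45 - - [15/Nov/2024:02:13:58 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
185.220.101.45 - - [15/Nov/2024:02:14:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
185.220.101.45 - - [15/Nov/2024:02:14:33 +0000] "POST /login HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.1.55 - - [15/Nov/2024:09:22:14 +0000] "GET /admin/users?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 731 "-" "Mozilla/5.0"
192.168.1.44 - - [15/Nov/2024:11:05:44 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1893 "-" "curl/8.4.0"
203.0.113.99 - - [15/Nov/2024:14:33:21 +0000] "POST /upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.99 - - [15/Nov/2024:14:35:01 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.1.44 - - [15/Nov/2024:15:01:22 +0000] "GET //etc/passwd HTTP/1.1" 404 233 "-" "Mozilla/5.00 (Nikto/2.1.6)"
172.16.0.5 - - [15/Nov/2024:16:44:03 +0000] "POST /api/data HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
"""

BRUTE_FORCE_MIN_FAILURES = 2        # assumed threshold; tune per site
LARGE_RESPONSE_BYTES = 1_000_000    # assumed threshold for exfiltration alerting
SCANNER_UA = re.compile(r"nikto|sqlmap|nmap|masscan|zgrab|dirbuster", re.I)
SQLI = re.compile(r"'\s*or\s+\d+\s*=\s*\d+|union\s+select|drop\s+table|--\s*$", re.I)
TRAVERSAL = re.compile(r"\.\./|/etc/passwd", re.I)
WEBSHELL = re.compile(r"^/uploads/[^?]*\.php\?.*\bcmd=", re.I)
SEVERITY_RANK = {"MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def parse(text):
    """Parse raw log text into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
            rows.append(d)
    return rows


def detect(rows):
    """Return (time, ip, severity, note) findings in log order."""
    findings = []
    failed_logins = defaultdict(int)  # ip -> 401s seen on /login so far
    for r in rows:
        t, ip, st = r["time"], r["ip"], r["status"]
        decoded = unquote(r["path"])  # normalise %27, %2e%2e etc. before matching
        route = decoded.split("?", 1)[0]

        if r["method"] == "POST" and route == "/login":
            if st == 401:
                failed_logins[ip] += 1
                findings.append((t, ip, "HIGH", "Brute force attempt"))
            elif st == 200 and failed_logins[ip] >= BRUTE_FORCE_MIN_FAILURES:
                findings.append((t, ip, "CRITICAL", "Brute force success"))

        if SQLI.search(decoded):
            findings.append((t, ip, "CRITICAL" if st == 200 else "HIGH", "SQL injection attempt"))

        if WEBSHELL.search(decoded) and st == 200:
            findings.append((t, ip, "CRITICAL", "Webshell execution (RCE)"))
        elif TRAVERSAL.search(decoded):
            ok = st == 200  # a 200 means the file came back, not just an attempt
            findings.append((t, ip, "CRITICAL" if ok else "HIGH",
                             "Path traversal success" if ok else "Path traversal attempt"))

        if r["method"] == "POST" and route == "/upload" and st == 200:
            findings.append((t, ip, "MEDIUM", "Suspicious upload, inspect the stored file"))

        m = SCANNER_UA.search(r["ua"])
        if m:
            findings.append((t, ip, "MEDIUM", f"Automated scanner ({m.group(0).lower()})"))

        if r["bytes"] > LARGE_RESPONSE_BYTES:
            findings.append((t, ip, "MEDIUM", "Possible data exfiltration"))
    return findings


def worst_by_ip(findings):
    """Highest severity seen per source IP, for triage ordering."""
    worst = {}
    for _, ip, sev, _ in findings:
        if SEVERITY_RANK[sev] > SEVERITY_RANK.get(worst.get(ip), 0):
            worst[ip] = sev
    return worst


if __name__ == "__main__":
    for t, ip, sev, note in detect(parse(SAMPLE_LOG)):
        print(f"{t}  {ip:15}  {sev:8}  {note}")
```

The brute-force rule is stateful on purpose: a lone 200 on /login is normal, and only a 200 that follows a run of 401s from the same address becomes a critical finding, which is the "200 after many 401s" reasoning in the Notes column. Matching runs on the URL-decoded path so that `%27` and `%2e%2e` variants hit the same patterns as their literal forms.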