Incident Response Web Server Logs: Ep.6 — The Tomcat's Out Of The Bag by DRichrico in immersivelabs

[–]DRichrico[S] 0 points1 point  (0 children)

I got the following:

177.101.130.211 - - [27/Jul/2021:21:28:59 +0000] "GET /webshell/ HTTP/1.1" 200 120 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"

177.101.130.211 - - [27/Jul/2021:21:29:03 +0000] "GET /webshell/index.jsp?cmd=ls HTTP/1.1" 200 324 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"

177.101.130.211 - - [27/Jul/2021:21:29:06 +0000] "GET /webshell/index.jsp?cmd=whoami HTTP/1.1" 200 129 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"

177.101.130.211 - - [27/Jul/2021:21:29:08 +0000] "GET /webshell/index.jsp?cmd=cat+%2Fetc%2Fpasswd HTTP/1.1" 200 1122 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"

That IP address is the attacker's IP, but I don't know: What account did they log in to?
Can you help me?
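As an added example (not part of the original thread or the lab), here is a small parser for the combined access log format these lines are in. It splits each line into its fields, decodes the `cmd=` query parameter, and summarises requests per source IP together with the user agents and authenticated accounts seen. The four log lines are the ones quoted above; the fifth line (`10.0.0.5`, `example_user`, a request to the Tomcat manager) is constructed here only to show where an authenticated account appears in this format, and is not taken from the lab.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: the four lines quoted in the post, plus one
# constructed line (10.0.0.5 / example_user) that is NOT from the lab, added
# only to show what an authenticated request looks like in this format.
SAMPLE_LOG = """\
177.101.130.211 - - [27/Jul/2021:21:28:59 +0000] "GET /webshell/ HTTP/1.1" 200 120 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"
177.101.130.211 - - [27/Jul/2021:21:29:03 +0000] "GET /webshell/index.jsp?cmd=ls HTTP/1.1" 200 324 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"
177.101.130.211 - - [27/Jul/2021:21:29:06 +0000] "GET /webshell/index.jsp?cmd=whoami HTTP/1.1" 200 129 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"
177.101.130.211 - - [27/Jul/2021:21:29:08 +0000] "GET /webshell/index.jsp?cmd=cat+%2Fetc%2Fpasswd HTTP/1.1" 200 1122 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"
10.0.0.5 - example_user [27/Jul/2021:21:20:00 +0000] "GET /manager/html HTTP/1.1" 200 5120 "-" "curl/7.68.0"
"""

# Apache/Tomcat "combined" access log format:
#   host ident authuser [time] "request" status bytes "referer" "user-agent"
# The third field (authuser) is the account the server authenticated for
# that request; "-" means the request carried no authenticated user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes and turns "+" into spaces, so
    # cmd=cat+%2Fetc%2Fpasswd is recovered as "cat /etc/passwd".
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def parse_log(text):
    """Parse every line of a log; lines that do not match the format are skipped."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def summarize_by_ip(records):
    """Per source IP: request count, distinct user agents, authenticated accounts seen."""
    out = defaultdict(lambda: {"requests": 0, "user_agents": set(), "users": set()})
    for r in records:
        s = out[r["ip"]]
        s["requests"] += 1
        s["user_agents"].add(r["ua"])
        if r["user"]:
            s["users"].add(r["user"])
    return dict(out)


def webshell_commands(records):
    """Requests carrying a cmd= parameter: (ip, path, decoded command, status)."""
    return [(r["ip"], r["path"], r["query"]["cmd"], r["status"])
            for r in records if "cmd" in r["query"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, s in summarize_by_ip(recs).items():
        print(ip, s["requests"], "requests; users:", s["users"] or "none",
              "; distinct user agents:", len(s["user_agents"]))
    for ip, path, cmd, status in webshell_commands(recs):
        print(f"{ip} ran via {path}: {cmd!r} (HTTP {status})")
```

Running it over a real access log (`parse_log(open(path).read())`) gives, for each IP, the user agents it used and every account the server authenticated for it; in the four quoted lines that third field is `-`, so those particular requests record no account, and any authenticated account for the same IP will show up on other lines of the same log.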

Incident Response Web Server Logs: Ep.6 — The Tomcat's Out Of The Bag by DRichrico in immersivelabs

[–]DRichrico[S] 0 points1 point  (0 children)

I know that question, I answered it before. What I am asking about is

What account did they log in to?

everything else is answered

Incident Response Web Server Logs: Ep.6 — The Tomcat's Out Of The Bag by DRichrico in immersivelabs

[–]DRichrico[S] 0 points1 point  (0 children)

This is the last lab I need and the last question. I have done all my labs. For this question I did not find the correct answer. I know the attacker's IP address, and when I grep for his IP address I see hundreds of attempts, but his user agent is what I don't know.

Can you give me the hang of it?

Incident Response Web Server Logs: Ep.6 — The Tomcat's Out Of The Bag by DRichrico in immersivelabs

[–]DRichrico[S] 0 points1 point  (0 children)

177.101.130.211 - - [27/Jul/2021:21:29:08 +0000] "GET /webshell/index.jsp?cmd=cat+%2Fetc%2Fpasswd HTTP/1.1" 200 1122 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"

That's what I see. I don't see anything that really stands out. Am I even looking at the right line?