第二章 日志分析 - apache日志分析
1
提交当天访问次数最多的IP,即黑客IP
(remote) root@ip-10-0-10-4:/root# cat /var/log/apache2/access.log* | grep "03/Aug/2023:08:" | awk '{print $1}' | sort | uniq -c | sort -nr | head -n 10
6555 192.168.200.2
29 ::1
5 192.168.200.38
1 192.168.200.48
1 192.168.200.211
flag{192.168.200.2}
2
黑客使用的浏览器指纹是什么,提交指纹的md5
提取出来目标地址所有的User-agent
(remote) root@ip-10-0-10-4:/root# cat /var/log/apache2/access.log* | grep "192.168.200.2" | awk -F'"' '{print $6}' | uniq -c
12 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0
1 curl/7.74.0
6543 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
然后计算哈希
flag{2D6330F380F44AC20F3A02EED0958F66}
3
查看index.php页面被访问的次数,提交次数
(remote) root@ip-10-0-10-4:/root# cat /var/log/apache2/access.log* | grep "/index.php" | wc -l
27
flag{27}
4
查看黑客IP访问了多少次,提交次数
(remote) root@ip-10-0-10-4:/root# cat /var/log/apache2/access.log* | grep "03/Aug/2023:08:" | awk '{print $1}' | grep "192.168.200.2" | sort | uniq -c
6555 192.168.200.2
1 192.168.200.211
flag{6555}
5
查看2023年8月03日8时这一个小时内有多少IP访问,提交次数
转换时间
2023年8月03日8时 --> 03/Aug/2023:08
筛选日志
(remote) root@ip-10-0-10-4:/root# cat /var/log/apache2/access.log* | grep "03/Aug/2023:08" | awk '{print $1}' | sort -nr | uniq -c
1 192.168.200.48
5 192.168.200.38
1 192.168.200.211
6555 192.168.200.2
29 ::1
(remote) root@ip-10-0-10-4:/root# cat /var/log/apache2/access.log* | grep "03/Aug/2023:08" | awk '{print $1}' | sort -nr | uniq -c | wc -l
5
flag{5}