第二章日志分析 - apache日志分析

1

提交当天访问次数最多的IP，即黑客IP

(remote) root@ip-10-0-10-4:/root# cat /var/log/apache2/access.log* | grep "03/Aug/2023:08:" | awk '{print $1}' | sort | uniq -c | sort -nr | head -n 10
192.168.200.2
::1
192.168.200.38
192.168.200.48
192.168.200.211

flag{192.168.200.2}

2

黑客使用的浏览器指纹是什么，提交指纹的md5

提取出来目标地址所有的User-agent

(remote) root@ip-10-0-10-4:/root# cat /var/log/apache2/access.log* | grep "192.168.200.2" | awk -F'"' '{print $6}' | uniq -c
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0
curl/7.74.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

然后计算哈希

flag{2D6330F380F44AC20F3A02EED0958F66}

3

查看index.php页面被访问的次数，提交次数

(remote) root@ip-10-0-10-4:/root# cat /var/log/apache2/access.log* | grep "/index.php" | wc -l 
27

flag{27}

4

查看黑客IP访问了多少次，提交次数

(remote) root@ip-10-0-10-4:/root# cat /var/log/apache2/access.log* | grep "03/Aug/2023:08:" | awk '{print $1}' | grep "192.168.200.2" | sort | uniq -c
   6555 192.168.200.2
      1 192.168.200.211

flag{6555}

5

查看2023年8月03日8时这一个小时内有多少IP访问，提交次数

转换时间

2023年8月03日8时 --> 03/Aug/2023:08

筛选日志

(remote) root@ip-10-0-10-4:/root# cat /var/log/apache2/access.log* | grep "03/Aug/2023:08" | awk '{print $1}' | sort -nr | uniq -c
      1 192.168.200.48
      5 192.168.200.38
      1 192.168.200.211
   6555 192.168.200.2
     29 ::1
(remote) root@ip-10-0-10-4:/root# cat /var/log/apache2/access.log* | grep "03/Aug/2023:08" | awk '{print $1}' | sort -nr | uniq -c | wc -l
5

flag{5}

1​

2​

3​

4​

5​

1

2

3

4

5