玄机第二章日志分析-apache日志分析

0x01 question

知识

首先我们要知道日志两种

access.log\error.log

当然有备份.1也是正常的

在哪里

1. /var/log/httpd/
2. /var/log/apache/
3. /var/log/apache2/

OK那我们就可以开始了

action

首先进来查找发现是有备份文件的

find / -name "*access.log*" 2>/dev/null

/var/log/apache2/access.log.1
/var/log/apache2/access.log
/var/log/apache2/other_vhosts_access.log

有服务器的小伙伴都知道是类似于这种

206.168.34.214 - - [30/Oct/2024:14:11:08 +0000] "GET / HTTP/1.1" 403 134 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
206.168.34.214 - - [30/Oct/2024:14:11:09 +0000] "PRI * HTTP/2.0" 400 166 "-" "-"

IP+时间+请求头

root@ip-10-0-10-1:~# grep '03/Aug/2023' /var/log/apache2/access.log.1 | awk '{print $1}' | sort | uniq -c | sort -nr | head -n 1
   6555 192.168.200.2

还有就是看所有IP

root@ip-10-0-10-1:~# awk '{print $1}' /var/log/apache2/access.log.1 | uniq -c | sort -n
      1 
      1 ::1
      1 ::1
      1 192.168.200.211
      1 192.168.200.48
      5 192.168.200.38
     12 192.168.200.2
     27 ::1
    539 192.168.200.2
    763 192.168.200.2
   5241 192.168.200.2

查找黑客IP指纹

grep -Ea "192.168.200.2" /var/log/apache2/access.log.1

192.168.200.2 - - [03/Aug/2023:08:46:45 +0000] "GET /id_rsa.pub HTTP/1.1" 404 492 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"

指纹值为这个

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

flag{2d6330f380f44ac20f3a02eed0958f66}

然后查看index.php被访问了多少次

root@ip-10-0-10-1:~# grep -Ea '/index.php' /var/log/apache2/access.log.1 | wc -l
27

wc -l用来统计有多少行

root@ip-10-0-10-1:~# grep -Ea "^192.168.200.2 - -" /var/log/apache2/access.log.1 | wc -l
6555

root@ip-10-0-10-1:~# grep '03/Aug/2023:08:' /var/log/apache2/access.log.1 | awk '{print $1}' | sort | uniq | wc -l
5

0x02 小结

还是命令的使用，多知道了一点常识