trustie_rity
4 min read · Oct 9, 2022

Vault: Linux Incident Response

Tags: Incident Response

Linux Incident Response: you will use the auth.log file for your analysis. The file can be found here: https://github.com/swiftintellect/ctfroom.repo/tree/main/cybercon2022/Linux%20Incident%20Response

1. Use the auth.log file for this analysis. What's the IP with the highest authentication failures count?
For this we need to be smart: the file has many lines, so we can't go through it manually :(
Instead we craft a bash one-liner that looks like this:
➜ linux_IR strings auth.log | grep "Failed password for root from " | grep -v "ssh2]" | uniq -c | awk '{print $12}' | uniq -c | awk '$1 >= 5 {print $2}'
This is what the pipeline does:
a) strings extracts all the printable strings from the auth.log file
b) grep keeps only the lines containing our search string
c) grep with the -v switch drops any line containing "ssh2]", which is how the "message repeated N times: [ ... ssh2]" entries end
d) uniq with the -c switch counts how many times each adjacent identical line occurred
e) awk prints the 12th column, which is the IP address (the count that uniq -c prepended shifted every field right by one)
f) step d is repeated, this time counting adjacent identical IPs
g) an awk condition keeps only the IPs that occurred 5 or more times
Now we have some IPs to try. Answer is 61.177.173.51

2. When was the last time the IP tried to authenticate? Enter the day only as a number, e.g. 1 (25pts)

This should be pretty easy:
➜ linux_IR strings auth.log | grep 61.177.173.51 | tail
answer is 23

3. When was the first time the IP previously identified tried to authenticate? Enter the day only as a number, e.g. 1 (25pts)

This also should be pretty easy:
➜ linux_IR strings auth.log | grep 61.177.173.51 | head
answer is 18

4. Which user was the IP previously identified using to authenticate? (25pts)

This should also be pretty easy:
➜ linux_IR strings auth.log | grep 61.177.173.51 | tail
answer is root

5. The attacker tried to use invalid usernames to log in. Get all the usernames and group them by how often they were used. Enter the third username with the highest count (30pts)

This is a tricky one :(
➜ linux_IR strings auth.log | grep "Failed password for invalid user" | awk '{print $11}' | uniq -c | awk '$1 >= 2 {print $2}' | uniq -u > users.txt
First we grep for the usernames that are tried repeatedly in the log (the 11th column of a "Failed password for invalid user" line is the username) and store them in the file users.txt.
➜ linux_IR strings users.txt | uniq -u | uniq -c
Next we print them according to their frequency of appearance.
The third user is test and that's our answer😍
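As an added example (not the write-up's own commands and not the CTF file), here is a small POSIX shell script that counts failed SSH authentications the way questions 1 and 5 ask for, run over constructed sample lines (the 61.177.173.51 address is from the write-up; the other addresses are documentation ranges). It goes a step beyond the one-liners above: the tally is keyed in awk so non-adjacent entries from the same source are merged without relying on uniq, and "message repeated N times" entries count as N failures instead of being dropped.

```shell
#!/bin/sh
# Constructed sample auth.log lines (not the CTF file). Line 2 is the syslog
# "message repeated N times" form that the write-up's grep -v "ssh2]" discards.
SAMPLE_LOG='Oct 18 10:00:01 host sshd[1234]: Failed password for root from 61.177.173.51 port 40000 ssh2
Oct 18 10:00:03 host sshd[1234]: message repeated 3 times: [ Failed password for root from 61.177.173.51 port 40000 ssh2]
Oct 18 10:00:05 host sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2
Oct 18 10:00:09 host sshd[1241]: Failed password for root from 61.177.173.51 port 40010 ssh2
Oct 18 10:00:11 host sshd[1242]: Failed password for invalid user test from 198.51.100.7 port 41002 ssh2
Oct 18 10:00:13 host sshd[1243]: Failed password for root from 198.51.100.7 port 41004 ssh2
Oct 18 10:00:17 host sshd[1244]: Failed password for invalid user test from 61.177.173.51 port 40020 ssh2
Oct 18 10:00:21 host sshd[1245]: Accepted password for root from 203.0.113.9 port 42000 ssh2'

# count_failures KEYWORD: read auth.log lines on stdin and print "count value",
# highest first, where value is the field that follows KEYWORD ("from" gives the
# source IP, "user" gives the attempted username). "message repeated N times"
# entries add N instead of being dropped, and the tally is keyed in awk so
# non-adjacent lines from the same source are merged (no reliance on uniq).
count_failures() {
    awk -v key="$1" '
        /Failed password for/ {
            n = 1
            if (match($0, /message repeated [0-9]+ times/)) {
                split(substr($0, RSTART, RLENGTH), w, " ")
                n = w[3] + 0
            }
            for (i = 1; i < NF; i++) if ($i == key) { tally[$(i + 1)] += n; break }
        }
        END { for (v in tally) print tally[v], v }
    ' | sort -rn
}

# Question 1: the source IP with the most failed authentications.
top_failed_ip() {
    printf '%s\n' "$SAMPLE_LOG" | count_failures from | awk 'NR == 1 { print $2 }'
}

# Question 5: attempted invalid usernames ranked by how often they were tried.
invalid_users_ranked() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'invalid user' | count_failures user
}

printf 'Failed logins per source IP:\n'
printf '%s\n' "$SAMPLE_LOG" | count_failures from
printf 'Invalid usernames by count:\n'
invalid_users_ranked
```

To run it against a real file, replace the printf of SAMPLE_LOG with `strings auth.log` or `cat auth.log`.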

6. Which IP managed to successfully log in via SSH?

➜ linux_IR strings auth.log | grep "Accepted password for"
answer is 197.237.16.210

7. Just before the successful login, which was the IP with the failed login? (30pts)

Well, we can print some lines before the successful login, right?🌚
➜ linux_IR strings auth.log | grep -B 2 "Accepted password for"
answer is 61.177.172.98

8. Based on the IP previously identified, which country is it originating from? (30pts)

This one is easy: we can use the whois utility on the IP.
We can see it's from CHINA.

Thank you for your time :)

Written by trustie_rity

Offensive Penetration Tester | M4lici0s Lif3 | Find video walkthroughs on my yt channel: https://www.youtube.com/@trustie_rity https://johnkiguru1337.github.io/