Forensic Investigation Report: Operation 'Hammered' — Linux Log Analysis
Platform: CyberDefenders
Challenge: Hammered
Category: Endpoint Forensics / Log Analysis
Difficulty: Medium
Tools: Linux CLI (grep,awk,sed,sort,uniq)
Achievement: Proof of Completion
1. Executive Summary
A Linux web server acting as a honeypot was compromised via a brute-force attack targeting the SSH service. The attacker, operating primarily from IP 219.150.161.20, successfully compromised the root account due to weak passwords and a critical database misconfiguration.
Post-compromise, the attacker established persistence by creating a backdoor account (wind3str0y), modified firewall rules (iptables) to restrict or hide access, and utilized the compromised host to launch network scans (nmap) against external targets.
2. Artifact Overview: Understanding Linux Logs
Before detailed analysis, it is crucial to map the evidence files to their function.
| Log File | Primary Function | Forensic Value in this Case |
|---|---|---|
auth.log | Authorization & Security | Critical. Records successful/failed logins (SSH, su, sudo). Used to detect brute force and user creation. |
apache2/access.log | Web Server Traffic | High. Records HTTP requests. Used to identify the attacker’s C2 proxy tool (pxyscand). |
dpkg.log | Package Manager | Medium. Logs software installation. Revealed the installation of nmap. |
dmesg | Kernel Ring Buffer | Low/Medium. Records boot messages. Used to fingerprint the OS version and kernel build. |
daemon.log | Background Services | High. Records service messages. Revealed the critical MySQL “root no password” warning. |
3. Cyber Kill Chain Mapping
Applying the Lockheed Martin Cyber Kill Chain framework allows us to map the attacker’s actions to specific phases of the intrusion lifecycle.
| Phase | Description | Evidence in “Hammered” Scenario |
|---|---|---|
| 1. Reconnaissance | Identifying targets and vulnerabilities. | - Port Scanning: Attacker identified Open Port 22 (SSH). - OS Fingerprinting (Q2): Target identified as outdated Ubuntu (Kernel 2.6). |
| 2. Weaponization | Creating an exploit or payload. | Use of an automated Brute Force tool (e.g., Hydra) configured with a password wordlist. |
| 3. Delivery | Sending the weaponized payload. | Millions of login attempts sent to the SSH daemon, recorded in auth.log. |
| 4. Exploitation | Triggering the vulnerability. | Credential Stuffing Success. The attacker successfully guessed the root password.Timestamp: Apr 19 05:56:05 |
| 5. Installation | Installing malware/tools. | - Installation of Nmap (via dpkg.log).- Deployment of pxyscand proxy tool. |
| 6. C2 | Command & Control. | Interactive SSH session established. The pxyscand User-Agent suggests the server was controlled as a proxy bot. |
| 7. Actions on Objectives | Achieving the goal. | - Persistence: Created backdoor user wind3str0y.- Defense Evasion: Added 6 iptables rules.- Lateral Movement: Used the victim to scan other networks. |
4. Investigation Phases & Methodology
Phase I: Environmental Context (Reconnaissance)
Objective: Identify the victim system details.
Q2: Operating System Version
We analyzed dmesg (boot logs) to fingerprint the system.
1
head -n 10 dmesg
Finding: The kernel banner explicitly states: Linux version 2.6.24-26-server ... (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3)).
- Significance: An outdated kernel (2.6.x) suggests the system is vulnerable to local privilege escalation exploits.
Phase II: Initial Access (Delivery & Exploitation)
Objective: Determine how the attacker got in.
Q1: Attack Vector Identification
The auth.log file size (9.9MB) indicated a massive volume of logs. We checked the first few lines:
1
2
head -n 5 auth.log
# Output: sshd[...] Failed password for...
Finding: The service targeted was SSH.
Q3, Q4, Q5: Attacker Attribution
We filtered logs to find successful logins (Accepted) among the failures.
1
grep "Accepted password for root" auth.log | awk '{print $11}' | sort | uniq -c | sort -nr
- Command Explanation:
grep: Filters for successful root logins.awk '{print $11}': Extracts the IP address column.sort | uniq -c: Counts unique occurrences.sort -nr: Sorts by frequency (highest first).
Findings:
- Compromised Account:
root - Primary Attacker: IP
219.150.161.20(Highest login count). - Total Attackers: 6 unique external IPs successfully brute-forced the system.
Q9: Breach Timestamp
To pinpoint the exact time of the successful breach by the primary attacker:
1
grep "Accepted" auth.log | grep "219.150.161.20" | tail -n 1
Finding: 04/19/2010 05:56:05 AM (Year 2010 derived from file metadata).
Phase III: Post-Exploitation (Actions on Objectives)
Objective: Analyze the attacker’s activity on the system.
Q8: Tool Installation
We checked dpkg.log to see if software was installed via the package manager.
1
grep "install" dpkg.log
Finding: The attacker installed nmap (Network Mapper). This indicates they intended to use the compromised server to scan and attack other systems.
Q11: Persistence (Backdoor)
We checked for user creation events to see if the attacker left a way to get back in.
1
grep "new user" auth.log
Finding: On Apr 26 04:43:15, a user named wind3str0y was created. The name is a clear Indicator of Compromise (IOC).
Q7: Defense Evasion (Firewall)
We checked for changes to iptables rules.
1
grep "iptables" auth.log | grep "\-A"
- Command Explanation: The
-Aflag in iptables appends a new rule. Finding: 6 new rules were added to the firewall.
Q6 & Q12: Web Proxy Activity
We analyzed the web server logs (apache2/access.log) for suspicious User-Agents.
1
awk -F'"' '{print $6}' apache2/access.log | sort | uniq -c
Finding: A User-Agent named “pxyscand/2.1” was found. This is a proxy scanning tool, confirming the server was used as a proxy.
Phase IV: Root Cause Analysis
Objective: Identify the underlying security failure.
Q10: Critical Vulnerability
We searched system logs for warnings.
1
grep -r -i "warning" .
Finding: daemon.log contained a critical alert:
WARNING: mysql.user contains 2 root accounts without password!
This misconfiguration allowed unauthenticated administrative access to the database.
5. Reconstructed Attack Timeline
Based on the forensic artifacts, we can reconstruct the precise sequence of events:
| Date (2010) | Time (UTC) | Kill Chain Phase | Activity Description |
|---|---|---|---|
| Pre-incident | N/A | Reconnaissance | System exists with critical MySQL misconfiguration (Root:No Pass). |
| Apr 19 | 05:56:05 | Exploitation | Attacker 219.150.161.20 successfully brute-forces SSH root account. |
| Apr 24 | 20:03:06 | Actions on Obj. | Attacker begins modifying firewall rules (iptables -A). |
| Apr 26 | 04:43:15 | Persistence | Attacker creates backdoor account wind3str0y. |
| Apr 28 | Various | Actions on Obj. | Logs show activity from pxyscand user agent (Proxy scanning). |
| May 03 | N/A | Investigation | Logs are captured (ls -lh timestamp shows file dates). |
6. Conclusion
The “Hammered” investigation reveals a textbook example of a Brute Force compromise leading to full system takeover. The attacker moved systematically through the Kill Chain: identifying the open SSH port, weaponizing a password guesser, exploiting the root account, and finally establishing persistence via a backdoor user and firewall rules.
Key Takeaways for the SOC:
- Log Volume as an Indicator: The 9.9MB
auth.logwas the first sign of trouble. SOC analysts should alert on abnormal log growth. - Context is King: Identifying the “false positive” users vs. the real attackers (Q4) required correlating successful logins with prior failed attempts.
- Hardening is Essential: This entire incident could have been prevented by disabling SSH password authentication and setting a database password.
Analysis Date: December 13, 2025
Analyst: El OMARI Zakaria