1. Introduction
Someone has hacked your company and you expect to find the hacker within the company. All you know is that the hacker is using a yahoo email account to write emails. Your system administrator gave you an access.log from the squid proxy your company is using. You are asked to take a look at it and hopefully find a suspect. You can find the access.log from the RESOURCES.
Your task is to
- Find the IP address of someone with suspicious behavior.
- Report on what exactly the user did. Provide as many details as possible about the suspect’s browser and operating system.
We expect the following information in your solution. Please be as complete as possible to receive maximum points:
- What is the IP address of the suspect?
- Which sites has he visited?
- Which OS and browser has he been using?
2. Answers and solution
For my analysis I use an online tool, which looks pretty cool and handy for log analysis.
https://cloudvyzor.com/
Just upload the squid log file and start with my first query.
From the description we know that the attacker is using a yahoo based e-mail address.
Search term:
login.yahoo.com:443

We get 3 IP Addresses:
- 192.168.200.20 (Windows NT 6.1; WOW64; rv:2.0.1) –> Win7 / Firefox 4.0
- 192.168.200.22 (X11; Linux i686; rv:7.0.1) –> Linux / Firefox 7.0
- 192.168.200.50 (Macintosh; Intel Mac OS X 10.7; rv:7.0.1) –> Mac OSX 10.7 / Firefox 7.0
The following tool may be helpful to parse the user agent:
https://user-agents.net/parser
Next I’ll set a filter for each IP address:
192.168.200.20 http

URLs can then be checked manually or extracted with CyberChef:
Extract_URLs(true)
Unique('Line feed')
Extract_domains(true)
Unique('Line feed')
Still some false entries, but a much better overview than before!
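The same triage done in code rather than by hand, as an added example that is not part of the original writeup: parse the proxy log, list the client IPs (with their User-Agent strings) that touched the Yahoo login host, then list the unique domains each IP contacted, mirroring the Extract_domains + Unique steps. It assumes the access.log is in Squid's "combined" format (client IP, ident, user, time, request, status, size, referer, user agent), since the writeup reads User-Agent values from it; the sample lines are constructed, not taken from the challenge file.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid "combined" log format (assumption: the challenge log uses it, as it carries a User-Agent).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: HTTP/\S+)?" (?P<status>\d+) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None  # None for lines that do not fit the format

def host_of(method, url):
    # CONNECT (HTTPS tunnels) logs "host:port"; other methods log a full URL.
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def yahoo_login_clients(lines, needle="login.yahoo.com:443"):
    """Map client IP -> sorted User-Agent strings for requests whose URL contains the search term."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and needle in rec["url"]:
            out[rec["ip"]].add(rec["ua"])
    return {ip: sorted(uas) for ip, uas in out.items()}

def domains_for_ip(lines, ip):
    """Unique domains contacted by one client IP (the Extract_domains + Unique step)."""
    hosts = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] == ip:
            hosts.add(host_of(rec["method"], rec["url"]))
    return sorted(hosts)

# Constructed sample log lines (not from the challenge file); UA platform strings follow the writeup.
SAMPLE_LOG = """\
192.168.200.20 - - [11/Oct/2011:09:01:12 +0200] "CONNECT login.yahoo.com:443 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" TCP_MISS:DIRECT
192.168.200.20 - - [11/Oct/2011:09:02:40 +0200] "GET http://www.example.com/news HTTP/1.1" 200 9320 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" TCP_MISS:DIRECT
192.168.200.50 - - [11/Oct/2011:09:05:03 +0200] "CONNECT login.yahoo.com:443 HTTP/1.1" 200 6100 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:7.0.1) Gecko/20100101 Firefox/7.0.1" TCP_MISS:DIRECT
192.168.200.50 - - [11/Oct/2011:09:06:15 +0200] "GET http://mail.yahoo.com/ HTTP/1.1" 200 7020 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:7.0.1) Gecko/20100101 Firefox/7.0.1" TCP_MISS:DIRECT
192.168.200.31 - - [11/Oct/2011:09:07:00 +0200] "GET http://www.example.org/ HTTP/1.1" 200 1500 "-" "Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1" TCP_MISS:DIRECT
""".strip().splitlines()
```

Run it on the real file with `domains_for_ip(open("access.log").read().splitlines(), ip)`; lines that do not match the format are skipped rather than mis-parsed, so check `parse_line` on a few lines first if the log uses a different Squid logformat.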


Result: Nothing suspicious found
I’ll do the same steps for the other two IP addresses
192.168.200.22 http
Result: Nothing suspicious found
192.168.200.50 http

Result: Suspicious URLs found: