Analyzing log files is generally a tedious task, especially when you are hunting for anomalies without an initial lead or indication of evil. Trying to remove all the legitimate entries while leaving the malicious ones requires not only knowledge of common attacker techniques but also a flexible tool. In this post, we’re going to cover analysis of Apache Tomcat access logs and Catalina logs using the text editor Sublime Text 3 (https://www.sublimetext.com/).
The Scenario
To make things semi-realistic, I’ve deployed Apache Tomcat on Windows Server 2012 with ports 80, 443 and 8080 exposed. For now, we’re not going to deploy any apps such as WordPress, Drupal or Jenkins. In our scenario, the customer (who owns this Tomcat server) has tasked our team with analyzing both the Tomcat access logs and the Catalina logs to help identify some suspicious activity.
In many real-world deployments, web applications sit on their own in a DMZ, behind a load balancer, inside a Docker container or directly connected to the internet, with very little protection such as a Web Application Firewall (WAF). Many applications are not kept up to date, resulting in web application compromises and, often, web shells (more on web shells here).
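Before opening the logs in an editor, it helps to know what the entries look like and which ones are worth a second look. The script below is an added example (not code from the original post) that parses Tomcat access log lines written with the default AccessLogValve "common" pattern (`%h %l %u %t "%r" %s %b`) and flags the kinds of entries that typically precede a web shell: write-capable methods such as PUT, repeated authentication failures against the Manager application, traversal sequences, and any later request to a file that was uploaded earlier in the same log. The sample lines are constructed for the example and are not from the scenario's server; the thresholds and indicator lists are assumptions a practitioner would tune to the environment.

```python
import re
from collections import Counter

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>-|\d+)$'
)

# Assumed indicator lists; extend for the deployment you are reviewing.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "PROPFIND", "MKCOL"}
UPLOAD_EXTS = (".jsp", ".jspx", ".war")
MANAGER_PREFIXES = ("/manager", "/host-manager")

# Constructed sample log (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /examples/ HTTP/1.1" 200 1126
203.0.113.7 - - [10/Oct/2019:13:55:40 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Oct/2019:13:55:41 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Oct/2019:13:55:42 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - admin [10/Oct/2019:13:55:50 +0000] "GET /manager/html HTTP/1.1" 200 19543
203.0.113.7 - - [10/Oct/2019:13:56:10 +0000] "PUT /docs/cmd.jsp HTTP/1.1" 201 -
203.0.113.7 - - [10/Oct/2019:13:56:15 +0000] "GET /docs/cmd.jsp?cmd=whoami HTTP/1.1" 200 312
198.51.100.4 - - [10/Oct/2019:13:57:00 +0000] "GET /../../WEB-INF/web.xml HTTP/1.1" 400 -
198.51.100.4 - - [10/Oct/2019:13:57:30 +0000] "-" 400 -
192.0.2.10 - - [10/Oct/2019:13:58:00 +0000] "GET /index.jsp HTTP/1.1" 200 5410
"""


def parse_line(line):
    """Parse one "common" pattern line; return a dict or None if it does not fit.

    Tomcat writes "-" as the request line for requests it could not parse, so a
    None result is itself worth a look (scanners and malformed probes land here).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["target"].split("?", 1)[0]  # drop the query string
    return entry


def analyze(lines):
    """Walk the log in order and return (flagged, unparsed).

    flagged is a list of (line_number, entry, reasons); unparsed lists the
    line numbers that did not match the expected pattern.
    """
    flagged, unparsed, dropped = [], [], set()
    for n, line in enumerate(lines, 1):
        e = parse_line(line)
        if e is None:
            unparsed.append(n)
            continue
        p = e["path"].lower()
        reasons = []
        if e["method"] in WRITE_METHODS:
            reasons.append("write/WebDAV method %s" % e["method"])
        if p.startswith(MANAGER_PREFIXES) and e["status"] in (401, 403):
            reasons.append("manager auth failure")
        if "../" in p or "%2e%2e" in p:
            reasons.append("traversal sequence")
        if p in dropped:
            reasons.append("request to file uploaded earlier in this log")
        # Remember successful uploads of executable content so later hits are tied back.
        if e["method"] == "PUT" and 200 <= e["status"] < 300 and p.endswith(UPLOAD_EXTS):
            dropped.add(p)
        if reasons:
            flagged.append((n, e, reasons))
    return flagged, unparsed


def manager_failures(lines, threshold=3):
    """Hosts with at least `threshold` 401/403 responses on the Manager apps."""
    counts = Counter()
    for line in lines:
        e = parse_line(line)
        if e and e["path"].lower().startswith(MANAGER_PREFIXES) and e["status"] in (401, 403):
            counts[e["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.strip().splitlines()
    flagged, unparsed = analyze(lines)
    for n, e, reasons in flagged:
        print("line %d %s %s %s %d: %s" % (n, e["host"], e["method"], e["target"], e["status"], "; ".join(reasons)))
    print("unparsed lines:", unparsed)
    print("manager brute-force candidates:", manager_failures(lines))
```

The stateful "uploaded earlier" check is the part a plain grep misses: a PUT of a `.jsp` followed by a GET of the same path with a query string is the classic drop-then-use sequence, and neither line looks alarming on its own. Run the script against a real `localhost_access_log.*.txt` by replacing `SAMPLE_LOG` with the file contents; if the server uses a custom pattern (for example `%{User-Agent}i` appended), adjust `LINE_RE` first, otherwise every line lands in `unparsed`.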
Sublime Text
Sublime Text is a cross-platform text editor that exposes a Python API and supports formatting and syntax highlighting for a variety of programming languages. Sublime also supports third-party plugins; there is a…