Brains
Brains
Brains
🔍 Initial Reconnaissance
💻 First, I navigated to the web interface:
1
source="/var/log/auth.log" useradd "new user”
🕵️ Analyzing the Logs
📌 For this step, I had to dig a bit deeper:
💡 I filtered using the same time the attack occurred:
⚡ It looks like datacollector is the one:
7/4/24
10:32:37.000 PM
1
source="/opt/teamcity/TeamCity/logs/teamcity-activities.log" "plugin”
🏁 Finding the Plugin Activity
🔌 I used the same method. I think the next string is also a search query, although I have never used Splunk before:
| 7/4/2410:08:31.921 PM | [2024-07-04 22:08:31,921] INFO - s.buildServer.ACTIVITIES.AUDIT - plugin_uploaded: Plugin “AyzzbuXY” was updated by “user with id=11” with comment “Plugin was uploaded to /home/ubuntu/.BuildServer/plugins/AyzzbuXY.zip” |
This post is licensed under CC BY 4.0 by the author.















