Tags: iis grep logs awk access 

## 3 - Backup Policy

> So it looks like the attacker scanned our site for old backups right? Did he get one?

Filtering the log on the attack timestamp and excluding every line with the 404 (Not Found) response code:

```bash
$ grep "2021-08-03 08:55" more.log | grep -v 404
2021-08-03 08:55:00 45.85.1.176 GET 8-es2015.9f210c2bd083cdacb0ee.js - 443 - 109.70.150.227 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - 200 0 0 22
2021-08-03 08:55:00 45.85.1.176 GET dovercon/speakers-edition-2021 - 443 - 109.70.150.227 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - 200 0 0 26
2021-08-03 08:55:00 45.85.1.176 GET backup.zip - 443 - 200.13.84.124 Mozilla/5.0+(Windows+NT+5.1;+RE97czNjcjN0X19fYWdlbnR9;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/60.0.3112.90+Safari/537.36 - 200 0 0 25
2021-08-03 08:55:29 45.85.1.176 GET runtime-es5.43df09c2199138dc23a5.js - 443 - 109.70.150.227 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) https://digitaloverdose.tech/dovercon/speakers-edition-2021 200 0 0 22
2021-08-03 08:55:29 45.85.1.176 GET assets/images/ctf/2021-01/offsec-logo.svg - 443 - 109.70.150.227 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) https://digitaloverdose.tech/dovercon/speakers-edition-2021 200 0 0 27
2021-08-03 08:55:29 45.85.1.176 GET polyfills-es5.9fba121277a252cdf0fa.js - 443 - 109.70.150.227 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) https://digitaloverdose.tech/dovercon/speakers-edition-2021 200 0 0 20
2021-08-03 08:55:29 45.85.1.176 GET dovercon/speakers-edition-2021 - 443 - 109.70.150.227 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) https://digitaloverdose.tech/dovercon/speakers-edition-2021 200 0 0 21
2021-08-03 08:55:39 45.85.1.176 GET assets/images/ctf/2021-01/offsec-logo.svg - 443 - 109.70.150.227 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) https://digitaloverdose.tech/dovercon/speakers-edition-2021 200 0 0 20
2021-08-03 08:55:39 45.85.1.176 GET polyfills-es2015.891d5b00ef96a8ae9449.js - 443 - 109.70.150.227 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) https://digitaloverdose.tech/dovercon/speakers-edition-2021 200 0 0 30
2021-08-03 08:55:39 45.85.1.176 GET polyfills-es2015.891d5b00ef96a8ae9449.js - 443 - 109.70.150.227 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) https://digitaloverdose.tech/dovercon/speakers-edition-2021 200 0 0 25
2021-08-03 08:55:39 45.85.1.176 GET dovercon/schedule-edition-2021 - 443 - 109.70.150.227 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) https://digitaloverdose.tech/dovercon/speakers-edition-2021 200 0 0 25
$ echo "RE97czNjcjN0X19fYWdlbnR9" | base64 -d
DO{s3cr3t___agent}
```
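The two greps above answer the question by eye: `backup.zip` was served with status 200 to 200.13.84.124, and the base64 token embedded in that request's User-Agent decodes to the flag. The script below is an added example (not part of the original writeup) that does the same analysis programmatically over the standard IIS W3C field order, which matches the 15 columns of the log above: it keeps only lines in the time window, drops 404s, flags successful responses for backup-style filenames, and decodes any base64-looking token in the User-Agent. The sample input reuses three lines from the log above plus two constructed lines (a 404 probe and an out-of-window hit) to exercise the filters; the `BACKUP_PATTERN` list of suspicious filenames is an assumption of this example.

```python
"""Triage IIS access logs for successfully served backup archives and
base64 tokens hidden in the User-Agent (added example, not from the writeup)."""
import base64
import binascii
import re

# Default IIS W3C field order; it matches the 15 columns seen in the log.
FIELDS = ("date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
          "username", "c_ip", "user_agent", "referer", "status", "substatus",
          "win32_status", "time_taken")

# Assumed list of names a web root should never serve with a 200.
BACKUP_PATTERN = re.compile(r"(backup|\.bak$|\.zip$|\.tar\.gz$|\.sql$|\.old$)", re.I)
# Runs of base64 alphabet long enough to be worth a decode attempt.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{16,}")

MSIE_UA = "Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)"
CHROME_UA = ("Mozilla/5.0+(Windows+NT+5.1;+RE97czNjcjN0X19fYWdlbnR9;+x64)"
             "+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/60.0.3112.90+Safari/537.36")

SAMPLE_LOG = [
    # Three lines taken from the log above.
    f"2021-08-03 08:55:00 45.85.1.176 GET 8-es2015.9f210c2bd083cdacb0ee.js - 443 - 109.70.150.227 {MSIE_UA} - 200 0 0 22",
    f"2021-08-03 08:55:00 45.85.1.176 GET backup.zip - 443 - 200.13.84.124 {CHROME_UA} - 200 0 0 25",
    f"2021-08-03 08:55:29 45.85.1.176 GET runtime-es5.43df09c2199138dc23a5.js - 443 - 109.70.150.227 {MSIE_UA} https://digitaloverdose.tech/dovercon/speakers-edition-2021 200 0 0 22",
    # Constructed: a guessed name that did not exist (404) and a hit outside the window.
    f"2021-08-03 08:55:00 45.85.1.176 GET backup.tar.gz - 443 - 200.13.84.124 {CHROME_UA} - 404 0 2 3",
    f"2021-08-02 23:10:05 45.85.1.176 GET backup.zip - 443 - 203.0.113.9 {MSIE_UA} - 200 0 0 19",
]


def parse_iis_line(line):
    """Split one W3C log line into a dict; skip '#' directives and short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def successful_backup_requests(lines, window_prefix):
    """Programmatic version of `grep "<window>" log | grep -v 404`,
    narrowed further to backup-style filenames."""
    hits = []
    for line in lines:
        e = parse_iis_line(line)
        if e is None:
            continue
        if not f"{e['date']} {e['time']}".startswith(window_prefix):
            continue
        if e["status"] == "404":
            continue
        if BACKUP_PATTERN.search(e["uri_stem"]):
            hits.append(e)
    return hits


def decode_base64_tokens(user_agent):
    """Return every base64 token in the UA that decodes to printable ASCII."""
    found = []
    for token in B64_TOKEN.findall(user_agent):
        # IIS writes spaces as '+', which is also a base64 character, so a
        # token can carry a stray leading/trailing '+'; try both forms.
        candidates = [token]
        stripped = token.strip("+")
        if stripped != token:
            candidates.append(stripped)
        for cand in candidates:
            if len(cand) < 16 or len(cand) % 4:
                continue
            try:
                raw = base64.b64decode(cand, validate=True)
            except binascii.Error:
                continue
            if raw and all(32 <= b < 127 for b in raw):
                found.append(raw.decode("ascii"))
                break
    return found


if __name__ == "__main__":
    for hit in successful_backup_requests(SAMPLE_LOG, "2021-08-03 08:55"):
        print(hit["c_ip"], hit["uri_stem"], hit["status"],
              decode_base64_tokens(hit["user_agent"]))
```

The printable-ASCII check is what keeps ordinary UA fragments such as `+AppleWebKit/537` (16 base64-alphabet characters) from being reported; it decodes, but to bytes outside the printable range.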

Original writeup (https://scavengersecurity.com/posts/digitaloverdose-loganalysis/#3---backup-policy).