Challenge #13 posted – web server intrusion analysis

We’ve posted the 13th challenge in the “Infosec Advent” series. This one is a web server intrusion case where we will ask you to analyze the logs and let us know what you find.

We have a set of web server logs that you can download here. Download and analyze the logs for signs of intrusion. Based only on the web log data (yes, we know that makes it harder), write a narrative that explains what happened.

Is it realistic to have only logs and not an image of the web server filesystem? Unfortunately, the answer is yes. Rendition Infosec worked a case this year where logs were available but the server image was unavailable. We would prefer more data to work with, but in infosec as in life, you have to play what you’ve got.

Please limit your submissions to 1500 words. The best characterization of this web server intrusion will receive a $25 Amazon gift card (subject to contest rules). The winner will be announced 20DEC17.

If you were looking for some Digital Forensics and Incident Response (DFIR) related challenges, here you go. Have fun!

If you don’t already have an account, you can register to play at https://www.infosecadvent.com.