
The log file shows me that a user is running a program called 'Hydra', which is a password cracking tool for attacking network protocols.

Log File

172.16.2.136 - - [05/Feb/2013:00:36:00 +0000] "GET /login.php?username=jsmith&password=EEZ HTTP/1.0" 302 490 "-" "Mozilla/5.0 (Hydra)"

From reading the log file I can see that they are running a login script, which is trying multiple passwords for a user account. I think the network protocol they are trying to break into is 'HTTP/1.0', but I don't understand what `302 490 "-"` is. Could anyone explain this to me please?

Daniel

1 Answer

First important thing is to understand the format of the log line. There is documentation for that thing:

You use a non-default format, which looks like this:

NCSA extended/combined log format

"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""

Then at the start of the page you can see the description of all the formatting characters; you are interested in these:

%s Status. For requests that have been internally redirected, this is the status of the original request. Use %>s for the final status.

%b Size of response in bytes, excluding HTTP headers. In CLF format, i.e. a '-' rather than a 0 when no bytes are sent.

%{Referer}i is probably self-descriptive.

And to answer your original question:

What attack Method is being used in this log file?

The attacker is running a simple brute-force attack, but probably on some very poorly written login form that sends login information using the GET method.

The HTTP response status code 302 Found is a common way of performing URL redirection. [Wikipedia]

Jakuje
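As an added example (not part of the question or the answer above), the following Python parses lines in the combined format quoted in the answer, pulls the username/password pair out of the GET query string, and flags a client that either announces "Hydra" in its User-Agent or makes repeated password guesses against one account. The sample log lines are constructed for this example; only the first is the one from the question.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Regex for the NCSA combined format from the answer:
# "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
COMBINED_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse_combined(line):
    """Split one combined-format line into its fields; None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])            # %>s, e.g. 302
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b, '-' means 0
    method, _, rest = rec["request"].partition(" ")  # %r = "METHOD path PROTO"
    path, _, proto = rest.rpartition(" ")
    rec["method"], rec["path"], rec["proto"] = method, path, proto
    rec["query"] = parse_qs(urlsplit(path).query)  # credentials leak into the query string
    return rec

def login_attempts(lines):
    """Count password guesses per (client, username) sent via GET to the login form."""
    counts = Counter()
    for line in lines:
        rec = parse_combined(line)
        if rec and rec["method"] == "GET" and "password" in rec["query"]:
            user = rec["query"].get("username", ["?"])[0]
            counts[(rec["host"], user)] += 1
    return counts

def flag_brute_force(lines, threshold=3):
    """Hosts that advertise a cracking tool in the User-Agent or exceed the guess threshold."""
    flagged = {r["host"] for r in map(parse_combined, lines) if r and "hydra" in r["agent"].lower()}
    flagged.update(host for (host, _u), n in login_attempts(lines).items() if n >= threshold)
    return flagged

# Constructed sample: the line from the question plus two more guesses and one benign request.
SAMPLE_LOG = [
    '172.16.2.136 - - [05/Feb/2013:00:36:00 +0000] "GET /login.php?username=jsmith&password=EEZ HTTP/1.0" 302 490 "-" "Mozilla/5.0 (Hydra)"',
    '172.16.2.136 - - [05/Feb/2013:00:36:01 +0000] "GET /login.php?username=jsmith&password=abc HTTP/1.0" 302 490 "-" "Mozilla/5.0 (Hydra)"',
    '172.16.2.136 - - [05/Feb/2013:00:36:01 +0000] "GET /login.php?username=jsmith&password=123 HTTP/1.0" 302 490 "-" "Mozilla/5.0 (Hydra)"',
    '10.0.0.5 - - [05/Feb/2013:00:40:12 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]
```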