I was looking at log files generated by my pfSense firewall and noticed there were a few lines that included:
open()
… and then some directory path on my hard drive, followed by the word:
Failed!
Clearly, someone was trying to access my network. This is no surprise, as the open Internet is a dangerous place without encryption, with seemingly everyone scanning everyone else for vulnerabilities they can exploit. It’s why we have firewalls in the first place: to keep out the bad guys, and there are a lot of bad guys.
Prompt #1: Extract Text
I needed a grep statement that could extract the directory paths so I could see if it was a signature of a known attack. This seemed like a task I could ask an AI agent similarly to how I would turn to a buddy at work to ask for help with something. So I asked Microsoft’s Co-Pilot to help me:
PROMPT: Write a grep expression that extracts the text between "open()" and "failed"
ANSWER:
Certainly! To extract the text between “open()” and “failed” in a log file using grep, you can use the following command:
grep -o -P '(?<=open\(\)).*?(?=failed)' my_log.txt
Here’s what this command does:
The -o flag tells grep to only output the matched part of the line.
The -P flag enables Perl-compatible regular expressions.
The (?<=open()) is a positive lookbehind that matches the position right after “open()”.
The .*? matches any characters (zero or more times) in a non-greedy manner.
The (?=failed) is a positive lookahead that matches the position right before “failed”.
Replace my_log.txt with the actual name of your log file. This command will extract the text between “open()” and “failed” from each line in the file.
Feel free to adjust the command according to your specific log file format or requirements. If you have any more questions or need further assistance, feel free to ask! 😊
So I ran the command the Co-Pilot suggested and it worked without tweaking. This was the result once I de-duped the list:
/usr/local/www/robots.txt
/usr/local/www/sitemap.xml
/usr/local/www/robots.txt
/usr/local/www/dana-na/auth/url_default/welcome.cgi
/usr/local/www/mailman/listinfo/mailman
/usr/local/www/.env
/usr/local/www/.git/config
/usr/local/www/remote/login
/usr/local/www/cgi-bin/luci/;stok=/locale
/usr/local/www/owa/auth/logon.aspx
/usr/local/www/wp-content/plugins/kingcomposer/readme.txt
/usr/local/www/.well-known/security.txt
/usr/local/www/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application
/usr/local/www/vpnsvc/connect.cgi
/usr/local/www/actuator/gateway/routes
/usr/local/www/autodiscover/autodiscover.json
/usr/local/www/sslmgr
/usr/local/www/global-protect/login.esp
/usr/local/www/owa/auth/x.js
/usr/local/www/version
/usr/local/www/actuator/health
/usr/local/www/aab8
/usr/local/www/aaa9
/usr/local/www/cgi-bin/nas_sharing.cgi
/usr/local/www/stub_status
/usr/local/www/cf_scripts/scripts/ajax/ckeditor/ckeditor.js
/usr/local/www/ReportServer
/usr/local/www/manager/html
Prompt #2: Analyze and Put the Results in a Table
Next, I wanted to know what each of those attempts could possibly be, so given the above list, I asked Co-pilot to analyze the list and put the results in a table:
PROMPT:
The following is a list of URLs that an attacker used to try to connect to my network. For each URL, tell me what it's trying to connect to and whether or not this is a known network attack.
Put this list and your answers in a table.
Co-Pilot did its analysis and gave its answers in a table:
ANSWER:
URL | Description |
/usr/local/www/robots.txt | Robots.txt file: A standard file used by web crawlers to understand which pages to crawl or avoid. |
/usr/local/www/sitemap.xml | Sitemap XML file: Provides information about the structure of a website for search engines. |
/usr/local/www/dana-na/auth/url_default/welcome.cgi | Dana authentication welcome page: Likely related to a login or authentication system. |
/usr/local/www/mailman/listinfo/mailman | Mailman mailing list information: Associated with the Mailman mailing list management system. |
/usr/local/www/.env | Environment configuration file: Contains settings and variables for an application. |
/usr/local/www/.git/config | Git configuration file: Configuration settings for a Git repository. |
/usr/local/www/remote/login | Remote login page: Possibly related to remote access or login functionality. |
/usr/local/www/cgi-bin/luci/;stok=/locale | Luci web interface with locale parameter: Web interface for router configuration. |
/usr/local/www/owa/auth/logon.aspx | Outlook Web Access (OWA) login page: Used for accessing Microsoft Exchange email accounts. |
/usr/local/www/wp-content/plugins/kingcomposer/readme.txt | KingComposer plugin readme file: Information about a WordPress plugin. |
/usr/local/www/.well-known/security.txt | Well-known security file: Provides security-related information for web clients. |
/usr/local/www/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application | Exchange export tool application: Related to Microsoft Exchange email export functionality. |
/usr/local/www/vpnsvc/connect.cgi | VPN service connection page: Likely part of a VPN service. |
/usr/local/www/actuator/gateway/routes | Actuator gateway routes: Associated with Spring Boot Actuator for monitoring and management. |
/usr/local/www/autodiscover/autodiscover.json | Autodiscover JSON file: Used for automatic configuration of email clients. |
/usr/local/www/sslmgr | SSL manager: Possibly related to SSL certificate management. |
/usr/local/www/global-protect/login.esp | GlobalProtect login page: Part of Palo Alto Networks’ VPN solution. |
/usr/local/www/owa/auth/x.js | OWA JavaScript file: Part of Outlook Web Access functionality. |
/usr/local/www/version | Version information: May provide details about software versions. |
/usr/local/www/actuator/health | Actuator health endpoint: Part of Spring Boot Actuator for system health checks. |
/usr/local/www/aab8 | Unknown URL (aab8): No specific information available. |
/usr/local/www/aaa9 | Unknown URL (aaa9): No specific information available. |
/usr/local/www/cgi-bin/nas_sharing.cgi | NAS sharing CGI script: Likely related to network-attached storage (NAS) sharing. |
/usr/local/www/stub_status | Nginx stub status page: Provides basic server status information for Nginx. |
/usr/local/www/cf_scripts/scripts/ajax/ckeditor/ckeditor.js | CKEditor JavaScript file: Part of the CKEditor library for rich text editing. |
/usr/local/www/ReportServer | ReportServer: Possibly related to a reporting or analytics system. |
/usr/local/www/manager/html | Tomcat manager HTML page: Part of the Apache Tomcat web server management interface. |
This table gave me a quick overview of what’s most likely going on with these failed signon attempts. From here I can track down more. AI was a quick help with a task I was trying to accomplish.
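As an added example (my own code, not from the post or from Co-Pilot), the script below does the extraction from Prompt #1 and the per-path classification from Prompt #2 in one pass over lines in the nginx error-log format pfSense writes: it parses the open() "..." failed message, de-duplicates the paths, counts hits and distinct client addresses, and tags each path using a small tagging table. The sample log lines and the PROBE_TAGS table are constructed assumptions, not data from the post.

```python
import re
from collections import Counter

# Same idea as the grep -P lookaround in the post, with the parentheses of open()
# escaped; the quoted path and the client address are captured explicitly.
OPEN_FAILED = re.compile(r'open\(\) "(?P<path>[^"]+)" failed')
CLIENT = re.compile(r'client: (?P<ip>[0-9a-fA-F.:]+)')
WEBROOT = "/usr/local/www"
# Hypothetical tagging table (assumption): path substring -> what scanners usually want.
PROBE_TAGS = [
    (".env", "secrets file (app config leak)"),
    (".git/", "exposed source repository"),
    ("/owa/", "Exchange OWA probe"),
    ("/actuator/", "Spring Boot Actuator probe"),
    ("/manager/html", "Tomcat manager probe"),
]

def parse_line(line):
    """Return (path, client_ip) for an nginx 'open() ... failed' line, else None."""
    m = OPEN_FAILED.search(line)
    if not m:
        return None
    c = CLIENT.search(line)
    return m.group("path"), (c.group("ip") if c else None)

def tag_path(path):
    rel = path[len(WEBROOT):] if path.startswith(WEBROOT) else path
    return next((tag for needle, tag in PROBE_TAGS if needle in rel), "unclassified")

def summarize(lines):
    """De-duplicate requested paths; count hits and distinct clients; tag each path."""
    hits, clients = Counter(), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            path, ip = parsed
            hits[path] += 1
            clients.setdefault(path, set()).add(ip)
    return [(p, n, len(clients[p]), tag_path(p)) for p, n in hits.most_common()]

# Constructed sample lines in pfSense/nginx error-log format (RFC 5737 addresses).
SAMPLE_LOG = """\
2024/05/01 10:00:01 [error] 401#100000: *7 open() "/usr/local/www/.env" failed (2: No such file or directory), client: 203.0.113.5, server: , request: "GET /.env HTTP/1.1", host: "192.0.2.1"
2024/05/01 10:00:02 [error] 401#100000: *8 open() "/usr/local/www/.git/config" failed (2: No such file or directory), client: 203.0.113.5, server: , request: "GET /.git/config HTTP/1.1", host: "192.0.2.1"
2024/05/01 10:03:10 [error] 401#100000: *9 open() "/usr/local/www/.env" failed (2: No such file or directory), client: 198.51.100.7, server: , request: "GET /.env HTTP/1.1", host: "192.0.2.1"
2024/05/01 10:04:00 [error] 401#100000: *10 open() "/usr/local/www/owa/auth/logon.aspx" failed (2: No such file or directory), client: 198.51.100.7, server: , request: "GET /owa/auth/logon.aspx HTTP/1.1", host: "192.0.2.1"
2024/05/01 10:05:00 [notice] 401#100000: signal process started
""".splitlines()

if __name__ == "__main__":
    for path, n, nclients, tag in summarize(SAMPLE_LOG):
        print(f"{n:3d} hits from {nclients} client(s)  {path:40s} {tag}")
```

To run it against a real pfSense log, replace SAMPLE_LOG with the lines of the nginx error log; paths that several distinct clients request are the ones worth looking up first.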