In this article we’ll discuss how you can quickly find the IP address of a malicious user that could be impacting the performance of your website, or attempting to circumvent the security you have in place.

This guide is geared towards VPS (Virtual Private Server) and dedicated server customers that have SSH access to their servers. If you’ve noticed that your server’s load average has recently been running high, whether through advanced server load monitoring or because you set up a server load monitoring script to alert you via email, these are good steps to follow to make sure one malicious user isn’t causing the problem.

Search for excessive requests

The easiest way to determine whether one user is causing a large strain on your server’s resources is to look at your Apache access logs for repeated requests coming from a single IP address. Follow the steps below to quickly find this information.

  1. Login to your server via SSH.
  2. Navigate to the home directory for the website you’d like to investigate. In this example our cPanel username is userna5, and our domain name is example.com:

    cd /home/userna5/access-logs

  3. Next, use the awk command to print only the 1st column of the Apache log (the client IP address). Pipe (|) that to the sort -n command so all of the IPs are sorted numerically, then to the uniq -c command to count how many times each IP occurs, and finally back to the sort -n command so the IP addresses are ordered by how many total requests they made:

    awk '{print $1}' example.com | sort -n | uniq -c | sort -n

    You will get back something similar to this (I’m showing fake IP addresses here):

    623 123.123.123.123
    893 123.123.123.124
    7889 123.123.123.125

  4. Now that we know 123.123.123.125 has far more requests than any other IP address we can search for what those requests have been with this code:

    grep 123.123.123.125 example.com | cut -d\" -f2 | awk '{print $1 " " $2}' | cut -d? -f1 | sort | uniq -c | sort -n | sed 's/[ ]*//'

    1 GET /wp-login.php
    7888 POST /wp-login.php

    In this case it’s pretty obvious that this user is trying to brute-force their way into a WordPress site: they requested the wp-login.php page once with GET, then POSTed to it 7888 times.

  5. Now you can follow our guide on how to block unwanted users from your site using .htaccess to stop any further requests from this malicious IP address. The line you’d use in this particular case would be:

    deny from 123.123.123.125
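As an added example (not code from the original article), the same triage in Python 3: it parses combined-format access-log lines, counts requests per client IP, breaks down the top IP’s requests by method and path with the query string stripped (the equivalent of the awk/cut pipeline above), and flags IPs that repeatedly POST to wp-login.php. The sample log lines, the fake IPs and the threshold value are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-format access-log lines (fake IPs, as in the article).
SAMPLE_LOG = """\
123.123.123.123 - - [21/Oct/2015:14:16:01 -0400] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
123.123.123.125 - - [21/Oct/2015:14:16:02 -0400] "GET /wp-login.php HTTP/1.1" 200 2341 "-" "python-requests/2.7"
123.123.123.125 - - [21/Oct/2015:14:16:03 -0400] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "python-requests/2.7"
123.123.123.125 - - [21/Oct/2015:14:16:03 -0400] "POST /wp-login.php?redirect_to=%2Fwp-admin HTTP/1.1" 200 2341 "-" "python-requests/2.7"
123.123.123.125 - - [21/Oct/2015:14:16:04 -0400] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "python-requests/2.7"
123.123.123.124 - - [21/Oct/2015:14:16:05 -0400] "GET /about/?ref=home HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
123.123.123.124 - - [21/Oct/2015:14:16:06 -0400] "GET /contact HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
"""

# First field is the client IP; the first quoted field holds "METHOD PATH PROTOCOL".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

def parse_log(text):
    """Yield (ip, method, path-without-query) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            # Same effect as `cut -d? -f1`: drop the query string so variants group together.
            yield m["ip"], m["method"], m["path"].split("?", 1)[0]

def requests_per_ip(text):
    """Equivalent of `awk '{print $1}' | sort | uniq -c`: request count per client IP."""
    return Counter(ip for ip, _, _ in parse_log(text))

def request_breakdown(text, ip):
    """Equivalent of the grep/cut/awk pipeline: count of each 'METHOD /path' for one IP."""
    return Counter(f"{m} {p}" for i, m, p in parse_log(text) if i == ip)

def suspected_brute_force(text, login_path="/wp-login.php", threshold=3):
    """IPs that POSTed to the login page at least `threshold` times (threshold is an assumed knob)."""
    posts = Counter(i for i, m, p in parse_log(text) if m == "POST" and p == login_path)
    return sorted(ip for ip, n in posts.items() if n >= threshold)

if __name__ == "__main__":
    per_ip = requests_per_ip(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{n:>6} {ip}")
    top_ip = per_ip.most_common(1)[0][0]
    for req, n in request_breakdown(SAMPLE_LOG, top_ip).most_common():
        print(f"{n:>6} {req}")
    print("suspected brute force:", suspected_brute_force(SAMPLE_LOG))
```

On a real server, replace SAMPLE_LOG with the contents of the access log for the domain (for example /home/userna5/access-logs/example.com) and tune the threshold to the site’s normal login traffic.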

You should now know how to track down a possibly malicious user’s IP address so that you can block them from causing further issues.

Originally posted on October 21, 2015 @ 2:16 pm
