Seven Minute Server

Nov 19, 2009 - 2 minute read - Fun

Who's attacking your web server today?

We’re going to go a little off-book today for a segment I’d like to call, “Who’s attacking my server today?”

I administer a few servers and they, like most anything connected to the Internet, are constantly under attack. Searching through my logs, I’ve seen a large number of pretty basic attacks trying to exploit a vulnerability in Parallels Plesk - a hosting control panel. If you’re using hosting “in the cloud,”[1] you’re bound to see a lot of this sort of thing. Mostly automated. And often launched from “the cloud” itself!

Here’s a little command line I’ve been using on my server to find out who’s attacked today:

for i in $(grep login_up /var/log/httpd/my_access_log_nov | awk '{print $1}' | sort -u); do nslookup "$i" | grep "name = " | awk '{print $4}' | sed 's/\.$//'; done

What this crude little command line does: it searches through my logs from November (insert the path to your log file there) for accesses of login_up, which is a hallmark of people trying to access the Parallels Plesk control panel; grabs the IP from the front of each line (the awk '{print $1}'); sorts the IPs and removes duplicates (plenty of these as they scan!); looks up each hostname using nslookup; greps out the hostname; and removes the trailing . that shows up in nslookup output. Crude, yes, but it gets me a nice little list of baddies.

And there we go, a list of who’s attacking our Web server today!
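
A variant of the pipeline above, as an added example rather than the author's own command: it matches login_up in the request path only, keeps the hit count and the IP next to each hostname, and prints no-PTR for addresses without reverse DNS. The sample log lines, the function names and the RESOLVER hook are assumptions made for this example.

```sh
#!/bin/sh
# Added example. Sample lines are constructed (combined log format,
# documentation-range IPs); they are not from the author's server.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [19/Nov/2009:04:11:02 -0500] "GET /login_up.php3 HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Nov/2009:04:11:03 -0500] "POST /login_up.php3 HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.23 - - [19/Nov/2009:05:40:10 -0500] "GET /login_up.php3?x=1 HTTP/1.0" 404 209 "-" "-"
192.0.2.50 - - [19/Nov/2009:06:00:00 -0500] "GET /index.html HTTP/1.1" 200 512 "http://example.com/login_up" "Mozilla/5.0"
EOF
}

# Print "hits ip" for clients whose request path ($7) contains login_up.
# Matching $7 instead of the whole line skips hits where the string only
# shows up in the referrer or user agent, both of which the client controls.
probe_counts() {
    awk '$7 ~ /login_up/ { hits[$1]++ }
         END { for (ip in hits) print hits[ip], ip }' "$@" |
        sort -k1,1nr -k2,2
}

# Reverse-resolve one IP. Prints the PTR name without its trailing dot, or
# "no-PTR" so addresses without reverse DNS still appear in the report.
ptr_name() {
    name=$(nslookup "$1" </dev/null 2>/dev/null |
        awk '/name = / { sub(/\.$/, "", $NF); print $NF; exit }')
    echo "${name:-no-PTR}"
}

# Tab-separated "hits ip name". RESOLVER is a hypothetical hook so the lookup
# can be replaced (an offline stub, a different DNS tool).
probe_report() {
    probe_counts "$@" | while read -r hits ip; do
        printf '%s\t%s\t%s\n' "$hits" "$ip" "$("${RESOLVER:-ptr_name}" "$ip")"
    done
}

# Offline demo on the constructed sample; on a real server run:
#   probe_report /var/log/httpd/my_access_log_nov
sample_log | probe_counts
```

A PTR name is set by whoever controls the reverse zone for that address block, so read it as a hint about the hosting provider rather than as an identity.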

  1. “Cloud” is a fancy term we sometimes use; it too often just means “server is not in your basement.”