@alejoasotelo
Last active June 24, 2021 16:49
Detect IPs in the Apache log that are trying to find a WordPress installation

Detect IPs in the Apache log that try to access a WordPress installation:

cat ssl_access_log* | grep 'wp-(admin|content|include|login)' -E | cut -d' ' -f1 | sort | uniq -c | sort

This bash command-line script works as follows:

  1. Reads, with cat, the files whose names start with "ssl_access_log"
  2. Uses grep to find URLs containing the text: wp-admin, wp-content, wp-include and wp-login
  3. Splits each line on spaces with cut and returns the first part (the IP)
  4. Sorts all the lines alphabetically with sort so that uniq then works correctly.
  5. Merges identical IPs and counts them with uniq -c
  6. Sorts by name again with sort, so the results come out ordered.

Example log:

82.165.185.18 - - [24/Jun/2021:04:35:59 -0300] "GET /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1" 302 281 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
82.165.185.18 - - [24/Jun/2021:04:35:59 -0300] "GET /shop/wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1" 404 28365 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
82.165.185.17 - - [24/Jun/2021:04:36:14 -0300] "GET /wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1" 302 281 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
82.165.185.20 - - [24/Jun/2021:04:36:23 -0300] "GET /shop/wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php HTTP/1.1" 200 7764 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"

Example result:

1 82.165.185.17
1 82.165.185.20
2 82.165.185.18
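
A stricter variant of the pipeline above, as an added example that is not part of the original gist: it matches only the request path (field 7 of Apache's combined log format), so a referer or user agent that merely contains "wp-admin" is not counted, and it also shows how many probes were answered with status 200. The function names `wp_probe_ips` and `sample_log` and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: count WordPress-probe requests per client IP.
# Reads Apache combined-format log lines on stdin.
# Output columns: hits, hits answered with status 200, client IP.
wp_probe_ips() {
  awk '
    # $1 = client IP, $7 = request path, $9 = HTTP status.
    # Assumes a well-formed request line ("METHOD PATH PROTOCOL").
    $7 ~ /\/wp-(admin|content|include|login)/ {
      hits[$1]++
      if ($9 == 200) ok[$1]++
    }
    END {
      for (ip in hits) printf "%d %d %s\n", hits[ip], ok[ip] + 0, ip
    }
  ' | LC_ALL=C sort -k1,1nr -k3,3   # most hits first, then by IP
}

# Constructed sample input (documentation-range IPs, not real traffic).
# The last line has "wp-admin" only in the referer and must not be counted.
sample_log() {
  cat <<'EOF'
192.0.2.10 - - [24/Jun/2021:04:35:59 -0300] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/7.68.0"
192.0.2.10 - - [24/Jun/2021:04:36:01 -0300] "GET /shop/wp-content/plugins/x.php HTTP/1.1" 200 7764 "-" "curl/7.68.0"
198.51.100.7 - - [24/Jun/2021:04:36:05 -0300] "GET /wp-admin/ HTTP/1.1" 302 281 "-" "curl/7.68.0"
203.0.113.5 - - [24/Jun/2021:04:36:09 -0300] "GET /index.html HTTP/1.1" 200 1024 "https://example.com/wp-admin/" "Mozilla/5.0"
EOF
}

sample_log | wp_probe_ips
```

Against real logs, run it as `cat ssl_access_log* | wp_probe_ips`. An IP with a non-zero second column got a 200 on a probed path, which is worth checking first.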