Created
April 7, 2016 12:39
Finds IPs accessing xmlrpc.php from Apache logs and sorts them by connection attempts
grep -i "xmlrpc\.php" other_vhosts_access.log.1 | awk '{print $2 " " $8}' | sort | uniq -c | sort -n | tail > hack_attempts.txt

1. cd into your Apache logs directory (e.g. /var/log/apache2)
2. Run the grep command

This searches the file "other_vhosts_access.log.1" for the string "xmlrpc.php" (case-insensitively).
awk then prints column 2 (the client IP of the incoming connection) and column 8 (the file requested).
sort and uniq -c group identical IP/path pairs and count them; sort -n orders them by number of attempts, and tail keeps the 10 highest.
The result is written to hack_attempts.txt for analysis.

Example output:
     32 46.148.18.162 /xmlrpc.php
     33 185.130.5.203 /xmlrpc.php
     45 46.148.22.18 /xmlrpc.php
    144 185.112.102.164 /xmlrpc.php
    150 162.158.88.84 /xmlrpc.php
    299 185.106.92.53 /xmlrpc.php
    502 185.106.92.160 /xmlrpc.php
   1421 185.130.5.165 /xmlrpc.php
 136458 89.248.167.131 /xmlrpc.php
 248338 185.130.5.104 /xmlrpc.php

As the output shows, the last IP on the list tried to access my xmlrpc.php file 248,338 times!
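
Added example (not part of the original gist): a stricter variant of the same count that matches on the request path in column 8 instead of anywhere on the line, so a request that only mentions xmlrpc.php in its referrer is not counted, and that reports only IPs at or above a threshold. The function names xmlrpc_hits and sample_log, the threshold argument and the sample log lines are assumptions made for this example; it assumes the vhost_combined layout that other_vhosts_access.log uses, where column 1 is vhost:port.

```shell
# Count requests per client IP whose request path is xmlrpc.php.
# Reads Apache vhost_combined lines on stdin:
#   vhost:port client - user [time zone] "METHOD path proto" status bytes ...
# $1 = minimum number of hits to report (default 1).
# Output: "count ip", highest count first.
xmlrpc_hits() {
    awk -v min="${1:-1}" '
        {
            path = $8
            sub(/\?.*/, "", path)      # drop any query string
            # same case-insensitive match as grep -i, but on the path only
            if (tolower(path) ~ /\/xmlrpc\.php$/) hits[$2]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip
        }' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation-range IPs, not real traffic).
# The last line only has xmlrpc.php in its referrer field.
sample_log() {
    cat <<'EOF'
blog.example:80 203.0.113.10 - - [07/Apr/2016:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
blog.example:80 203.0.113.10 - - [07/Apr/2016:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
blog.example:80 198.51.100.7 - - [07/Apr/2016:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
blog.example:80 203.0.113.10 - - [07/Apr/2016:12:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
blog.example:80 198.51.100.7 - - [07/Apr/2016:12:00:05 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 200 812 "-" "-"
blog.example:80 192.0.2.55 - - [07/Apr/2016:12:00:06 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://blog.example/xmlrpc.php" "-"
EOF
}
```

Run it against a real log with, for example, xmlrpc_hits 100 < other_vhosts_access.log.1 to list only the IPs with at least 100 requests.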