We're going to go a little off-book today for a segment I'd like to call, "Who's attacking my server today?"
I administer a few servers and they, like most anything connected to the Internet, are constantly under attack. Searching through my logs, I've seen a large number of pretty basic attacks trying to exploit a vulnerability in Parallels Plesk - a hosting control panel. If you're using hosting "in the cloud[1]," you're bound to see a lot of this sort of thing. Mostly automated. And often launched from "the cloud" itself!
Here's a little command line I've been using on my server to find out who's attacked today:
for i in $(grep -h login_up /PATH/TO/MY/ACCESS_LOGS/MYACCESSLOG_0911*.txt | awk '{print $1}' | sort -u); do nslookup "$i" | grep "name = " | awk '{print $4}' | sed 's/\.$//'; done
What this crude little command line does is search through all of my logs from November (insert the path to your log files there) for accesses of login_up, which is a hallmark of people trying to reach the Parallels Plesk control panel login; grab the IP from the front of each line (the awk '{print $1}'); sort them and remove duplicates (plenty of these as they scan!); look up the hostname with nslookup; grep out the hostname line; and strip the trailing . that shows up in nslookup output. Crude, yes, but it gets me a nice little list of baddies like:
And there we go, a list of who's attacking our Web server today!
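As an added example (not from the original post), here is a POSIX shell rewrite of that one-liner that runs offline against a constructed sample log, counts hits per source, matches only the request path instead of the whole line, and keeps sources that have no PTR record rather than silently dropping them. The IP addresses are from the RFC 5737 documentation ranges and the log lines are made up.

```shell
#!/bin/sh
# Write a constructed sample of combined-format access log lines to the file given
# as $1. Two sources probe the Plesk login page; one ordinary visitor fetches /index.html.
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [19/Nov/2009:03:14:07 -0600] "POST /login_up.php3 HTTP/1.1" 404 214 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Nov/2009:03:14:08 -0600] "GET /login_up.php3?login_name=admin HTTP/1.1" 404 214 "-" "Mozilla/4.0"
203.0.113.25 - - [19/Nov/2009:04:02:11 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [19/Nov/2009:05:55:31 -0600] "POST /login_up.php3 HTTP/1.1" 404 214 "-" "-"
EOF
}

# Print "hits ip" for every source that requested a login_up path, most active first.
# Matching on the request-path field ($7) rather than the whole line avoids false
# hits from referers or user-agents that merely contain the string.
plesk_probes() {
    awk '$7 ~ /login_up/ { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$@" | sort -rn
}

# Reverse-resolve one IP, falling back to the bare IP when nslookup returns no
# "name = " line (no PTR record, or no resolver available).
rdns() {
    name=$(nslookup "$1" 2>/dev/null | awk '/name = /{ sub(/\.$/, "", $4); print $4; exit }')
    echo "${name:-$1}"
}

# Stand-alone run on the sample log. To resolve names on a real log, pipe the
# output through:  while read -r hits ip; do echo "$hits $(rdns "$ip")"; done
LOG=$(mktemp)
write_sample_log "$LOG"
plesk_probes "$LOG"
rm -f "$LOG"
```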
[1] "Cloud" is a fancy term we sometimes use; it too often just means "server is not in your basement."
Thursday, November 19, 2009