finding malicious activity on servers and cleaning it up
Active over port 80
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
Sorted by type
netstat -plant | awk '{print $6}' | sort | uniq -c | sort -n
The following command will drop any packet coming from the IP address 1.2.3.4:
iptables -I INPUT -s 1.2.3.4 -j DROP
or
iptables -A INPUT -s 1.2.3.4 -j DROP
(-I inserts the rule at the top of the chain so it is evaluated before existing rules; -A appends it to the end, after any rule that may already accept the traffic)
Use the following syntax to block 10.0.0.0/8 on eth1 public interface:
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
Use the following command to view:
iptables -L -v
Use the following command to save the rules so they survive a reboot (RHEL/CentOS with the iptables init script; on other distributions use iptables-save to write the rules to the file your distribution restores at boot):
service iptables save
If a server is not responding, one of the domains on it may be under attack. A few checks on the access log files will show whether a normally low-volume website is suddenly receiving a lot of traffic.
Count the number of posts to each unique file:
# grep POST /usr/local/apache2/logs/USER/DOMAIN-accesslog | awk '{print $7}' | sort | uniq -c | sort -n
Count the number of times each IP posted to the domain:
# grep POST /usr/local/apache2/logs/USER/DOMAIN-accesslog | awk '{print $1}' | sort | uniq -c | sort -n
Count the number of unique IP addresses that posted to the domain:
# grep POST /usr/local/apache2/logs/USER/DOMAIN-access_log | awk '{print $1}' | sort | uniq | wc -l
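The same POST counting as an added Python example (not from the original notes): it parses the Apache combined log format properly instead of splitting on whitespace, and adds a per-minute view so a burst from one client stands out even when its total is small. The log lines, IP addresses, paths and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "curl/7.8"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "curl/7.8"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "curl/7.8"
198.51.100.2 - - [10/Oct/2023:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "curl/7.8"
"""

# One combined-format line: client IP, two dash fields, [timestamp], "METHOD PATH PROTO", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)

def parse_posts(log_text):
    """Yield (ip, minute, path) for every POST; lines that do not parse are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        # "10/Oct/2023:13:55:36 +0000" -> "10/Oct/2023:13:55" (drop seconds and zone).
        minute = m.group("ts")[:17]
        yield m.group("ip"), minute, m.group("path")

def posts_per_path(log_text):
    """Counter of POSTs per requested path (the page's first awk pipeline)."""
    return Counter(path for _, _, path in parse_posts(log_text))

def posts_per_ip_per_minute(log_text):
    """Counter keyed by (ip, minute): POSTs each client sent within each minute."""
    return Counter((ip, minute) for ip, minute, _ in parse_posts(log_text))

def flag_heavy_posters(log_text, threshold):
    """IPs that sent at least `threshold` POSTs in any single minute, busiest first."""
    flagged = {}
    for (ip, minute), n in posts_per_ip_per_minute(log_text).items():
        if n >= threshold:
            flagged[ip] = max(n, flagged.get(ip, 0))
    return sorted(flagged.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    print(posts_per_path(SAMPLE_LOG).most_common())
    print(flag_heavy_posters(SAMPLE_LOG, threshold=3))
```

Feed it a real file with `flag_heavy_posters(open(path).read(), threshold)` and tune the threshold to the site's normal POST rate.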