Apache - Regular Expression - ( )


Expressões regulares para filtrar dados no arquivo de log do servidor Apache.

	


*** Página melhor visualizada no navegador Chrome.


A P A C H E


 # Print the whole access log to stdout (-- ends option parsing before the path).
 cat -- /var/log/apache2/access.log

or 

 # Show the last 10 requests and keep following the log as new ones are appended.
 tail -n 10 -f -- /var/log/apache2/access.log

123.59.141.148  - - [19/May/2017:22:12:57 -0300] "GET http://www.baidu.com/favicon.ico HTTP/1.1" 404 504 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
68.63.198.72    - - [19/May/2017:22:52:51 -0300] "l" 501 290 "-" "-"
169.54.233.126  - - [20/May/2017:01:39:27 -0300] "GET / HTTP/1.0" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
212.47.227.163  - - [20/May/2017:02:24:10 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Chrome/41.0.2228.0 Safari/537.36"
212.47.227.163  - - [20/May/2017:03:26:17 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)"
91.236.75.4     - - [20/May/2017:03:30:02 -0300] "GET http://www.google.com/ HTTP/1.1" 200 441 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
212.47.227.163  - - [20/May/2017:06:03:57 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)"
212.47.227.163  - - [20/May/2017:06:24:33 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Chrome/41.0.2228.0 Safari/537.36"
163.172.109.120 - - [20/May/2017:06:32:58 -0300] "GET /recordings/index.php HTTP/1.1" 404 485 "-" "curl/7.29.0"
163.172.168.251 - - [20/May/2017:09:02:25 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"


 # Of the last 10 requests, keep only those whose line contains "20/May" (fixed string).
 tail -n 10 -- /var/log/apache2/access.log | grep -F -- '20/May'

169.54.233.126  - - [20/May/2017:01:39:27 -0300] "GET / HTTP/1.0" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
212.47.227.163  - - [20/May/2017:02:24:10 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Chrome/41.0.2228.0 Safari/537.36"
212.47.227.163  - - [20/May/2017:03:26:17 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)"
91.236.75.4     - - [20/May/2017:03:30:02 -0300] "GET http://www.google.com/ HTTP/1.1" 200 441 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
212.47.227.163  - - [20/May/2017:06:03:57 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)"
212.47.227.163  - - [20/May/2017:06:24:33 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Chrome/41.0.2228.0 Safari/537.36"
163.172.109.120 - - [20/May/2017:06:32:58 -0300] "GET /recordings/index.php HTTP/1.1" 404 485 "-" "curl/7.29.0"
163.172.168.251 - - [20/May/2017:09:02:25 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"


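 # Of the last 10 requests, keep those dated 20/May during hour 06.
 # The original `grep 06:*` is a regex meaning "06 followed by zero or more
 # colons", so it matched "06" anywhere on the line (a byte count, a URL, a
 # browser version); anchor on the bracketed timestamp field instead.
 tail -n 10 -- /var/log/apache2/access.log | grep -E -- '\[20/May/[0-9]{4}:06:'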

212.47.227.163  - - [20/May/2017:06:03:57 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)"
212.47.227.163  - - [20/May/2017:06:24:33 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Chrome/41.0.2228.0 Safari/537.36"
163.172.109.120 - - [20/May/2017:06:32:58 -0300] "GET /recordings/index.php HTTP/1.1" 404 485 "-" "curl/7.29.0"


 grep "20/May"  /var/log/apache2/access.log  | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":06"}' | sort -n | uniq -c 

1 01:06
1 02:06
2 03:06
3 06:06 ***
1 09:06


 # Last 10 requests as "timestamp client", adjacent duplicates collapsed with a count.
 tail -n 10 -- /var/log/apache2/access.log | awk '{ print $4, $1 }' | uniq -c

1 [19/May/2017:22:12:57 123.59.141.148
1 [19/May/2017:22:52:51 68.63.198.72
1 [20/May/2017:01:39:27 169.54.233.126
1 [20/May/2017:02:24:10 212.47.227.163
1 [20/May/2017:03:26:17 212.47.227.163
1 [20/May/2017:03:30:02 91.236.75.4
1 [20/May/2017:06:03:57 212.47.227.163
1 [20/May/2017:06:24:33 212.47.227.163
1 [20/May/2017:06:32:58 163.172.109.120
1 [20/May/2017:09:02:25 163.172.168.251


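 # Distinct client addresses among the last 10 requests.
 # The original also piped through `cut -d'=' -f2`; the client field never
 # contains '=', so cut passed every line through unchanged and was dead weight.
 tail -n 10 -- /var/log/apache2/access.log | awk '{ print $1 }' | sort -u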

123.59.141.148
163.172.109.120
163.172.168.251
169.54.233.126
212.47.227.163
68.63.198.72
91.236.75.4


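 # Requests per client address among the last 10 requests.
 # The original also piped through `cut -d'=' -f2`; the client field never
 # contains '=', so cut passed every line through unchanged and was dead weight.
 tail -n 10 -- /var/log/apache2/access.log | awk '{ print $1 }' | sort | uniq -c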

1 123.59.141.148
1 163.172.109.120
1 163.172.168.251
1 169.54.233.126
4 212.47.227.163
1 68.63.198.72
1 91.236.75.4


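 # Requests per (client, URL) pair, query string stripped, busiest first.
 # The '?' delimiter must be quoted: unquoted, `-d?` is a shell glob and is
 # replaced by any three-character filename starting with "-d" in the current
 # directory, silently changing the delimiter.
 awk '{ print $1, $7 }' /var/log/apache2/access.log | cut -d'?' -f1 | sort | uniq -c | sort -nr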

5 212.47.227.163 http://www.bing.com
2 163.172.168.251 http://www.bing.com
1 93.174.93.136 http://www.baidu.com/cache/global/img/gs.gif
1 91.236.75.4 http://www.google.com/
1 222.186.21.154 /manager/html
1 178.161.147.38 /manager/html


 # Hits on "/" per client address. Fields are split on runs of spaces and
 # double quotes, which makes $7 the request path; output is "address - count".
 awk -F'[ "]+' '
   $7 == "/" { hits[$1]++ }
   END { for (addr in hits) printf "%15s - %d\n", addr, hits[addr] }
 ' /var/log/apache2/access.log
 
 139.162.111.98 - 2
  139.162.79.87 - 1
 220.181.159.73 - 1
 198.50.212.191 - 7
 169.54.233.126 - 1
 191.54.253.109 - 1
  176.58.99.121 - 1
   1.231.77.184 - 1
    138.75.32.1 - 1
  83.157.218.78 - 1
 189.26.201.212 - 1
     5.45.86.16 - 1
  192.168.2.213 - 1
   168.1.128.35 - 1


 grep -o "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" /var/log/apache2/access.log | sort -n | uniq -c | sort -n 

 1 103.37.145.248
 1 1.231.77.184
 1 123.59.141.148
 1 138.75.32.1
 1 139.162.79.87
 1 163.172.109.120
 1 163.172.109.187
 1 163.172.99.10
 1 168.1.128.35
 1 169.54.233.126
 1 176.58.99.121
 1 180.163.113.82
 1 180.97.106.37
 1 189.26.201.212
 1 191.54.253.109
 1 192.168.2.213
 1 5.45.86.16
 1 68.63.198.72
 1 83.157.218.78
 2 139.162.111.98
 2 213.202.233.196
 2 220.181.159.73
 3 93.174.93.136
 4 177.142.184.117
 7 1.9.0.6
 7 198.50.212.191
 9 91.236.75.4
13 163.172.168.251
13 61.164.149.209
15 212.47.227.163


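 # Number of distinct client addresses seen today.
 # The original built the pattern with unquoted backticks around
 # date '+%e/%b/%G': %e pads single-digit days with a space, which word-splitting
 # then dropped, so on the 6th the pattern "6/May/2017" also matched 16/May and
 # 26/May; %G is the ISO week-based year and differs from %Y around New Year.
 # Apache's %t writes the day as %d (zero-padded) and the year as %Y, so build
 # the pattern to match that and anchor it on the opening bracket of the
 # timestamp. LC_ALL=C keeps %b in English, as the log writes it.
 grep -F -- "[$(LC_ALL=C date '+%d/%b/%Y'):" /var/log/apache2/access.log | awk '{ print $1 }' | sort -u | wc -l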

5


 # Requests per day in log order: the date is the part of field 4 before the first ':'.
 awk '{ split($4, ts, ":"); print ts[1] }' /var/log/apache2/access.log | uniq -c

18 [16/May/2017
19 [17/May/2017
30 [18/May/2017
18 [19/May/2017
 8 [20/May/2017


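 # Number of distinct client addresses in the whole log.
 # `cat file |` is a useless use of cat (awk reads the file itself), and
 # `uniq -c` only added counts that wc -l then ignored; sort -u yields the
 # same number of lines directly.
 awk '{ print $1 }' /var/log/apache2/access.log | sort -u | wc -l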

29


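 # Top 10 User-Agent strings. Splitting on '"' makes $6 the user-agent field of
 # the combined log format; awk reads the file itself, so the cat stage was
 # redundant. The user-agent is client-supplied text: treat it as untrusted
 # if it is ever passed to something that interprets it.
 awk -F'"' '{ print $6 }' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head -n 10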

13 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
12 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
12 -
 9 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
 9 Chrome/41.0.2228.0 Safari/537.36
 7 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
 7 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
 5 Apache/2.2.22 (Debian) (internal dummy connection)
 4 Wget(linux)
 3 Mozilla


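 # Top 25 requested URLs (field 7 of the combined log format); awk reads the
 # file itself, so the cat stage was redundant.
 # This field is copied verbatim from the request line, so it carries whatever
 # a client sent (the "${IFS}&&echo${IFS}..." entry in the sample output is
 # such a probe); never hand it to eval, system() or an unquoted expansion.
 awk '{ print $7 }' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head -n 25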

28 http://www.bing.com
21 /
 9 www.linode.com:443
 9 http://www.google.com/
 5 501
 5 *
 4 http://www.server110.com/
 3 http://www.baidu.com/cache/global/img/gs.gif
 2 http://www.baidu.com/favicon.ico
 1 /tmUnblock.cgi
 1 /recordings//theme/main.css
 1 /recordings/index.php
 1 /../../../../../../../mnt/mtd/qt
 1 /language/Swedish${IFS}&&echo${IFS}610cker>qt&&tar${IFS}/string.js
 1 http://180.163.113.82/check_proxy
 1 /hndUnblock.cgi


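 # Requests per client address, least active first.
 # The cat stage was redundant, and the final plain `sort` compared the counts
 # as text, which is why 13 and 15 came out before 1 in the sample output;
 # sort -n orders them numerically.
 awk '{ print "requests from " $1 }' /var/log/apache2/access.log | sort | uniq -c | sort -n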

13 requests from 163.172.168.251
13 requests from 61.164.149.209
15 requests from 212.47.227.163
 1 requests from 103.37.145.248
 1 requests from 1.231.77.184
 1 requests from 123.59.141.148
 1 requests from 138.75.32.1
 1 requests from 139.162.79.87
 1 requests from 163.172.109.120
 1 requests from 163.172.109.187
 1 requests from 163.172.99.10
 1 requests from 168.1.128.35
 1 requests from 169.54.233.126
 1 requests from 176.58.99.121
 1 requests from 180.97.106.37
 1 requests from 189.26.201.212
 1 requests from 191.54.253.109
 1 requests from 192.168.2.213
 1 requests from 5.45.86.16
 1 requests from 68.63.198.72
 1 requests from 83.157.218.78
 2 requests from 139.162.111.98
 2 requests from 213.202.233.196
 2 requests from 220.181.159.73
 3 requests from 93.174.93.136
 4 requests from 177.142.184.117
 5 requests from ::1
 7 requests from 198.50.212.191
 9 requests from 91.236.75.4


 # Clients whose log lines contain "google" anywhere, most active first.
 awk '/google/ { print $1 }' /var/log/apache2/access.log | sort | uniq -c | sort -rn

9 91.236.75.4


 # 20 most requested URLs in the second rotated (gzip-compressed) log, least first.
 gzip -dc -- /var/log/apache2/access.log.2.gz | awk '{ print $7 }' | sort | uniq -c | sort -n | tail -n 20

 1 /w00tw00t.at.ISC.SANS.DFind:)
 2 501
 2 /amigos.php
 2 /HNAP1/
 2 http://m.search.yahoo.com/
 2 /teste.php
 2 /up3.php
 3 check.proxyradar.com:80
 3 http://www.baidu.com/favicon.ico
 3 /up1.php
 4 http://www.baidu.com/cache/global/img/gs.gif
 5 /up2.php
 7 /owncloud/core/img/favicon.ico
 9 /favicon.ico
10 /setup.cgi
11 408
12 /owncloud/index.php
24 http://www.bing.com
25 *
29 /


 # Uncompressed size in bytes of the second rotated log.
 gzip -dc -- /var/log/apache2/access.log.2.gz | wc -c

42919


 # Full log lines whose timestamp field (field 4) contains 22/May/2017.
 awk '$4 ~ /22\/May\/2017/' /var/log/apache2/access.log

212.47.227.163  - - [22/May/2017:00:29:32 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
163.172.168.251 - - [22/May/2017:06:34:14 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
163.172.168.251 - - [22/May/2017:08:13:35 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Chrome/41.0.2228.0 Safari/537.36"
212.47.227.163  - - [22/May/2017:09:14:51 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Chrome/41.0.2228.0 Safari/537.36"
212.47.227.163  - - [22/May/2017:10:03:18 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Chrome/41.0.2228.0 Safari/537.36"


 # Top 10 client addresses on lines containing 23/May.
 awk '/23\/May/ { print $1 }' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head -n 10

3 204.44.65.4
2 163.172.168.251
1 93.174.93.136
1 221.194.44.142
1 212.47.227.163
1 189.172.201.139
1 169.54.233.124


 # Requests per client in the first 10000 lines, ordered by count through a
 # `sort -n` pipe opened from inside awk.
 awk '
   NR <= 10000 { seen[$1]++ }
   END { for (ip in seen) printf "%-6d %s\n", seen[ip], ip | "sort -n" }
 ' /var/log/apache2/access.log

1  178.161.147.38
1  222.186.21.154
1  91.236.75.4
1  93.174.93.136
2  163.172.168.251
4  ::1
5  212.47.227.163


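 # Requests per client address (first space-delimited field), most active first.
 # cut reads the file itself; the cat stage was redundant.
 cut -d ' ' -f 1 /var/log/apache2/access.log | sort | uniq -c | sort -nr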

8 212.47.227.163
6 163.172.168.251
4 ::1
3 204.44.65.4
2 93.174.93.136
2 91.236.75.4
2 80.82.67.125
2 47.203.93.185
2 189.33.105.93
1 71.74.31.43
1 39.110.5.153
1 24.226.120.6
1 222.186.21.154
1 221.194.44.142
1 189.172.201.139
1 178.161.147.38
1 169.54.233.124


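 # One row per distinct (client, method, status, URL) tuple with its count.
 # uniq only collapses adjacent duplicates, so the original `uniq -c | sort`
 # listed the same tuple many times with count 1 (see the repeated
 # 163.172.168.251 rows in the sample output); sort before uniq, then order
 # by count. awk reads the file itself, so the cat stage was redundant.
 awk '{ printf("%-15s\t%s\t%s\t%s\n", $1, $6, $9, $7) }' /var/log/apache2/access.log | sort | uniq -c | sort -n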

1 103.37.145.248  "GET    404     http://www.baidu.com/favicon.ico
1 1.231.77.184    "GET    200     /
1 123.59.141.148  "GET    404     http://www.baidu.com/favicon.ico
1 138.75.32.1     "GET    200     /
1 139.162.111.98  "GET    200     /
1 139.162.111.98  "GET    200     /
1 139.162.79.87   "GET    200     /
1 163.172.109.120 "GET    404     /recordings/index.php
1 163.172.109.187 "\x16\x03\x01"  "-"     501
1 163.172.168.251 "GET    200     http://www.bing.com
1 163.172.168.251 "GET    200     http://www.bing.com
1 163.172.168.251 "GET    200     http://www.bing.com
1 163.172.168.251 "GET    200     http://www.bing.com
1 163.172.168.251 "GET    200     http://www.bing.com
1 163.172.168.251 "GET    200     http://www.bing.com
1 163.172.168.251 "GET    200     http://www.bing.com
1 163.172.168.251 "GET    200     http://www.bing.com
1 163.172.168.251 "GET    200     http://www.bing.com
1 163.172.99.10   "\x16\x03\x01"  "-"     501
1 168.1.128.35    "GET    200     /
1 169.54.233.126  "GET    200     /
1 176.58.99.121   "GET    200     /
1 177.142.184.117 "GET    400     /../../../../../../../mnt/mtd/qt
1 177.142.184.117 "GET    404     /hndUnblock.cgi
1 177.142.184.117 "GET    404     /language/Swedish${IFS}&&echo${IFS}${IFS}/string.js
1 177.142.184.117 "GET    404     /tmUnblock.cgi
1 180.97.106.37   "HEAD   404     http://180.163.113.82/check_proxy
1 189.26.201.212  "GET    200     /
1 191.54.253.109  "GET    200     /
1 192.168.2.213   "GET    200     /
1 212.47.227.163  "GET    200     http://www.bing.com
1 212.47.227.163  "GET    200     http://www.bing.com
1 212.47.227.163  "GET    200     http://www.bing.com
1 212.47.227.163  "GET    200     http://www.bing.com
1 212.47.227.163  "GET    200     http://www.bing.com
1 212.47.227.163  "GET    200     http://www.bing.com
1 213.202.233.196 "GET    404     /recordings//theme/main.css
1 213.202.233.196 "\x16\x03\x01"  "-"     501
1 220.181.159.73  "GET    200     /
1 220.181.159.73  "\x16\x03\x01"  "-"     501
1 5.45.86.16      "GET    200     /
1 61.164.149.209  "GET    200     http://www.server110.com/
1 61.164.149.209  "GET    200     http://www.server110.com/
1 61.164.149.209  "GET    200     http://www.server110.com/
1 61.164.149.209  "GET    200     http://www.server110.com/
1 68.63.198.72    "l"     "-"     501
1 83.157.218.78   "GET    200     /
1 91.236.75.4     "GET    200     http://www.google.com/
1 91.236.75.4     "GET    200     http://www.google.com/
1 91.236.75.4     "GET    200     http://www.google.com/
1 91.236.75.4     "GET    200     http://www.google.com/
1 91.236.75.4     "GET    200     http://www.google.com/
1 91.236.75.4     "GET    200     http://www.google.com/
1 91.236.75.4     "GET    200     http://www.google.com/
1 93.174.93.136   "GET    404     http://www.baidu.com/cache/global/img/gs.gif
1 93.174.93.136   "GET    404     http://www.baidu.com/cache/global/img/gs.gif
1 93.174.93.136   "GET    404     http://www.baidu.com/cache/global/img/gs.gif
2 163.172.168.251 "GET    200     http://www.bing.com
2 163.172.168.251 "GET    200     http://www.bing.com
2 212.47.227.163  "GET    200     http://www.bing.com
2 212.47.227.163  "GET    200     http://www.bing.com
2 212.47.227.163  "GET    200     http://www.bing.com
2 91.236.75.4     "GET    200     http://www.google.com/
3 212.47.227.163  "GET    200     http://www.bing.com
3 61.164.149.209  "CONNECT        405     www.linode.com:443
3 61.164.149.209  "CONNECT        405     www.linode.com:443
3 61.164.149.209  "CONNECT        405     www.linode.com:443
5 ::1             "OPTIONS        200     *
7 198.50.212.191  "GET    200     /


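 # Size in bytes of the (client, method, status, URL) tuple summary.
 # Sorting before uniq is required for uniq -c to merge all duplicates (it
 # only collapses adjacent lines); awk reads the file itself, so the cat stage
 # was redundant.
 awk '{ printf("%-15s\t%s\t%s\t%s\n", $1, $6, $9, $7) }' /var/log/apache2/access.log | sort | uniq -c | sort -n | wc -c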

479

Visitas do dia.

 # The 10 most recent requests.
 tail -n 10 -- /var/log/apache2/access.log

222.186.21.154  - - [21/May/2017:10:05:31 -0300] "GET /manager/html HTTP/1.1" 404 477 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
212.47.227.163  - - [21/May/2017:10:51:32 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Chrome/41.0.2228.0 Safari/537.36"
212.47.227.163  - - [21/May/2017:17:29:29 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
91.236.75.4     - - [21/May/2017:18:34:14 -0300] "GET http://www.google.com/ HTTP/1.1" 200 441 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
93.174.93.136   - - [21/May/2017:20:20:00 -0300] "GET http://www.baidu.com/cache/global/img/gs.gif HTTP/1.1" 404 486 "-" "Mozilla"
178.161.147.38  - - [21/May/2017:22:12:16 -0300] "GET /manager/html HTTP/1.1" 404 506 "-" "Mozilla/5.0 Gecko/20100101"
212.47.227.163  - - [22/May/2017:00:29:32 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
163.172.168.251 - - [22/May/2017:06:34:14 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
163.172.168.251 - - [22/May/2017:08:13:35 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Chrome/41.0.2228.0 Safari/537.36"
212.47.227.163  - - [22/May/2017:09:14:51 -0300] "GET http://www.bing.com HTTP/1.1" 200 460 "-" "Chrome/41.0.2228.0 Safari/537.36"


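  # Number of requests received today (one line per request, so counting
  # matching lines with grep -c equals the original awk | sort | wc -l chain).
  # The original used unquoted backticks around date '+%e/%b/%G': %e pads
  # single-digit days with a space that word-splitting dropped, so "6/May/2017"
  # also matched 16/May and 26/May, and %G is the ISO week-based year. Apache's
  # %t uses %d and %Y; build the pattern to match that and anchor it on the
  # opening bracket of the timestamp. LC_ALL=C keeps %b in English like the log.
  grep -cF -- "[$(LC_ALL=C date '+%d/%b/%Y'):" /var/log/apache2/access.log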

4


Visitas do mês.

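 # Number of distinct client addresses seen this month.
 # The original used unquoted backticks around date '+%b/%G'; %G is the ISO
 # week-based year and differs from %Y around New Year, and an unanchored
 # "May/2017" could match inside a request URL as well as the timestamp.
 # Anchor on "/Mon/yyyy:" as Apache's %t writes it; LC_ALL=C keeps %b in
 # English like the log. awk reads the file itself, so cat is not needed.
 grep -F -- "/$(LC_ALL=C date '+%b/%Y'):" /var/log/apache2/access.log | awk '{ print $1 }' | sort -u | wc -l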
7


 awk ' ( $4 ~ /22\/May\/2017/ ) { print $1; COUNT++ } END { print COUNT }' /var/log/apache2/access.log 

212.47.227.163
163.172.168.251
163.172.168.251
212.47.227.163
212.47.227.163
71.74.31.43
6


 apt-get install geoip-bin 

 cat /var/log/apache2/access.log | awk '{ print $1 }' | sort | uniq -c | sort -rn | head -n 25 | awk '{ printf("%5d\t%-15s\t", $1, $2); system("geoiplookup " $2 " | cut -d \\: -f2 ") }' 

5 212.47.227.163 FR, France
2 163.172.168.251 GB, United Kingdom
1 93.174.93.136 NL, Netherlands
1 91.236.75.4 PL, Poland
1 71.74.31.43 US, United States
1 222.186.21.154 CN, China
1 178.161.147.38 RU, Russian Federation


 cat /var/log/apache2/access.log | cut -d '"' -f 6 | sort | uniq -c | sort -nr 

9 Chrome/41.0.2228.0 Safari/537.36
6 -
4 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
4 Apache/2.2.22 (Debian) (internal dummy connection)
2 Wget(linux)
2 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28 (.NET CLR 3.5.30729)
2 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2 Mozilla
2 curl/7.43.0
2 curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
1 python-requests/2.7.0 CPython/2.7.9 Windows/2003Server
1 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
1 Mozilla/5.0 Gecko/20100101
1 Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)


 tail -f /var/log/apache2/error.log 

[Wed May 17 03:39:33 2017] [error] [client 177.142.184.117] Invalid URI in request GET /../../../../mnt/mtd/qt HTTP/1.0
[Wed May 17 12:01:25 2017] [error] [client 163.172.99.10] Invalid method in request \x16\x03\x01
[Wed May 17 14:36:03 2017] [error] [client 180.97.106.37] File does not exist: /var/www/check_proxy
[Wed May 17 17:42:01 2017] [error] [client 163.172.109.187] Invalid method in request \x16\x03\x01
[Thu May 18 07:24:28 2017] [error] [client 93.174.93.136] File does not exist: /var/www/cache
[Thu May 18 08:16:44 2017] [error] [client 220.181.159.73] Invalid method in request \x16\x03\x01
[Fri May 19 11:42:22 2017] [error] [client 93.174.93.136] File does not exist: /var/www/cache
[Fri May 19 22:12:57 2017] [error] [client 123.59.141.148] File does not exist: /var/www/favicon.ico
[Fri May 19 22:52:51 2017] [error] [client 68.63.198.72] Invalid method in request l
[Sat May 20 06:32:58 2017] [error] [client 163.172.109.120] File does not exist: /var/www/recordings


 top -p `pidof apache2 | awk '{gsub(/[ ]/,",");print}'` 


 ps aux | grep apache2 

root 2066 0.0 0.7 199916 13992 ? Ss May15 0:13 /usr/sbin/apache2 -k start
www-data 5567 0.0 0.4 200384 8724 ? S May16 0:00 /usr/sbin/apache2 -k start
www-data 5568 0.0 0.4 200384 8724 ? S May16 0:00 /usr/sbin/apache2 -k start
www-data 5569 0.0 0.4 200384 8720 ? S May16 0:00 /usr/sbin/apache2 -k start
www-data 5570 0.0 0.4 200384 8716 ? S May16 0:00 /usr/sbin/apache2 -k start
www-data 5571 0.0 0.4 200384 8704 ? S May16 0:00 /usr/sbin/apache2 -k start
www-data 5610 0.0 0.4 200384 8708 ? S May18 0:00 /usr/sbin/apache2 -k start
www-data 12145 0.0 0.4 200384 8724 ? S May16 0:00 /usr/sbin/apache2 -k start
root 19707 0.0 0.0 7844 844 pts/0 S+ 10:45 0:00 grep apache2


 netstat -lnp6 | grep :8080 | sed 's#^[^\/]*/\([a-z0-9]*\)#\1#' 

apache2


 netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n 

1 established)
1 ESTABLISHED
1 Foreign
16 LISTEN


 netstat -alnp | grep ::80 

tcp6 0 0 :::8080 :::* LISTEN 2066/apache2


 netstat -an | grep -i listen 

tcp 0 0 0.0.0.0:43047 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp6 0 0 :::139 :::* LISTEN
tcp6 0 0 :::111 :::* LISTEN
tcp6 0 0 :::50000 :::* LISTEN
tcp6 0 0 :::8080 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
tcp6 0 0 :::47612 :::* LISTEN
tcp6 0 0 :::445 :::* LISTEN
unix 2 [ ACC ] SEQPACKET LISTENING 5909 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 7238 /var/run/fail2ban/fail2ban.sock
unix 2 [ ACC ] STREAM LISTENING 6584 /var/run/rpcbind.sock
unix 2 [ ACC ] STREAM LISTENING 7119 /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 334293 /var/run/samba/unexpected
unix 2 [ ACC ] STREAM LISTENING 6882 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 744 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 7080 @/tmp/fam-root-


 netstat -putona 

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer
tcp 0 0 0.0.0.0:43047 0.0.0.0:* LISTEN 1596/rpc.statd off (0.00/0/0)
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2882/mysqld off (0.00/0/0)
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 31238/smbd off (0.00/0/0)
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1565/rpcbind off (0.00/0/0)
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 2978/perl off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2339/sshd off (0.00/0/0)
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3576/exim4 off (0.00/0/0)
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 31238/smbd off (0.00/0/0)
tcp 0 0 192.168.2.213:22 192.168.2.172:49312 ESTABLISHED 17375/sshd: jura [p keepalive (1507.35/0/0)
tcp6 0 0 :::139 :::* LISTEN 31238/smbd off (0.00/0/0)
tcp6 0 0 :::111 :::* LISTEN 1565/rpcbind off (0.00/0/0)
tcp6 0 0 :::50000 :::* LISTEN 5718/proftpd: (acce off (0.00/0/0)
tcp6 0 0 :::8080 :::* LISTEN 2066/apache2 off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN 2339/sshd off (0.00/0/0)
tcp6 0 0 ::1:25 :::* LISTEN 3576/exim4 off (0.00/0/0)
tcp6 0 0 :::47612 :::* LISTEN 1596/rpc.statd off (0.00/0/0)
tcp6 0 0 :::445 :::* LISTEN 31238/smbd off (0.00/0/0)
udp 0 0 0.0.0.0:10000 0.0.0.0:* 2978/perl off (0.00/0/0)
udp 0 0 0.0.0.0:60254 0.0.0.0:* 1596/rpc.statd off (0.00/0/0)
udp 0 0 0.0.0.0:892 0.0.0.0:* 1565/rpcbind off (0.00/0/0)
udp 0 0 127.0.0.1:924 0.0.0.0:* 1596/rpc.statd off (0.00/0/0)
udp 0 0 0.0.0.0:111 0.0.0.0:* 1565/rpcbind off (0.00/0/0)
udp 0 0 192.168.2.255:137 0.0.0.0:* 31234/nmbd off (0.00/0/0)
udp 0 0 192.168.2.213:137 0.0.0.0:* 31234/nmbd off (0.00/0/0)
udp 0 0 0.0.0.0:137 0.0.0.0:* 31234/nmbd off (0.00/0/0)
udp 0 0 192.168.2.255:138 0.0.0.0:* 31234/nmbd off (0.00/0/0)
udp 0 0 192.168.2.213:138 0.0.0.0:* 31234/nmbd off (0.00/0/0)
udp 0 0 0.0.0.0:138 0.0.0.0:* 31234/nmbd off (0.00/0/0)
udp6 0 0 :::50688 :::* 1596/rpc.statd off (0.00/0/0)
udp6 0 0 :::892 :::* 1565/rpcbind off (0.00/0/0)
udp6 0 0 :::111 :::* 1565/rpcbind off (0.00/0/0)

----------------------------------------------------------------

 ps aux | grep apache2 

root 1997 0.0 1.0 187036 10360 ? Ss 14:23 0:00 /usr/sbin/apache2 -k start
www-data 2018 0.0 0.6 187060 6344 ? S 14:23 0:00 /usr/sbin/apache2 -k start
www-data 2019 0.0 0.6 187060 6344 ? S 14:23 0:00 /usr/sbin/apache2 -k start
www-data 2020 0.0 0.6 187060 6344 ? S 14:23 0:00 /usr/sbin/apache2 -k start
www-data 2021 0.0 0.6 187060 6344 ? S 14:23 0:00 /usr/sbin/apache2 -k start
www-data 2022 0.0 0.6 187060 6344 ? S 14:23 0:00 /usr/sbin/apache2 -k start
root 6956 0.0 0.0 7844 884 pts/0 S+ 14:52 0:00 grep --color apache2


 service apache2 stop 

[....] Stopping web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
[ ok waiting .


 ps aux | grep apache2 

root 7020 0.0 0.0 7840 880 pts/0 S+ 14:52 0:00 grep --color apache2


 service apache2 start 

[....] Starting web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
. ok


 ps aux | grep apache2 

root 7040 0.0 1.0 187036 10356 ? Ss 14:52 0:00 /usr/sbin/apache2 -k start
www-data 7046 0.0 0.6 187060 6340 ? S 14:52 0:00 /usr/sbin/apache2 -k start
www-data 7047 0.0 0.6 187060 6340 ? S 14:52 0:00 /usr/sbin/apache2 -k start
www-data 7048 0.0 0.6 187060 6340 ? S 14:52 0:00 /usr/sbin/apache2 -k start
www-data 7049 0.0 0.6 187060 6340 ? S 14:52 0:00 /usr/sbin/apache2 -k start
www-data 7050 0.0 0.6 187060 6340 ? S 14:52 0:00 /usr/sbin/apache2 -k start
root 7069 0.0 0.0 7840 884 pts/0 S+ 14:52 0:00 grep --color apache2


 service apache2 restart 

[....] Restarting web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
. ok


 service apache2 status 

Apache2 is running (pid 7117).

----------------------------------------------------------------

 ps aux | grep apache2 

 kill -9 PID 

----------------------------------------------------------------

 service apache2 stop 

 apt-get purge apache2 apache2-utils apache2.2-bin apache2-common 

 apt-get autoremove 

 whereis apache2 

 rm -rf /etc/apache2 

 apt-get --purge remove apache2*

Is my Apache under DDoS attack?

 netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n 

1 192.168.2.172
1 192.168.2.181
11
19 0.0.0.0


 netstat -n | grep :80 | wc -l 

2


 netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n|wc -l 

4


 netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr 

1 192.168.2.181
1 192.168.2.172


 netstat -plan | grep :80 | awk {'print $5'} | cut -d: -f 1 | sort|uniq -c | sort -nk 1 

1


 netstat -an | awk '/tcp/ {print $6}' | sort|uniq -c 

2 ESTABLISHED
16 LISTEN


 netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n 

1 192.168.2.172
1 192.168.2.181
1 89.248.161.12
1 Address
1 servers)


 while :; do netstat -s| grep -i icmp | egrep 'received|sent' ; sleep 1; done 

49 ICMP messages received
33 ICMP messages sent
49 ICMP messages received
33 ICMP messages sent
49 ICMP messages received
33 ICMP messages sent
49 ICMP messages received
33 ICMP messages sent


 netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk 1 

 netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' 

 netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n 

 netstat -anp |grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n 

 netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr 

 netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1


"Wisdom is like a river, the deeper it is the less noise it makes"

A fim de aprender mais? Fale comigo: linux1.noip@gmail.com