In this article we'll discuss how you can quickly find the IP address of a malicious user that could be impacting the performance of your website, or attempting to circumvent the security you have in place.

This guide is geared towards VPS (Virtual Private Server) and dedicated server customers who have SSH access to their servers. If you've noticed that your server's load average has recently been running high, either from advanced server load monitoring or because you set up a server load monitoring script to alert you via email, these are good steps to follow to make sure a single malicious user isn't causing the problem.

Search for excessive requests

The easiest way to determine whether one user is putting a large strain on your server's resources is to look in your Apache access logs for repeated requests coming from a single IP address. Follow the steps below to find this information quickly.

  1. Log in to your server via SSH.
  2. Navigate to the access-logs directory under the home directory for the website you'd like to investigate. In this example our cPanel username is userna5, and our domain name is example.com:

    cd /home/userna5/access-logs

  3. Next, use the awk command to print only the 1st column of the Apache log (which is the IP address). Pipe (|) that to the sort -n command so that all of the IPs get sorted numerically (uniq -c only counts duplicate lines that sit next to each other), then pipe that to the uniq -c command to count how many times each IP occurs. Finally, pipe all of that back to the sort -n command so the IP addresses are ordered by how many total requests they had:

    awk '{print $1}' example.com | sort -n | uniq -c | sort -n

    You will get back something similar to this (I'm showing fake IP addresses here):

    623 123.123.123.123
    893 123.123.123.124
    7889 123.123.123.125

  4. Now that we know 123.123.123.125 has far more requests than any other IP address, we can look at what those requests were with the command below. The leading ^, the escaped dots and the trailing space make grep match the address only as the complete first field of a log line:

    grep '^123\.123\.123\.125 ' example.com | cut -d\" -f2 | awk '{print $1 " " $2}' | cut -d? -f1 | sort | uniq -c | sort -n | sed 's/[ ]*//'

    1 GET /wp-login.php
    7888 POST /wp-login.php

    In this case it's pretty obvious that this user is trying to brute force their way into a WordPress site as they tried to get the wp-login.php page once, and then tried to POST to it 7888 times.

  5. Now you can go ahead and follow our guide on how to block unwanted users from your site using .htaccess in order to stop any further requests from this malicious IP address.

    The line you'd be using in this particular case would be:

    deny from 123.123.123.125
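
Steps 3 and 4 combined into one script, as an added example that is not part of the original article. The function names and all log lines are constructed for illustration. It goes a little beyond the steps above by matching the IP as the exact first field, skipping log lines with no parsable request, and reporting every IP/method/path combination that reaches a threshold.

```bash
#!/bin/sh
# Added example: function names and every log line below are constructed.

# Requests per client IP, busiest last (same result as step 3).
requests_per_ip() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -n
}

# Count requests per IP + method + path (query string dropped) and print the
# combinations seen at least MIN times. An optional IP limits the report.
# Usage: request_breakdown LOGFILE MIN [IP]
request_breakdown() {
    awk -v min="$2" -v ip="${3:-}" '
        ip != "" && $1 != ip { next }   # exact match on the first field only
        {
            # q[2] is the quoted request line: METHOD PATH PROTOCOL
            if (split($0, q, "\"") < 3 || split(q[2], r, " ") < 2) next
            sub(/\?.*/, "", r[2])
            n[$1 " " r[1] " " r[2]]++
        }
        END { for (k in n) if (n[k] >= min) print n[k], k }' "$1" | sort -n
}

# Constructed access log in Apache combined format.
sample_log() {
    ts='- - [10/Oct/2023:13:55:36 +0000]'
    end='HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    printf '%s\n' "203.0.113.5 $ts \"GET /index.php?p=1 $end"
    printf '%s\n' "203.0.113.5 $ts \"GET /index.php?p=2 $end"
    printf '%s\n' "203.0.113.5 $ts \"GET /about $end"
    printf '%s\n' "198.51.100.7 $ts \"GET / $end"
    printf '%s\n' "198.51.100.7 $ts \"-\" 408 0 \"-\" \"-\""
    printf '%s\n' "203.0.113.50 $ts \"GET /wp-login.php $end"
    i=0
    while [ "$i" -lt 25 ]; do
        printf '%s\n' "203.0.113.50 $ts \"POST /wp-login.php $end"
        i=$((i + 1))
    done
}

log=$(mktemp)
sample_log > "$log"
requests_per_ip "$log"
busiest=$(requests_per_ip "$log" | tail -n 1 | cut -d' ' -f2)
request_breakdown "$log" 1 "$busiest"   # everything the busiest IP requested
request_breakdown "$log" 20             # any IP, combinations seen 20+ times
rm -f "$log"
```

On a real server, pass the access log path (example.com in the steps above) instead of the temporary sample file.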

You should now know how to track down a possible malicious user's IP address so that you can block them from causing further issues.
