Find IP address of malicious user

Updated on August 16, 2021 by InMotion Hosting Contributor

In this article we'll discuss how you can quickly find the IP address of a malicious user that could be impacting the performance of your website, or attempting to circumvent the security you have in place. This guide is geared towards VPS (Virtual Private Server) and dedicated server customers that have SSH access to their servers.

If you've noticed that your server's load average has recently been running high, either from advanced server load monitoring or from a server load monitoring script you set up to alert you via email, these are good steps to follow to make sure one malicious user isn't causing the problem.

Search for excessive requests

The easiest way to determine whether one user is putting a large strain on your server's resources is to look at your Apache access logs for repeated requests coming from a single IP address. Follow the steps below to find this information quickly.

1. Log in to your server via SSH.

2. Navigate to the access-logs directory for the website you'd like to investigate. In this example our cPanel username is userna5 and our domain name is example.com:

   cd /home/userna5/access-logs

3. Use the awk command to print only the 1st column of the Apache log (the client IP address), pipe (|) that to sort so that identical IPs are grouped together, pipe that to uniq -c to count how many times each IP occurs, and finally pipe the result back to sort -n so the IP addresses are ordered by their total number of requests:

   awk '{print $1}' example.com | sort -n | uniq -c | sort -n

   You will get back something similar to this (the IP addresses shown here are fake):

   623 123.123.123.123
   893 123.123.123.124
   7889 123.123.123.125

4. Now that we know 123.123.123.125 has made far more requests than any other IP address, we can see what those requests were. The cut -d'"' -f2 step extracts the quoted request line (for example GET /wp-login.php HTTP/1.1), awk keeps only the method and path, cut -d'?' -f1 drops any query string, and the final sed strips the leading spaces that uniq -c adds:

   grep 123.123.123.125 example.com | cut -d'"' -f2 | awk '{print $1 " " $2}' | cut -d'?' -f1 | sort | uniq -c | sort -n | sed 's/^[ ]*//'

   1 GET /wp-login.php
   7888 POST /wp-login.php

In this case it's pretty obvious that this user is trying to brute force their way into a WordPress site: they requested the wp-login.php page once, and then tried to POST to it 7888 times.

Now you can go ahead and follow our guide on how to block unwanted users from your site using .htaccess in order to stop any further requests from this malicious IP address. The line you'd use in this particular case would be:

   deny from 123.123.123.125

You should now know how to track down a possibly malicious user's IP address so that you can block them from causing further issues.
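The two pipelines above, wrapped as shell functions and run against a small constructed access log so the results can be checked offline. This is an added example, not code from the article; the IP addresses, paths and log file name are made up.

```shell
#!/bin/sh
# Added example (not from the article): the article's two pipelines as
# functions, exercised on a constructed Apache combined-format log so the
# brute-force pattern (one GET, many POSTs to wp-login.php) is visible.

LOG="${TMPDIR:-/tmp}/access_log_example.$$"

# Constructed sample log: 203.0.113.10 makes a few ordinary page loads,
# 198.51.100.7 hammers wp-login.php with POSTs. All values are made up.
make_sample_log() {
  {
    printf '%s\n' '203.0.113.10 - - [16/Aug/2021:10:00:01 -0400] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"'
    printf '%s\n' '203.0.113.10 - - [16/Aug/2021:10:00:02 -0400] "GET /about/?ref=home HTTP/1.1" 200 2211 "-" "Mozilla/5.0"'
    printf '%s\n' '203.0.113.10 - - [16/Aug/2021:10:00:03 -0400] "GET /about/?ref=nav HTTP/1.1" 200 2211 "-" "Mozilla/5.0"'
    printf '%s\n' '198.51.100.7 - - [16/Aug/2021:10:00:04 -0400] "GET /wp-login.php HTTP/1.1" 200 1834 "-" "curl/7.68.0"'
    i=0
    while [ "$i" -lt 5 ]; do
      printf '%s\n' '198.51.100.7 - - [16/Aug/2021:10:00:05 -0400] "POST /wp-login.php HTTP/1.1" 200 1834 "-" "curl/7.68.0"'
      i=$((i + 1))
    done
  } > "$LOG"
}

# Request count per client IP (column 1 of the log), busiest last.
count_by_ip() {
  awk '{print $1}' "$1" | sort | uniq -c | sort -n
}

# The single IP with the most requests.
busiest_ip() {
  count_by_ip "$1" | tail -n 1 | awk '{print $2}'
}

# Method + path (query string stripped) for one IP, with counts, busiest last.
# The trailing space in the grep pattern keeps 198.51.100.7 from also
# matching 198.51.100.70, which a bare grep on the IP would do.
requests_for_ip() {
  grep -F "$2 " "$1" | cut -d'"' -f2 | awk '{print $1 " " $2}' \
    | cut -d'?' -f1 | sort | uniq -c | sort -n | sed 's/^[ ]*//'
}

# Stand-alone run: per-IP totals, then the request breakdown for the busiest IP.
make_sample_log
count_by_ip "$LOG"
requests_for_ip "$LOG" "$(busiest_ip "$LOG")"
```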