{"id":506,"date":"2013-01-15T21:16:38","date_gmt":"2013-01-16T02:16:38","guid":{"rendered":"https:\/\/www.inmotionhosting.com\/support\/2013\/01\/15\/find-ip-address-of-malicious-user\/"},"modified":"2021-08-16T23:24:00","modified_gmt":"2021-08-17T03:24:00","slug":"find-ip-address-of-malicious-user","status":"publish","type":"post","link":"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/","title":{"rendered":"Find IP address of malicious user"},"content":{"rendered":"

In this article we’ll discuss how you can quickly find the IP address of a malicious user that could be impacting the performance of your website, or attempting to circumvent the security you have in place.<\/p>\n

This guide is geared towards VPS (Virtual Private Server) and dedicated server customers that have SSH access to their servers. If you’ve noticed that your server’s load average has recently been running high, either from advanced server load monitoring<\/a>, or if you setup a server load monitoring script to alert you via email<\/a> these would be good steps to follow to ensure one malicious user isn’t causing these problems.<\/p>\n

Search for excessive requests<\/h2>\n

The easiest way to determine if one user is possibly causing a large strain of resources on your server, is to look at your Apache access logs for duplicate requests coming from one IP address. You can follow the steps below in order to quickly find out this information.<\/p>\n

    \n
  1. Login to your server via SSH<\/a>.<\/li>\n
  2. Navigate to the home directory for the website you’d like to investigate. In this example our cPanel username is userna5<\/strong>, and our domain name is example.com<\/strong>:cd \/home\/userna5\/access-logs<\/code><\/li>\n
  3. Next we want to use the awk<\/strong> command to only print the 1st column of the Apache log (which is the IP address), we will then pipe |<\/strong> that to the sort -n<\/strong> command so that all of the IPs get sorted numerically, we’ll then pipe that to the uniq -c<\/strong> command to uniquely count up how many times each IP occurs, then finally we’ll pipe all that back to the sort -n<\/strong> command so it sorts the IP addresses by how many total requests they had: awk '{print $1}' example.com | sort -n | uniq -c | sort -n <\/code>\n

    You will get back something similar to this (I’m showing fake IP addresses here):<\/p>\n

    623 123.123.123.123
    \n893 123.123.123.124
    \n7889 123.123.123.125<\/code><\/li>\n

  4. Now that we know 123.123.123.125<\/strong> has far more requests than any other IP address we can search for what those requests have been with this code:grep 123.123.123.125 example.com | cut -d\" -f2 |
    \nawk '{print $1 \" \" $2}' |
    \ncut -d? -f1 | sort | uniq -c |
    \nsort -n | sed 's\/[ ]*\/\/'<\/code><\/p>\n

    1 GET \/wp-login.php
    \n7888 POST \/wp-login.php<\/code><\/p>\n

    In this case it’s pretty obvious that this user is trying to brute force their way into a WordPress site as they tried to get the wp-login.php<\/strong> page once, and then tried to POST<\/strong> to it 7888<\/strong> times.<\/li>\n

  5. Now you can go ahead and follow our guide on how to block unwanted users from your site using .htaccess<\/a>in order to stop any further requests from this malicious IP address.The line you’d be using in this particular case would be:\n

    deny from 123.123.123.125<\/code><\/li>\n<\/ol>\n

    You should now know how to track down a possible malicious user’s IP address so that you can block them from causing further issues.<\/p>\n","protected":false},"excerpt":{"rendered":"

    In this article we’ll discuss how you can quickly find the IP address of a malicious user that could be impacting the performance of your website, or attempting to circumvent the security you have in place. This guide is geared towards VPS (Virtual Private Server) and dedicated server customers that have SSH access to their Read More ><\/a><\/p>\n","protected":false},"author":57014,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4288],"tags":[],"class_list":["post-506","post","type-post","status-publish","format-standard","hentry","category-website"],"acf":[],"yoast_head":"\nFind IP address of malicious user | InMotion Hosting<\/title>\n<meta name=\"description\" content=\"In this article we'll discuss how you can quickly find the IP address of a malicious user that could be impacting the performance of your website, or attempting to circumvent the security you have in place.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Find IP address of malicious user | InMotion Hosting\" \/>\n<meta property=\"og:description\" content=\"In this article we'll discuss how you can quickly find the IP address of a malicious user that could be impacting the performance of your website, or attempting to circumvent the security you have in place.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/\" \/>\n<meta property=\"og:site_name\" content=\"InMotion Hosting Support Center\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/inmotionhosting\/\" \/>\n<meta property=\"article:published_time\" content=\"2013-01-16T02:16:38+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-17T03:24:00+00:00\" \/>\n<meta name=\"author\" content=\"InMotion Hosting Contributor\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/InMotionHosting\" \/>\n<meta name=\"twitter:site\" content=\"@InMotionHosting\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"InMotion Hosting Contributor\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/\"},\"author\":{\"name\":\"InMotion Hosting Contributor\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644\"},\"headline\":\"Find IP address of malicious user\",\"datePublished\":\"2013-01-16T02:16:38+00:00\",\"dateModified\":\"2021-08-17T03:24:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/\"},\"wordCount\":439,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#organization\"},\"articleSection\":[\"Website\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/\",\"name\":\"Find IP address of malicious user | InMotion Hosting\",\"isPartOf\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#website\"},\"datePublished\":\"2013-01-16T02:16:38+00:00\",\"dateModified\":\"2021-08-17T03:24:00+00:00\",\"description\":\"In this article we'll discuss how you can quickly find the IP address of a malicious user that could be impacting the performance of your website, or attempting to circumvent the security you have in place.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.inmotionhosting.com\/support\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Find IP address of malicious user\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#website\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/\",\"name\":\"InMotion Hosting Support Center\",\"description\":\"Web Hosting Support & Tutorials\",\"publisher\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.inmotionhosting.com\/support\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#organization\",\"name\":\"InMotion Hosting\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg\",\"contentUrl\":\"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg\",\"width\":696,\"height\":696,\"caption\":\"InMotion Hosting\"},\"image\":{\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/inmotionhosting\/\",\"https:\/\/x.com\/InMotionHosting\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644\",\"name\":\"InMotion Hosting Contributor\",\"description\":\"InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/inmotion-hosting\/\",\"https:\/\/x.com\/https:\/\/twitter.com\/InMotionHosting\"],\"url\":\"https:\/\/www.inmotionhosting.com\/support\/author\/inmotion-hosting-contributor\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Find IP address of malicious user | InMotion Hosting","description":"In this article we'll discuss how you can quickly find the IP address of a malicious user that could be impacting the performance of your website, or attempting to circumvent the security you have in place.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/","og_locale":"en_US","og_type":"article","og_title":"Find IP address of malicious user | InMotion Hosting","og_description":"In this article we'll discuss how you can quickly find the IP address of a malicious user that could be impacting the performance of your website, or attempting to circumvent the security you have in place.","og_url":"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/","og_site_name":"InMotion Hosting Support Center","article_publisher":"https:\/\/www.facebook.com\/inmotionhosting\/","article_published_time":"2013-01-16T02:16:38+00:00","article_modified_time":"2021-08-17T03:24:00+00:00","author":"InMotion Hosting Contributor","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/InMotionHosting","twitter_site":"@InMotionHosting","twitter_misc":{"Written by":"InMotion Hosting Contributor","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/#article","isPartOf":{"@id":"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/"},"author":{"name":"InMotion Hosting Contributor","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644"},"headline":"Find IP address of malicious user","datePublished":"2013-01-16T02:16:38+00:00","dateModified":"2021-08-17T03:24:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/"},"wordCount":439,"commentCount":0,"publisher":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#organization"},"articleSection":["Website"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/","url":"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/","name":"Find IP address of malicious user | InMotion Hosting","isPartOf":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#website"},"datePublished":"2013-01-16T02:16:38+00:00","dateModified":"2021-08-17T03:24:00+00:00","description":"In this article we'll discuss how you can quickly find the IP address of a malicious user that could be impacting the performance of your website, or attempting to circumvent the security you have in place.","breadcrumb":{"@id":"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.inmotionhosting.com\/support\/website\/find-ip-address-of-malicious-user\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inmotionhosting.com\/support\/"},{"@type":"ListItem","position":2,"name":"Find IP address of malicious user"}]},{"@type":"WebSite","@id":"https:\/\/www.inmotionhosting.com\/support\/#website","url":"https:\/\/www.inmotionhosting.com\/support\/","name":"InMotion Hosting Support Center","description":"Web Hosting Support & Tutorials","publisher":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inmotionhosting.com\/support\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.inmotionhosting.com\/support\/#organization","name":"InMotion Hosting","url":"https:\/\/www.inmotionhosting.com\/support\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/","url":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg","contentUrl":"https:\/\/www.inmotionhosting.com\/support\/wp-content\/uploads\/2023\/02\/inmotion-hosting-logo-yoast.jpg","width":696,"height":696,"caption":"InMotion Hosting"},"image":{"@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/inmotionhosting\/","https:\/\/x.com\/InMotionHosting"]},{"@type":"Person","@id":"https:\/\/www.inmotionhosting.com\/support\/#\/schema\/person\/f9a4fc454cd1df128ee8e898d30d4644","name":"InMotion Hosting Contributor","description":"InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!","sameAs":["https:\/\/www.linkedin.com\/company\/inmotion-hosting\/","https:\/\/x.com\/https:\/\/twitter.com\/InMotionHosting"],"url":"https:\/\/www.inmotionhosting.com\/support\/author\/inmotion-hosting-contributor\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"primary_category":null,"_links":{"self":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/506","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/users\/57014"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/comments?post=506"}],"version-history":[{"count":4,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/506\/revisions"}],"predecessor-version":[{"id":85078,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/posts\/506\/revisions\/85078"}],"wp:attachment":[{"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/media?parent=506"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/categories?post=506"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inmotionhosting.com\/support\/wp-json\/wp\/v2\/tags?post=506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}