On my webservers I always use an installation of munin, to track events on my servers that happened while I was sleeping. Today, I saw that around 6 in the morning there where a huge increase of mysql requests, around 6.5 times more than the average count of requests. Also the cpu usage increased that time around 7.8 times over the average. That problem last for about 10 minutes. So I had to investigate it a little bit.
What should I have to check? First of all I wanted to check the IP numbers that accessed my server. So, I found the apache access log file and I used the following commands:
grep '08/Nov/2011:06' /var/log/apache2/access.log | cut -f 2 -s --delimiter=" " | awk ' {print $1 }' | sort | uniq -c | sort -n
The above command gave me the opportunity to see which IPs and how many times accessed my server at the 8th of November from 6:00:59 until 6:59:59 in the morning. Really usefull.
You can change the hour and date in the grep command. Also, have in mind that you have to insert the path and filename of your access log file.
Unortunately, I don't have enabled the binary logs on my MySQL server installation, and this prevents me to see what exactly queries run that time at the webisites. I could although guess that by changing a little bit the above commands with the following:
grep '08/Nov/2011:06' /var/log/apache2/access.log | grep '1.2.3.4' | cut -f 1 -s --delimiter=" " | awk ' {print $0}' | sort | uniq -c | sort -n
With the above command you can find the domains that the suspected IP visited in a specific date and time.
You can also use the following commands to see which pages of the domains this IP visited.
grep '08/Nov/2011:06' /var/log/apache2/access.log | grep '1.2.3.4' | cut -f 8 -s --delimiter=" " | awk ' {print $0}' | sort | uniq -c | sort -n
If you conclude that the suspected IP might be an abuse attack, use the following command to find more information.
whois 1.2.3.4
The above commands might become helpful on a dark day that your server becomes a target.