
Last night around 2:00, I happened to try out a snippet:

netstat -ntu | tail -n +3|awk '{ print $5}' | cut -d : -f 1 | sort | uniq -c| sort -n -r | head -n 5

Then it turned out one IP had almost 120+ entries (I am not sure whether this word is appropriate)! The server where I ran the script above doesn't have much interesting stuff, just a server with blogs that are almost never visited by anyone besides my friends. I think the phenomenon is really suspicious.

How can I find out what the user at the suspicious IP is doing? I don't know anyone who could have such a high interest in those blogs deep in the night. By the way, I checked the IP and found it is in my country, so it's not a time-zone problem.

allanruin
  • What service were they connecting to? – David Schwartz Mar 11 '12 at 13:35
  • Sadly I forgot about that! Just now I can check the command again and the output is quite normal now. – allanruin Mar 11 '12 at 13:38
  • You should always keep logs like this, and make sure to also keep a timestamp of when the log was created that is as exact as possible (with the time zone). – David Schwartz Mar 11 '12 at 13:45
  • You are totally right. I just keep track of output of the script mentioned, but forget to record the result of netstat -ntu ... – allanruin Mar 11 '12 at 13:49
  • 2
    Start with a `whois ${IP_Address}` and see what that returns, it's probably a webcrawler or script kiddie. Either way, really nothing to be done. – Chris S Mar 11 '12 at 15:08

1 Answer


You should check the access logs of your web server to find out more.

If you are using Apache, you can find them in the /var/log/apache2 or /var/log/httpd/ directory.

You probably shouldn't be too worried. It's probably just a search engine crawling your websites and blogs. They tend to be very thorough.

Kenny Rasschaert