
I'm using grep for analysing my log files after an attack, usually like this:

grep -F "POST /xxxxx.php" ./access-log

Now someone attacked some of my websites, but I don't know where the vulnerability is, and also not what the attacker's IP address is. Now I want to find an IP address that sent a request to more than one of my websites, like this:

abcde.com-log:123.123.123.123 - - [12/Jan/2013:08:41:08 +0100] "POST /xxxxx.php HTTP/1.1" 200 1234 "-" "-"

wxyz.com-log:123.123.123.123 - - [12/Jan/2013:08:41:08 +0100] "POST /xxxxx.php HTTP/1.1" 200 1234 "-" "-"

but I don't know how I get grep or other Unix tools to give me only those matches that occur in more than one log file.

  • Since you don't know where the vulnerability is, what characteristics can you provide to identify the attacking requests? Is it always a POST request? Always to a .php file? Without such data you would also match Google-Bot, for example, requesting the robots.txt from two of your sites. – Perleone Jan 18 '13 at 00:40

1 Answer

Assuming the IP address you want is the one that appears as the first field in each log file, try this:

awk '
   /POST \/xxxxx\.php/ {
      ip=$1
      # first time this IP is seen in the current file
      if ( !(ipFilePairs[ip,FILENAME]++) ) {
         ipFileCnt[ip]++
         ipFileList[ip] = ipFileList[ip] " " FILENAME
      }
   }
   END {
      # only report IPs that matched in more than one file
      for (ip in ipFileCnt)
         if (ipFileCnt[ip] > 1)
            print ip ":" ipFileList[ip]
   }
' *.log   # adjust the glob to your log file names (the files in the question are named like abcde.com-log)
Ed Morton
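The following is an added, runnable example (not code from the question or from the answer above) that builds three constructed access logs for three hypothetical sites and applies the same awk approach, with the request pattern passed in as a parameter. The function names (make_sample_logs, ips_in_multiple_logs, demo), the host names and the IP addresses (RFC 5737 documentation ranges) are all invented for the demonstration. Running it with the narrow "POST /xxxxx.php" pattern reports only the one IP that posted to two sites; running it with the match-everything pattern "." also reports the crawler fetching robots.txt from two sites, which is the caveat raised in the comment on the question.

```shell
#!/bin/sh
# Added example: find client IPs that sent a matching request to more
# than one site, one access log per site. Not code from the original post;
# all function names, host names and addresses below are constructed.

make_sample_logs() {
    # $1 = directory in which to create the constructed logs
    d=$1
    mkdir -p "$d"
    cat > "$d/abcde.com-log" <<'EOF'
203.0.113.10 - - [12/Jan/2013:08:41:08 +0100] "POST /xxxxx.php HTTP/1.1" 200 1234 "-" "-"
198.51.100.7 - - [12/Jan/2013:08:42:01 +0100] "GET /robots.txt HTTP/1.1" 200 68 "-" "Googlebot"
203.0.113.10 - - [12/Jan/2013:08:43:09 +0100] "POST /xxxxx.php HTTP/1.1" 200 1234 "-" "-"
EOF
    cat > "$d/third.com-log" <<'EOF'
192.0.2.55 - - [12/Jan/2013:09:01:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "-"
EOF
    cat > "$d/wxyz.com-log" <<'EOF'
203.0.113.10 - - [12/Jan/2013:08:41:08 +0100] "POST /xxxxx.php HTTP/1.1" 200 1234 "-" "-"
198.51.100.7 - - [12/Jan/2013:08:45:30 +0100] "GET /robots.txt HTTP/1.1" 200 68 "-" "Googlebot"
192.0.2.55 - - [12/Jan/2013:08:50:12 +0100] "POST /xxxxx.php HTTP/1.1" 200 1234 "-" "-"
EOF
}

ips_in_multiple_logs() {
    # $1 = awk regex selecting the suspicious requests; remaining args = log files.
    # Prints "ip: file1 file2 ..." for every IP whose matching requests span
    # more than one file. The regex is passed with -v, so avoid backslashes
    # in it (use [.] rather than \. to match a literal dot).
    pat=$1
    shift
    awk -v pat="$pat" '
        $0 ~ pat {
            ip = $1
            # count each (ip, file) pair once, however many hits it has
            if (!(seen[ip, FILENAME]++)) {
                cnt[ip]++
                files[ip] = files[ip] " " FILENAME
            }
        }
        END {
            for (ip in cnt)
                if (cnt[ip] > 1)
                    print ip ":" files[ip]
        }
    ' "$@"
}

demo() {
    # $1 = request pattern. Builds the constructed logs in a temp dir, runs the
    # search over them in a fixed file order and sorts the output so that the
    # result is deterministic (awk's for-in order is unspecified).
    dir=$(mktemp -d)
    make_sample_logs "$dir"
    (cd "$dir" && ips_in_multiple_logs "$1" abcde.com-log third.com-log wxyz.com-log | sort)
    rm -rf "$dir"
}

# Narrow pattern: only the address that posted to xxxxx.php on two sites.
demo 'POST /xxxxx[.]php'
# Match-everything pattern: the crawler and a benign visitor show up as well.
demo '.'
```

The difference between the two runs is the whole point of the comment on the question: the awk logic cannot tell an attacker from a crawler, so the request pattern has to encode whatever is known about the attack (method, path, user agent, time window) before the "seen on more than one site" test becomes useful.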