If you are ever using a cPanel server, here are some one-liners for the Command Line Interface.
Overuse of CPUs
Too many php-fpm requests
sudo netstat -an|grep :443|cut -d":" -f2|sort|uniq -c
or, for plain http:
sudo netstat -an|grep :80|cut -d":" -f2|sort|uniq -c
This lists every connection on https (or http), cuts out the remote IP address, sorts the addresses and counts how often each one appears. The result may look like this:
1 443 207.46.13.234
2 443 207.46.13.4
29 443 24.253.147.45
60 443 3.112.253.65
A quick check of https://www.abuseipdb.com/check/3.112.253.65 finds that this address has been reported for abuse in the past.
Remedy
Ban the IP addresses 24.253.147.45 & 3.112.253.65 at the firewall level.
WordPress Attacks
Attacking xmlrpc.php
grep -d skip -e "POST /xmlrpc.php HTTP/1.1" /usr/local/apache/domlogs/*|cut -d/ -f6|cut -d":" -f1|sort|uniq -c
This gives an output of:
40 docsmenagerie.com-ssl_log
1506 epiphanychurch.co.nz
133 fallingforward.life-ssl_log
In the case of epiphany, I dug a bit deeper and found:
grep "POST /xmlrpc.php HTTP/1.1" /usr/local/apache/domlogs/epiphanychurch.co.nz|cut -d"-" -f1|sort|uniq -c
152 3.112.253.65 (Amazon)
1 3.113.159.115
1295 3.22.117.97 (Amazon)
Remedy
There is no reason for an Amazon IP to be doing this unless it is a compromised website at this address.
Ban the IP addresses 3.122.253.65 & 3.22.117.97 at the firewall level.
Email Server under Attack
Sent today
grep "R=send_via_sendgrid" /var/log/exim_mainlog | grep 2020-11-17 | wc -l
136
You only have a few days' worth of records, so I do this hourly and have an extended script that sends me an email if more than 400 emails are sent in a day.
If you end up with a large number you can run a script like this, which pulls the 16-character Exim message ID (columns 21-36 of each log line) for every message routed via SendGrid today, then collects and counts the recipient of each delivery ("=>") line for those messages:
#!/bin/sh
today=$(date +%Y-%m-%d)
echo $today
echo $today > /home/strider/scripts/emails.txt
# one message ID per line routed through send_via_sendgrid today
for i in $(grep "R=send_via_sendgrid" /var/log/exim_mainlog | grep "$today" | cut -c21-36)
do
  # recipient address from every "=>" delivery line carrying that ID
  cat /var/log/exim_mainlog | grep $i | grep "=>" | cut -d">" -f2 | cut -d" " -f2 >> /home/strider/scripts/emails.txt
done
# tally of recipients for the day
cat /home/strider/scripts/emails.txt | sort | uniq -c
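As an added example, not the post's own script, here is a POSIX shell version of the same two checks (the daily SendGrid delivery count against the 400-a-day alarm and the per-recipient tally), run over a constructed exim_mainlog sample; the log lines, addresses and the threshold parameter are assumptions, and message IDs are deduplicated so a multi-recipient message is only walked once.

```shell
#!/bin/sh
# Added example (not the post's own script). Column layout follows exim:
# date(10) space time(8) space msgid(16), so the ID sits in columns 21-36.

# Constructed sample of /var/log/exim_mainlog; IDs and addresses are made up.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2020-11-17 09:12:01 1kemRz-0003Vk-7P <= bob@example.com H=localhost [127.0.0.1] P=esmtpa S=1234
2020-11-17 09:12:02 1kemRz-0003Vk-7P => alice@example.net R=send_via_sendgrid T=sendgrid_smtp H=smtp.sendgrid.net [192.0.2.10] C="250 Ok"
2020-11-17 09:12:02 1kemRz-0003Vk-7P Completed
2020-11-17 09:15:44 1kemVN-0003Wq-Lx <= www-data@example.com U=www-data P=local S=2048
2020-11-17 09:15:45 1kemVN-0003Wq-Lx => alice@example.net R=send_via_sendgrid T=sendgrid_smtp H=smtp.sendgrid.net [192.0.2.10] C="250 Ok"
2020-11-17 09:15:45 1kemVN-0003Wq-Lx => carol@example.org R=send_via_sendgrid T=sendgrid_smtp H=smtp.sendgrid.net [192.0.2.10] C="250 Ok"
2020-11-17 09:15:45 1kemVN-0003Wq-Lx Completed
2020-11-16 23:59:59 1kdxAA-0001Aa-Zz => dave@example.org R=send_via_sendgrid T=sendgrid_smtp H=smtp.sendgrid.net [192.0.2.10] C="250 Ok"
2020-11-17 10:00:00 1kenAB-0001Bb-Qq => erin@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.5] C="250 Ok"
EOF

# Number of deliveries routed via send_via_sendgrid on date $2 in log $1
# (the post's one-liner, parameterised on log file and date).
sendgrid_count() {
    grep "R=send_via_sendgrid" "$1" | grep -c "^$2"
}

# True (exit 0) when the daily count exceeds the alarm threshold $3
# (assumed default 400, the figure the post uses for its hourly alert).
sendgrid_over_threshold() {
    [ "$(sendgrid_count "$1" "$2")" -gt "${3:-400}" ]
}

# Per-recipient tally for date $2: take the message ID from columns 21-36
# of each matching line (deduplicated), then collect the recipient from
# every "=>" delivery line carrying that ID. Output is "count recipient".
sendgrid_recipients() {
    tmp=$(mktemp)
    for id in $(grep "R=send_via_sendgrid" "$1" | grep "^$2" | cut -c21-36 | sort -u)
    do
        grep "$id" "$1" | grep "=>" | cut -d">" -f2 | cut -d" " -f2 >> "$tmp"
    done
    sort "$tmp" | uniq -c | sort -rn
    rm -f "$tmp"
}

sendgrid_count "$SAMPLE_LOG" 2020-11-17
sendgrid_recipients "$SAMPLE_LOG" 2020-11-17
```

On a live server point the functions at /var/log/exim_mainlog and today's date; a recipient that dominates the tally usually traces back to one compromised account or script in the "<=" line of its message IDs.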