If you are ever using a cPanel server, here are some one-liners for the Command Line Interface.
Over Use of CPUs
Too many php-fpm requests
sudo netstat -an|grep :443|cut -d":" -f2|sort|uniq -c
or
sudo netstat -an|grep :80|cut -d":" -f2|sort|uniq -c
This looks at all the connections on https (port 443), extracts the remote IP address of each, sorts the addresses, then counts the connections per address. The result may look like this:
1 443 188.8.131.52
2 443 184.108.40.206
29 443 220.127.116.11
60 443 18.104.22.168
A quick check of https://www.abuseipdb.com/check/22.214.171.124 finds that this address has been reported for abuse in the past.
Ban the IP addresses 126.96.36.199 & 188.8.131.52 at the firewall level.
grep -d skip -e "POST /xmlrpc.php HTTP/1.1" /usr/local/apache/domlogs/*|cut -d/ -f6|cut -d":" -f1|sort|uniq -c
This gives an output of:
40 docsmenagerie.com-ssl_log
1506 epiphanychurch.co.nz
133 fallingforward.life-ssl_log
In the case of epiphany, I dug a bit deeper and found:
grep "POST /xmlrpc.php HTTP/1.1" /usr/local/apache/domlogs/epiphanychurch.co.nz|cut -d"-" -f1|sort|uniq -c
152 184.108.40.206 (Amazon)
1 220.127.116.11
1295 18.104.22.168 (Amazon)
There is no reason for an Amazon IP to be doing this unless it is a compromised website at this address.
Ban the IP addresses 22.214.171.124 & 126.96.36.199 at the firewall level.
Email Server under Attack
grep "R=send_via_sendgrid" /var/log/exim_mainlog | grep 2020-11-17 | wc -l
136
You only have a few days' worth of records, so I do this hourly and have an extended script that sends me an email if more than 400 emails are sent in a day.
If you end up with a large number you can run a script like this:
# Today's date in the format Exim uses at the start of each log line
today=$(date +%Y-%m-%d)
echo $today
echo $today > /home/strider/scripts/emails.txt
# Characters 21-36 of a log line hold the Exim message ID
for i in $(grep "R=send_via_sendgrid" /var/log/exim_mainlog | grep "$today" |cut -c21-36)
do
    # Append the recipient from each "=>" delivery line of that message
    cat /var/log/exim_mainlog|grep "$i"|grep "=>"|cut -d">" -f2|cut -d" " -f2>>/home/strider/scripts/emails.txt
done
# Count how many messages went to each recipient
cat /home/strider/scripts/emails.txt |sort|uniq -c
echo
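The daily count, the per-recipient breakdown and the 400-a-day check described above can be done in one pass over the log instead of re-reading it for every message ID. This is an added example, not the author's extended script; the function names, the sample log lines and the T=sendgrid_smtp transport name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the author's script). Assumes the usual exim_mainlog
# layout: date, time, message ID, "=>", recipient, then R=<router> T=<transport>.

# sendgrid_summary LOG DAY [ROUTER]
# Prints "count recipient", busiest first, for deliveries on DAY via ROUTER.
# LOG may be "-" to read standard input.
sendgrid_summary() {
    awk -v day="$2" -v router="R=${3:-send_via_sendgrid}" '
        $1 == day && $4 == "=>" {
            # Exact field match, so R=send_via_sendgrid2 is not counted
            for (i = 6; i <= NF; i++) if ($i == router) { seen[$5]++; break }
        }
        END { for (r in seen) print seen[r], r }
    ' "$1" | sort -k1,1nr -k2,2
}

# sendgrid_total LOG DAY [ROUTER]: total deliveries in the summary
sendgrid_total() {
    sendgrid_summary "$@" | awk '{ n += $1 } END { print n + 0 }'
}

# sendgrid_check LOG DAY LIMIT [ROUTER]
# Returns 0 within LIMIT; otherwise prints an alert plus the summary and
# returns 1, so a cron job can pipe the output to mail.
sendgrid_check() {
    total=$(sendgrid_total "$1" "$2" "$4")
    [ "$total" -le "$3" ] && return 0
    echo "ALERT: $total messages via ${4:-send_via_sendgrid} on $2 (limit $3)"
    sendgrid_summary "$1" "$2" "$4"
    return 1
}

# Constructed sample log lines (addresses, IDs and transport name are made up)
sample_log() {
    cat <<'EOF'
2020-11-17 09:00:01 1kexAA-0001AB-Cd <= web@site.example U=site P=local S=812
2020-11-17 09:00:02 1kexAA-0001AB-Cd => a@example.org R=send_via_sendgrid T=sendgrid_smtp
2020-11-17 09:05:10 1kexBB-0002CD-Ef => a@example.org R=send_via_sendgrid T=sendgrid_smtp
2020-11-17 09:06:00 1kexCC-0003EF-Gh => b@example.org R=send_via_sendgrid T=sendgrid_smtp
2020-11-17 09:07:00 1kexDD-0004GH-Ij => local <local@site.example> R=localuser T=local_delivery
2020-11-16 23:59:00 1kexEE-0005IJ-Kl => c@example.org R=send_via_sendgrid T=sendgrid_smtp
EOF
}

sample_log | sendgrid_summary - 2020-11-17
```

On a real server the hourly check would call sendgrid_check with /var/log/exim_mainlog, today's date and 400, and mail the output when the return status is non-zero.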