Server Log Analysis

2019, March, 02

Side Project, Python

I have a small cloud VM, which I use for personal projects. I use Nginx as the web server.

Server access logs from the last 2 weeks were available, so I decided to go through them.

I wrote a small Python script to parse the log files and insert the details into a database, from where they could be easily queried. I also did a geo lookup based on the IP addresses of the client machines in the logs.

I expected to find details about requests from myself and maybe a few requests from web crawlers of search engines like Google.

But I found the following:

  • Total Requests: 7357

    A lot higher than expected, since there isn't much hosted on the server. Only around 10% of the requests seem to be generated by me.

  • 5325 requests were for *.php endpoints.

    I do not use php on my server, so all such requests ended up with 404s.

    Not sure whether these requests were trying to index pages or looking for security vulnerabilities.


    Top Requested *.php endpoints were:

    php Endpoint    Requests
    /1.php          74
    /x.php          64
    /qq.php         56
    /test.php       55
    /confg.php      55
    /cmd.php        42
    /z.php          41
    /q.php          40
    /xx.php         28
    /help.php       28

    Country         Requests
    China           3585
    India           799
    United States   671
    Hong Kong       470
    Sweden          382
    Korea           374
    Moldova         294
    Spain           115
    Italy           112
    Brazil          79
    Russia          76
    Denmark         35

Most of the requests came from a few select organizations and ISPs based on IP addresses:

Organization/ISP                                       Country    Requests
Shenzhen Tencent Computer Systems Company Limited      China      2735
Beijing Baidu Netcom Science and Technology Co., Ltd.  China      731
Atria Convergence Technologies Pvt. Ltd.               India      504
Korea Telecom                                          Korea      371
Bredband2 AB                                           Sweden     366
New World Telephone Ltd.                               Hong Kong  358
ETS TELEPHONE COMPANY, INC.                            US         358
RM Engineering LLC                                     Moldova    292
National Internet Backbone                             India      273
Google LLC                                             US         137
Orange Espagne SA                                      Spain      109
HKT Limited                                            Hong Kong  108
Network of data-centers Selectel                       Russia     57
Aruba S.p.A.                                           Italy      55
Vodafone Italia S.p.A.                                 Italy      52
CHINANET-BACKBONE                                      China      44
TELEFÔNICA BRASIL S.A                                  Brazil     34
Amazon.com, Inc.                                       US         33

  • A few of the requests were also from network mapping tools like nmap and MASSCAN.

I plan to keep analysing my server logs to find more trends.
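
The parse-and-load step described above, with queries for the *.php endpoints and the self-identifying scanners, as an added example (not the script used for this post). It assumes Nginx's default "combined" log format and an in-memory SQLite database; the table name, function names and sample lines are constructed for illustration, and the geo lookup is left out because it needs an external IP database.

```python
import re
import sqlite3

# Nginx "combined" log format is assumed; the post does not show its log_format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')
# Constructed sample lines using documentation IP ranges, not the post's logs.
SAMPLE = [
    '203.0.113.7 - - [01/Mar/2019:10:00:01 +0000] "GET /1.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2019:10:00:02 +0000] "POST /x.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Mar/2019:10:05:00 +0000] "GET /1.php?a=1 HTTP/1.1" 404 162 "-" "curl/7.58.0"',
    '192.0.2.44 - - [01/Mar/2019:11:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "masscan/1.0"',
    '192.0.2.45 - - [01/Mar/2019:11:30:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Nmap Scripting Engine"',
    '192.0.2.50 - - [01/Mar/2019:12:00:00 +0000] "\\x16\\x03\\x01" 400 166 "-" "-"',
    'not an access log line',
]

def load(lines, db):
    """Insert parsed lines into `requests`; return how many lines did not parse."""
    db.execute("CREATE TABLE requests (ip, ts, method, path, status INTEGER, agent)")
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        # Non-HTTP probes (such as a TLS hello) lack the "METHOD target PROTO" shape.
        parts = m["request"].split(" ")
        method, target = (parts[0], parts[1]) if len(parts) == 3 else (None, m["request"])
        path = target.split("?", 1)[0]  # so /1.php?a=1 is counted with /1.php
        db.execute("INSERT INTO requests VALUES (?,?,?,?,?,?)",
                   (m["ip"], m["ts"], method, path, int(m["status"]), m["agent"]))
    return skipped

def top_php(db, limit=10):
    return db.execute("SELECT path, COUNT(*) AS n FROM requests WHERE path LIKE '%.php' "
                      "GROUP BY path ORDER BY n DESC, path LIMIT ?", (limit,)).fetchall()

def scanner_ips(db):
    # SQLite's LIKE is case-insensitive for ASCII, so '%nmap%' also matches "Nmap".
    return [r[0] for r in db.execute(
        "SELECT DISTINCT ip FROM requests WHERE agent LIKE '%masscan%' "
        "OR agent LIKE '%nmap%' ORDER BY ip")]

def demo():
    db = sqlite3.connect(":memory:")
    return load(SAMPLE, db), top_php(db), scanner_ips(db)

if __name__ == "__main__":
    print(demo())
```

The User-Agent header is supplied by the client, so the scanner query only finds tools that announce themselves; the count of skipped lines shows how much of a log the pattern failed to cover.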