Server Log Analysis
2019, March, 02
I have a small cloud VM which I use for personal projects, with Nginx as the web server.
Server access logs from the last 2 weeks were available, so I decided to go through them.
I wrote a small Python script to parse the log files and insert the details into a database, from where they could be easily queried. I also did a geo lookup based on the client IP addresses in the logs.
I expected to find details about requests from myself and maybe a few requests from web crawlers of search engines like Google.
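An added example of the parse-and-query step described above (my own illustration, not the author's script): it parses Nginx "combined" format lines into an in-memory SQLite table and runs the kind of query that produced the tables below. The log lines are constructed samples using documentation IP ranges, not the author's real logs; geo lookup is left out since it needs an external database.

```python
import re
import sqlite3

# Nginx default "combined" access_log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges), not real server logs.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2019:10:00:01 +0000] "GET /1.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2019:10:00:02 +0000] "GET /cmd.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2019:10:00:03 +0000] "GET /1.php?a=1 HTTP/1.1" 404 153 "-" "curl/7.64"
192.0.2.5 - - [01/Mar/2019:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Mar/2019:10:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "Googlebot/2.1"
"""

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]  # drop the query string, keep the endpoint
    return d

def build_db(text):
    """Parse every non-empty line of `text` into an in-memory SQLite table and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE requests (ip TEXT, time TEXT, method TEXT, path TEXT, status INTEGER, ua TEXT)")
    rows = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    conn.executemany("INSERT INTO requests VALUES (:ip, :time, :method, :path, :status, :ua)", rows)
    conn.commit()
    return conn

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM requests").fetchone()[0]

def distinct_ips(conn):
    return conn.execute("SELECT COUNT(DISTINCT ip) FROM requests").fetchone()[0]

def top_php_404s(conn, limit=10):
    """Most requested *.php endpoints that returned 404, i.e. the first table in the post."""
    return conn.execute(
        "SELECT path, COUNT(*) AS n FROM requests WHERE path LIKE '%.php' AND status = 404 "
        "GROUP BY path ORDER BY n DESC, path LIMIT ?", (limit,)
    ).fetchall()

if __name__ == "__main__":
    db = build_db(SAMPLE_LOG)
    print(row_count(db), "requests from", distinct_ips(db), "IPs")
    print(top_php_404s(db))
```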
But I found the following:
Total Requests: 7357
A lot higher than expected, since there isn't much hosted on the server. Only around 10% of the requests seem to be generated by me.
5325 requests were for *.php endpoints.
I do not use PHP on my server, so all such requests ended up with 404s. Not sure whether these requests were trying index pages or looking for security vulnerabilities.
Top Requested *.php endpoints were:
php Endpoints | Requests |
---|---|
/1.php | 74 |
/x.php | 64 |
/qq.php | 56 |
/test.php | 55 |
/confg.php | 55 |
/cmd.php | 42 |
/z.php | 41 |
/q.php | 40 |
/xx.php | 28 |
/help.php | 28 |
Requests came from 623 different IP addresses in 75 countries. I wasn't expecting this either.
Top countries were:
Country | Requests |
---|---|
China | 3585 |
India | 799 |
United States | 671 |
Hong Kong | 470 |
Sweden | 382 |
Korea | 374 |
Moldova | 294 |
Spain | 115 |
Italy | 112 |
Brazil | 79 |
Russia | 76 |
Denmark | 35 |
Based on the IP addresses, most of the requests came from a few organizations and ISPs:
Organization/ISP | Country | Requests |
---|---|---|
Shenzhen Tencent Computer Systems Company Limited | China | 2735 |
Beijing Baidu Netcom Science and Technology Co., Ltd. | China | 731 |
Atria Convergence Technologies Pvt. Ltd. | India | 504 |
Korea Telecom | Korea | 371 |
Bredband2 AB | Sweden | 366 |
New World Telephone Ltd. | Hong Kong | 358 |
ETS TELEPHONE COMPANY, INC. | US | 358 |
RM Engineering LLC | Moldova | 292 |
National Internet Backbone | India | 273 |
Google LLC | US | 137 |
Orange Espagne SA | Spain | 109 |
HKT Limited | Hong Kong | 108 |
Network of data-centers Selectel | Russia | 57 |
Aruba S.p.A. | Italy | 55 |
Vodafone Italia S.p.A. | Italy | 52 |
CHINANET-BACKBONE | China | 44 |
TELEFÔNICA BRASIL S.A | Brazil | 34 |
Amazon.com, Inc. | US | 33 |
A few of the requests were also from network mapping tools like nmap and MASSCAN.
I plan to keep analysing my server logs to find more trends.