Cthulhu
Administrator
- AKA
- Yop
I should go find a good log analyzer that can do things like count the number of requests / second, log cpu usage, that kinda thing. Actually I found a few neat commands that can run a simple analysis on the log to display requests per day, hour, so here we go:
Code:
# per day, 30 nov is duplicate because the command spans multiple log files
root@localhost:~# awk '{print $4}' /var/log/apache2/access* | cut -d: -f1 | uniq -c
117292 [24/Nov/2014
97741 [25/Nov/2014
97071 [26/Nov/2014
131478 [27/Nov/2014
97302 [28/Nov/2014
86147 [29/Nov/2014
25442 [30/Nov/2014
72419 [30/Nov/2014 # total about 100K
371585 [01/Dec/2014
136038 [02/Dec/2014
# per hour, omitted the uninteresting figures
root@localhost:~# grep "01/Dec" /var/log/apache2/access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c
<snip>
3583 14:00
3156 15:00
8037 16:00
54661 17:00
7980 18:00
7233 19:00
8219 20:00
36071 21:00
97089 22:00
97202 23:00
root@localhost:~# grep "02/Dec" /var/log/apache2/access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c
69212 00:00
5402 01:00
3885 02:00
<snip>
So basically, about 20 - 24 hours ago, we had a pretty significant peak of 70 - 100K requests an hour, daily total of more than three times as much as normal. Counting requests done by IP address, we get a top 10 of most active IP addresses; I cross-referenced them with users for the lulz to see who whores TLS the most, or whether it's a spambot or whole country that needs to be banned.
Code:
cat /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -n | tail
2377 58.179.x.x # Ghost X
2482 211.26.x.x # Also Ghost X
2501 68.180.x.x # no known member
2834 98.206.x.x # Skan
2902 98.93.x.x # Benoist
3185 172.250.x.x # Howl
3783 105.237.x.x # Airling & Darth
7262 84.208.x.x # Fangu wins
11116 217.44.x.x # Octo has a problem
340641 75.177.x.x # ...Ryushikaze
So Ryu or his browser apparently did over 340K requests. Going over the logs, it looks like he's got the same problem as Red had - his browser, or an addon, causes the top 10 stats thing to go batshit and spam the shit out of it.
I'm tempted to just disable the plugin completely, IDK what's wrong with it besides it being five+ years old. I've disabled the plugin for Ryu for now - let me know if I should turn it off completely for everyone because somehow I'm sure it'll happen again.
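Added example, not part of the original post: the per-hour and per-IP counts above combined into one pass, so that each hour is reported only when a single client hammering a single path accounts for most of that hour's traffic. It assumes the Apache common/combined log format used by the commands above; the function names `hourly_hogs` and `make_sample_log`, the path `/stats/top10` and the IP addresses are constructed for illustration.

```shell
# Constructed sample data: documentation IP ranges and made-up paths.
make_sample_log() {
    {
        for ip in 192.0.2.10 192.0.2.11 198.51.100.7; do
            printf '%s - - [01/Dec/2014:21:05:00 +0000] "GET /index.php HTTP/1.1" 200 512\n' "$ip"
            printf '%s - - [01/Dec/2014:21:40:00 +0000] "GET /forum/thread HTTP/1.1" 200 512\n' "$ip"
        done
        i=0
        while [ "$i" -lt 40 ]; do   # one client polling a single endpoint
            printf '203.0.113.5 - - [01/Dec/2014:22:%02d:00 +0000] "GET /stats/top10?r=%d HTTP/1.1" 200 90\n' "$i" "$i"
            i=$((i + 1))
        done
        for ip in 192.0.2.10 192.0.2.11 198.51.100.7 192.0.2.12 192.0.2.13; do
            printf '%s - - [01/Dec/2014:22:30:00 +0000] "GET /index.php HTTP/1.1" 200 512\n' "$ip"
        done
    } > "$1"
}

# hourly_hogs LOGFILE MIN_PERCENT
# For every hour, find the busiest (client IP, path) pair and print it when it
# makes up at least MIN_PERCENT of that hour's requests.
# Output: DATE:HOUR  pair_hits/hour_total  IP  PATH
hourly_hogs() {
    awk -v min="$2" '
    {
        split($4, t, ":")                  # t[1]="[01/Dec/2014", t[2]="22"
        hour = substr(t[1], 2) ":" t[2]
        path = $7
        sub(/\?.*/, "", path)              # drop query string so cache-busters group together
        total[hour]++
        n = ++hits[hour SUBSEP $1 SUBSEP path]
        # counts only grow, so the running maximum is the final maximum
        if (n > best[hour]) { best[hour] = n; who[hour] = $1 " " path }
    }
    END {
        for (h in total)
            if (best[h] * 100 >= min * total[h])
                printf "%s %d/%d %s\n", h, best[h], total[h], who[h]
    }' "$1" | sort
}

log=$(mktemp)
make_sample_log "$log"
hourly_hogs "$log" 50    # prints: 01/Dec/2014:22 40/45 203.0.113.5 /stats/top10
rm -f "$log"
```

On a real log, a quiet hour with only a handful of requests can also cross the percentage threshold, so read the `hits/total` column before acting on a line.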