
Title: Aliyun virtual host CPU at 100%: extracting and analyzing the backend log

Author: 523066680    Time: 2019-1-31 16:06     Title: Aliyun virtual host CPU at 100%: extracting and analyzing the backend log

This post was last edited by 523066680 on 2019-1-31 16:17

I still understand far too little about networking. Today I logged into the console and found the CPU was maxed out. But my site hardly gets any visitors, so who on earth would bother messing with it?
From the console I learned that the logs can be fetched from the wwwlogs directory and analyzed on your own.

So I wrote a Perl script to analyze the log files (extracted from the zip):
```perl
=info
    Extract the Aliyun virtual host log entries and sort the data.
    Sort by main address (first three octets) by request count, and list
    the last-octet addresses / Agent info for each.
    523066680/vicyang
    2019-01
=cut
use Modern::Perl;                                   # strict, warnings, say
use Archive::Zip qw( :ERROR_CODES :CONSTANTS );
use File::Slurp;
use Encode;
STDOUT->autoflush(1);

# Read the log archive downloaded from the console and split every
# member (one file per log) into lines.
my $zip = Archive::Zip->new();
$zip->read( 'log20190131.zip' ) == AZ_OK or die "cannot read log20190131.zip";
my @fdata;
for my $m ( $zip->members ) {
    say $m->fileName;
    push @fdata, [split /\r?\n/, $m->contents];
}

# %hash: first three octets => { times => count, agent => first UA seen,
#                                ip => { last octet => 1, ... } }
# The archive holds two log files, hence members 0 and 1.
my %hash;
for my $s ( @{$fdata[0]}, @{$fdata[1]} )
{
    #next unless $s=~/31\/Jan\/2019/;
    # $1 = first three octets, $2 = last octet, $3 = user agent;
    # abort if a line does not have the expected layout.
    die "unexpected line: $s" unless $s=~/([\d\.]+)\.(\d+)[ -]+.*"(.*)" xyu3241/;
    if (exists $hash{$1}) {
        $hash{$1}{ip}{$2} = 1;
        $hash{$1}{times}++;
    } else {
        $hash{$1}{times} = 1;
        $hash{$1}{agent} = $3;
        $hash{$1}{ip} = {$2, 1};
    }
}

# Print ranges in ascending order of request count, busiest last.
my @sortkeys = sort { $hash{$a}{times} <=> $hash{$b}{times} } keys %hash;
for my $e (@sortkeys)
{
    printf "IP: %12s, times:%3d - %s\n",
            $e,
            #$hash{$e}{times}, $hash{$e}{agent};
            $hash{$e}{times}, join(",", sort { $a <=> $b } keys %{$hash{$e}{ip}});
}
__END__
Sample log line:
220.181.108.119 - - [31/Jan/2019:03:28:49 +0800] \
"GET /ucp.php?mode=register HTTP/1.1" 200 4795 "-" \
"Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" \
xyu3241540001.my3w.com text/html "/usr/home/xyu3241540001/htdocs/ucp.php" 502988
```
This gives the address ranges that issued the most requests (the numbers on the right are the list of last octets, showing that each IP range has several sub-IPs making requests):
```
IP:  220.181.108, times:440 - 75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,99,100,101,102,103,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,144,145,146,147,149,155,156,157,158,159,160,161,162,163,165,166,167,168,169,174,175,176,177,178,179,180,181,182,183,184,185,186,187
IP:   123.125.71, times:477 - 12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,36,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,60,74,75,76,77,78,79,85,86,87,88,89,90,91,92,94,95,96,97,98,99,100,105,106,107,108,109,110,111,112,113,114,115,116,117
IP:   216.244.66, times:506 - 250
IP:    42.236.10, times:1763 - 70,71,72,73,74,75,76,77,78,79,81,82,83,84,88,89,90,91,98,100,103,104,105,107,108,109,110,112,113,116,120,121,122,123
```
Listing the agent information:
```
IP:  220.181.108, times:440 - Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
IP:   123.125.71, times:477 - Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
IP:   216.244.66, times:506 - Mozilla/5.0 (compatible; DotBot/1.1; http://www.opensiteexplorer.org/dotbot, help@moz.com)
IP:    42.236.10, times:1763 - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36; 360Spider
```
Looks like it is that annoying 360Spider after all ……
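The same aggregation, as an added example in Python (this is not the post's Perl script). It parses the combined-log prefix of the line layout quoted above, groups requests by /24 (the "first three octets" of the post) using the ipaddress module, and, going a step beyond the script, counts every user agent seen per range instead of keeping only the first one and records the busiest minute per range, which is what you want when the question is who drove the CPU to 100%. The sample lines, host name and paths are constructed for the demonstration; the user agents are the ones the post lists.

```python
"""Aggregate web server access logs by address range (added example)."""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in the post's layout: combined log format followed
# by the host name, content type, script path and a trailing number.
SAMPLE_LOG = """\
220.181.108.119 - - [31/Jan/2019:03:28:49 +0800] "GET /ucp.php?mode=register HTTP/1.1" 200 4795 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" example-host.my3w.com text/html "/usr/home/example/htdocs/ucp.php" 502988
220.181.108.120 - - [31/Jan/2019:03:28:50 +0800] "GET /viewtopic.php?t=1 HTTP/1.1" 200 5100 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" example-host.my3w.com text/html "/usr/home/example/htdocs/viewtopic.php" 498120
42.236.10.70 - - [31/Jan/2019:03:29:01 +0800] "GET /viewtopic.php?t=2 HTTP/1.1" 200 5200 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36; 360Spider" example-host.my3w.com text/html "/usr/home/example/htdocs/viewtopic.php" 501003
42.236.10.71 - - [31/Jan/2019:03:29:01 +0800] "GET /viewtopic.php?t=3 HTTP/1.1" 200 5300 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36; 360Spider" example-host.my3w.com text/html "/usr/home/example/htdocs/viewtopic.php" 512300
42.236.10.71 - - [31/Jan/2019:03:29:02 +0800] "GET /viewtopic.php?t=4 HTTP/1.1" 200 5300 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36; 360Spider" example-host.my3w.com text/html "/usr/home/example/htdocs/viewtopic.php" 520011
not a log line
"""

# Only the combined-log prefix is matched; whatever the host appends after the
# agent string is ignored, so the pattern also fits plain Apache/Nginx logs.
LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Return the parsed fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields['time'] = datetime.strptime(fields['time'], '%d/%b/%Y:%H:%M:%S %z')
    return fields


def summarize_ranges(lines, prefix_len=24):
    """Group requests by /prefix_len range.

    Returns (ranges, skipped). ranges maps e.g. '42.236.10.0/24' to the request
    count, the sorted host parts seen (last octet for a /24), every agent with
    its count, and the highest number of requests in any single minute.
    """
    ranges = {}
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # blank or foreign line: count it, do not abort
            skipped += 1
            continue
        addr = ip_address(rec['ip'])
        net = ip_network((rec['ip'], prefix_len), strict=False)
        entry = ranges.setdefault(str(net), {
            'times': 0, 'hosts': set(), 'agents': Counter(), 'per_minute': Counter()})
        entry['times'] += 1
        entry['hosts'].add(int(addr) - int(net.network_address))
        entry['agents'][rec['agent']] += 1
        entry['per_minute'][rec['time'].strftime('%Y-%m-%d %H:%M')] += 1
    for entry in ranges.values():
        entry['hosts'] = sorted(entry['hosts'])
        entry['agents'] = dict(entry['agents'])
        entry['peak_per_minute'] = max(entry['per_minute'].values())
        del entry['per_minute']
    return ranges, skipped


def format_report(ranges):
    """Render the post's two listings (host parts, then agents), busiest range first."""
    out = []
    for net, e in sorted(ranges.items(), key=lambda kv: kv[1]['times'], reverse=True):
        hosts = ','.join(str(h) for h in e['hosts'])
        out.append(f"IP: {net:>18}, times:{e['times']:3d}, "
                   f"peak/min:{e['peak_per_minute']:3d} - {hosts}")
        for agent, n in sorted(e['agents'].items(), key=lambda kv: -kv[1]):
            out.append(f"    {n:4d} x {agent}")
    return '\n'.join(out)


if __name__ == '__main__':
    ranges, skipped = summarize_ranges(SAMPLE_LOG.splitlines())
    print(format_report(ranges))
    print(f"{skipped} line(s) did not match the expected layout")
```

Pass `prefix_len=16` to widen the grouping when a crawler spreads over more than one /24; the host part then becomes the offset within the /16 rather than the last octet. Unparseable lines are counted and skipped rather than aborting the run, which matters on a real log that may contain blank lines or entries for other virtual hosts.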




Welcome to 批处理之家 (http://bbs.bathome.net/) Powered by Discuz! 7.2