How to diagnose a DoS/DDoS attack and find websites under attack on a Plesk server

1. Connect to the server via SSH.

2. Determine the source IP addresses and numbers of the connections:

   # ss -tan state established | grep ":80\|:443" | awk '{print $4}'| cut -d':' -f1 | sort -n | uniq -c | sort -nr

3. Find the domains which are currently under attack:

   # for log in /var/www/vhosts/system/*/logs/*access*log; do echo -n "$log "; tail -n10000 "$log" | grep -c 203.0.113.2; done | sort -n -k2

4. Check the number of connections in SYN_RECV state (possible syn-flood):

   # ss -tan state syn-recv | wc -l

5. If there are several IP addresses in Plesk, determine the target IP address under attack:

   # netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

It is possible that there are not many established connections to the web server, however, there might be a lot of requests that were successfully served by nginx and transferred to Apache and at this point, Apache is under attack. To track these requests do the following:

1. Navigate to /var/www/vhosts/system:

   # cd /var/www/vhosts/system

2. Generate a file requests to fetch the number of requests that were made in the last hour using the command below.

   Note: As an example, 24/Jan/2022:20 will be used. Here ":20" is 8 p.m.

   # for i in *;do echo -n "$i "; grep '24/Jan/2022:20' $i/logs/access_ssl_log | awk '{print $1}' | wc -l;done > ~/requests

3. Check the generated file:

   # cat ~/requests | sort -k 2 -r -n | head
   example.com 24549
   example.net 18545
   test.com 3

1. Connect to the server via SSH.

2. Create an environment for investigation:

   # mkdir /root/inv
   # cd /var/www/vhosts/system
   # for i in *; do mkdir /root/inv/$i; done

3. Populate the environment with log files for the last few days:

   # for i in *; do find $i -mtime -3 -type f -exec cp -a {} /root/inv/$i \;; done

4. Unzip processed log-files:

   # cd /root/inv
   # for i in /root/inv/*/*; do [[ ${i:(-3)} == ".gz" ]] && gunzip $i ; done

5. Remove statistics and configuration files:

   # rm /root/inv/*/*.conf /root/inv/*/*.png /root/inv/*/*webalizer* /root/inv/*/*webstat */*html

6. Get entries from the day of attack to form a report:

   Note: As an example, 30/Oct/2017 will be used.

   # for i in *; do [[ -d $i ]] && grep -rh "\[30/Oct/2017" ./$i > $i.accessed; done

7. Sort the entries by size:

   # ls -laS | less

   Note: A size of a log file will be displayed. The higher the size of a log-file, the higher is the chance of it being targeted.

8. Find the most used IP addresses:

   # cut -f 1 -d ' ' *.accessed | sort -n | uniq -c | sort -nr | less

   Note: This command displays how many attempts to access a website each IP address performed in a time-frame specified on step 6.

9. Find the domains which were targeted by these IP addresses:

   # grep -rc 203.0.113.2 /root/inv/*/* | sort -n -k2 -t:

1. Connect to the server via RDP.

2. Start a command prompt and run the following commands to check the count of connections on ports 80 and 443:

   C:\> netstat -ano | find /c "80"

   C:\> netstat -ano | find /c "443"

   Note: If there is a large number of connections (hundreds or thousands) to the same port, the server is likely under a DDoS attack