Help with shell script to count logins from different IPs (to same account) in exim_mainlog.

Asked by ujoe
Tags: Web Servers, Apache Web Server, Shell Scripting
11 Comments, 1 Solution, 1069 Views

I can figure out parts of this, but am having a difficult time putting it all together.

Here's the scenario:

This is a Redhat Linux server running a newer version of exim, with WHM/cPanel. I am the administrator with full root/shell access.

The exim_mainlog file contains multiple logins to the same email account from different IP addresses. This is an indication that the email user's password has been stolen and is being used to broadcast spam, depending of course on the number of different IP addresses logging in, within a short period of time. Here is a short example list of entries, just to illustrate this situation:

2012-03-10 16:31:19 1S6Uoo-0002d2-17 <= sales@customerdomain.com.au H=(customerdomain.com.au) [92.47.137.191] P=esmtpa A=courier_login:sales@customerdomain.com.au S=830
2012-03-10 16:31:24 1S6Uor-0002cc-V2 <= sales@customerdomain.com.au H=(customerdomain.com.au) [186.123.22.104] P=esmtpa A=courier_login:sales@customerdomain.com.au S=838
2012-03-10 16:31:27 1S6Uov-0002e3-KX <= sales@customerdomain.com.au H=(customerdomain.com.au) [201.29.210.105] P=esmtpa A=courier_login:sales@customerdomain.com.au S=839

Of course, these entries would be more numerous and mixed in with many other logins to many other email accounts on the server.

What I need to come up with is a shell script that counts the number of DIFFERENT IPs logging into the same account, e.g. within a tail of something like the last 100 entries.

I've found this line, which works great to count the number of exim logins per account:
egrep -o 'login[^ ]+' /var/log/exim_mainlog | sort|uniq -c|sort -nk 1

... and I can even get it to work for the last 100 entries, like this:
egrep -o 'login[^ ]+' /var/log/exim_mainlog | tail -100 | sort|uniq -c|sort -nk 1

But what I need is output that tells me how many DIFFERENT IPs have logged in to that account.

In other words, what I get from the script lines above is output like this:

     14 login:cccc@domainuber.com
     15 login:aaaa@domainlanka.com
     15 login:dddd@domaingreat.com

The leading number indicates the number of logins to each account.

But what I need to see instead is output something like the following:

14   2     login:jbs+domainuber.com
15   1     login:cmesa@domainlanka.com
15   12   login:rjc@domaingreat.com

... where the second number in each entry indicates the number of different IPs involved with the logins for each specific account.

I have also tried to work this out in a "for" loop, e.g.

#!/bin/bash
# Loop over the per-account login counts and print those above the threshold
for i in $(egrep -o 'login[^ ]+' /var/log/exim_mainlog | tail -100 | sort | uniq -c | sort -nk 1 | awk '{print $1}')
do
    if [ "$i" -gt 12 ]
    then
        echo "$i"
    fi
done

I am trying to establish 12 as a maximum threshold, but with this I am getting even less info than before, and certainly not the number of DIFFERENT IP addresses logging into each account.

Any help would be greatly appreciated.

Thanks!
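One way to produce the two-column output the question asks for, added here as an example and not the original poster's script or the accepted answer. It assumes the exim_mainlog format shown in the three lines above: each authenticated submission carries the source address in square brackets and an A=<authenticator>_login:<account> token. A single awk pass keeps, per account, the login count and a set of distinct source IPs; lines without both tokens (deliveries, bounces, rejects) are ignored. The sample log is constructed for the example: the three lines from the question plus made-up lines for a second account and a delivery.

```bash
#!/bin/bash
# Added example: per-account login count and distinct-source-IP count from exim_mainlog.
# Not the original poster's script and not the accepted answer.

# Reads exim_mainlog lines on stdin and prints one line per account:
#   <logins> <distinct_ips> login:<account>
# sorted by distinct-IP count, then by login count (ascending, like the question's output).
count_login_ips() {
    awk '
        {
            ip = ""; acct = ""
            for (i = 1; i <= NF; i++) {
                # source address token, e.g. [92.47.137.191] or [2001:db8::1]
                if ($i ~ /^\[[0-9A-Fa-f.:]+\]$/) {
                    ip = substr($i, 2, length($i) - 2)
                # authenticator token, e.g. A=courier_login:sales@customerdomain.com.au
                } else if ($i ~ /^A=[^ ]*login:/) {
                    acct = substr($i, index($i, "login:"))
                }
            }
            # only count lines that are authenticated logins with a source address
            if (ip == "" || acct == "") next
            logins[acct]++
            if (!((acct, ip) in seen)) { seen[acct, ip] = 1; ips[acct]++ }
        }
        END {
            for (a in logins) printf "%d %d %s\n", logins[a], ips[a], a
        }
    ' | sort -k2,2n -k1,1n
}

# Accounts whose distinct-IP count exceeds a threshold (default 12, as in the question).
flag_shared_accounts() {
    local threshold="${1:-12}"
    count_login_ips | awk -v t="$threshold" '$2 > t { print }'
}

# Constructed sample input: the three lines from the question plus two logins for a
# second account from one address, and one delivery line that must not be counted.
SAMPLE_LOG='2012-03-10 16:31:19 1S6Uoo-0002d2-17 <= sales@customerdomain.com.au H=(customerdomain.com.au) [92.47.137.191] P=esmtpa A=courier_login:sales@customerdomain.com.au S=830
2012-03-10 16:31:24 1S6Uor-0002cc-V2 <= sales@customerdomain.com.au H=(customerdomain.com.au) [186.123.22.104] P=esmtpa A=courier_login:sales@customerdomain.com.au S=838
2012-03-10 16:31:27 1S6Uov-0002e3-KX <= sales@customerdomain.com.au H=(customerdomain.com.au) [201.29.210.105] P=esmtpa A=courier_login:sales@customerdomain.com.au S=839
2012-03-10 16:32:01 1S6Upp-0002f1-Aa <= bob@example.net H=(host.example.net) [203.0.113.7] P=esmtpa A=dovecot_login:bob@example.net S=900
2012-03-10 16:32:10 1S6Upq-0002f2-Bb <= bob@example.net H=(host.example.net) [203.0.113.7] P=esmtpa A=dovecot_login:bob@example.net S=905
2012-03-10 16:33:00 1S6Upr-0002f3-Cc => bob@example.net R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.9]'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_login_ips
printf '%s\n' "$SAMPLE_LOG" | flag_shared_accounts 2
```

On a live server, pipe the real log in and do the "last N entries" trimming before the function, so the window is measured in login lines rather than in all log lines: `grep 'login:' /var/log/exim_mainlog | tail -n 100 | count_login_ips`. The distinct-IP column is the more useful signal: a webmail host or an office behind NAT legitimately produces many logins from one address, whereas one mailbox submitting from a dozen addresses in a few minutes is the pattern the question describes.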
ASKER CERTIFIED SOLUTION
simon3270