Channel: linuxadmin: Expanding Linux SysAdmin knowledge

Finding an Apache DOS attack

I just thought I'd throw this in here. I was looking at a client's server as Apache was consistently becoming overloaded within seconds of restarting. My immediate suspicion was a DOS, since we have already tuned Apache and it should be pretty optimal.

So I figured I'd just throw out how I found the source of the Apache DOS:

netstat -plane | grep :80 | awk '{print $5}' | sort -n | awk -F : '{print $1}' | uniq -c | sort -n 

This just spits out the standard netstat -plane (PID, listening port, all interfaces, numeric addresses and extended information).

Piping to grep to filter for Apache connections (port 80).

Awk to grab the column with the source IP.

Sort numerically.

Awk to remove the remote port and just show the source IP.

Uniq to consolidate all the IPs and just output the number of entries for an individual IP.

And finally sort it again, numerically, so the output is ordered by the count that uniq produced.

With the above you should be able to find your web server (Apache in this instance) attacker. It'll be pretty obvious.

submitted by devilkin
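
An added example, not part of the original post: the same per-IP count, generalized to match the local port exactly (so `:8080` and outbound connections to a remote port 80 are not counted), unwrap IPv4-mapped IPv6 addresses, and report how many of each client's sockets are half-open. The function names `count_clients` and `sample_netstat` and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reads netstat output on stdin
# and prints "<total> <syn_recv> <remote-ip>" for one exact local port.
count_clients() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && NF >= 6 {
            # Column 4 is the local address, column 5 the remote one. The
            # port is whatever follows the LAST colon (IPv4 and IPv6).
            lport = $4; sub(/.*:/, "", lport)
            if (lport != port || $6 == "LISTEN") next
            ip = $5; sub(/:[^:]*$/, "", ip)   # drop the remote port
            sub(/^::ffff:/, "", ip)           # unwrap IPv4-mapped IPv6
            total[ip]++
            if ($6 == "SYN_RECV") half[ip]++  # half-open connections
        }
        END { for (ip in total) print total[ip], half[ip] + 0, ip }
    ' | LC_ALL=C sort -k1,1nr -k3,3
}

# Constructed sample in `netstat -plane` layout (documentation addresses).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 1111 900/apache2
tcp 0 0 192.0.2.10:80 198.51.100.7:40112 ESTABLISHED 33 2001 901/apache2
tcp 0 0 192.0.2.10:80 198.51.100.7:40113 ESTABLISHED 33 2002 902/apache2
tcp 0 0 192.0.2.10:80 198.51.100.7:40114 SYN_RECV 0 0 -
tcp 0 0 192.0.2.10:80 203.0.113.5:51000 TIME_WAIT 0 0 -
tcp 0 0 192.0.2.10:8080 203.0.113.9:51001 ESTABLISHED 33 2003 950/java
tcp 0 0 192.0.2.10:51500 203.0.113.20:80 ESTABLISHED 0 2004 960/curl
tcp6 0 0 ::ffff:192.0.2.10:80 ::ffff:198.51.100.7:40115 ESTABLISHED 33 2005 903/apache2
tcp6 0 0 2001:db8::10:80 2001:db8::beef:40200 ESTABLISHED 33 2006 904/apache2
EOF
}

# Live use: netstat -plane | count_clients 80
sample_netstat | count_clients 80
```

A client whose total is dominated by SYN_RECV points to half-open connection exhaustion rather than completed requests tying up Apache workers.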