Cybersecurity Triage

Find Common Admin Probe Paths

You need to find repeated requests for common administrative or login-looking paths in a web log.

Command

awk '$7 ~ /(admin|login|wp-|phpmyadmin)/ {print $1, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | head

What changed

Nothing changes on the system. The command filters log lines whose request path (field `$7`) contains one of the keywords, then counts repeated combinations of source IP, path, and HTTP status.

Danger

safe

When to use it

Use this to spot broad internet background noise and decide whether a path is being repeatedly requested.

When not to use it

Do not assume a keyword match means compromise; this only shows requested paths.

Undo or recovery

No undo needed because the command is read-only.

Expected output

Counts with source IP, requested path, and HTTP status.

demo script

Disposable terminal steps

  1. awk '{print $7}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | head
  2. awk '$7 ~ /(admin|login|wp-|phpmyadmin)/ {print $1, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | head
  3. awk '$7 ~ /(admin|login|wp-|phpmyadmin)/ {print}' ./fixtures/nginx/access.log

simulated output

What it looks like

$ awk '{print $7}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | head
      5 /health
      3 /search?q=nginx&page=1
      3 /missing
      3 /api/report
      2 /download/site-backup.tar
      2 /api/profile
      1 /wp-login.php
      1 /wp-admin
      1 /login
      1 /docs
::exit-code::0
$ awk '$7 ~ /(admin|login|wp-|phpmyadmin)/ {print $1, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | head
      1 203.0.113.45 /login 403
      1 203.0.113.45 /admin 403
      1 203.0.113.44 /wp-login.php 404
      1 203.0.113.44 /wp-admin 404
::exit-code::0
$ awk '$7 ~ /(admin|login|wp-|phpmyadmin)/ {print}' ./fixtures/nginx/access.log
203.0.113.44 - - [25/Jun/2026:10:01:07 +0000] "GET /wp-login.php HTTP/1.1" 404 140 "-" "ScannerBot/1.0"
203.0.113.44 - - [25/Jun/2026:10:01:09 +0000] "GET /wp-admin HTTP/1.1" 404 140 "-" "ScannerBot/1.0"
203.0.113.45 - - [25/Jun/2026:10:01:12 +0000] "GET /admin HTTP/1.1" 403 180 "-" "SyntheticAudit/0.1"
203.0.113.45 - - [25/Jun/2026:10:01:14 +0000] "GET /login HTTP/1.1" 403 180 "-" "SyntheticAudit/0.1"
::exit-code::0
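
The filter above matches the keywords anywhere in `$7`, including the query string, and treats every status the same. The following is an added example, not part of the original lesson: it strips the query string before matching, skips request lines that are not well formed, and labels 2xx/3xx answers for review first. The function names, the `REVIEW`/`noise` labels, and the sample lines (constructed, adapted from the simulated output) are assumptions.

```shell
#!/bin/sh
# Constructed sample lines in nginx "combined" format (not the lesson's fixture file).
sample_log() {
cat <<'EOF'
203.0.113.44 - - [25/Jun/2026:10:01:07 +0000] "GET /wp-login.php HTTP/1.1" 404 140 "-" "ScannerBot/1.0"
203.0.113.44 - - [25/Jun/2026:10:01:09 +0000] "GET /wp-admin HTTP/1.1" 404 140 "-" "ScannerBot/1.0"
203.0.113.45 - - [25/Jun/2026:10:01:12 +0000] "GET /admin HTTP/1.1" 403 180 "-" "SyntheticAudit/0.1"
203.0.113.45 - - [25/Jun/2026:10:01:14 +0000] "GET /login HTTP/1.1" 200 512 "-" "SyntheticAudit/0.1"
198.51.100.7 - - [25/Jun/2026:10:02:01 +0000] "GET /search?q=admin+login HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jun/2026:10:02:05 +0000] "GET /health HTTP/1.1" 200 2 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Jun/2026:10:03:00 +0000] "GET /admin" 400 150 "-" "-"
EOF
}

# Read access-log lines from stdin (or files given as arguments) and print
# "count ip path status verdict", most frequent first. Read-only.
probe_summary() {
  awk '
    {
      # A well-formed request line puts the protocol in $8; if it is missing,
      # the fields have shifted and $7/$9 are not path/status. Skip the line.
      if (index($8, "HTTP/") != 1) next

      path = $7
      sub(/[?].*/, "", path)   # drop the query string: /search?q=admin is not a probe path
      if (path !~ /(admin|login|wp-|phpmyadmin)/) next

      # 4xx/5xx: the server refused or had nothing there (background noise).
      # 2xx/3xx: something answered, so look at that path first.
      verdict = ($9 ~ /^[23]/) ? "REVIEW" : "noise"
      count[$1 " " path " " $9 " " verdict]++
    }
    END { for (k in count) print count[k], k }
  ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

sample_log | probe_summary
```

A `REVIEW` label only means the server returned content or a redirect for that path; it is a prompt to check what lives there, not evidence of compromise.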

YouTube Short

Find admin-looking probes.

Public web servers receive requests for software they do not run. This one-liner pulls out admin-looking paths so you can review the noise without changing anything.

LinkedIn hook

A site does not need WordPress to receive WordPress-looking probes.

Question: How much background admin-probe traffic do your public sites receive?

experiments

A/B tests to run

Metric: youtube_retention_15s

A: Your non-WordPress site still gets WordPress probes.

B: Requested paths are evidence to review, not panic.