Created
March 6, 2018 13:06
Bash commands for cPanel servers
<h4>Use at your own risk. Some of these commands remove data and/or terminate processes.</h4>
<h1><b>Load</b></h1>
<strong>WordPress attacks</strong>
<code>egrep -c '(wp-comments-post.php|wp-login.php|xmlrpc.php)' /usr/local/apache/domlogs/* |grep -v "_log" |sort -t: -nr -k 2 |head -5 |tee /tmp/delete_check |cut -d'/' -f6; for domlog in $(cut -d':' -f1 /tmp/delete_check); do echo; echo $domlog; echo; echo wp-login.php :: $(grep -c wp-login.php $domlog); echo; grep wp-login.php $domlog | cut -d' ' -f1|egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; echo xmlrpc.php :: $(grep -c xmlrpc.php $domlog); echo; grep xmlrpc.php $domlog |cut -d' ' -f1 |egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; echo wp-comments-post.php :: $(grep -c wp-comments-post.php $domlog); echo; grep wp-comments-post.php $domlog |cut -d' ' -f1 |egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; done</code>
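The one-liner above as a reusable script, added here as an example (not part of the gist): it counts only POST requests per client IP against each WordPress endpoint and flags the IPs that reach a threshold, which is the decision the raw counts feed into. The domlog lines are constructed for illustration.

```shell
# wp_attack_report LOGFILE ENDPOINT
# Prints "count ip" for every client IP that POSTed to ENDPOINT, busiest first.
# Only POSTs are counted: GETs of wp-login.php are normal page views.
wp_attack_report() {
    logfile=$1; endpoint=$2
    grep -F "$endpoint" "$logfile" | grep -F '"POST ' \
      | cut -d' ' -f1 \
      | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# flag_bruteforce LOGFILE ENDPOINT THRESHOLD
# Prints only the IPs whose POST count to ENDPOINT reaches THRESHOLD; these are
# the candidates for a firewall block or a rate limit on the login endpoint.
flag_bruteforce() {
    wp_attack_report "$1" "$2" | awk -v t="$3" '$1 >= t {print $2}'
}

# Constructed sample domlog in Apache combined format (not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [06/Mar/2018:13:01:02 -0500] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2018:13:01:03 -0500] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2018:13:01:04 -0500] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2018:13:01:05 -0500] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2018:13:01:06 -0500] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2018:13:01:07 -0500] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Mar/2018:13:01:08 -0500] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
EOF

for ep in wp-login.php xmlrpc.php wp-comments-post.php; do
    echo "$ep :: $(grep -c "$ep" "$SAMPLE_LOG") requests"
    wp_attack_report "$SAMPLE_LOG" "$ep"
done
echo "IPs with 3 or more POSTs to wp-login.php:"
flag_bruteforce "$SAMPLE_LOG" wp-login.php 3
```

On a real server, point LOGFILE at one file under /usr/local/apache/domlogs and pick the threshold from the site's normal login rate.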
<b>Check total number of connections</b>
<code>netstat -an |egrep -c '(:80|:443)'</code>
<b>Looking for IPs w/ multiple connections</b>
<code>netstat -tn 2>/dev/null | egrep '(:80|:443)' | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rn | head</code>
<b>Same as above, but piped to "less" for perusal</b>
<code>netstat -plant | egrep '(:80|:443)' | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rnk 1 |less</code>
<b>Same as above, but live view, refreshed every 2 seconds</b>
<code>watch "netstat -plant | egrep '(:80|:443)' | awk '{print \$5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -nk 1"</code>
<b>Check connections at a given time:</b> (change the hour variable; keep it two digits and matched against the log timestamp so that 01 does not also match 11 or 21)
<code>cd /usr/local/apache/domlogs</code>
<code>hour=01; for domain in $(grep -v nobody /etc/userdomains | cut -d':' -f1); do if [ -e "$domain" ]; then for minute in $(seq -w 00 59); do count=$(grep -c ":$hour:$minute:" "$domain"); if [ "$count" -gt 1 ]; then echo "$domain : $hour:$minute : $count" >> /home/domlogreport.$hour; fi; done; fi; done</code>
<code>sort -n -k 5 /home/domlogreport.01</code>
For Plesk:
<code>cat /var/www/vhosts/yourdomain.com/statistics/logs/access_log | sort -g -k 3</code>
<b>Get a list of top IPs accessing the server (some false positives)</b>
<code>cd /usr/local/apache/logs</code>
<code>tail -n 50000 access_log | grep -o "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" | sort -n | uniq -c | sort -n</code>
<b>Connections per IP by 10 min intervals</b> (the command takes the current hour from <code>date +%H</code>; replace that with a fixed hour such as 16 to look at another hour)
<code>swap_time=`date +%d`/`date +%b`/`date +%Y`:`date +%H`: ; for i in {0..5}; do echo $swap_time$i; done > /tmp/delete_swaptime; for time in `cat /tmp/delete_swaptime`; do echo; echo $time; echo; grep "$time" /usr/local/apache/domlogs/*.* |awk '{print $1}' |sort|uniq -c |sort -rnk1 |head; done</code>
<b>Check sar entries by start and end time</b>
<code>sar -s 09:00:00 -e 10:30:00</code>
<b>Check for crawlers:</b>
<code>find /usr/local/apache/domlogs/*/ -type f|grep -v -E $'(_|-)log|.gz'|xargs -i tail -5000 {}|grep $(date +%d/%b/%Y) |grep -i -E "crawl|bot|spider|yahoo|bing|google"|awk '{print $1}'|sort |uniq -c |sort -rn|head</code>
<b>Specific crawler info (put the IP address in):</b>
<code>find /usr/local/apache/domlogs/ -type f|grep -v -E $'(_|-)log|.gz'|xargs -i tail -5000 {}|grep $(date +%d/%b/%Y) |grep -i -E "100.43.85.9"</code>
<b>RAM stick usage:</b>
<code>dmidecode -t 17</code>
<b>Kill Apache and PHP processes:</b>
<code>killall -9 httpd php
/etc/init.d/httpd restart</code>
<b>Commands that I stole from monitoring:</b>
<code>grep -c `date +%d`/`date +%b`/`date +%Y` /usr/local/apache/domlogs/*|sort -t: -nr -k 2|head</code>
<code>grep `date +%d`/`date +%b`/`date +%Y` /usr/local/apache/domlogs/yourdomain.com |awk '{print $1" "$11" "$6}'|sort|uniq -c|sort -nr|head</code>
<code>find /usr/local/apache/domlogs/*/ -type f|grep -v -E $'(_|-)log|.gz'|xargs -i tail -5000 {}|grep $(date +%d/%b/%Y):23:4|awk '{print $1, $11}'|sort|uniq -c|sort -nr|head</code>
<code>grep -s wp-login.php /usr/local/apache/domlogs/*|grep POST|grep "$(date +"%d/%b/%Y")"|cut -d: -f1|sort|uniq -c|sort -nr|head</code>
<b>Find Loadwatch trips:</b>
<code>grep -B1 tripped /root/loadwatch/checklog</code>
<b>Plesk domlog parsing:</b>
<code>grep -c `date +%d`/`date +%b`/`date +%Y` /var/www/vhosts/*.*/statistics/logs/access_log|sort -t: -nr -k 2|head</code>
<b>MySQL total size of tables, sorted by engine</b> (the <code>rows</code> alias is quoted because ROWS is a reserved word in MySQL 8.0)
<code>SELECT engine,
       count(*) tables,
       concat(round(sum(table_rows)/1000000,2),'M') `rows`,
       concat(round(sum(data_length)/(1024*1024*1024),2),'G') data,
       concat(round(sum(index_length)/(1024*1024*1024),2),'G') idx,
       concat(round(sum(data_length+index_length)/(1024*1024*1024),2),'G') total_size,
       round(sum(index_length)/sum(data_length),2) idxfrac
FROM information_schema.TABLES
GROUP BY engine
ORDER BY sum(data_length+index_length) DESC LIMIT 10;</code>
<h1><b>Outgoing spam</b></h1>
<b>Remove bouncebacks and mail in the queue from the authenticated senders:</b>
<code>find /var/spool/exim/input/ -name '*-H' | xargs egrep 'auth_id $USER|ident mailnull' | cut -d: -f1 | cut -d/ -f7 | sed 's/-H$//' | xargs exim -Mrm</code>
<b>Spammy script detection:</b>
<code>grep cwd=\/home\/ /var/log/exim_mainlog| cut -d' ' -f4 | sort | uniq -c | sort -n</code>
OR
<code>grep cwd=\/home\/ /var/log/exim_mainlog| cut -d' ' -f3 | sort | uniq -c | sort -rn</code>
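The cwd= lines that the two commands above count, turned into functions that attribute script-originated mail to a cPanel account and to the exact directory the script ran from. This is an added example, not part of the gist; the exim_mainlog lines are constructed for illustration and assume the cPanel layout /home/&lt;account&gt;/....

```shell
# script_mail_by_account LOGFILE
# Prints "count account" for each cPanel account (/home/<account>) whose
# scripts invoked sendmail, busiest account first.
script_mail_by_account() {
    grep -o 'cwd=/home/[^ ]*' "$1" \
      | awk -F/ '{print $3}' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# script_mail_by_dir LOGFILE
# Same count keyed by the full working directory, which is where the
# sending script lives; an uploads directory here is a strong hint.
script_mail_by_dir() {
    grep -o 'cwd=/home/[^ ]*' "$1" | sed 's/^cwd=//' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# top_spam_dir LOGFILE -> the single directory with the most script-sent mail
top_spam_dir() {
    script_mail_by_dir "$1" | head -n 1 | awk '{print $2}'
}

# Constructed sample exim_mainlog (not a real log). The cwd=/ line is a
# cron-style sender outside /home and is deliberately ignored.
SAMPLE_EXIM_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_EXIM_LOG"' EXIT
cat > "$SAMPLE_EXIM_LOG" <<'EOF'
2018-03-06 13:05:01 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2018-03-06 13:05:02 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2018-03-06 13:05:03 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2018-03-06 13:05:04 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2018-03-06 13:05:05 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2018-03-06 13:05:06 cwd=/ 3 args: /usr/sbin/sendmail -t -i
EOF

echo "Script-originated mail per account:"; script_mail_by_account "$SAMPLE_EXIM_LOG"
echo "Per directory:"; script_mail_by_dir "$SAMPLE_EXIM_LOG"
echo "Top directory: $(top_spam_dir "$SAMPLE_EXIM_LOG")"
```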
<b>Clean up bouncebacks in the queue:</b>
<code>find /var/spool/exim/input -name '*-H' | xargs grep ident\ mailnull | cut -d: -f1 | cut -d/ -f7 | sed 's/-H$//g' | while read id; do exim -Mrm $id; done</code>
<b>Purge queue (>50k emails)</b>
<code>find /var/spool/exim/input/ -type f -name '*-H' | sed -e 's#/var/spool/exim/input/[A-Z0-9a-z]/\([A-Z0-9a-z\-]\{16\}\)\-[HDJ].*#\1#' |xargs exim -Mrm</code>
<b>Purge queue (<50k emails)</b>
<code>exiqgrep -i | xargs exim -Mrm</code>
<b>Purge queue of email from USER</b>
<code>exim -bp | grep 'USER' | awk '{print $3}' | xargs exim -Mrm</code>
<code>find /var/spool/exim/input -name '*-H' | xargs grep '[email protected]' | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3 | xargs exim -Mrm</code>
<b>How much email is in the queue if exim -bpc takes forever to run?</b>
<code>find /var/spool/exim/input/*/ -name '*-H' |wc -l</code>
<b>Check to see if any scripts are still spamming:</b>
<code>tail -f /var/log/exim_mainlog |grep -i 'cwd=/home'</code>
<b>Send ALL the mail (from the queue)</b>
<code>exim -qff -v</code>
<b>Check for the script in the domlogs:</b>
<code>grep POST /usr/local/apache/domlogs/* | grep Apr/2015 | grep article.php | awk '{print $1, $7}' | sort | uniq -c | sort -rn</code>
Or:
<code>grep POST /usr/local/apache/domlogs/yourdomain.com |cut -d' ' -f7|sort|uniq -c|sort -nr</code>
<h1><b>Strace</b></h1>
<code>strace -s1024 -tt -p $PID</code>