@stefanpejcic
Forked from countryroadgraphics/Bash for cPanel
Created October 30, 2020 13:22
Bash commands for cPanel servers
<h4>Use at your own risk. Some of these commands remove data and/or terminate processes.</h4>
<h1><b>Load</b></h1>
<strong>WordPress attacks</strong>
<code>egrep -c '(wp-comments-post.php|wp-login.php|xmlrpc.php)' /usr/local/apache/domlogs/* |grep -v "_log" |sort -t: -nr -k 2 |head -5 |tee /tmp/delete_check |cut -d'/' -f6; for domlog in $(cut -d':' -f1 /tmp/delete_check); do echo; echo $domlog; echo; echo wp-login.php :: $(grep -c wp-login.php $domlog); echo; grep wp-login.php $domlog | cut -d' ' -f1|egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; echo xmlrpc.php :: $(grep -c xmlrpc.php $domlog); echo; grep xmlrpc.php $domlog |cut -d' ' -f1 |egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; echo wp-comments-post.php :: $(grep -c wp-comments-post.php $domlog); echo; grep wp-comments-post.php $domlog |cut -d' ' -f1 |egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; done</code>
<b>Check total number of connections</b>
<code>netstat -an |egrep -c '(:80|:443)'</code>
<b>Looking for IPs w/ multiple Connections</b>
<code>netstat -tn 2&gt;/dev/null | egrep '(:80|:443)' | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rn | head</code>
<b>Same as above, but piped to "less" for perusal</b>
<code>netstat -plant | egrep '(:80|:443)' | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rnk 1 |less</code>
<b>Same as above, but Live view. Refreshed every 2 seconds</b>
<code>watch "netstat -plant | egrep '(:80|:443)' | awk {'print \$5'} | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -nk 1"</code>
<b>Check connections at a given time:</b> (change the hour variable; keep it two digits so it matches the log timestamp and does not also match 11 or 21)
<code>cd /usr/local/apache/domlogs
hour=01; for domain in $(grep -v nobody /etc/userdomains | cut -d':' -f1); do if [ -e "$domain" ]; then for minute in $(seq -w 0 59); do count=$(grep -c ":$hour:$minute:" "$domain"); if [ "$count" -gt 1 ]; then echo "$domain : $hour:$minute : $count" &gt;&gt; /home/domlogreport.$hour; fi; done; echo; echo; fi; done
cat /home/domlogreport.01 | sort -g -k 3</code>
For Plesk:
<code>cat /var/www/vhosts/yourdomain.com/statistics/logs/access_log | sort -g -k 3</code>
<b>Get a list of top IPs accessing the server (some false positives)</b>
<code>cd /usr/local/apache/logs
tail -n 50000 access_log | grep -o "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" | sort -n | uniq -c | sort -n</code>
<b>Connections per IP by 10 min intervals</b> (the hour is taken from <code>date +%H</code>; replace that with a fixed hour to look at another one)
<code>swap_time=`date +%d`/`date +%b`/`date +%Y`:`date +%H`: ; for i in {0..5}; do echo $swap_time$i; done &gt; /tmp/delete_swaptime; for time in `cat /tmp/delete_swaptime`; do echo; echo $time; echo; grep "$time" /usr/local/apache/domlogs/*.* |awk '{print $1}' |sort|uniq -c |sort -rnk1 |head; done</code>
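The WordPress-attack one-liner at the top of this section and the 10-minute-interval loop just above both boil down to the same log parsing: pull the client IP (field 1) and the timestamp (field 4) out of Apache combined-format lines and count. The script below, added here and not part of the gist, does that offline against a constructed sample log so the logic can be checked without a server; the IPs, timestamps and request lines are made up, and the only assumption about the real logs is the standard combined format that cPanel's domlogs use.

```sh
# Added example (not part of the gist): offline analysis of Apache combined-log
# lines, the same detection the one-liners above run against /usr/local/apache/domlogs.
# SAMPLE_LOG is constructed test data; the IPs come from documentation ranges.
SAMPLE_LOG='203.0.113.5 - - [30/Oct/2020:13:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Oct/2020:13:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Oct/2020:13:02:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2020:13:05:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.64.1"
198.51.100.7 - - [30/Oct/2020:13:15:41 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "curl/7.64.1"
192.0.2.9 - - [30/Oct/2020:13:17:02 +0000] "GET /wp-comments-post.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Oct/2020:13:29:59 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"'

# Emit the sample log on stdout (stands in for reading a domlog file).
sample_log() {
    printf '%s\n' "$SAMPLE_LOG"
}

# Hits per client IP for one endpoint, busiest first, as "count ip" lines.
# $1 = endpoint file name (wp-login.php, xmlrpc.php, wp-comments-post.php); log on stdin.
wp_hits_by_ip() {
    grep -F "$1" | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# IPs that hit an endpoint at least $2 times: the list to review before
# blocking at the firewall or turning on a login rate limit.
wp_offenders() {
    wp_hits_by_ip "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Requests per 10-minute bucket. Field 4 is "[30/Oct/2020:13:02:11"; dropping the
# leading "[" and the last four characters ("2:11") leaves "30/Oct/2020:13:0",
# the same key the swap_time loop above greps for.
hits_by_10min() {
    awk '{ t = substr($4, 2); print substr(t, 1, length(t) - 4) }' | sort | uniq -c | awk '{print $1, $2}'
}

# Count for one bucket key, e.g. bucket_count 30/Oct/2020:13:0
bucket_count() {
    sample_log | hits_by_10min | awk -v b="$1" '$2 == b {print $1}'
}

# Stand-alone run: top IPs per WordPress endpoint, then the 10-minute histogram.
for ep in wp-login.php xmlrpc.php wp-comments-post.php; do
    echo "$ep ::"
    sample_log | wp_hits_by_ip "$ep"
done
echo "requests per 10 min ::"
sample_log | hits_by_10min
```

To run it against a real domlog, replace `sample_log` with `cat /usr/local/apache/domlogs/yourdomain.com`; the threshold in `wp_offenders` is the knob that separates a busy legitimate editor from a credential-stuffing run.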
<b>Check sar entries by start and end time</b>
<code>sar -s 09:00:00 -e 10:30:00</code>
<b>Check for Crawlers:</b>
<code>find /usr/local/apache/domlogs/*/ -type f|grep -v -E $'(_|-)log|.gz'|xargs -i tail -5000 {}|grep $(date +%d/%b/%Y) |grep -i -E "crawl|bot|spider|yahoo|bing|google"|awk '{print $1}'|sort |uniq -c |sort -rn|head</code>
<b>Specific crawler info(add IP address in)</b>
<code>find /usr/local/apache/domlogs/ -type f|grep -v -E $'(_|-)log|.gz'|xargs -i tail -5000 {}|grep $(date +%d/%b/%Y) |grep -i -E "100.43.85.9"</code>
<b>Ram stick usage:</b>
<code>dmidecode -t 17</code>
<b>Kill Apache and PHP processes:</b>
<code>killall -9 httpd php
/etc/init.d/httpd restart</code>
<b>Commands that I stole from monitoring:</b>
<code>grep -c `date +%d`/`date +%b`/`date +%Y` /usr/local/apache/domlogs/*|sort -t: -nr -k 2|head</code>
<code>grep `date +%d`/`date +%b`/`date +%Y` /usr/local/apache/domlogs/yourdomain.com |awk '{print $1" "$11" "$6}'|sort|uniq -c|sort -nr|head</code>
<code>find /usr/local/apache/domlogs/*/ -type f|grep -v -E $'(_|-)log|.gz'|xargs -i tail -5000 {}|grep $(date +%d/%b/%Y):23:4|awk '{print $1, $11}'|sort|uniq -c|sort -nr|head</code>
<code>grep -s wp-login.php /usr/local/apache/domlogs/*|grep POST|grep "$(date +"%d/%b/%Y")"|cut -d: -f1|sort|uniq -c|sort -nr|head</code>
<b>Find Loadwatch Trips:</b>
<code>grep -B1 tripped /root/loadwatch/checklog</code>
<b>Plesk domlog parsing:</b>
<code>grep -c `date +%d`/`date +%b`/`date +%Y` /var/www/vhosts/*.*/statistics/logs/access_log|sort -t: -nr -k 2|head</code>
<b>MySQL total size of tables, sorted by engine</b> (<code>rows</code> is a reserved word on MySQL 8 and recent MariaDB, so the alias is quoted)
<code>SELECT engine,
       count(*) AS tables,
       concat(round(sum(table_rows)/1000000,2),'M') AS `rows`,
       concat(round(sum(data_length)/(1024*1024*1024),2),'G') AS data,
       concat(round(sum(index_length)/(1024*1024*1024),2),'G') AS idx,
       concat(round(sum(data_length+index_length)/(1024*1024*1024),2),'G') AS total_size,
       round(sum(index_length)/sum(data_length),2) AS idxfrac
FROM information_schema.TABLES
GROUP BY engine
ORDER BY sum(data_length+index_length) DESC LIMIT 10;</code>
<h1><b>Outgoing spam</b></h1>
<b>Remove bouncebacks and mail in the queue from the authenticated senders:</b>
<code>find /var/spool/exim/input/ -name '*-H' | xargs egrep 'auth_id $USER|ident mailnull' | cut -d: -f1 | cut -d/ -f7 | sed 's/-H$//' | xargs exim -Mrm</code>
<b>Spammy script detection:</b>
<code>grep cwd=\/home\/ /var/log/exim_mainlog| cut -d' ' -f4 | sort | uniq -c | sort -n</code>
OR
<code>grep cwd=\/home\/ /var/log/exim_mainlog| cut -d' ' -f3 | sort | uniq -c | sort -rn</code>
<b>Clean up bouncebacks in the queue:</b>
<code>find /var/spool/exim/input -name '*-H' | xargs grep ident\ mailnull | cut -d: -f1 | cut -d/ -f7 | sed 's/-H$//g' | while read id; do exim -Mrm $id; done</code>
<b>Purge Queue &gt;50k EMails</b>
<code>find /var/spool/exim/input/ -type f -name '*-H' | sed -e 's#/var/spool/exim/input/[A-Z0-9a-z]/\([A-Z0-9a-z\-]\{16\}\)\-[HDJ].*#\1#' |xargs exim -Mrm</code>
<b>Purge Queue &lt;50k EMails</b>
<code>exiqgrep -i | xargs exim -Mrm</code>
<b>Purge Queue of eMail from USER</b>
<code>exim -bp | grep 'USER' | awk '{print $3}' | xargs exim -Mrm</code>
<code>find /var/spool/exim/input -name '*-H' | xargs grep 'USER@DOMAIN' | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3 | xargs exim -Mrm</code>
<b>How much email is in the queue if exim -bpc takes forever to run??</b>
<code>find /var/spool/exim/input/*/ -name '*-H' |wc -l</code>
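Every queue command in this section ends in <code>exim -Mrm</code>, and the ids it receives come from one fragile step: stripping the spool directory and the <code>-H</code> suffix off the header file name. The script below, added here and not the gist's own, exercises that step against a throwaway spool built under <code>mktemp</code> and prints the removal commands instead of running them, so the list can be checked before anything is deleted. The header file contents are constructed (real <code>-H</code> files carry many more fields); the only assumption about a real spool is the <code>input/&lt;letter&gt;/&lt;message-id&gt;-H</code> layout the one-liners already rely on.

```sh
# Added example (not part of the gist): extract Exim queue message ids from a
# constructed spool under mktemp and dry-run the purge. Never calls exim.
# Layout assumption, matching the pipelines above: $spool/input/<letter>/<message-id>-H.

# Build a throwaway spool with three header files (constructed contents; real
# -H files carry many more fields, but the pipelines only grep a few of them).
make_fake_spool() {
    spool=$(mktemp -d)
    mkdir -p "$spool/input/A" "$spool/input/B"
    # bounce generated by the MTA itself: empty sender, ident mailnull
    printf '1kYabc-0001AB-Cd-H\n<>\n1604063000 0\n-ident mailnull\n-received_protocol local\n' \
        > "$spool/input/A/1kYabc-0001AB-Cd-H"
    # message submitted by an authenticated user
    printf '1kYdef-0002CD-Ef-H\n<bob@example.invalid>\n1604063100 0\n-ident bob\n-auth_id bob\n' \
        > "$spool/input/B/1kYdef-0002CD-Ef-H"
    # second bounce
    printf '1kYghi-0003EF-Gh-H\n<>\n1604063200 0\n-ident mailnull\n-received_protocol local\n' \
        > "$spool/input/B/1kYghi-0003EF-Gh-H"
    printf '%s\n' "$spool"
}

# Number of queued messages, counted from header files (the page's answer to
# "exim -bpc takes forever").
queue_count() {
    find "$1/input" -name '*-H' -type f | wc -l | tr -d ' '
}

# Message ids whose header file contains $2. The sed strips the directory and
# the -H suffix, leaving exactly what exim -Mrm expects. Sorted for stable output.
queue_ids_matching() {
    find "$1/input" -name '*-H' -type f -exec grep -l -- "$2" {} + \
        | sed 's#.*/##; s/-H$//' | sort
}

# Dry run: print the removal commands rather than executing them, so the list
# can be eyeballed (or compared with exiqgrep output) before anything is deleted.
purge_dry_run() {
    queue_ids_matching "$1" "$2" | sed 's/^/exim -Mrm /'
}

# Stand-alone run against the fake spool.
spool=$(make_fake_spool)
echo "queued: $(queue_count "$spool")"
purge_dry_run "$spool" 'ident mailnull'
rm -rf "$spool"
```

Pointing <code>queue_ids_matching</code> at <code>/var/spool/exim</code> with the pattern <code>'ident mailnull'</code> reproduces the "clean up bouncebacks" pipeline; piping its output through <code>xargs exim -Mrm</code> is the only change needed once the list looks right.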
<b>Check to see if any scripts are still spamming:</b>
<code>tail -f /var/log/exim_mainlog |grep -i 'cwd=/home'</code>
<b>Send ALL the mail (from the queue)</b>
<code>exim -qff -v</code>
<b>Check for the script in the domlogs:</b>
<code>grep POST /usr/local/apache/domlogs/* | grep Apr/2015 | grep article.php | awk '{print $1, $7}' | sort | uniq -c | sort -rn</code>
Or:
<code>grep POST /usr/local/apache/domlogs/yourdomain.com |cut -d' ' -f7|sort|uniq -c|sort -nr</code>
<code>grep cwd=\/home\/ /var/log/exim_mainlog| cut -d' ' -f3 | sort | uniq -c | sort -rn</code>
OR
<code>grep cwd=\/home\/ /var/log/exim_mainlog| cut -d' ' -f4 | sort | uniq -c | sort -n</code>
<h1><b>Strace</b></h1>
<code>strace -s1024 -tt -p $PID</code>