stefanpejcic/Bash for cPanel

## Bash for cPanel
<h4>Use at your own risk. Some of these commands remove data and/or terminate processes.</h4>
<h1><b>Load
</b></h1>
<strong>WordPress attacks</strong>
<code>egrep -c '(wp-comments-post.php|wp-login.php|xmlrpc.php)' /usr/local/apache/domlogs/* |grep -v "_log" |sort -t: -nr -k 2 |head -5 |tee /tmp/delete_check |cut -d'/' -f6; for domlog in $(cut -d':' -f1 /tmp/delete_check); do echo; echo $domlog; echo; echo wp-login.php :: $(grep -c wp-login.php $domlog); echo; grep wp-login.php $domlog | cut -d' ' -f1|egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; echo xmlrpc.php :: $(grep -c xmlrpc.php $domlog); echo; grep xmlrpc.php $domlog |cut -d' ' -f1 |egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; echo wp-comments-post.php :: $(grep -c wp-comments-post.php $domlog); echo; grep wp-comments-post.php $domlog |cut -d' ' -f1 |egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; done</code>

<b>Check total number of connections</b>
<code>netstat -an |egrep -c '(:80|:443)'</code>

<b>Looking for IPs w/ multiple Connections</b>
<code>netstat -tn 2&gt;/dev/null | egrep '(:80|:443)' | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rn | head</code>

<b>Same as above, but piped to “less” for perusal</b>
<code>netstat -plant | egrep '(:80|:443)' | awk {'print $5'} | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rnk 1 |less</code>

<b>Same as above, but Live view. Refreshed every 2 seconds</b>
<code>watch "netstat -plant | egrep '(:80|:443)' | awk {'print \$5'} | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -nk 1"</code>

<b>Check connections at a given time:</b>(change hour variable)
<code>cd /usr/local/apache/domlogs</code>

hour=1;for domain in $(cat /etc/userdomains | grep -v nobody |cut -d’:’ -f1); do if [ -e “$domain” ]; then for minute in $(seq 10 59); do count=$(cat $domain | grep “$hour:$minute”|wc -l);if [ “$count” -gt 1 ]; then echo “$domain : $hour:$minute : $count” &gt;&gt; /home/domlogreport.$hour;fi;done;echo;echo;fi;done

cat /home/domlogreport.1 | sort -g -k 3

For Plesk:
<code>cat /var/www/vhosts/yourdomain.com/statistics/logs/access_log | sort -g -k 3</code>

<b>Get a list of top IPs accessing the server (some false positives)</b>
<code>cd /usr/local/apache/logs</code>

tail -n 50000 access_log | grep -o “[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}” | sort -n | uniq -c | sort -n

<b>Connections per IP by 10 min intervals </b>VVV change 16 to desired hour
swap_time=`date +%d`/`date +%b`/`date +%Y`:`date +%H`: ; for i in {0..5}; do echo $swap_time$i; done &gt; /tmp/delete_swaptime; for time in `cat /tmp/delete_swaptime`; do echo; echo $time; echo; grep “$time” /usr/local/apache/domlogs/*.* |awk ‘{print $1}’ |sort|uniq -c |sort -rnk1 |head; done

<b>Check sar entries by start and end time</b>
<code>sar -s 09:00:00 -e 10:30:00</code>

<b>Check for Crawlers:</b>
<code>find /usr/local/apache/domlogs/*/ -type f|grep -v -E $'(_|-)log|.gz'|xargs -i tail -5000 {}|grep $(date +%d/%b/%Y) |grep -i -E "crawl|bot|spider|yahoo|bing|google"|awk '{print $1}'|sort |uniq -c |sort -rn|head</code>

<b>Specific crawler info(add IP address in)</b>
<code>find /usr/local/apache/domlogs/ -type f|grep -v -E $'(_|-)log|.gz'|xargs -i tail -5000 {}|grep $(date +%d/%b/%Y) |grep -i -E "100.43.85.9"</code>

<b>Ram stick usage:</b>
<code>dmidecode -t 17</code>

<b>Kill Apache and PHP processes:</b>
<code>killall -9 httpd php
/etc/init.d/httpd restart</code>

<b>Commands that I stole from monitoring:</b>
<code>grep -c `date +%d`/`date +%b`/`date +%Y` /usr/local/apache/domlogs/*|sort -t: -nr -k 2|head</code>

<code>grep `date +%d`/`date +%b`/`date +%Y` /usr/local/apache/domlogs/yourdomain.com |awk '{print $1" "$11" "$6}'|sort|uniq -c|sort -nr|head</code>

<code>find /usr/local/apache/domlogs/*/ -type f|grep -v -E $'(_|-)log|.gz'|xargs -i tail -5000 {}|grep $(date +%d/%b/%Y):23:4|awk '{print $1, $11}'|sort|uniq -c|sort -nr|head</code>

<code>grep -s wp-login.php /usr/local/apache/domlogs/*|grep POST|grep "$(date +"%d/%b/%Y")"|cut -d: -f1|sort|uniq -c|sort -nr|head</code>

<b>Find Loadwatch Trips:</b>
<code>grep -B1 tripped /root/loadwatch/checklog</code>

<b>Plesk domlog parsing:</b>
<code>grep -c `date +%d`/`date +%b`/`date +%Y` /var/www/vhosts/*.*/statistics/logs/access_log|sort -t: -nr -k 2|head</code>

<b>MySQL total size of tables, sorted by engine</b>

<code>SELECT engine,
count(*) tables,
concat(round(sum(table_rows)/1000000,2),'M') rows,
concat(round(sum(data_length)/(1024*1024*1024),2),'G') data,
concat(round(sum(index_length)/(1024*1024*1024),2),'G') idx,
concat(round(sum(data_length+index_length)/(1024*1024*1024),2),'G') total_size,
round(sum(index_length)/sum(data_length),2) idxfrac
FROM information_schema.TABLES
GROUP BY engine
ORDER BY sum(data_length+index_length) DESC LIMIT 10;</code>
<h1><b>Outgoing spam</b></h1>
<b>Remove bouncebacks and mail in the queue from the authenticated senders:</b>

<code>find /var/spool/exim/input/ -name '*-H' | xargs egrep 'auth_id $USER|ident mailnull' | cut -d: -f1 | cut -d/ -f7 | sed 's/-H$//' | xargs exim -Mrm</code>

<b>Spammy script detection:</b>
<code>grep cwd=\/home\/ /var/log/exim_mainlog| cut -d' ' -f4 | sort | uniq -c | sort -n</code>
OR
<code>grep cwd=\/home\/ /var/log/exim_mainlog| cut -d' ' -f3 | sort | uniq -c | sort -rn</code>

<b>Clean up bouncebacks in the queue:</b>
<code>find /var/spool/exim/input -name '*-H' | xargs grep ident\ mailnull | cut -d: -f1 | cut -d/ -f7 | sed 's/-H$//g' | while read id; do exim -Mrm $id; done</code>

<b>Purge Queue &gt;50k EMails</b>
<code>find /var/spool/exim/input/ -type f -name '*-H' | sed -e 's#/var/spool/exim/input/[A-Z0-9a-z]/\([A-Z0-9a-z\-]\{16\}\)\-[HDJ].*#\1#' |xargs exim -Mrm</code>

<b>Purge Queue &lt;50k EMails</b>
<code>exiqgrep -i | xargs exim -Mrm</code>

<b>Purge Queue of eMail from USER</b>
<code>exim -bp | grep 'USER' | awk '{print $3}' | xargs exim -Mrm</code>

<code>find /var/spool/exim/input -name '*-H' | xargs grep 'user@domain.com' | cut -d: -f1 | cut -d/ -f7 | cut -d- -f1-3 | xargs exim -Mrm</code>

<b>How much email is in the queue if exim -bpc takes forever to run??</b>
<code>find /var/spool/exim/input/*/ -name '*-H' |wc -l</code>

<b>Check to see if any scripts are still spamming:</b>

<code>tail -f /var/log/exim_mainlog |grep -i 'cwd=/home'</code>

<b>Send ALL the mail (from the queue)</b>
<code>exim -qff -v</code>

<b>Check for the script in the domlogs:</b>

<code>grep POST /usr/local/apache/domlogs/* | grep Apr/2015 | grep article.php | awk '{print $1, $7}' | sort | uniq -c | sort -rn</code>

Or:
<code>grep POST /usr/local/apache/domlogs/yourdomain.com |cut -d' ' -f7|sort|uniq -c|sort -nr</code>

<code>grep cwd=\/home\/ /var/log/exim_mainlog| cut -d' ' -f3 | sort | uniq -c | sort -rn</code>
OR
<code>grep cwd=\/home\/ /var/log/exim_mainlog| cut -d' ' -f4 | sort | uniq -c | sort -n</code>
<h1><b>Strace</b></h1>
<code>strace -s1024 -tt -p $PID</code>
	<h4>Use at your own risk. Some of these commands remove data and/or terminate processes.</h4>
	<h1><b>Load
	</b></h1>
	<strong>WordPress attacks</strong>
	<code>egrep -c '(wp-comments-post.php\|wp-login.php\|xmlrpc.php)' /usr/local/apache/domlogs/* \|grep -v "_log" \|sort -t: -nr -k 2 \|head -5 \|tee /tmp/delete_check \|cut -d'/' -f6; for domlog in $(cut -d':' -f1 /tmp/delete_check); do echo; echo $domlog; echo; echo wp-login.php :: $(grep -c wp-login.php $domlog); echo; grep wp-login.php $domlog \| cut -d' ' -f1\|egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \|sort \|uniq -c \|sort -nr \| head; echo; echo xmlrpc.php :: $(grep -c xmlrpc.php $domlog); echo; grep xmlrpc.php $domlog \|cut -d' ' -f1 \|egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \|sort \|uniq -c \|sort -nr \| head; echo; echo wp-comments-post.php :: $(grep -c wp-comments-post.php $domlog); echo; grep wp-comments-post.php $domlog \|cut -d' ' -f1 \|egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \|sort \|uniq -c \|sort -nr \| head; echo; done</code>

	<b>Check total number of connections</b>
	<code>netstat -an \|egrep -c '(:80\|:443)'</code>

	<b>Looking for IPs w/ multiple Connections</b>
	<code>netstat -tn 2>/dev/null \| egrep '(:80\|:443)' \| awk '{print $5}' \| grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' \| sort \| uniq -c \| sort -rn \| head</code>

	<b>Same as above, but piped to “less” for perusal</b>
	<code>netstat -plant \| egrep '(:80\|:443)' \| awk {'print $5'} \| grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' \| sort \| uniq -c \| sort -rnk 1 \|less</code>

	<b>Same as above, but Live view. Refreshed every 2 seconds</b>
	<code>watch "netstat -plant \| egrep '(:80\|:443)' \| awk {'print \$5'} \| grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' \| sort \| uniq -c \| sort -nk 1"</code>

	<b>Check connections at a given time:</b>(change hour variable)
	<code>cd /usr/local/apache/domlogs</code>

	hour=1;for domain in $(cat /etc/userdomains \| grep -v nobody \|cut -d’:’ -f1); do if [ -e “$domain” ]; then for minute in $(seq 10 59); do count=$(cat $domain \| grep “$hour:$minute”\|wc -l);if [ “$count” -gt 1 ]; then echo “$domain : $hour:$minute : $count” >> /home/domlogreport.$hour;fi;done;echo;echo;fi;done

	cat /home/domlogreport.1 \| sort -g -k 3

	For Plesk:
	<code>cat /var/www/vhosts/yourdomain.com/statistics/logs/access_log \| sort -g -k 3</code>

	<b>Get a list of top IPs accessing the server (some false positives)</b>
	<code>cd /usr/local/apache/logs</code>

	tail -n 50000 access_log \| grep -o “[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}” \| sort -n \| uniq -c \| sort -n

	<b>Connections per IP by 10 min intervals </b>VVV change 16 to desired hour
	swap_time=`date +%d`/`date +%b`/`date +%Y`:`date +%H`: ; for i in {0..5}; do echo $swap_time$i; done > /tmp/delete_swaptime; for time in `cat /tmp/delete_swaptime`; do echo; echo $time; echo; grep “$time” /usr/local/apache/domlogs/. \|awk ‘{print $1}’ \|sort\|uniq -c \|sort -rnk1 \|head; done

	<b>Check sar entries by start and end time</b>
	<code>sar -s 09:00:00 -e 10:30:00</code>

	<b>Check for Crawlers:</b>
	<code>find /usr/local/apache/domlogs/*/ -type f\|grep -v -E $'(_\|-)log\|.gz'\|xargs -i tail -5000 {}\|grep $(date +%d/%b/%Y) \|grep -i -E "crawl\|bot\|spider\|yahoo\|bing\|google"\|awk '{print $1}'\|sort \|uniq -c \|sort -rn\|head</code>

	<b>Specific crawler info(add IP address in)</b>
	<code>find /usr/local/apache/domlogs/ -type f\|grep -v -E $'(_\|-)log\|.gz'\|xargs -i tail -5000 {}\|grep $(date +%d/%b/%Y) \|grep -i -E "100.43.85.9"</code>

	<b>Ram stick usage:</b>
	<code>dmidecode -t 17</code>

	<b>Kill Apache and PHP processes:</b>
	<code>killall -9 httpd php
	/etc/init.d/httpd restart</code>

	<b>Commands that I stole from monitoring:</b>
	<code>grep -c `date +%d`/`date +%b`/`date +%Y` /usr/local/apache/domlogs/*\|sort -t: -nr -k 2\|head</code>

	<code>grep `date +%d`/`date +%b`/`date +%Y` /usr/local/apache/domlogs/yourdomain.com \|awk '{print $1" "$11" "$6}'\|sort\|uniq -c\|sort -nr\|head</code>

	<code>find /usr/local/apache/domlogs/*/ -type f\|grep -v -E $'(_\|-)log\|.gz'\|xargs -i tail -5000 {}\|grep $(date +%d/%b/%Y):23:4\|awk '{print $1, $11}'\|sort\|uniq -c\|sort -nr\|head</code>

	<code>grep -s wp-login.php /usr/local/apache/domlogs/*\|grep POST\|grep "$(date +"%d/%b/%Y")"\|cut -d: -f1\|sort\|uniq -c\|sort -nr\|head</code>

	<b>Find Loadwatch Trips:</b>
	<code>grep -B1 tripped /root/loadwatch/checklog</code>

	<b>Plesk domlog parsing:</b>
	<code>grep -c `date +%d`/`date +%b`/`date +%Y` /var/www/vhosts/./statistics/logs/access_log\|sort -t: -nr -k 2\|head</code>

	<b>MySQL total size of tables, sorted by engine</b>

	<code>SELECT engine,
	count(*) tables,
	concat(round(sum(table_rows)/1000000,2),'M') rows,
	concat(round(sum(data_length)/(102410241024),2),'G') data,
	concat(round(sum(index_length)/(102410241024),2),'G') idx,
	concat(round(sum(data_length+index_length)/(102410241024),2),'G') total_size,
	round(sum(index_length)/sum(data_length),2) idxfrac
	FROM information_schema.TABLES
	GROUP BY engine
	ORDER BY sum(data_length+index_length) DESC LIMIT 10;</code>
	<h1><b>Outgoing spam</b></h1>
	<b>Remove bouncebacks and mail in the queue from the authenticated senders:</b>

	<code>find /var/spool/exim/input/ -name '*-H' \| xargs egrep 'auth_id $USER\|ident mailnull' \| cut -d: -f1 \| cut -d/ -f7 \| sed 's/-H$//' \| xargs exim -Mrm</code>

	<b>Spammy script detection:</b>
	<code>grep cwd=\/home\/ /var/log/exim_mainlog\| cut -d' ' -f4 \| sort \| uniq -c \| sort -n</code>
	OR
	<code>grep cwd=\/home\/ /var/log/exim_mainlog\| cut -d' ' -f3 \| sort \| uniq -c \| sort -rn</code>

	<b>Clean up bouncebacks in the queue:</b>
	<code>find /var/spool/exim/input -name '*-H' \| xargs grep ident\ mailnull \| cut -d: -f1 \| cut -d/ -f7 \| sed 's/-H$//g' \| while read id; do exim -Mrm $id; done</code>

	<b>Purge Queue >50k EMails</b>
	<code>find /var/spool/exim/input/ -type f -name '-H' \| sed -e 's#/var/spool/exim/input/[A-Z0-9a-z]/\([A-Z0-9a-z\-]\{16\}\)\-[HDJ].#\1#' \|xargs exim -Mrm</code>

	<b>Purge Queue <50k EMails</b>
	<code>exiqgrep -i \| xargs exim -Mrm</code>

	<b>Purge Queue of eMail from USER</b>
	<code>exim -bp \| grep 'USER' \| awk '{print $3}' \| xargs exim -Mrm</code>

	<code>find /var/spool/exim/input -name '*-H' \| xargs grep 'user@domain.com' \| cut -d: -f1 \| cut -d/ -f7 \| cut -d- -f1-3 \| xargs exim -Mrm</code>

	<b>How much email is in the queue if exim -bpc takes forever to run??</b>
	<code>find /var/spool/exim/input// -name '-H' \|wc -l</code>

	<b>Check to see if any scripts are still spamming:</b>

	<code>tail -f /var/log/exim_mainlog \|grep -i 'cwd=/home'</code>

	<b>Send ALL the mail (from the queue)</b>
	<code>exim -qff -v</code>

	<b>Check for the script in the domlogs:</b>

	<code>grep POST /usr/local/apache/domlogs/* \| grep Apr/2015 \| grep article.php \| awk '{print $1, $7}' \| sort \| uniq -c \| sort -rn</code>

	Or:
	<code>grep POST /usr/local/apache/domlogs/yourdomain.com \|cut -d' ' -f7\|sort\|uniq -c\|sort -nr</code>

	<code>grep cwd=\/home\/ /var/log/exim_mainlog\| cut -d' ' -f3 \| sort \| uniq -c \| sort -rn</code>
	OR
	<code>grep cwd=\/home\/ /var/log/exim_mainlog\| cut -d' ' -f4 \| sort \| uniq -c \| sort -n</code>
	<h1><b>Strace</b></h1>
	<code>strace -s1024 -tt -p $PID</code>