All posts by nixadmin

24Oct/15

Output alignment problem for ‘df’ command

Sometimes you need the output of the df command in a well-aligned form, for example to parse it in a script. The following command prints it in a properly formatted form.

df -Ph

   -P, --portability use the POSIX output format
   -h, --human-readable print sizes in human readable format (e.g., 1K 234M 2G)

You can check the following screenshots for more details.
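As an added example (not from the original post), the shell snippet below shows why -P matters when df output is consumed by a script: in the POSIX format every filesystem is guaranteed to be on one line, so awk can trust the column positions, whereas without -P a long device name (an LVM path, for instance) pushes the numbers onto a second line and the fields shift. The df output in SAMPLE_DF is a constructed sample so the function can be exercised offline; the real invocation is shown in the comment.

```sh
#!/bin/sh
# Constructed sample of `df -P` output (POSIX format: one line per filesystem,
# so $5 is always Capacity and $6 is always the mount point).
SAMPLE_DF='Filesystem                1024-blocks     Used Available Capacity Mounted on
/dev/sda1                    20511356 18972104    500000      98% /
/dev/mapper/vg0-home        104857600 52428800  52428800      50% /home
tmpfs                         4096000        0   4096000       0% /dev/shm'

# report_full_filesystems THRESHOLD  (df -P output on stdin)
# Prints "<capacity> <mountpoint>" for every filesystem at or above THRESHOLD percent.
report_full_filesystems() {
    threshold="$1"
    awk -v t="$threshold" '
        NR > 1 {                          # skip the header line
            pct = $5; sub(/%/, "", pct)   # "98%" -> 98
            if (pct + 0 >= t) print pct, $6
        }'
}

# Wrapper around the constructed sample, so the logic can be checked offline.
sample_full_filesystems() {
    printf '%s\n' "$SAMPLE_DF" | report_full_filesystems "$1"
}

# Real use on a server:  df -P | report_full_filesystems 90
```

The same awk would silently misreport on non-POSIX output whenever a device name wraps, because the second line of a wrapped entry starts with the block counts rather than the device name.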

14Sep/15

cPanel/WHM Successful logins

To list successful cPanel/WHM logins, use the following commands.

Successful cPanel logins:

grep "myuser" /usr/local/cpanel/logs/session_log | grep "NEW .*app=cpaneld"
# "myuser" is the cPanel username

xx.xx.xx.xx [09/11/2015:13:17:40 -0000] NEW myuser:bOMyuserz8hKvThis1XUgnISnh4AWMMXSampleKgHE3lString1JpnOSiK5a45t3 address=122.165.84.98,app=cpaneld,creator=myuser,method=handle_form_login,path=form,possessed=0

Successful WHM logins:

grep "root" /usr/local/cpanel/logs/session_log | grep "NEW .*app=whostmgrd"
# Use the required WHM user instead of "root"

xx.xx.xx.xx [09/05/2015:07:22:39 -0000] NEW root:KGJsPXy_h243av2XchbPGBajfsSDj0eRz4ryHIj_tGZtYODFSZVb5s4rkdx20LJd address=xx.xx.xx.xx,app=whostmgrd,creator=root,method=handle_form_login,path=form,possessed=0
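An added example, not part of the original post: the grep pipelines above match the username anywhere on the line, so grep "myuser" also hits the session token (which in the sample above contains "Myuser") and grep "root" also hits creator=root on sessions root opened into other accounts. The awk function below matches on the exact fields of a session_log line instead: the NEW keyword, the user part of user:token, and the app= and address= keys. SAMPLE_SESSION_LOG is a constructed sample in the same layout (documentation-range IPs, made-up tokens, and one non-NEW line to show it is skipped).

```sh
#!/bin/sh
# Constructed sample in the layout of /usr/local/cpanel/logs/session_log:
#   IP [timestamp tz] EVENT user:token key=value,key=value,...
SAMPLE_SESSION_LOG='203.0.113.10 [09/11/2015:13:17:40 -0000] NEW myuser:bOMyuserTOKEN address=203.0.113.10,app=cpaneld,creator=myuser,method=handle_form_login,path=form,possessed=0
203.0.113.11 [09/11/2015:13:20:02 -0000] NEW root:KGJsPXyTOKEN address=203.0.113.11,app=whostmgrd,creator=root,method=handle_form_login,path=form,possessed=0
203.0.113.12 [09/11/2015:13:21:15 -0000] PURGE myuser:bOMyuserTOKEN address=203.0.113.10,app=cpaneld,creator=myuser,method=handle_form_login,path=form,possessed=0
198.51.100.7 [09/12/2015:02:05:33 -0000] NEW myuser:ZZtokenZZ address=198.51.100.7,app=cpaneld,creator=myuser,method=handle_form_login,path=form,possessed=0
198.51.100.9 [09/12/2015:02:06:10 -0000] NEW other:QQtokenQQ address=198.51.100.9,app=cpaneld,creator=root,method=create_user_session,path=form,possessed=1'

# successful_logins APP USER  (session_log on stdin)
# Prints "timestamp user address" for every NEW session of USER on APP
# (cpaneld or whostmgrd), comparing whole fields rather than substrings.
successful_logins() {
    awk -v app="$1" -v want="$2" '
        $4 != "NEW" { next }                     # only NEW lines are logins
        {
            ts = $2 " " $3; gsub(/\[|\]/, "", ts) # "[09/11/2015:13:17:40 -0000]" -> bare timestamp
            split($5, u, ":"); user = u[1]        # "user:token" -> user
            n = split($6, kv, ",")                # address=...,app=...,creator=...
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                f[p[1]] = p[2]
            }
            if (f["app"] == app && user == want)
                print ts, user, f["address"]
            for (k in f) delete f[k]
        }'
}

# Real use:  successful_logins cpaneld myuser < /usr/local/cpanel/logs/session_log
```

The last sample line (user "other", creator=root, possessed=1) is the kind of entry a plain grep "root" would return as a root login although the session belongs to another account; the function leaves it out because the user field is not root.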

07May/15

Plesk Roundcube error: Unable to connect to the database

Sometimes you may see the following error when opening the webmail interface. It can affect both Horde and Roundcube.

DATABASE ERROR: CONNECTION FAILED!
Unable to connect to the database!
Please contact your server-administrator

To fix it, update the Roundcube or Horde user's password in the server's mysql.user table so that it matches the password in the webmail configuration.

On Plesk servers, proceed as follows.

First, find the installed Roundcube version:

[root@host ~]# rpm -qa | grep -i roundcube
plesk-roundcube-0.9.5-cos6.build115131112.14.noarch
[root@host1 ~]# rpm -qa | grep -i roundcube
plesk-roundcube-1.0.0-cos6.build1200140626.18.noarch

For versions below 1.0, the config file is /usr/share/psa-roundcube/config/db.inc.php

For version 1.0 or above, the config file is /usr/share/psa-roundcube/config/config.inc.php

In my case it was /usr/share/psa-roundcube/config/config.inc.php, and the relevant line looks like this:

$config['db_dsnw'] = 'mysql://roundcube:pass_from_config@localhost/roundcubemail';

Note: replace pass_from_config with the actual password from config.inc.php.

Now log in to MySQL as the admin user (as root on cPanel or any other control panel):

root@host1# mysql -uadmin -p`cat /etc/psa/.psa.shadow`
mysql> use mysql;
Database changed
mysql> UPDATE user SET password=PASSWORD('pass_from_config') WHERE user='roundcube';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

After this you should be able to see the webmail login page without any issues.

For Horde, the horde user's password is in the file /etc/psa-webmail/horde/.horde.shadow. To fix the login page:

root@host1# mysql -uadmin -p`cat /etc/psa/.psa.shadow`
mysql> use mysql;
Database changed
mysql> update user set password=password("pass_from_horde.shadow_file") where user="horde";
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

After these steps the Horde webmail interface should work like a charm!
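An added example, not code from the original post, covering both the Roundcube and the Horde procedure above: instead of copying the password out of the config by hand, the functions below pull it from the db_dsnw line (the DSN has the shape scheme://user:password@host/database; the array is named $config in 1.x and, as far as I know, $rcmail_config in the older db.inc.php, so the pattern ignores the array name) and emit the same UPDATE / FLUSH PRIVILEGES statements used in the post, with single quotes in the password doubled so the SQL literal stays intact. The config lines and passwords in the sample are constructed; percent-encoded characters that Roundcube may use in a DSN are not decoded here.

```sh
#!/bin/sh
# Constructed sample lines in the style of config.inc.php (1.x) and db.inc.php (0.9.x).
SAMPLE_CONFIG_NEW="\$config['db_dsnw'] = 'mysql://roundcube:pass_from_config@localhost/roundcubemail';"
SAMPLE_CONFIG_OLD="\$rcmail_config['db_dsnw'] = 'mysql://roundcube:0ld_Secret@localhost/roundcubemail';"

# dsn_field CONFIG_LINE FIELD   -> user | password | host | database
# Pulls the quoted DSN out of the db_dsnw line and splits it with shell
# parameter expansion; returns 1 when the line carries no db_dsnw setting.
dsn_field() {
    dsn=$(printf '%s\n' "$1" | sed -n "s/.*\['db_dsnw'][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p")
    [ -n "$dsn" ] || return 1
    rest=${dsn#*://}               # user:password@host/database
    userinfo=${rest%%@*}           # user:password
    hostdb=${rest#*@}              # host/database
    case "$2" in
        user)     printf '%s\n' "${userinfo%%:*}" ;;
        password) printf '%s\n' "${userinfo#*:}" ;;
        host)     printf '%s\n' "${hostdb%%/*}" ;;
        database) printf '%s\n' "${hostdb#*/}" ;;
        *)        return 1 ;;
    esac
}

# reset_sql USER PASSWORD -> the statements from the post for that MySQL user.
# A single quote inside PASSWORD is doubled, which is how SQL escapes it.
reset_sql() {
    user="$1"
    pass=$(printf '%s\n' "$2" | sed "s/'/''/g")
    printf "UPDATE mysql.user SET password=PASSWORD('%s') WHERE user='%s';\nFLUSH PRIVILEGES;\n" "$pass" "$user"
}

# roundcube_reset_sql CONFIG_LINE -> reset statements with user and password
# taken from the Roundcube config instead of typed in by hand.
roundcube_reset_sql() {
    user=$(dsn_field "$1" user) || return 1
    reset_sql "$user" "$(dsn_field "$1" password)"
}

# Usage on a Plesk server (not run here):
#   roundcube_reset_sql "$(grep db_dsnw /usr/share/psa-roundcube/config/config.inc.php)" \
#       | mysql -uadmin -p"$(cat /etc/psa/.psa.shadow)"
#   reset_sql horde "$(cat /etc/psa-webmail/horde/.horde.shadow)" \
#       | mysql -uadmin -p"$(cat /etc/psa/.psa.shadow)"
```

Piping the generated SQL straight into mysql keeps the password out of your shell history, which the interactive mysql> session in the post does not.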

23Feb/15

Add extra swap to linux server

In an ideal world every server would have plenty of RAM; in the real world that does not happen. If for some reason a server has too little swap, or is hitting its swap limit, here is a quick way to add 1GB of swap.

dd if=/dev/zero of=/usr/swapfilesys bs=1024 count=1024000
mkswap /usr/swapfilesys
swapon /usr/swapfilesys
swapon -s

Now add the following to the /etc/fstab and you are done.

/usr/swapfilesys	 swap	 swap	 defaults	 0 0
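An added example (not the post's own commands) that wraps the four steps above in a script with the checks a practitioner wants: a root check, a refusal to overwrite an existing file, mode 0600 on the swap file before mkswap (a world-readable swap file exposes whatever memory was paged out, and mkswap itself warns about permissions looser than 0600), and an idempotent /etc/fstab update so running the script twice does not leave duplicate entries. The fstab helpers are the part that can be exercised offline against a constructed file; the swap file path and size are parameters.

```sh
#!/bin/sh
# fstab_has_entry FSTAB_FILE SWAPFILE -> success if SWAPFILE is already listed as swap
fstab_has_entry() {
    awk -v f="$2" '$1 == f && $3 == "swap" { found = 1 } END { exit !found }' "$1"
}

# ensure_fstab_entry FSTAB_FILE SWAPFILE -> appends the line from the post exactly once
ensure_fstab_entry() {
    if ! fstab_has_entry "$1" "$2"; then
        printf '%s\tswap\tswap\tdefaults\t0 0\n' "$2" >> "$1"
    fi
}

# add_swapfile SWAPFILE SIZE_MB -> create, secure, format and enable a swap file
add_swapfile() {
    swapfile="$1"; size_mb="$2"
    if [ "$(id -u)" -ne 0 ]; then
        echo "add_swapfile: must run as root" >&2; return 1
    fi
    if [ -e "$swapfile" ]; then
        echo "add_swapfile: $swapfile already exists, refusing to overwrite" >&2; return 1
    fi
    dd if=/dev/zero of="$swapfile" bs=1M count="$size_mb"
    chmod 600 "$swapfile"          # before mkswap: nobody but root may read paged-out memory
    mkswap "$swapfile"
    swapon "$swapfile"
    ensure_fstab_entry /etc/fstab "$swapfile"
    swapon -s                      # show the result, as in the post
}

# Example (as root):  add_swapfile /usr/swapfilesys 1024
```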

15Feb/15

Prevent .htaccess file modification while running easyapache

Recompiling Apache/PHP with EasyApache on a WHM/cPanel server often modifies users' .htaccess files; most commonly, entries such as "AddHandler" end up commented out.

We can prevent this .htaccess modification from the WHM Tweak Settings.

In WHM -> Server Configuration -> Tweak Settings -> System, set:
Depth to recurse for .htaccess checks = 0

23Jan/15

Change Site IP in cPanel

Change Site IP via WHM

Go to WHM > Change Site's IP Address, select the account, then select the new IP.

Change Site IP via Command Line in cPanel

/usr/local/cpanel/bin/setsiteip -u $USER $IP

To move all accounts on a server from one IP to another, use the following script:

#!/bin/bash
# https://www.nixtree.com
# Contact support@nixtree.com
#
IP=0.0.0.0   # Set the required IP here
# /etc/trueuserdomains holds one "domain: user" line per account; field 2 is the user
for USER in $(cut -d: -f2 /etc/trueuserdomains); do
    /usr/local/cpanel/bin/setsiteip -u "$USER" "$IP"
done

13Dec/14

Detecting WordPress Outbound Bruteforce attack

We have all heard a lot about inbound WordPress brute-force attacks. On closer inspection, the attacking IPs often turn out to be other servers, possibly with cPanel installed, that are themselves infected and generating the attack.

Two days ago we got a message from a client saying their data center had informed them that the server was infected and was generating attacks on other servers. Initially I could not find any details about the attack: no rogue process was visible, and scanning gave me no valid clue either.

I then checked the tcpdump output to see what data was leaving the server.

user@host ~ # tcpdump -A -i eth0 -s 1500 port not 22

In the results I could see something going on: many POST requests to wp-login.php were leaving the server.

Sample tcpdump output (domain and hostnames changed):

v.G....pPOST /restaurants/wp-login.php HTTP/1.0^M
Host: domain.com^M
Content-Type: application/x-www-form-urlencoded^M
Content-Length: 30^M
^M
log=admin&pwd=minedoruksay2940
06:15:22.056294 IP host5.domain.com > host6.domain.com48202: Flags [P.], seq 2779525802:2779527849, ack 2761432155, win 3216, options [nop,nop,TS val 166530731 ecr 1994475337], length 2047

I stopped Apache, MySQL and psa, but a process was still running as the www-data user, looking like this:

www-data 1258 10.8 1.5 18327 1268 ? Ssl Dec10 129:10 /usr/bin/host 

I ran lsof against this process and found the culprit account responsible for the attack 🙂 Thanks to lsof for giving me the exact location and scripts.

Relevant output from the lsof command:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
host 20636 username cwd DIR 9,2 4096 60874901 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js
host 20636 username rtd DIR 9,2 4096 2 /
host 20636 username txt REG 9,2 120240 68160132 /usr/bin/host
host 20636 username DEL REG 9,2 60817452 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/bruteforce.so
host 20636 username mem REG 9,2 22928 23855190 /lib/libnss_dns-2.11.3.so
host 20636 username mem REG 9,2 51728 23855282 /lib/libnss_files-2.11.3.so
host 20636 username mem REG 9,2 12582912 60827148 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/.frsdfg
host 20636 username DEL REG 9,2 60817412 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/libworker.so
cwd : /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js

The lsof output shows that the attack is being generated from this folder and that the scripts are located there:

/var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/bruteforce.so

/var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/.frsdfg

/var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/libworker.so

The above three files are the main malicious files; bruteforce.so was no longer present on the server at that time, as it was removed soon after the attack was initiated.

To fix this, I removed the entire "js" folder and then killed all these processes, and asked the client to remove the plugin. It is also a good idea to remove the host binary (/usr/bin/host): if it is still there, the attackers can come back with the same attack and ruin the server's reputation within a few hours.
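An added example, not from the original post, that turns the lsof reasoning above into a repeatable check. Two indicators in the output gave the process away: a system binary (/usr/bin/host) whose working directory and mapped libraries sit under a web document root, and DEL entries, which are files that were mapped into the process and then unlinked from disk (the post notes bruteforce.so was already gone). The functions below read lsof output on stdin and report both. SAMPLE_LSOF is a constructed sample modelled on the post's listing (same paths and PID 20636), plus a constructed benign bash process; the web-root pattern is an assumption covering /var/www and /home/*/public_html and should be adjusted to the server's layout.

```sh
#!/bin/sh
# Constructed lsof output (columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME).
# DEL lines have no SIZE/OFF column, so NAME is read as the last field ($NF).
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
host 20636 username cwd DIR 9,2 4096 60874901 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js
host 20636 username rtd DIR 9,2 4096 2 /
host 20636 username txt REG 9,2 120240 68160132 /usr/bin/host
host 20636 username DEL REG 9,2 60817452 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/bruteforce.so
host 20636 username mem REG 9,2 22928 23855190 /lib/libnss_dns-2.11.3.so
host 20636 username mem REG 9,2 12582912 60827148 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/.frsdfg
host 20636 username DEL REG 9,2 60817412 /var/www/vhosts/domain.com/site1/wordpress/wp-content/plugins/subscribe2/extension/readygraph/assets/js/libworker.so
bash 4242 username cwd DIR 9,2 4096 123456 /home/username
bash 4242 username txt REG 9,2 1029624 654321 /bin/bash'

# Assumed web document roots; adjust for the server (Plesk vhosts, cPanel public_html, ...).
WEBROOT_RE='^(/var/www|/home/[^/]+/public_html)/'

# suspicious_pids  (lsof output on stdin)
# PIDs whose working directory or any mapped/deleted library lives under a web
# root: a binary like /usr/bin/host has no business loading .so files from a
# WordPress plugin directory.
suspicious_pids() {
    awk -v re="$WEBROOT_RE" '
        NR == 1 { next }
        ($4 == "cwd" || $4 == "mem" || $4 == "DEL") && $NF ~ re { flag[$2] = 1 }
        END { for (p in flag) print p }'
}

# deleted_mapped_files  (lsof output on stdin)
# "PID PATH" for DEL entries: code mapped into memory and then removed from disk,
# which hides the payload from file-based scanners while it keeps running.
deleted_mapped_files() {
    awk 'NR > 1 && $4 == "DEL" { print $2, $NF }'
}

# webroot_paths PID  (lsof output on stdin)
# Every path under a web root that PID has as cwd, open, or mapped.
webroot_paths() {
    awk -v pid="$1" -v re="$WEBROOT_RE" 'NR > 1 && $2 == pid && $NF ~ re { print $NF }'
}

# Real use:  lsof -u www-data | suspicious_pids
#            lsof -p 20636    | deleted_mapped_files
```

Running this over all processes of the web server user after stopping Apache is a quick way to find anything that survived the restart; the DEL list also tells you which files are already gone and therefore cannot be recovered for analysis from the filesystem.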

04Dec/14

Error: The adminbin "cpmysql" in the "Cpanel" namespace call to function "DBCACHE" ended prematurely: The subprocess reported the "" (255) error when it ended

This error appeared in the user's cPanel, and no databases or database users were listed for the account.

On checking /var/lib/mysql/server.domain.com.err (the MySQL error log), I could see that the mysql.user table was corrupted and needed repair:

141204 12:13:56 [ERROR] /usr/sbin/mysqld: Table './mysql/user' is marked as crashed and should be repaired

You can repair the mysql database from the command line:

# mysqlcheck -r mysql

================
mysql.user
warning : Number of rows changed from 282 to 283
status : OK
================

You can see that the mysql.user table was crashed; after the repair, the issue is fixed.

23Nov/14

file error – cache failed to write licenseerror_whm.tmpl: Operation not permitted

Today we found a strange error on one of our servers that was preventing us from accessing its cPanel. Someone had intentionally done this to prevent the server from renewing the certificate automatically, but I thought I would share it, as someone may meet the same error on some crazy server 🙂. The file named in the error is /var/cpanel/template_compiles/usr/local/cpanel/base/unprotected/lisc/licenseerror_whm.tmpl; check its permissions and attributes to make sure it is writable. In our case it had the immutable attribute set, and removing the attribute fixed it.
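An added example, not from the original post: "Operation not permitted" on a file that root should be able to write is the signature of an extended attribute rather than of ordinary permissions, so the check is lsattr, not ls -l. The function below reads lsattr output on stdin and reports files carrying the immutable (i) flag, which blocks all writes, or the append-only (a) flag, which blocks truncation and overwriting; both are cleared with chattr -i or chattr -a. SAMPLE_LSATTR is a constructed sample (the attribute strings and the two extra paths are made up); the real invocation is in the comment.

```sh
#!/bin/sh
# Constructed lsattr output: attribute flags first, then the path.
SAMPLE_LSATTR='----i--------e-- /var/cpanel/template_compiles/usr/local/cpanel/base/unprotected/lisc/licenseerror_whm.tmpl
-------------e-- /var/cpanel/template_compiles/usr/local/cpanel/base/unprotected/lisc/other.tmpl
-----a-------e-- /var/log/example_append_only.log'

# locked_files  (lsattr output on stdin)
# Prints "immutable PATH" or "append-only PATH" for files that cannot be
# written normally even by root. Only two-field lines whose first field is a
# flag string are considered, so the "/dir:" headers and blank lines that
# lsattr -R emits are ignored (a path containing the letter i must not match).
locked_files() {
    awk 'NF == 2 && $1 ~ /^[-A-Za-z]+$/ {
            if (index($1, "i"))      print "immutable", $2
            else if (index($1, "a")) print "append-only", $2
         }'
}

# Real use:  lsattr -R /var/cpanel/template_compiles 2>/dev/null | locked_files
#            chattr -i /var/cpanel/template_compiles/usr/local/cpanel/base/unprotected/lisc/licenseerror_whm.tmpl
```

Because the attribute survives chmod and chown, a periodic run of this check over directories cPanel expects to write is a cheap way to notice this kind of tampering before it shows up as a licence or template error.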