Tutorial: List of shell / SSH commands to monitor server and other basic functions
- Category: HOSTING ISSUES
- Published: Saturday, 22 November 2008 10:34
- Written by Super User
- Hits: 32315
Here are some useful / vital SSH commands that let beginners monitor the basics of an Apache server (here CentOS 4), investigate server load problems, handle chmod commands, delete hacked / corrupt files and folders, and check server activity and disk usage. Instead of waiting for support in an endless communication whirlpool for sometimes simple things, these basic SSH commands help you keep a hand on your server or VPS and use support as efficiently as possible. ---- Very useful for Joomla users; most commands you need are here ----
EMERGENCY:
List connections per remote IP (the number before each IP is its connection count; the cut on ":" only works for plain IPv4 addresses):
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Block a whole network (the rule is inserted at the top of the INPUT chain; it is lost on reboot unless saved, see the iptables section):
iptables -I INPUT -s 5.39.216.0/21 -j DROP
csf (ConfigServer Firewall):
Look for a blocked IP (the csf.allow / csf.deny files live in /etc/csf, so run these from that directory or give the full path):
grep 36.37.224.0 /etc/csf/csf*
grep 36.37.224.0/20 /etc/csf/csf.allow
grep 36.37.224.0/20 /etc/csf/csf.deny
Restart csf (reloads the rules into iptables):
csf -r
ClamAV:
Scan a folder recursively (-r), reporting only infected files (-i). --remove deletes the infected files outright; --move quarantines them instead, which is safer because a false positive can still be inspected or restored:
clamscan /folder1 -ir --remove=yes
clamscan /folder1 -ir --move=/virus
*** LOGS: ***
Per-domain Apache access logs (visitor IPs): /usr/local/apache/domlogs
General system log: /var/log/messages
LINUX CENTOS USEFUL COMMANDS FOR DUMMIES
GENERAL SERVER HANDLING:
Getting General Command Help From Within SSH
When you are connected with SSH, in most cases you can find help on a command by typing:
command --help
eg. cd --help
If that doesn't work, you can also try:
man command
eg. man iptables
Man stands for manual, like a help manual.
Common SSH Commands or Linux Shell Commands
cd : change directory
cd /usr/local/apache : go to the /usr/local/apache/ directory
cd ~ : go to your home directory
cd - : go to the last directory you were in
cd .. : go up a directory
cat : print file contents to the screen
cat filename.txt : cat the contents of filename.txt to your screen
tail : like cat, but only reads the end of the file
tail /var/log/messages : see the last 10 (by default) lines of /var/log/messages
tail -f /var/log/messages : watch the file continuously, while it's being updated
tail -200 /var/log/messages : print the last 200 lines of the file to the screen
more : like cat, but opens the file one screen at a time rather than all at once
more /etc/userdomains : browse through the userdomains file. Hit Space to go to the next page, q to quit
pico : friendly, easy to use file editor
pico /home/burst/public_html/index.html : edit the index page for the user's website.
File Editing with VI ssh commands
vi : another editor, tons of features, harder to use at first than pico
vi /home/burst/public_html/index.html : edit the index page for the user's website.
While in vi you can use the following useful commands; type : to enter command-line mode first:
:q! : force quits without saving and exits vi
:w : writes the file to disk (saves it)
:wq : saves the file to disk and exits vi
:LINENUMBER : EG :25 : Takes you to line 25 within the file
:$ : Takes you to the last line of the file
:0 : Takes you to the first line of the file
grep : looks for patterns in files
grep root /etc/passwd : shows all matches of root in /etc/passwd
grep -v root /etc/passwd : shows all lines that do not match root
ln : creates "links" between files and directories
ln -s /usr/local/apache/conf/httpd.conf /etc/httpd.conf : Now you can edit /etc/httpd.conf rather than the original.
Changes will affect the original; however you can delete the link and it will not delete the original.
Shell Text Editor (nano)
The easiest Linux text editor to use over SSH is nano (a free clone of pico with the same key bindings, not a renamed pico). You can create, edit and manipulate files of
all types as long as they are text based. It is small, easy to use and easy to install.
nano
eg. nano httpd.conf
rename / renaming file or folder:
mv file file2
Installing Nano (Text Editor) In SSH
On CentOS, nano is available from the standard repositories (install it with yum). The packages below are the old Fedora Core 3 / Red Hat 9 RPMs for pine, which bundles the pico editor, plus the compat libraries pine needs:
wget download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/Fedora/RPMS/compat-openldap-2.1.30-2.i386.rpm
rpm --install compat-openldap-2.1.30-2.i386.rpm
wget ftp://rpmfind.net/linux/redhat/9/en/os/i386/RedHat/RPMS/pine-4.44-18.i386.rpm
rpm -Uhv ftp://mirror.switch.ch/mirror/scientificlinux/40rolling/i386/SL/RPMS/compat-libcom_err-1.0-5.i386.rpm
rpm --install pine-4.44-18.i386.rpm
If you are still used to typing pico, you can create a link so that pico runs nano without you noticing:
cd /usr/bin
ln -s nano pico
Creating CPanel Account Backups from ssh:
/scripts/pkgacct hotelboo /home
So if I wish to make a backup for user test in the root directory:
/scripts/pkgacct test /root
Restore the account hotelboo from the archive stored in /home:
First remove the existing account (this deletes its files, so make sure the archive is complete first):
/scripts/killacct USERNAME
cd /home
/scripts/restorepkg --force cpmove-hotelboo.tar.gz
Making Files and Directories
There are lots of ways to create a file on the fly.
Best way is to use a text editor like nano:
nano filename.conf
nano is the easiest editor to start with. vi (or vim, Vi IMproved) is more confusing at first but is a very powerful editor, and vim (with its alias vi) is already installed as part of the base installation, so it is always there.
OR, to put something quickly in a file, use:
echo "my content" > test.txt
This creates test.txt containing the line "my content" (and overwrites the file if it already exists).
touch updates the time a file was last modified, but will also create it (empty) if it doesn't exist:
touch test.txt
To make a directory, use:
mkdir directoryname
chmod: changes file access permissions
The three digits go in this order from left to right:
OWNER - GROUP - EVERYONE (others)
Article provided by WebHostGear.com
0 = --- No permission
1 = --X Execute only
2 = -W- Write only
3 = -WX Write and execute
4 = R-- Read only
5 = R-X Read and execute
6 = RW- Read and write
7 = RWX Read, write and execute
Usage:
chmod numberpermissions filename
chmod 000 : No one can access
chmod 644: Usually for HTML pages
chmod 755: Usually for CGI scripts
chown: changes file ownership
The two parts go in this order: USER:GROUP
chown root myfile.txt : Changes the owner of the file to root
chown root:root myfile.txt : Changes the owner and group of the file to root (root.root with a dot is also accepted by GNU chown, but the colon form is the standard one)
OPERATIONS:
CHMOD:
chmod -R 755 /home/hotelboo/public_html/*
chmod -R 777 *.* (makes everything world-writable; only ever do this temporarily, and never on a web root, because any process on the server, including the web server user, can then modify those files)
CHOWN (owner and group, colon-separated):
chown -R user:group location/*
chown -R user:group *
File System Permissions
Each file or directory carries three sets of permissions:
* owner permissions
* group permissions
* everyone (other) permissions
Permissions can be assigned to files and directories.
File permissions can be adjusted with the CHMOD tool
(stands for change mode). Permissions are broken up into Read, Write, Execute.
These permissions are assigned to the owner of the file (not necessarily root),
the group, and everyone else (general public, such as the web server user serving web guests).
Permissions are represented by a number (CHMOD Numbers).
Digit rwx Result
0 --- no access
1 --x execute
2 -w- write
3 -wx write and execute
4 r-- read
5 r-x read and execute
6 rw- read and write
7 rwx read write execute
Remembering that permissions are assigned to three classes
(owner, group and everyone), each class gets one digit.
For example, 777 refers to full access for everyone, which is why it should be avoided.
Numbers 775 or 755 are the general permissions assigned to web directories, and 644 to web pages.
To change the CHMOD permissions:
chmod
eg. chmod 755 index.html
or for a directory:
eg. chmod 755 public_html
To mass change permissions, which you must be VERY careful with, you can use the -R parameter (capital R, recursive) because it changes everything under the directory.
eg. chmod -R 755 public_html
Everything under public_html will now have the permission of 755
(owner full access, group read and execute, public read and execute), including files, which usually only need 644; the find commands further down set files and directories separately.
There is an excellent tutorial showing more in depth information
on mode and group permissions located at http://www.library.yale.edu/~lso/workstation/docs/permissions/
Typing command --help prints a command's options; pressing Tab completes a file or command name, and pressing Tab twice lists the possible completions.
root@server [/]# chmod -R 755 /home/hotelboo/public_html/*
root@server [/]# chmod -R 644 /home/hotelboo/public_html/*.*
The second command is risky: *.* also matches directories with a dot in their name, and a directory set to 644 can no longer be entered. Set directories and files separately instead:
Here are commands to chmod all folders in a user's directory to 755 and all files to 644 (find applies the mode to directories and files separately, unlike chmod -R).
# chmod directories to 755
find /home/hotelcom/public_html -type d -exec chmod 755 {} \;
# chmod files to 644
find /home/hotelcom/public_html -type f -exec chmod 644 {} \;
THEN:
chmod 750 /home/hotelcom/public_html
(750 on public_html only works where the web server user is a member of the account's group, as on cPanel/suexec servers; otherwise keep 755)
and
chmod 444 /home/hotelcom/public_html/configuration.php
(the Joomla configuration file only needs to be read by PHP, so make it read-only for everyone)
Here is how you would do this for every cPanel account, including the correct permissions for directories. The two find commands are separated by a ; and the cd is checked, so an account without a public_html does not make find run in the wrong directory:
for x in `ls /var/cpanel/users` ; do cd /home/$x/public_html || continue ; find . -type d -exec chmod 755 '{}' \; ; find . -type f -exec chmod 644 '{}' \; ; done
And here is how you change permissions for just files ending in php.
find /home/hotelcom/public_html -name "*.php" -type f -exec chmod 644 {} \;
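The same reset as shell functions, added here as an example that is not part of the original page: it applies 755 to directories, 644 to files and 444 to configuration.php under whatever web root you pass in, using -print0 and xargs -0 so file names with spaces survive, and it includes an audit that lists anything still world-writable (the bit chmod 777 leaves behind). The web root path is an assumption supplied by the caller; try it on a copy of an account before a live one.

```shell
#!/bin/sh
# Added example (not from the original page): reset web root permissions
# the way the find commands above do, with -print0 / xargs -0 so odd file
# names are handled, plus an audit for world-writable files. The web root
# is whatever path the caller passes (e.g. /home/USER/public_html).

# fix_webroot_perms WEBROOT: directories 755, files 644, Joomla config 444.
fix_webroot_perms() {
  webroot=$1
  [ -d "$webroot" ] || { echo "not a directory: $webroot" >&2; return 1; }
  find "$webroot" -type d -print0 | xargs -0 chmod 755
  find "$webroot" -type f -print0 | xargs -0 chmod 644
  # The DB credentials live here; PHP only needs to read the file.
  if [ -f "$webroot/configuration.php" ]; then
    chmod 444 "$webroot/configuration.php"
  fi
}

# world_writable WEBROOT: print every file or directory under WEBROOT that
# "everyone" may write to (-perm -002 = the o+w bit is set). Empty output
# means nothing is left at 777/666.
world_writable() {
  find "$1" -perm -002 -print
}

# mode_of PATH: print the symbolic mode string, e.g. drwxr-xr-x, taken
# from ls -ld (portable; a trailing "." or "+" for ACLs is cut off).
mode_of() {
  ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}
```

Run world_writable first to see what is wrong, fix_webroot_perms to repair it, then world_writable again; it should print nothing. For every cPanel account, loop over /var/cpanel/users and call fix_webroot_perms on each /home/USER/public_html.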
Create FTP Account For New Location
adduser USERNAME
passwd USERNAME
On request enter the password and re-enter it when prompted.
chmod -R 755 /home/USERNAME
As required, change ownership to the new user:
chown -R USERNAME:USERNAME /home/USERNAME
Create FTP Account For Duplicate Location (eg. second user same path)
Scenario: site1 already exists and user33 needs access to site1 files.
adduser user33
passwd user33
On request enter the password and re-enter the password on request.
nano /etc/passwd
Change user33's home path from /home/user33 to /home/site1
nano /etc/group
Add user33 to the site1 group (eg. site1:x:501:user33)
Editing these files by hand is error-prone; the usermod command (see man usermod) makes the same two changes and keeps the files consistent. Note that this only gives user33 the access the site1 group has, so the files must be group-readable, and group-writable if user33 is supposed to upload.
Delete Users
On CentOS this command deletes a user (add -r to remove the home directory and mail spool as well):
userdel USERNAME
The deluser and rmuser commands seen in other guides are the Debian and BSD equivalents and do not exist on CentOS.
Ping
The popular ping command is used to check if a connection can be established with a server. It also measures the response times amongst a few other details. To run a ping use:
ping hostname-or-IP
Tracing
You can run a trace on any host providing you can connect to it. A trace sends probes with an increasing time-to-live (UDP by default on Linux, ICMP with -I) so that each router along the path answers in turn, and displays each hop until it reaches the last node in the connection,
generally your server. Traces are generally used to test for network issues.
traceroute hostname-or-IP
WHOIS
The internet is built on IP addresses. To make it easier to reach a server, domain names were implemented. To record who owns which domain name, all the information is stored in a
large database generally referred to as the WHOIS database. You can run your own search by typing whois.
whois google.com
WHOIS lookups can also be done on IP addresses to see who they are registered to, for things like reporting spam or abuse.
Simply use the same command with the IP address to query instead.
Some providers offer a more refined database of their own in which they store customer information. For example:
rwhois://rwhois.layeredtech.com:4321
This is one example of a referral server; you can query it and generally find out more information, even reseller names and details.
eg. whois -h rwhois.layeredtech.com -p 4321 IPADDRESSHERE
RDNS lookup (host)
To check what an IP resolves to (reverse DNS entry) use the host command.
host 72.14.207.99
Send Message In SSH
You can send messages or broadcast notices to all logged-in shell users with the wall command:
eg. wall "your message here"
Find Service
You can use the whereis command if you are unsure of paths:
eg. whereis mysql
What is fsck?
Stands for "File system check". It checks a filesystem for inconsistencies and attempts to repair them. Only run it on an unmounted filesystem or from single-user/rescue mode; running it on a mounted, live filesystem can make the damage worse. A "seg fault" (segmentation fault) is a program crash, not a disk error, and is not something fsck fixes.
SERVER INFO, FILE LOCATION PATH
Common Paths and File Locations
MYSQL Config - /etc/my.cnf
MYSQL - /usr/local/mysql/
SSH Config - /etc/ssh/ (generally the conf file with sshd in it)
Apache (or httpd) - /usr/local/apache/ OR /etc/httpd
Apache Conf file - /usr/local/apache/conf/httpd.conf
Apache Daemon - /usr/local/apache/bin/apachectl
Logs - /var/log/
User Data - /home/
You can see installed php modules with command
php -m
you can also see the curl library version with command
curl -V
Restarting Services (Apache, Mysql, etc)
If set up, you can generally use the "service" command, eg:
service httpd restart
It is a shortcut to the init scripts in /etc/init.d/ (service httpd restart is the same as /etc/init.d/httpd restart).
HTTPD - service httpd restart (the service is called httpd on CentOS, not apache)
MYSQL - service mysql restart (mysql on cPanel servers; stock CentOS names it mysqld)
Running Scripts/Programs
You can do so in two ways:
Change directory to the correct path then execute:
cd /scripts
./scriptname
OR
/scripts/scriptname
For sh scripts that are not marked executable, you need to put sh in front of them:
cd /scripts
sh scriptname
OR
sh /scripts/scriptname
Repairing Databases
pathtomysql/bin/mysqlcheck -B dbname --repair
Generally the path to mysql is /usr/local/mysql/ but not always.
If you get an access denied error, you need to authenticate first. If you have root access you can just add -p on the end:
pathtomysql/bin/mysqlcheck -B dbname -p --repair
Do not enter your password in the command (it would show up in the process list and your shell history). It will prompt you for it after you press enter. If you need to log in with a user account (not root) add -u followed by the user name:
pathtomysql/bin/mysqlcheck -B dbname -u username -p --repair
The -B parameter means the names that follow are databases (one, two or three, as many as you like). If you want to repair all of them, use -A instead (root required):
pathtomysql/bin/mysqlcheck -A -p --repair
Remember the different ways of accessing the program:
a) cd pathtomysql/bin/
./mysqlcheck -A -p --repair
b) /pathtomysql/bin/mysqlcheck -A -p --repair
c) mysqlcheck -A -p --repair
The last form only works where the bin directory is on the PATH (as /sbin and /usr/local/bin usually are), so you don't have to type the full path or change directory.
Red IP Addresses/Sites Do Not Work Off Primary Shared IP (cPanel/WHM)
If you go to "Show or Delete Current IP Addresses" in WHM and you see red IP addresses, the ipaliases service has failed or been forced to stop.
This happens sometimes and there isn't a feature in WHM to restart it. You need to restart it via SSH:
service ipaliases restart
OR
/etc/init.d/ipaliases restart
Easy way to find php.ini path
The easiest way to find the php.ini file (the file where all the general PHP settings are stored), short of knowing it off
the top of your head, is to combine two commands. The command:
php -i
prints out all the PHP information, the same as a web page calling phpinfo(); does. Within all this information is the path to
the php.ini file, so we simply grep for it:
php -i | grep php.ini
It will return something like this:
Configuration File (php.ini) Path => /usr/local/lib/php.ini
That's your file! Note that php -i reports the command-line PHP's settings; if the web server uses a different php.ini (common with suPHP or a separate CGI build), a phpinfo() page served by Apache is the one to trust.
useful functions:
TAR: Creating and Extracting .tar.gz and .tar files
tar -zxvf file.tar.gz : Extracts the file
tar -xvf file.tar : Extracts the file
tar -cf archive.tar contents/ : Takes everything from contents/ and puts it into archive.tar
gzip -d filename.gz : Decompress the file, extract it
ZIP Files: Extracting .zip files shell command
unzip file.zip
Using tar with a server load limit (cpuwatch is a cPanel script that pauses the command while the load average is above the number given):
cpuwatch LOAD tar -xvzf backup.account.tar.gz
You would just need to change LOAD to the load average above which you want the process to be delayed. We usually run cpuwatch with 2 or 4 depending on what command we are having it monitor.
Useful symbols including wildcards
One powerful feature is the use of redirection symbols. They let you write the output of a command to a file, or feed a file into a command.
eg. echo "my data" > test.conf
The above command replaces all the file content with "my data". If you want to add to the bottom of the file instead:
eg. echo "my data" >> test.conf
It also works the other way. For example if you have an SQL backup in backup.sql, you can import it with the mysql client (mysqldump only exports, it cannot import):
eg. mysql -u [username] -p [database name] < backup.sql
The * symbol refers to everything. For example to delete everything in the current folder (check where you are with pwd first; there is no undo):
rm -rf ./*
download backup from backup drive:
- You can inspect it using ssh access. After logging in, enter on the command line:
cd /backups - enter the backups partition
cd cpbackups - enter the folder
ls - shows the folders daily, weekly, monthly, depending on which backup rotations you enabled
cd daily - enter the daily backups folder
ls - shows the backups for all users.
SECURITY AND LOGS:
location of logs:
- cPanel error logs
- /var/log/messages
- /etc/httpd/logs/error_log
View your server's current load and which processes and activity the server is currently running.
You can log into your VPS using ssh and use the commands:
uptime
top -c
service httpd fullstatus
service httpd fullstatus | less
top -c variations (use batch mode, -b -n 1, when piping to grep: interactive top draws a screen rather than writing plain lines):
for user nobody:
top -b -n 1 -c | grep nobody
You can exclude lines with grep -v "wordtoexclude":
********************************
top -b -n 1 -c | grep nobody | grep -v httpd
top -b -n 1 -c | grep -v root
top -b -n 1 (one plain-text snapshot of everything)
To list running daemons type the following in a terminal:
ps aux
check resources history:
[root@unknown ~]# sar
For monitoring the VPS status try:
free -m (memory usage)
top (overall processor/memory usage)
ps auxf
mysqladmin processlist
Monitoring server idle % by using the "sar" command
I see that you want to optimize your VPS by finding what makes load on your VPS. For that top is not good enough,
because it shows current load (last 1, 5 and 15 minutes) and resource distribution across live processes,
either running or sleeping. If some cron task is making spikes, you probably will never catch it with top,
but you need to arrange some more sophisticated monitoring system.
A handy thing in top is changing the sort column with
< or >
(the default sort column is %CPU),
but press
shift+< twice and you will get processes sorted by cumulative time.
That's excellent for running processes, but as I said above,
if a process is started from cron, you need another solution. I hope this answers your questions.
MALDET:
Update maldet:
maldet -u
stop maldet:
maldet -k
monitor:
maldet --monitor users
maldet --monitor /root/monitor_paths
maldet --monitor /home/mike,/home/ashton
scan:
maldet -a /path/to/scan
OR maldet --scan-all /path/to/scan
View the scan report:
# maldet -e SCANID
# maldet --report SCANID
Quarantine all malware results from a previous scan:
# maldet -q SCANID
# maldet --quarantine SCANID
Clean all malware results from a previous scan:
# maldet -n SCANID
# maldet --clean SCANID
Restore a file that you have already quarantined:
# maldet -s FILENAME
# maldet --restore FILENAME
Sometimes it is not possible to restore by using the file name only. In that case use the full path where the quarantined files are stored, ie /usr/local/maldetect/quarantine:
# maldet --restore /usr/local/maldetect/quarantine/FILENAME
You can check all active Apache processes using this command:
service httpd fullstatus
That way you can see if some domain is getting too much traffic and using resources.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That one lists IP's by connection number.
iptables -I INPUT -s IP -j DROP
That one blocks an IP.
BLOCK IP:
What it means is that an IP tried to get access, but failed.
The feature did its job, and blocked the IP.
Also, I blocked this IP via SSH:
iptables -I INPUT -s 202.113.244.42 -j DROP
CRON JOB TO RELEASE CSF-BLOCKED IPs FROM IPTABLES EACH MONTH:
.---------------- minute (0 - 59)
| .------------- hour (0 - 23)
| | .---------- day of month (1 - 31)
| | | .------- month (1 - 12) OR jan,feb,mar,apr ...
| | | | .----- day of week (0 - 7) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
| | | | |
* * * * * command to be executed
Above is copied from: http://en.wikipedia.org/wiki/Cron
So something along this line should work fine. Edit root's crontab with crontab -e (it is stored in /var/spool/cron/root) and add:
0 1 8 * * for i in $(grep -v "^#" /etc/csf/csf.deny | grep -v "$(date +\%b)" | awk '{print $1}'); do /usr/sbin/csf --denyrm $i; done
Note the \%b: in a crontab an unescaped % is turned into a newline, so the date format must be escaped, and $(...) avoids nesting backticks. The line removes every csf.deny entry whose comment does not mention the current month's abbreviation, i.e. everything that was added in previous months.
That would start your cron task at 1 AM on the 8th day of the month, every month of the year. You can adjust the time to 2, 3 or 4 AM, and the day to the 6th-10th; deleting the previous month's entries on the 1st would serve no purpose (they may be only a day old), after some 6-10 days is fine, and cron tasks are usually executed during the night / early morning, when there is usually light load on the server.
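The expiry logic of that cron line as shell functions you can test against a copy of csf.deny before scheduling it, added here as an example and not part of the original page. The csf.deny sample below is constructed (documentation IP ranges, invented dates); the functions print the expired IPs and the csf --denyrm commands instead of running them so the list can be reviewed, and crontab_line prints the entry with the % escaped.

```shell
#!/bin/sh
# Added example (not from the original page): month-based expiry of
# csf.deny entries, the logic behind the cron line above, as functions
# that only print. Sample data is constructed; no real csf.deny is read.

# Constructed sample of /etc/csf/csf.deny: comment header lines, then
# "IP # reason - date" entries as lfd writes them.
SAMPLE_CSF_DENY='###############################################################################
# Copyright 2006-2014, Way to the Web Limited
###############################################################################
203.0.113.7 # lfd: (sshd) Failed SSH login from 203.0.113.7: 5 in the last 3600 secs - Tue Oct 21 01:23:45 2014
198.51.100.9 # lfd: (ftpd) Failed FTP login from 198.51.100.9: 10 in the last 3600 secs - Mon Nov 17 04:00:12 2014
192.0.2.44 # Manually blocked, see ticket 1234 - Sat Sep 6 12:00:00 2014
192.0.2.0/24 # lfd: (smtpauth) Failed SMTP AUTH login - Sun Nov 2 23:59:59 2014'

# expired_denies MONTH: read csf.deny on stdin and print the first field
# (IP or CIDR) of every non-comment line whose text does not contain
# MONTH, e.g. "Nov". Entries added this month are kept.
expired_denies() {
  grep -v '^#' | grep -v "$1" | awk '{ print $1 }'
}

# denyrm_commands MONTH: one "csf --denyrm IP" line per expired entry.
# Printing instead of running needs no root and lets you review the list.
denyrm_commands() {
  expired_denies "$1" | awk '{ print "/usr/sbin/csf --denyrm " $1 }'
}

# crontab_line: the entry for root's crontab. In a crontab an unescaped
# "%" is a newline separator, so the date format is written as \%b.
crontab_line() {
  cat <<'EOF'
0 1 8 * * for i in $(grep -v "^#" /etc/csf/csf.deny | grep -v "$(date +\%b)" | awk '{print $1}'); do /usr/sbin/csf --denyrm $i; done
EOF
}
```

Usage on a live server: expired_denies "$(date +%b)" < /etc/csf/csf.deny shows what the cron job would release; only when that list looks right should the crontab_line entry go in. Note that an entry is kept purely by month name, so a block added on the 31st is released on the 8th of the next month.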
Search / find cron tasks and files on server
here you can find the location of your cron jobs.
# ls -1d /etc/cron*
/etc/cron.d/
/etc/cron.daily/
/etc/cron.deny
/etc/cron.hourly/
/etc/cron.monthly/
/etc/crontab
/etc/cron.weekly/
Also, for a particular user it goes like this (-l lists, -u selects the user):
crontab -l -u reeferfo
PREVENT BRUTE FORCE OF SERVER:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That one lists IPs by connection number (the number before each IP is its number of connections).
iptables -I INPUT -s IP -j DROP
That one blocks an IP.
tail -f /var/log/secure
This shows SSH and other login events as they happen and can be used to see if someone is trying to brute force their way into your server (repeated "Failed password" lines from one IP).
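An added example, not from the original page, that does the two checks above on sample data: it counts connections per remote IP from netstat -ntu output (skipping the header lines and merging IPv4-mapped IPv6 addresses, both of which the cut -d: -f1 version gets wrong), counts "Failed password" events per IP from /var/log/secure lines, and prints, rather than runs, an iptables DROP for anything at or above a threshold. Both samples are constructed and use documentation IP ranges.

```shell
#!/bin/sh
# Added example (not from the original page): connections per IP and
# failed SSH logins per IP, then candidate iptables DROP commands.
# All input below is constructed sample data; nothing is run as root.

# Constructed sample of `netstat -ntu` output, including the two header
# lines and an IPv4-mapped IPv6 entry (::ffff:...), which the page's
# `cut -d: -f1` would mangle.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40001      ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:51237 ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.44:5353         ESTABLISHED'

# Constructed sample of /var/log/secure lines (sshd format).
SAMPLE_SECURE='Nov 22 10:30:01 server sshd[2011]: Failed password for root from 198.51.100.9 port 40001 ssh2
Nov 22 10:30:03 server sshd[2011]: Failed password for root from 198.51.100.9 port 40001 ssh2
Nov 22 10:30:05 server sshd[2013]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2
Nov 22 10:31:00 server sshd[2020]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Nov 22 10:31:40 server sshd[2022]: Failed password for invalid user test from 203.0.113.7 port 60000 ssh2'

# conns_per_ip: read netstat -ntu output on stdin, print "count ip" lines
# sorted ascending. The remote address is column 5; the port is stripped
# at the last colon and a leading ::ffff: is removed so IPv4-mapped
# entries count together with their IPv4 form.
conns_per_ip() {
  awk 'NR > 2 { ip = $5; sub(/:[0-9]+$/, "", ip); sub(/^::ffff:/, "", ip); print ip }' \
    | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# failed_logins_per_ip: read /var/log/secure lines on stdin, print
# "count ip" for sshd "Failed password" events only (accepted logins and
# other daemons are ignored).
failed_logins_per_ip() {
  awk '/sshd\[[0-9]+\]: Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# block_commands THRESHOLD: read "count ip" lines on stdin and print the
# iptables command for every ip whose count is >= THRESHOLD. It prints
# instead of executing so the list can be reviewed before blocking.
block_commands() {
  awk -v t="$1" '$1 >= t { print "iptables -I INPUT -s " $2 " -j DROP" }'
}
```

On a live server: netstat -ntu | conns_per_ip | block_commands 50 or tail -n 5000 /var/log/secure | failed_logins_per_ip | block_commands 10, then pipe the reviewed output to sh. Pick the threshold from what is normal for the server; a busy proxy or office NAT legitimately opens many connections from one address.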
last : shows who logged in and when
last -20 : shows only the last 20 logins
last -20 -a : shows last 20 logins, with the hostname in the last field
w : shows who is currently logged in and where they are logged in from.
who : This also shows who is on the server in an shell.
netstat : shows all current network connections.
netstat -an : shows all connections to the server, the source and destination ips and ports.
netstat -rn : shows routing table for all ips bound to the server.
top : shows live system processes in a nice table, memory information, uptime and other useful info. This is excellent
for managing your system processes, resources and ensure everything is working fine and your server isn't bogged down.
top then type Shift + M to sort by memory usage or Shift + P to sort by CPU usage
ps: ps is short for process status, which is similar to the top command. It's used to show currently running processes
and their PID.
A process ID is a unique number that identifies a process, with that you can kill or terminate a running program on
your server (see kill command).
ps U username : shows processes for a certain user
ps aux : shows all system processes
ps aux --forest : shows all system processes like the above but organizes in a hierarchy that's very useful!
touch : create an empty file
touch /home/burst/public_html/404.html : create an empty file called 404.html in the directory /home/burst/public_html/
file : attempts to guess what type of file a file is by looking at its content.
file * : prints out a list of all files/directories in a directory
Firewall - iptables commands
iptables -I INPUT -s IPADDRESSHERE -j DROP : Stops any connections from the IP address (-I inserts the rule at the top of the INPUT chain, so it is checked before existing rules)
iptables -L -n : Lists all rules in iptables (-n skips reverse DNS lookups, which can hang)
iptables -F : Flushes all iptables rules (clears the firewall, leaving the server unprotected until rules are reloaded)
service iptables save : Saves the current ruleset in memory to /etc/sysconfig/iptables so it survives a restart (there is no "iptables --save" option; iptables-save prints the rules to the screen instead)
service iptables restart : Restarts iptables, reloading the saved ruleset (rules added with -I but not saved are lost)
Apache Shell Commands
httpd -v : Outputs the build date and version of the Apache server.
httpd -l : Lists compiled-in Apache modules
apachectl status : Only works if mod_status is enabled and shows a page of active connections ("httpd status" on its own is not a valid option)
service httpd restart : Restarts the Apache web server
MySQL Shell Commands
mysqladmin processlist : Shows active mysql connections and queries
mysqladmin drop databasenamehere : Drops/deletes the selected database
mysqladmin create databasenamehere : Creates a mysql database
Restore MySQL Database Shell Command
mysql -u username -p databasename < databasefile.sql : Restores a MySQL database from databasefile.sql (you are prompted for the password)
Backup MySQL Database Shell Command
mysqldump -u username -p databasename > databasefile.sql : Backs up the MySQL database to databasefile.sql
Do not write the password on the command line: "-p password" with a space makes MySQL treat "password" as the database name, and "-ppassword" works but leaves the password visible in ps output and your shell history.
kill: terminate a system process
kill PID EG: kill 10550 (sends TERM, which lets the program shut down cleanly; try this first)
kill -9 PID EG: kill -9 431 (sends KILL, which the program cannot catch; use it only if plain kill did not work, as the process gets no chance to clean up)
Use top or ps ux to get system PIDs (Process IDs)
EG:
PID TTY TIME COMMAND
10550 pts/3 0:01 /bin/csh
10574 pts/4 0:02 /bin/csh
10590 pts/4 0:09 APP
Each line represents one process, with a process being loosely defined as a running instance of a program. The column
headed PID (process ID) shows the assigned process numbers of the processes. The heading COMMAND shows the command
that was executed.
Putting commands together
Often you will find you need to use different commands on the same line. Here are some examples.
Note that the | character is called a pipe; it takes data from one program and pipes it to another.
> means create a new file, overwriting any content already there.
>> means append data to a file, creating a new one if it does not already exist.
< sends input from a file into a command.
grep User /usr/local/apache/conf/httpd.conf | more
This will dump all lines that match User from the httpd.conf, then print the results to your screen one page at a time.
last -a > /root/lastlogins.tmp
This will print all the current login history to a file called lastlogins.tmp in /root/
tail -10000 /var/log/exim_mainlog | grep domain\.com | more
This will grab the last 10,000 lines from /var/log/exim_mainlog, find all occurrences of domain.com (in a grep pattern the period matches any character,
so escape it with a backslash to make it literal), then send it to your screen page by page.
netstat -an | grep :80 | wc -l
Shows how many connections there are to Apache (httpd runs on port 80); the count includes the listening socket and connections in TIME_WAIT, not only active ones.
mysqladmin processlist | wc -l
Counts the lines of the MySQL process list (subtract the four header and border lines to get the number of connections).
Check ports for processes
If you want to check what process is running on the server on a certain port you can use the lsof command. You can check everything by typing:
lsof
You can also check just a single port and protocol, using port 80 as an example:
lsof -i tcp:80
This will check port 80 on TCP protocol. Here's an example output:
root@server [/]# lsof -i tcp:80
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 3313 root 19u IPv4 8033 TCP *:http (LISTEN)
httpd 25553 nobody 19u IPv4 8033 TCP *:http (LISTEN)
httpd 25554 nobody 19u IPv4 8033 TCP *:http (LISTEN)
httpd 25555 nobody 19u IPv4 8033 TCP *:http (LISTEN)
httpd 25556 nobody 19u IPv4 8033 TCP *:http (LISTEN)
httpd 25557 nobody 19u IPv4 8033 TCP *:http (LISTEN)
httpd 25789 nobody 19u IPv4 8033 TCP *:http (LISTEN)
httpd 26410 nobody 19u IPv4 8033 TCP *:http (LISTEN)
httpd 27622 nobody 19u IPv4 8033 TCP *:http (LISTEN)
httpd 27625 nobody 19u IPv4 8033 TCP *:http (LISTEN)
httpd 28113 nobody 19u IPv4 8033 TCP *:http (LISTEN)
Flush Exim Queue
exim -qff forces a delivery attempt for every queued message, including frozen ones. If you've got 2000 emails queued which you know are all spam, that would send them; to discard them instead, remove them from the queue (exiqgrep -i prints only the message IDs and exim -Mrm deletes them):
exiqgrep -i | xargs exim -Mrm
To force delivery of legitimate queued mail:
exim -qff
You can also run it in debugging mode (-d prints debugging output to the terminal):
exim -qff -d
Access Denied Error from phpMyAdmin via WHM (cPanel)
When you try to load phpMyAdmin from cPanel's Web Host Manager (WHM) a message saying access denied appears. There is a very simple solution to this.
From web host manager, under SQL Services click MySQL Root Password. Enter in a password and save it.
Try loading up phpMyAdmin again from web host manager and it should be fine. No SSH commands, no configuration files - type and click.
Locate files owned by nobody and delete
This is extremely useful for locating files that have been uploaded using an exploit and are still owned by the nobody user. Note this isn't
the solution to cleaning up an exploit, just a tool to assist in the clean up.
The command below searches every user's document root for files owned by nobody and displays them on the screen. This is the most
likely location for uploaded nobody files, but files can end up outside these directories, so adjust the scope of the command where necessary.
find /home/*/public_html -user nobody -print
The command below deletes all files in the users' document roots that are owned by the nobody user. Run the find on its own first, review the list, and only then delete. -print0 with xargs -0 keeps file names containing spaces from being split (plain xargs rm would try to delete the wrong paths):
find /home/*/public_html -user nobody -type f -print0 | xargs -0 rm -f
To delete folders owned by the nobody user too, use:
find /home/user/public_html -user nobody -print0 | xargs -0 rm -rf
delete all error_log files for all users:
find /home -name error_log -type f -print0 | xargs -0 rm -f
delete all server mails in account mailboxes (the pattern must be quoted so the shell does not expand it in the current directory):
find /home/*/mail/new -name '*server*' -print0 | xargs -0 rm -f
find specific hacked files and folders:
find /home/*/public_html -name '*zip*' -print
find specific text in all files, example porn. grep takes a regular expression, so just give the word ('*porn*' does not mean what it does in a shell glob). Write the report somewhere outside public_html, otherwise it is downloadable from the web:
find /home/*/public_html -type f -exec grep -l porn {} \; >> /root/porn.txt
find /home/*/public_html -mtime -2 -type f -exec grep -sl porn {} \; >> /root/injected.txt
The -mtime -2 option tells find to search only files modified in the last two days.
cpuwatch 2 find /home/*/public_html -mtime -30 -type f -exec grep -sl jp {} \; >> /home/porn.txt
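The same hunts written defensively, as an added example that is not part of the original page: the name pattern is quoted, file names with spaces survive -print0 / xargs -0, and the report file is created with mode 600 so it is only readable by the user running the scan. The web root, the number of days and the text pattern are whatever the caller passes; the functions only report, nothing is deleted.

```shell
#!/bin/sh
# Added example (not from the original page): find recently modified
# files containing a pattern, and files by name, without the quoting and
# xargs pitfalls of the one-liners above. Paths and patterns come from
# the caller; the report goes wherever the caller says (use /root, not a
# web root, so it cannot be downloaded).

# recent_files_matching WEBROOT DAYS PATTERN: print every regular file
# under WEBROOT modified in the last DAYS days whose content matches the
# grep pattern PATTERN. -s hides unreadable-file errors; "--" stops grep
# from reading a pattern that starts with "-" as an option.
recent_files_matching() {
  find "$1" -type f -mtime "-$2" -print0 | xargs -0 grep -l -s -- "$3"
}

# files_named WEBROOT GLOB: regular files whose name matches GLOB,
# e.g. '*.zip'. The glob is quoted by the caller so the shell does not
# expand it against the current directory before find sees it.
files_named() {
  find "$1" -type f -name "$2" -print
}

# write_report WEBROOT DAYS PATTERN REPORT: append the matches to REPORT,
# creating it with mode 600 (umask 077 in a subshell, so the caller's
# umask is untouched), and print the number of lines now in the report.
write_report() {
  (umask 077; recent_files_matching "$1" "$2" "$3" >> "$4")
  wc -l < "$4" | tr -d ' '
}
```

Typical call: write_report /home/USER/public_html 2 'base64_decode' /root/injected.txt, then read the report with less and decide per file; a match is a lead, not proof, since legitimate code uses base64_decode too.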
get dates of modified folders:
ls -l
Check Binded IP addresses
ifconfig
Under eth0 you'll see something like:
inet addr:xx.79.162.45 Bcast:xx.79.162.45 Mask:255.255.255.248
Gives you the IP details. The "lo" one is the loopback adapter, allows it to talk to itself. Insane hey?
Locate general spoofing files on all accounts (quote the pattern so the shell does not expand it):
find /home/*/public_html -name '*.zip' -print
find /home/*/public_html -name '*www*' -print
INQUIRING, DEBUGGING FILE AND FILE MANAGER
du : shows disk usage.
du -sh : shows a summary, in human-readable form, of total disk space used in the current directory, including subdirectories.
du -sh * : same thing, but for each file and directory. Helpful when finding large files taking up space.
If you would like to run a disk space usage breakdown, position yourself in the directory you want to count and run:
df -h : lists drives and shows disk usage very quickly
du --max-depth=1 -h : usage of each immediate subdirectory
There are some variants of the du (disk usage) command; if interested type man du on the command line or browse the Internet for Linux manual pages.
Anyhow, I created a file with a list of all files under:
/root/beatbang.list.files.txt
for your inspection. If you would like to look into any of those, just type:
less /home/beatbang/public_html/cache/com_jevents/NAME-OF-THE-FILE-FROM-/root/beatbang.list.files.txt-HERE
Check what services are running on the server:
For installed services --
/sbin/chkconfig --list | awk '{ print $1 }' | sort
For services configured to run --
/sbin/chkconfig --list | grep :on | sort
For current services' status --
/sbin/chkconfig --list | awk '/:on/ { print $1 }' | sort
If you lack facility with shell one-liners, awk, grep, etc. - just apply the available resources of eyeballs and gray matter to the output of
service --status-all
and
chkconfig --list
Listing Directory Content
BEST I FOUND IS:
ls -Xl
To list the files and folders inside a directory you can use the ls command.
eg. ls
For better display, you can use:
eg. ls -l
On some servers, if its setup you can simply type two L's and it will work like ls -l
eg. ll
For more advanced directory listing options type:
eg: ls --help
If you would like to run a filter over the results you can add a pipe, followed by the grep command and then your criteria.
eg. ll | grep index
OR
eg. ll | grep '\.php'
Don't forget if ll doesn't work, use the ls or ls -al commands. Wildcards are not needed: grep searches for a pattern anywhere in each line (the dot is escaped above because an unescaped period matches any character).
This is merely one example of its uses.
ls : list files/directories in a directory, comparable to dir in windows/dos.
ls -al : shows all files (including ones that start with a period), directories, and details attributes for each file.
file information command:
wc : word count
wc -l filename.txt : tells how many lines are in filename.txt
cp : copy a file
cp filename filename.backup : copies filename to filename.backup
cp -a /home/burst/new_design/* /home/burst/public_html/ : copies all files, retaining permissions, from one directory to another.
cp -av * ../newdir : Copies all files and directories recursively from the current directory INTO newdir
mv : Move a file command
mv oldfilename newfilename : Move a file or directory from oldfilename to newfilename
Delete / remove files:
rm : delete a file
rm filename.txt : deletes filename.txt, will more than likely ask if you really want to delete it
rm -f filename.txt : deletes filename.txt, will not ask for confirmation before deleting.
rm -rf tmp/ : recursively deletes the directory tmp, and all files in it, including subdirectories. BE VERY CAREFULL WITH THIS COMMAND!!!
Delete a folder and everything under it:
rm -r foldername
To delete everything without prompting, add -f as well:
rm -rf foldername
Delete a file:
rm filename
Delete a file without prompt:
rm -f filename
rm -rf sess* when inside a directory, delete (remove) all files starting with "sess"
So to delete everything under the "cache" directory you could:
Example 1:
cd /home/user1/public_html/
rm -rf cache
This would delete the cache directory, without prompt, and everything under it.
Example 2:
cd /home/user1/public_html/download
rm -rf ./*
For an emergency delete of files in a folder you can't access otherwise:
find . -name '*.cache' -exec rm -rf {} \;
Most efficient way to force delete:
find . | grep -F '.cache' | xargs rm -rf
which works like this:
the find lists all files in this directory and below,
the grep keeps only the paths containing the text ".cache" (-F matches it literally; without -F the dot would match any character),
xargs runs rm -rf on that output.
This is a slightly longer way to run the command, but it is more reliable. Both forms only work for file names without spaces; with spaces, use find ... -print0 | xargs -0 rm -rf instead.
test DNS:
http://leafdns.com/index.cgi?testid=CE9ABD63&lock
test for rootshosting.net.