The Community Forums


cPanel Monitoring & Management

Discussion in 'General Discussion' started by osirion, Sep 27, 2015.

  1. osirion

    osirion Active Member

    Joined:
    Jan 16, 2007
    Messages:
    28
    Likes Received:
    1
    Trophy Points:
    3
    Hey Guys,
    I am quite new to server management having always had reseller accounts for all my clients. Now taking on the role of server admin of a dedicated server, and having had several customer account compromises already - I am looking at ways to make my life easier.

    What do you guys use to monitor your servers - proactive & re-active solutions?

    Something that monitors the mail queue for example, looking for excessive usage based on 'x' criteria for example. And/or a scanner that goes through customer accounts scanning for malware (on a schedule and/or reactive to 'x' criteria). etc. etc.

    Thanks in advance!
     
  2. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    275
    Likes Received:
    31
    Trophy Points:
    28
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
    For spam, it's normally from a PHP script, so you can use this one-liner below in SSH. It will show you which directories are being used to send out email; you can easily tell which ones are malicious as they will be in the hundreds, thousands and even hundreds of thousands in extreme cases. Just go to that directory and you will find the PHP script. If there are many PHP scripts, you can easily tell which one it is by grepping the access logs to see which PHP script is being spam posted. I'll post that grep below:
    Code:
    # head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print $1}'
    # grep POST /home/$user/access-logs/*
    
    (The first command prints the date of the first log entry, then the 15 busiest sending directories with their counts, then the date of the last entry, so you know what time span the counts cover. In the second command, replace $user with the cPanel username.)
    To stay on top of spam though, I personally use CSF. More specifically I rely on:
    LF_SCRIPT_ALERT = "1"
    LF_SCRIPT_LIMIT = "25"

    This will alert you anytime a 'cwd' shows up in the mail logs, which is that directory; if CSF sees it 25 times in an hour, it will alert you. To help a bit more, I also use:

    LF_SCRIPT_ACTION
    You can create a bash script that is triggered anytime that LF_SCRIPT_LIMIT is met. I have a bash script that emails me useful information; I'll be happy to share:

    http://pastebin.com/N9jGE3Z1

    I place that script in ~ and chmod it executable

    Code:
    # chmod +x ~/csf.lf_script_perm_action
    I would advise reading over the documentation for CSF so you have a better understanding, but that is the gist of it; for script alerts specifically, CSF goes way beyond that.

    CSF will also alert you if the mail queue reaches a certain limit. Example:

    LF_QUEUE_ALERT = "2000"

    As for malware, you can use clamav; it's pretty good, although do not rely on it 100% as it still doesn't pick up everything. Especially if you're talking about a hacked WP site, don't ever just delete the malicious files and think the problem is resolved, because it won't be. I wrote an article here that helps reinstall WP without losing any data:

    https://www.bigscoots.com/portal/kn...install--a-wordpress-site-after-being-hacked/

    I can also provide you with some commands that I use to help find those malicious scripts as they are fairly common and use the same methods:

    Code:
    # find "$(pwd)" -type f -iname '*.php' -exec echo {} \; -exec head -1 {} \; | grep -B1 'GLOBALS\|preg_replace\|array_diff_ukey\|gzuncompress\|gzinflate\|post_var'
    With that command you would go into the infected cPanel account's public_html, and it will list all the files that contain more than likely malicious code on the first line.

    The most common files you will find, for me anyways, are found using this:
    Code:
    for i in USER; do find /home/$i/public_html/ -type f -iname '*.php' -print0 | xargs -0 -r grep -l 'sF=\|qV=' >> infected ; done
    Just replace USER with the cPanel user. You can also do more than one, like:
    Code:
    for i in USER USER2 USER3; do find /home/$i/public_html/ -type f -iname '*.php' -print0 | xargs -0 -r grep -l 'sF=\|qV=' >> infected ; done
    Wherever you run that command, it will create a file called infected with the exact path to the infected files. (The -print0 / -0 pair keeps file names containing spaces intact, and -r stops grep from running when find matches nothing.)

    Umm, so clamAV, you can install from SSH using:

    Code:
    /scripts/update_local_rpm_versions --edit target_settings.clamav installed
    /scripts/check_cpanel_rpms --fix --targets=clamav
    
    ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/local/bin/clamscan
    ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/local/bin/freshclam
    freshclam
    
    but you can also install it from WHM using "manage plugins".

    If you want to scan manually using it, you can do:
    Code:
    clamscan -ri /home/USER/public_html/
    There are lots more config options you can use, but too much to go into; just google it :) but cPanel has a good write-up here as well

    https://documentation.cpanel.net/display/ALD/Configure+ClamAV+Scanner

    Check out the "ClamAV Scanner cron job" at the bottom of the page.

    I hope this helps!
     
    osirion likes this.
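As an added example that is not from the thread or from CSF, the following script does the same job as the exim "cwd" one-liner and the LF_SCRIPT_LIMIT check above: it counts sends per working directory in an exim_mainlog and reports only the directories at or over a threshold, skipping exim's own and csf's paths. The log lines are constructed samples in the format exim writes with `log_selector = +arguments`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or CSF): flag directories that send
# mail more than THRESHOLD times, mimicking CSF's LF_SCRIPT_LIMIT check.

# Constructed sample exim_mainlog lines ("cwd=" is field 3, as in the thread's awk).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2015-09-27 10:00:01 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2015-09-27 10:00:02 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2015-09-27 10:00:03 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2015-09-27 10:00:04 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2015-09-27 10:00:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZgA1-0001-AB
2015-09-27 10:00:06 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZgA1-0002-AB
2015-09-27 10:00:07 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZgA1-0003-AB
2015-09-27 10:00:08 cwd=/ 3 args: /usr/sbin/sendmail -t
2015-09-27 10:00:09 1ZgA1-0001-AB <= root@localhost U=root P=local S=512
EOF

# Print "count directory" for each cwd= directory seen at least THRESHOLD
# times (default 25, CSF's LF_SCRIPT_LIMIT in the thread), busiest first.
# The root directory, /etc/csf and /var/spool/exim are excluded, exactly as
# the thread's egrep -v does, since those are normal system senders.
spam_cwd_report() {
    logfile="$1"
    threshold="${2:-25}"
    awk -v limit="$threshold" '
        $3 ~ /^cwd=/ {
            dir = substr($3, 5)
            if (dir == "/" || dir ~ /^\/etc\/csf/ || dir ~ /^\/var\/spool\/exim/) next
            count[dir]++
        }
        END {
            for (d in count) if (count[d] >= limit) printf "%d %s\n", count[d], d
        }' "$logfile" | sort -nr
}

# Exit status 0 when something is over the limit, so it can drive an alert
# the same way LF_SCRIPT_ACTION would.
spam_cwd_alert() {
    [ -n "$(spam_cwd_report "$1" "$2")" ]
}

spam_cwd_report "$SAMPLE_LOG" 3
```

On a live server point it at /var/log/exim_mainlog instead of the sample file; the threshold is the only other argument.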
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,694
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator