cPanel Monitoring & Management


Well-Known Member
Jan 16, 2007
Hey Guys,
I am quite new to server management having always had reseller accounts for all my clients. Now taking on the role of server admin of a dedicated server, and having had several customer account compromises already - I am looking at ways to make my life easier.

What do you guys use to monitor your servers - proactive & re-active solutions?

Something that monitors the mail queue for example, looking for excessive usage based on 'x' criteria for example. And/or a scanner that goes through customer accounts scanning for malware (on a schedule and/or reactive to 'x' criteria). etc. etc.

Thanks in advance!


Well-Known Member
May 25, 2011
New Jersey
cPanel Access Level
DataCenter Provider
For spam, it's normally from a PHP script, so you can use this one-liner below in SSH. It will show you which directories are being used to send out email; you can easily tell which ones are malicious as they will be in the hundreds, thousands and even hundreds of thousands in extreme cases. Just go to that directory and you will find the PHP script. If there are many PHP scripts, you can easily tell which one it is by grepping the access logs to see which PHP script is being spam posted. I'll post that grep below:
# head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print $1}'
# grep POST /home/$user/access-logs/*
To stay on top of spam though, I personally use CSF. More specifically I rely on:

This will alert you anytime a 'cwd' shows up in the mail logs, which is that directory. If CSF sees it 25 times in an hour, it will alert you. To help a bit more, I also use:

You can create a bash script that is triggered anytime that LF_SCRIPT_LIMIT is met. I have a bash script that emails me useful information, I'll be happy to share:

I place that script in ~ and chmod it executable

# chmod +x ~/csf.lf_script_perm_action
I would advise reading over the documentation for CSF so you have a better understanding, but that is the gist of it. For script alerts specifically, CSF goes way beyond that.

CSF will also alert you if the mail queue reaches a certain limit. Example:


As for malware, you can use ClamAV. It's pretty good, although do not rely on it 100% as it still doesn't pick up everything. Especially if you're talking about a hacked WP site, don't ever just delete the malicious files and think the problem is resolved, because it won't be. I wrote an article here that helps reinstall WP without losing any data:

I can also provide you with some commands that I use to help find those malicious scripts as they are fairly common and use the same methods:

# find `pwd` -type f -iname '*.php' -exec echo {} \; -exec head -1 {} \; |grep -B1 'GLOBALS\|preg_replace\|array_diff_ukey\|gzuncompress\|gzinflate\|post_var'
With that command you would go into the infected cPanel account's public_html and it will list all the files that contain more than likely malicious code on the first line.

The most common files you will find, for me anyways, are found using this:
for i in USER; do find /home/$i/public_html/ -type f -iname '*.php' -print0 | xargs -0 grep -l 'sF=\|qV=' >> infected ; done
Just replace USER with the cPanel user; you can also do more than one, like:
for i in USER USER2 USER3; do find /home/$i/public_html/ -type f -iname '*.php' -print0 | xargs -0 grep -l 'sF=\|qV=' >> infected ; done
Wherever you run that command, it will create a file called infected with the exact path to the infected files.

Umm, so ClamAV, you can install from SSH using:

/scripts/update_local_rpm_versions --edit target_settings.clamav installed
/scripts/check_cpanel_rpms --fix --targets=clamav

ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/local/bin/clamscan
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/local/bin/freshclam
but you can also install it from WHM using "manage plugins".

If you want to scan manually using it, you can do:
clamscan -ri /home/USER/public_html/
There are lots more config options you can use, but too much to go into, just Google it :) but cPanel has a good write-up here as well

Configure ClamAV Scanner - Documentation - cPanel Documentation

Check out the "ClamAV Scanner cron job" at the bottom of the page.

I hope this helps!
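Added example, not part of the post above: the exim `cwd=` count from the one-liner, bucketed per clock hour so the result can be compared against the 25-per-hour alert level the post mentions. The function names, sample users and log lines are constructed for illustration, and the clock-hour bucketing is an assumption of this example, not how CSF itself counts.

```shell
#!/bin/sh
# Added example (not from the thread). Flags directories that handed mail to
# exim at least LIMIT times within one clock hour, using the "cwd=" log lines.
# Usage: mail_cwd_report LOGFILE [LIMIT]   (LIMIT defaults to 25)
mail_cwd_report() {
    awk -v limit="${2:-25}" '
        $3 ~ /^cwd=/ {
            dir = substr($3, 5)
            # Same exclusions as the one-liner in the post.
            if (dir == "/" || index(dir, "/etc/csf") == 1 ||
                index(dir, "/var/spool/exim") == 1) next
            hour = $1 " " substr($2, 1, 2)          # "YYYY-MM-DD HH"
            count[hour SUBSEP dir]++
        }
        END {
            for (k in count) if (count[k] >= limit) {
                split(k, p, SUBSEP)
                printf "%s:00 %d %s\n", p[1], count[k], p[2]
            }
        }' "$1" | sort -k3,3nr
}

# Constructed sample log; users, paths and timestamps are made up.
sample_log() {
    awk 'BEGIN {
        fmt = "2015-06-01 %02d:%02d:00 cwd=%s 3 args: /usr/sbin/sendmail -t -i\n"
        for (i = 0; i < 40; i++) printf fmt, 10, i, "/home/alice/public_html/wp-content/uploads"
        for (i = 0; i < 30; i++) printf fmt, 10, i, "/var/spool/exim"
        for (i = 0; i < 20; i++) printf fmt, 10, i, "/home/carol/public_html/forum"
        for (i = 0; i < 20; i++) printf fmt, 11, i, "/home/carol/public_html/forum"
        for (i = 0; i < 3;  i++) printf fmt, 10, i, "/home/bob/public_html"
        print "2015-06-01 10:05:00 1Yz0aB-0001Cd-Ef <= alice@example.com U=alice P=local S=1234"
    }'
}

# Demo run: only the directory with 40 sends inside one hour is reported.
tmp=$(mktemp)
sample_log > "$tmp"
mail_cwd_report "$tmp" 25
rm -f "$tmp"
```

On a live server the first argument would be /var/log/exim_mainlog; each output line is the hour, the count and the directory, highest count first.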


Staff member
Apr 11, 2011
Hello :)

In addition to the previous post, the following document is worth reading if you are just getting started with system administration:

Recommended Security Settings

Thank you.