Coders Tent

Syed Ashik Mahmud - Pro System Admin and Malware Cleaner

How to run a CXS on a specific cpanel account

So you feel a site on your server may have been attacked – and you want to make sure it is clean – how do you go about it?

The following command will run a scan on the selected user directory on the server.

/usr/sbin/cxs –report /root/scan.log –baction high –bayes –breport medium –clamdsock /tmp/clamd –defapache nobody –doptions Mv –exploitscan –nofallback –filemax 10000 –mail [email protected] –options mMOLfSGchexdnwZRD –qoptions Mv –sizemax 500000 –summary –sversionscan –timemax 30 –virusscan –voptions mfuhexT /home/accountname

NB: Please replace the [email protected] with your actual email address – and change the last part of the command to theuser directory you need to scan.

To use this command:

1) Open an SSH/putty session to your server

2) Login as root

3) type in and hit enter: freshclam

4) type in: screen -S Scan

5) copy and paste (right mouse in putty) the above command (but with your email address)

6) Hit enter.

Script To Fix Permissions And Ownership, on files and Directories, for cPanel Accounts

Fixing permission for a cpanel account doing manually is a difficult task. We can do it by running a script. For that follow below steps,

→Download the script using below command
wget https://raw.githubusercontent.com/PeachFlame/cPanel-fixperms/master/fixperms.sh

→To make it is executable please give execute permission for it.
chmod +x fixperms.sh

→We can run the script to fix a permission of a particular account by using below command
sh ./fixperms.sh -a USER-NAME

Replace the USER-NAME with the user that we want to fix the permission.

How to check Inode usage from cPanel and Command line?

Check from SSH Login.

Login to the server using ssh command.

Ensure that you are at the home directory with the following command.

cd ~

Following is the command to check the total Inodes on your server.

find . | wc -l

Hit the following command if you are looking to view the inode values directory wise.

find . -printf “%h\n” | cut -d/ -f-2 | sort | uniq -c | sort -rn

Database Error Connection Failed in RoundCube cPanel

RoundCube is a client based on Web IMAP and that is very easy to install & configure. RoundCube is open-source and free software that is subject to General Public License that except plugins and skins. The main feature of Roundcube is that all data are stored in the database and it does have the interface of the desktop. RoundCube has the well-known feature of the prevalent usage of Ajax technology.

Occasionally we might receive an error message, whenever RoundCube webmail tries to connect with its database. And the error occurs in cPanel server like “database error failed, unable to connect to the database. Please contact your server-administrator”.One of the main reasons for such an error is that the mailbox could have been getting corrected.

Here in this section, we are going to show how to overcome RoundCube database errors and how to fix the issues as well.

Fixing Database Error – RoundCube Webmail:

It is always advisable to check the database, server status and assure it is running and active. We can use various methods to resolve the problems. They are as follows,

Method 1: Restoring with the previous version of the mailbox database is one of the recommended and easiest ways to solve the issues.

Below mentioned the process to fix and restore the previous version of the mailbox database:

  • Either go to the folder of cPanel ‘/home/<cpanel_user>/etc/<domain>/’ and change the name of the file from <email_user>.rcube.db to <email_user>.rcube.db.bakor moving it out of that folder.

Change the name of the file from<email_user>.rcube.db.<number_stamp> (make use of the most recent copy based on the timestamp) to <email_user>.rcube.db.And now here we go, try to access your RoundCube.

Method 2: Another method of fixing an issue without restoring the previous settings is to restart the RoundCube from the beginning.

The following procedure shows how to fix this issue:

  • Either change the name of the file from <email_user>.rcube.db to <email_user>.rcube.db.bak or moving it out of that folder.

And now you can try to access the RoundCube again.

Normally for database storage like contacts, information, and other details, RoundCube makes use of SQLite or MySQL. Due to this, it is mandatory to RoundCube needs to be connected to its database in order to pick up the information. And in case of failure on the database connectivity may cause a “database error connection failed” error message displayed in the cPanel server. Using the different methods mentioned above we can overcome these kinds of issues.

How to Disable All cPanel LFD Alerts?

Clients are getting so many emails regarding all LFD alerts, “so if they wish to disable the alert please follow the below steps.

Steps to disable all LFD email Alerts.

1) Login to WHM.

2) Navigate to “ConfigServer Security & Firewall” under “Plugin” section.
3) Click on “Firewall Configuration” button to edit the CSF configuration file.
4) Search for “LF_EMAIL_ALERT” on the configuration file and change it from “On” to “Off” button.
5) Click on “Change” button to save the changes.

We need to restart csf and lfd services to enable all changes that we made in the above steps. So click on “Restart csf+lfd” button to restart both the services.

How to activate and using plugins with webmail in WHM

In order to enable/disable any of these plugins, you need to add/remove each plugin’s name to/from Roundcube’s configuration file. Here is how it’s done: (For demonstration we will enable the “password” plugin)

1- Open the main config file:

vi /usr/local/cpanel/base/3rdparty/roundcube/config/config.inc.php

2- Find this configuration option:

$config[‘plugins’] = array(‘cpanellogin’,’cpanellogout’,’archive’,’calendar’, ‘return_to_webmail’,’carddav’);

3- Add the name of the plugin that you wish to enable to the array above:

$config[‘plugins’] = array(‘cpanellogin’,’cpanellogout’,’archive’,’calendar’, ‘return_to_webmail’,’carddav’,’password’);

4- Save and exit the file

5- Reload Dovecot:

/scripts/restartsrv_dovecot

Change it :

zipdownload/config.ini.php

$rcmail_config[‘zipdownload_attachments’] = 1;
// Zip entire folders
$rcmail_config[‘zipdownload_folder’] = true;
// Zip selection of messages
$rcmail_config[‘zipdownload_selection’] = true;

https://support.cpanel.net/hc/en-us/articles/1500005353841-How-To-Enable-Disable-Roundcube-Plugins-

cPanel login invalid while using correct username and password

Sometimes you may get login invalid error while trying to login to your cPanel account. But the username and password that you are entering is correct. This will happen because of your IP address is blocked by cphulkd for BruteForce.

What is cPHulk ?

cPhulk is a similar feature like Firewall, with cphulk cPanel will give you and extra measure of protection from attacks like bruteforce.  Suppose someone is trying to compromise your server using random failed logins

So from the above description you can see that this is an important feature of cPanel/WHM so disabling this feature will not be a good idea, instead  you can white-list your IP address on the BruteForce protection. So it will allow connections from your IP address.

You can see the errors related to blocked connections by cphulkd for BruteForce from the cPanel error log itself,

/usr/local/cpanel/logs/error_log

And the error will be like pasted below,

main::badpass('faillog', 'brute force attempt (user iserversupport) has locked out IP xxx.xxx.xxx.xx...', 'skip_hulk', 1, 'msg_code', 'invalid_login') called at cpsrvd-ssl line 5790
        main::connect_cphulkd() called at cpsrvd-ssl line 5255
        main::handle_form_login() called at cpsrvd-ssl line 1131
        main::handle_one_connection() called at cpsrvd-ssl line 996

You can simply white-list the IP address on cphulkd by using the following script,

/scripts/cphulkdwhitelist

This script can be used along with the IP address that you need to white-list. See the sample command below,

/scripts/cphulkdwhitelist <IP-Address-for-whitelist>

This will allow your IP address through cphulk and now you will be able to login to the cPanel using correct password.

You can also do this from WHM. For that login to WHM and go to,

Home >> Security Center >> cPHulk Brute Force Protection

There will be options to  White/Black list IP addresses on cPHulk Brute Force Protection.

If you need our help to fix any issues on your server. Please feel free to contact us, simply email to [email protected]

 

How to See & Kill Processes From CPanel

CPanel Web host management software provides an intuitive interface for managing a website server. When running complex scripts on the server, you may occasionally need to stop a process from running to prevent a server crash. You can either stop all processes that a certain user is running, or you can stop a specific process by selecting it from a list of live processes.

Step 1

Type he server IP address followed by a colon and 2087 or follow your hosting server company or co-location center’s directions for accessing CPanel. Enter the administrator user name and password in the text fields when the CPanel login screen appears.

Step 2

Click System Health on the CPanel WHM home page; if you do not see the icon on your home screen, then locate System Health on the left sidebar menu.

Step 3

Click Process Manager and wait for the list of processes to appear.

Step 4

Kill all user processes by selecting the name from the Kill All Processes By User drop-down menu.

Step 5

Check the list of processes to see which processes might be using an inordinate amount of CPU resources or memory; the percentage of each is listed in the CPU and Memory columns for each process.

Step 6

Kill any individual processes by clicking the Kill prompt next to its process identification or PID number.

Step 7

Click the Back prompt that appears after the message “Killed (PID number)” to return to the list of processes. Kill additional processes as necessary.

Step 8

Test your server to make sure it works correctly. Restart the server if necessary.

How to Backup and Restore cPanel Accounts via SSH

Creating a cPanel Backup via SSH

To create a backup of your individual cPanel account using SSH, just follow these steps:

  1. First, log in to SSH as the Root user.
  2. Next, enter the following command string on the command line interface:

    /scripts/pkgacct username

  3. A backup of your account will be created and stored in the directory you are currently in.

 

Restoring a cPanel Backup via SSH

To restore a previously created backup of your cPanel account, just follow these steps:

  1. First, if you haven’t already, log in to SSH as the Root user.
  2. Navigate to the directory containing your backup file. *Note: In order to restore your data, you must be in the correct directory.
  3. Next, to restore your cPanel backup, enter the following command into the command line:

    /scripts/restorepkg username

And there you have it!

How to install MALDET Linux Malware Detect on cPanel Server?

Maldet is a malware detector and scanner for Linux based servers a project designed by R-fx networks project. It can be installed on shared hosting servers like cPanel WHM and linux plesk servers which works along with Clamav tool.

1. Download & Install Maldet –

cd /usr/local/src
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz

2. Go to the maldetect directory and run the installer script ‘install.sh’ as root:

cd maldetect-1.5
./install.sh

3. Next, make a symlink to the maldet command in the /bin/ directory.

ln -s /usr/local/maldetect/maldet /bin/maldet
hash -r

4. Configure Maldet, Install Nano editor if its not installed ( yum install nano ) –

cd /usr/local/maldetect/
nano conf.maldet

5. Enable email alert by changing the value to ‘1’.

email_alert=”1″

6. Set your email address .

email_addr=”[email protected]

We will use the ClamAV clamscan binary as default scan engine because it provides a high-performance scan on large file sets. If its not installed you can install it using ( yum -y install clamav clamav-devel ) then update using ( freshclam ) command.

7. Change value to ‘1’ on line 114 – scan_clamscan=”1″

8. Next, enable quarantining to move malware to the quarantine automatically during the scan process. Change value to ‘1’ on line 180 – quarantine_hits=”1″

9. Change value to 1 on line 185 to enable clean based malware injections – quarantine_clean=”1″

10. Save and exit.

Use Real-Time Monitoring with Maldet for active monitoring.

The inotify monitoring feature is designed to monitor paths/users in real-time for file creation/modify/move operations. This option requires a kernel that supports inotify_watch (CONFIG_INOTIFY) which is found in kernels 2.6.13+ and CentOS/RHEL 5 by default.

There are three modes that the monitor can be executed with and they relate to what will be monitored, they are USERS|PATHS|FILES.
e.g: maldet –monitor users
e.g: maldet –monitor /root/monitor_paths
e.g: maldet –monitor /home/mike,/home/ashton

Only find PHP files on an account

maldet –include-regex “.*.php$” -a /home/pronyxco/public_html

Full account
maldet –include-regex “.*.php$” -a /home/?/public_html

maldet -a /home/?

Reference :

How to install Linux Malware Detect


https://www.linuxcapable.com/how-to-install-maldet-linux-malware-detect-on-debian-11-bullseye/
https://dade2.net/kb/how-to-install-and-configuration-maldet-and-run-a-scan/
https://lionhost.gr/billing/knowledgebase/185/Maldet-Scan.html

« Older posts

© 2024 Coders Tent

Theme by Anders NorenUp ↑