Yearly Archives: 2009

How to change CPanel mail server IP address?

Quite often, your server’s main/shared IP address may get blacklisted by most RBLs for any number of reasons.

While it is blacklisted, it can be very difficult to send or receive important email.

A quick solution in that situation is to route email through a secondary IP address on the same server that is not blacklisted by those RBLs.

Exim, the mail server on cPanel, lets you change the default IP address it uses, so that all email is routed through the new secondary IP address.

Here are step-by-step instructions for configuring your Exim mail server to use the new IP address.

Step 1 : Shutdown the exim service.
# service exim stop or /etc/init.d/exim stop

Step 2 : Edit your exim configuration file.
# vi /etc/exim.conf

Step 3: go to “remote_smtp” section under “TRANSPORTS CONFIGURATION”.
By default it would look like below:
driver = smtp
interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch{/etc/mailips}{$value}{}}}{}}
helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}

Step 4 : Remove or comment out the lines containing “interface” and “helo_data”, and add a new “interface” line set to your new IP address. It should look as follows:
driver = smtp
interface = # Your IP address.

Step 5 : Save your changes and exit out from your exim configuration file.

Note : Don’t forget to set read-only attributes on the exim configuration file, so that it won’t get reset to default automatically.

You can do it using the following command:
# chattr +aui /etc/exim.conf

Step 6 : start exim service on your server.
# service exim restart or /etc/init.d/exim restart

Step 7 : Make sure to set reverse DNS for this new IP address to point to a valid FQDN.

Step 8 : Try sending a test email and you will find that it was sent using the new IP address configured in your exim configuration.

You can verify it by checking the entry for the new email in exim’s log file, i.e. /var/log/exim_mainlog
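A check that fits between Step 5 and Step 6, as an added example that is not part of the original post: it reads the interface value back out of the remote_smtp transport and confirms the address is one the server actually has, which catches a mistyped IP before the service is started again. The configuration fragment, the address list and 192.0.2.25 are constructed sample data; on a live server feed the functions /etc/exim.conf and the host's real addresses.

```sh
#!/bin/sh
# Added example, not from the original post. All sample data is constructed.

# remote_smtp_interface: read an Exim configuration on stdin and print the
# "interface" value set inside the remote_smtp transport (nothing if unset).
remote_smtp_interface() {
    awk '
        /^begin[ \t]+/ { section = $2; name = ""; next }
        section != "transports" { next }
        # A transport starts with its name and a colon, e.g. "remote_smtp:"
        /^[A-Za-z0-9_]+:[ \t]*$/ { name = $1; sub(/:$/, "", name); next }
        # Commented-out lines start with "#" and never match this pattern.
        name == "remote_smtp" && !found && /^[ \t]*interface[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; found = 1
        }
    '
}

# is_local_ip IP: succeed only if IP is in the address list given on stdin.
is_local_ip() {
    grep -Fqx -- "$1"
}

# Constructed exim.conf fragment as it would look after the Step 4 edit.
sample_conf() {
cat <<'EOF'
begin routers
lookuphost:
  driver = dnslookup
  transport = remote_smtp

begin transports
remote_smtp:
  driver = smtp
  # interface = (cPanel default lookup, commented out)
  interface = 192.0.2.25
EOF
}

# Constructed list of addresses bound to the server.
sample_addrs() { printf '%s\n' 127.0.0.1 192.0.2.10 192.0.2.25; }

check_sample() {
    ip=$(sample_conf | remote_smtp_interface)
    if [ -n "$ip" ] && sample_addrs | is_local_ip "$ip"; then
        echo "OK: remote_smtp sends from $ip, which is bound locally"
    else
        echo "PROBLEM: interface '$ip' is missing or not bound on this host"
        return 1
    fi
}
check_sample
```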

Install ClamAV in Centos with Cpanel

Installing antivirus is most important if you run a VPS or dedicated server, because worms and trojans often get onto your server without notice and could compromise it.

Cpanel WHM Installation

The easiest way to install ClamAV on cPanel is through the install plugin option in cPanel WHM.

Go > WHM > Cpanel Install Plugin > Enable Clamav Connector

Manual Installation


yum install clamd


yum install clamav

If that doesn’t work, use this:

rpm -Uhv

Follow the instructions here based on your CentOS version (locate B2 on that page).
After installing that, you can issue

yum install clamd
yum install clamav

Either of those should work.
Once you have installed ClamAV on your CentOS server, here are some of the basic commands for using the software.

1. To update the antivirus database

freshclam

2. To run antivirus

clamscan -r /home

3. Running as Cron Daily Job

To run the antivirus as a cron job (automatically scan daily), just run crontab -e from your command line. Then add the following line and save the file.

02 1 * * * clamscan -r /home

This will run the cron job daily at 1:02 AM, scanning your cPanel home directory.

You can change the folder to whatever you want for mail etc.
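A wrapper for that nightly job, as an added example that is not part of the original post: clamscan exits with 0 when nothing is found, 1 when a virus is found and 2 on an error, and the wrapper turns that into one clear summary line so a failed scan is not mistaken for a clean one. The script path in the comment and the SCANNER override are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original post.
# clamscan exit status: 0 = nothing found, 1 = virus found, 2 = error.

SCANNER=${SCANNER:-clamscan}     # overridable so the logic can be tested offline

# scan_report DIR: scan DIR recursively, print one summary line plus any hits,
# and return the scanner's exit status so cron or a caller can act on it.
scan_report() {
    dir=$1
    rc=0
    # -r recurse, -i list infected files only, --no-summary drop the statistics
    out=$("$SCANNER" -r -i --no-summary "$dir" 2>&1) || rc=$?
    case $rc in
        0) echo "clean: $dir" ;;
        1) hits=$(printf '%s\n' "$out" | grep -c ' FOUND$' || true)
           echo "INFECTED: $hits file(s) under $dir"
           printf '%s\n' "$out" | grep ' FOUND$' ;;
        *) echo "ERROR: scan of $dir failed with exit status $rc"
           printf '%s\n' "$out" ;;
    esac
    return "$rc"
}

# Cron usage (hypothetical script path): 02 1 * * * /root/clamscan-home.sh /home
if [ $# -gt 0 ]; then
    scan_report "$1"
fi
```

Run freshclam before the scan so the job uses current signatures.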

How to track mail from PHP when run as nobody?


One of the biggest problems with shared hosting is that PHP runs as the web server user rather than the user assigned in the virtualhost (unless you’re running PHP as CGI). This is a huge problem because when a site is compromised and an attacker is using your server to send spam, it can be very difficult to track down which site/script/page is causing the problem.


The solution is a patch located at It modifies PHP’s mail.c file so that when the mail function is called from the web, it stores the following information

X-PHP-Script: for

in the headers so that when a spam report does come in, you can easily track where it came from.

Below is a how-to for cPanel servers that shows how you can implement this patch.

Run the following as root:

PHP Code:
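mkdir -p /var/cpanel/buildapache/scripts
cd /var/cpanel/buildapache/scripts
# Quoted 'EOF' keeps the backticks and $PHPVER literal, so they run at build time
cat >> phppost << 'EOF'
PHPVER=`find -type d -iname "php-*" | sed 's|^\./||'`
# The patch file must already be present in the build directory
patch -p0 < $PHPVER-mail-header.patch
EOF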

Once that’s done, run

PHP Code:

like you normally would.
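Once the header is in place, a batch of spam reports can be reduced to the scripts that sent them. This is an added example, not part of the original post or of the patch; it assumes the header value has the form "<host>/<script path> for <client IP>", and the sample headers are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the header value looks
# like "<host>/<script path> for <client IP>"; the sample data is constructed.

# tally_php_scripts: read raw message headers on stdin and print
# "MESSAGES DISTINCT_CLIENTS SCRIPT", busiest script first.
tally_php_scripts() {
    awk '
        tolower($1) == "x-php-script:" && $3 == "for" && NF >= 4 {
            script = $2; client = $4
            msgs[script]++
            # Count each client address once per script
            if (!((script, client) in seen)) {
                seen[script, client] = 1
                clients[script]++
            }
        }
        END {
            for (s in msgs) print msgs[s], clients[s], s
        }
    ' | sort -rn
}

# Constructed headers from four reported messages.
sample_headers() {
cat <<'EOF'
Received: from nobody by host.example.com with local (Exim)
X-PHP-Script: example.com/~alice/contact.php for 203.0.113.5
Subject: constructed sample 1

Received: from nobody by host.example.com with local (Exim)
X-PHP-Script: example.com/~alice/contact.php for 203.0.113.5
Subject: constructed sample 2

X-PHP-Script: example.com/~alice/contact.php for 203.0.113.6
Subject: constructed sample 3

X-PHP-Script: example.org/form.php for 198.51.100.20
Subject: constructed sample 4
EOF
}

sample_headers | tally_php_scripts
```

A script with many messages from few client addresses points at a form being driven by one abuser, and the path names the account to investigate.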

CPU/Memory/MySQL Usage is blank in WHM

“CPU/Memory/MySQL Usage” page blank

This is a common error across all cPanel releases.

The most likely cause of this issue is related to the utility that actually generates the statistics.

When cPanel is installed, several entries are added into crontab for the root user.

The following is a list of the default crontab entries from a freshly installed cPanel server:

root@testbox [/etc/cron.hourly]# crontab -l
35 0 * * * /scripts/upcp
0 1 * * * /scripts/cpbackup
*/15 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
2,58 * * * * /usr/local/bandmin/bandmin
0 0 * * * /usr/local/bandmin/ipaddrmap
50 22 * * * /usr/local/cpanel/whostmgr/docroot/cgi/ --notify
22 2 * * * perl /root/rvadmin/
*/5 * * * * perl /root/rvadmin/ >/dev/null 2>&1
*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1
0 6 * * * /scripts/exim_tidydb > /dev/null 2>&1
root@testbox [/etc/cron.hourly]#

The dcpumon entry in this list is the daemon that actually compiles the logs for the Usage page.
If your Usage page is blank, it is normally because this utility is not running on the schedule that it is supposed to.

The above crontab entry for dcpumon is set to run every five minutes, every hour.

The most common resolution for this issue is to restart crond:

root@testbox [~]# /etc/init.d/crond restart
Stopping crond:[OK]
Starting crond:[OK]
root@testbox [~]#

The restart of cron should force all crontab entries to be processed normally again.

If you are still not seeing statistics on the Usage page after this, you should force a cPanel update from the command line with “/scripts/upcp --force”.

This should download and install a new copy of the dcpumon binary.

How to configure Exim on a cPanel server to use a smart host?

A Smart Host is an SMTP server that will accept mail from another server and then deliver the mail for that server.

For example, server1 is set up to use server2 as a smart host.

Any time someone sends e-mail on server1, it is automatically relayed to server2 regardless of the MX entries for the domain.

Server2 then accepts this message, looks up the proper delivery host/IP and attempts to deliver the message to that host.

To configure a smart host, create

PHP Code:

and add the following lines.

Be sure to change to the hostname or ip of the smart host server:

PHP Code:
driver = manualroute
domains = !+local_domains
transport = remote_smtp
route_list = *

Next run

PHP Code:

Then run

PHP Code:

That’s it, watch the logs for a bit to make sure it’s working!

SSH Cpanel/WHM Command

/scripts/adddns Add a Dns Entry
/scripts/addfpmail Install Frontpage Mail Exts
/scripts/addservlets Add JavaServlets to an account (jsp plugin required)
/scripts/adduser Add a User
/scripts/admin Run WHM Lite
/scripts/apachelimits Add Rlimits (cpu and mem limits) to apache.
/scripts/dnstransfer Resync with a master DNS Server
/scripts/editquota Edit A User’s Quota
/scripts/finddev Search For Trojans in /dev
/scripts/findtrojans Locate Trojan Horses
/scripts/findtrojans > /var/log/trojans
/scripts/fixtrojans < /var/log/trojans
/scripts/fixcartwithsuexec Make Interchange work with suexec
/scripts/fixinterchange Fix Most Problems with Interchange
/scripts/fixtrojans Run on a trojans horse file created by findtrojans to remove them
/scripts/fixwebalizer Run this if a user’s stats stop working
/scripts/fixvaliases Fix a broken valias file
/scripts/hdparamify Turn on DMA and 32bit IDE hard drive access (once per boot)
/scripts/initquotas Re-scan quotas. Usually fixes Disk space display problems
/scripts/initsuexec Turn on SUEXEC (probably a bad idea)
/scripts/installzendopt Fetch + Install Zend Optimizer
/scripts/ipusage Display Ipusage Report
/scripts/killacct Terminate an Account
/scripts/killbadrpms Delete “Security Problem Infested RPMS”
/scripts/mailperm Fix Various Mail Permission Problems
/scripts/mailtroubleshoot Attempt to Troubleshoot a Mail Problem
/scripts/mysqlpasswd Change a Mysql Password
/scripts/quicksecure Kill Potential Security Problem Services
/scripts/rebuildippool Rebuild Ip Address Pool
/scripts/remdefssl Delete Nasty SSL entry in apache default httpd.conf
/scripts/restartsrv Restart a Service (valid services: httpd,proftpd,exim,sshd,cppop,bind,mysql )
/scripts/rpmup Syncup Security Updates from RedHat/Mandrake
/scripts/runlogsnow Force a webalizer/analog update.
/scripts/secureit Remove non-important suid binaries
/scripts/setupfp4 Install Frontpage 4+ on an account.
/scripts/simpleps Return a Simple process list. Useful for finding where cgi scripts are running from.
/scripts/suspendacct Suspend an account
/scripts/sysup Syncup Cpanel RPM Updates
/scripts/ulimitnamed RH 6 only. Install a version of bind to handle many many zones.
/scripts/unblockip Unblock an IP
/scripts/unsuspendacct UnSuspend an account
/scripts/upcp Update Cpanel
/scripts/updatenow Update /scripts
/scripts/wwwacct Create a New Account

Common SSH Commands or Linux Shell Commands

ls : list files/directories in a directory, comparable to dir in windows/dos.
ls -al : shows all files (including ones that start with a period), directories, and detailed attributes for each file.

cd : change directory
cd /usr/local/apache : go to /usr/local/apache/ directory
cd ~ : go to your home directory
cd - : go to the last directory you were in
cd .. : go up a directory

cat : print file contents to the screen
cat filename.txt : cat the contents of filename.txt to your screen

chmod: changes file access permissions
The set of 3 go in this order from left to right:

0 = --- No permission
1 = --X Execute only
2 = -W- Write only
3 = -WX Write and execute
4 = R-- Read only
5 = R-X Read and execute
6 = RW- Read and write
7 = RWX Read, write and execute

chmod numberpermissions filename

chmod 000 : No one can access
chmod 644: Usually for HTML pages
chmod 755: Usually for CGI scripts

chown: changes file ownership permissions
The set of 2 go in this order from left to right:

chown root myfile.txt : Changes the owner of the file to root
chown root.root myfile.txt : Changes the owner and group of the file to root

tail : like cat, but only reads the end of the file
tail /var/log/messages : see the last 20 (by default) lines of /var/log/messages
tail -f /var/log/messages : watch the file continuously, while it’s being updated
tail -200 /var/log/messages : print the last 200 lines of the file to the screen

more: like cat, but opens the file one screen at a time rather than all at once
more /etc/userdomains : browse through the userdomains file. Hit Space to go to the next page, q to quit

pico : friendly, easy to use file editor
pico /home/burst/public_html/index.html : edit the index page for the user’s website.

File Editing with VI ssh commands
vi : another editor, tons of features, harder to use at first than pico
vi /home/burst/public_html/index.html : edit the index page for the user’s website.
While in the vi program you can use the following useful commands; you will need to hit SHIFT + : to go into command mode

:q! : This force quits the file without saving and exits vi
:w : This writes the file to disk, saves it
:wq : This saves the file to disk and exits vi
:LINENUMBER : EG :25 : Takes you to line 25 within the file
:$ : Takes you to the last line of the file
:0 : Takes you to the first line of the file

grep : looks for patterns in files
grep root /etc/passwd : shows all matches of root in /etc/passwd
grep -v root /etc/passwd : shows all lines that do not match root

ln : creates “links” between files and directories
ln -s /usr/local/apache/conf/httpd.conf /etc/httpd.conf : Now you can edit /etc/httpd.conf rather than the original. Changes will affect the original, however you can delete the link and it will not delete the original.

last : shows who logged in and when
last -20 : shows only the last 20 logins
last -20 -a : shows last 20 logins, with the hostname in the last field

w : shows who is currently logged in and where they are logged in from.
who : This also shows who is on the server in a shell.

netstat : shows all current network connections.
netstat -an : shows all connections to the server, the source and destination ips and ports.
netstat -rn : shows routing table for all ips bound to the server.

top : shows live system processes in a nice table, memory information, uptime and other useful info. This is excellent for managing your system processes, resources and ensure everything is working fine and your server isn’t bogged down.
top then type Shift + M to sort by memory usage or Shift + P to sort by CPU usage

ps: ps is short for process status, which is similar to the top command. It’s used to show currently running processes and their PID.
A process ID is a unique number that identifies a process, with that you can kill or terminate a running program on your server (see kill command).
ps U username : shows processes for a certain user
ps aux : shows all system processes
ps aux --forest : shows all system processes like the above but organizes in a hierarchy that’s very useful!

touch : create an empty file
touch /home/burst/public_html/404.html : create an empty file called 404.html in the directory /home/burst/public_html/

file : attempts to guess what type of file a file is by looking at its content.
file * : prints out a list of all files/directories in a directory

du : shows disk usage.
du -sh : shows a summary, in human-readable form, of total disk space used in the current directory, including subdirectories.
du -sh * : same thing, but for each file and directory. helpful when finding large files taking up space.

wc : word count
wc -l filename.txt : tells how many lines are in filename.txt

cp : copy a file
cp filename filename.backup : copies filename to filename.backup
cp -a /home/burst/new_design/* /home/burst/public_html/ : copies all files, retaining permissions, from one directory to another.
cp -av * ../newdir : Copies all files and directories recursively in the current directory INTO newdir

mv : Move a file command
mv oldfilename newfilename : Move a file or directory from oldfilename to newfilename

rm : delete a file
rm filename.txt : deletes filename.txt, will more than likely ask if you really want to delete it
rm -f filename.txt : deletes filename.txt, will not ask for confirmation before deleting.
rm -rf tmp/ : recursively deletes the directory tmp, and all files in it, including subdirectories. BE VERY CAREFUL WITH THIS COMMAND!!!

TAR : Creating and Extracting .tar.gz and .tar files
tar -zxvf file.tar.gz : Extracts the file
tar -xvf file.tar : Extracts the file
tar -cf archive.tar contents/ : Takes everything from contents/ and puts it into archive.tar
gzip -d filename.gz : Decompress the file, extract it

ZIP Files: Extracting .zip files shell command

Firewall – iptables commands
iptables -I INPUT -s IPADDRESSHERE -j DROP : This command stops any connections from the IP address
iptables -L : List all rules in iptables
iptables -F : Flushes all iptables rules (clears the firewall)
iptables-save : Saves the current ruleset in memory to disk
service iptables restart : Restarts iptables

Apache Shell Commands
httpd -v : Outputs the build date and version of the Apache server.
httpd -l : Lists compiled in Apache modules
httpd status : Only works if mod_status is enabled and shows a page of active connections
service httpd restart : Restarts the Apache web server

MySQL Shell Commands
mysqladmin processlist : Shows active mysql connections and queries
mysqladmin drop databasenamehere : Drops/deletes the selected database
mysqladmin create databasenamehere : Creates a mysql database

Restore MySQL Database Shell Command
mysql -u username -p databasename < databasefile.sql : Restores a MySQL database from databasefile.sql (you are prompted for the password)

Backup MySQL Database Shell Command
mysqldump -u username -p databasename > databasefile.sql : Backup MySQL database to databasefile.sql (you are prompted for the password)

kill: terminate a system process
kill -9 PID EG: kill -9 431
kill PID
EG: kill 10550
Use top or ps ux to get system PIDs (Process IDs)


PID   TTY   TIME COMMAND
10550 pts/3 0:01 /bin/csh
10574 pts/4 0:02 /bin/csh
10590 pts/4 0:09 APP
Each line represents one process, with a process being loosely defined as a running instance of a program. The column headed PID (process ID) shows the assigned process numbers of the processes. The heading COMMAND shows the location of the executed process.

Putting commands together
Often you will find you need to use different commands on the same line. Here are some examples. Note that the | character is called a pipe; it takes data from one program and pipes it to another.
> means create a new file, overwriting any content already there.
>> means to append data to a file, creating a new one if it does not already exist.
< sends input from a file back into a command.

grep User /usr/local/apache/conf/httpd.conf |more
This will dump all lines that match User from the httpd.conf, then print the results to your screen one page at a time.

last -a > /root/lastlogins.tmp
This will print all the current login history to a file called lastlogins.tmp in /root/

tail -10000 /var/log/exim_mainlog |grep |more
This will grab the last 10,000 lines from /var/log/exim_mainlog, find all occurrences of (the period represents ‘anything’; comment it out with a so it will be interpreted literally), then send it to your screen page by page.

netstat -an |grep :80 |wc -l
Show how many active connections there are to apache (httpd runs on port 80)

mysqladmin processlist |wc -l
Show how many current open connections there are to mysql

Installing basic automatic protection from DoS and DDoS attacks to your server


DDoS-Deflate is a couple of bash scripts that run every X minutes, analyze the total number of connections to your server from every IP address using the netstat command, and temporarily blacklist IPs that have more than Y active connections to your server at the moment the script runs. Blacklisting is done using either iptables or APF, whichever you have installed. Simple!
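The counting step described above, as an added example that is not DDoS-Deflate's own code: it reads netstat -ntu output, counts connections per remote IP, skips whitelisted addresses and only reports which IPs are over the limit, banning nothing. The netstat sample, the limit of 3 and the whitelist entry are constructed so the result is easy to follow.

```sh
#!/bin/sh
# Added example, not DDoS-Deflate's own code. Dry run only: nothing is banned.

# over_limit LIMIT IGNORE_FILE: read `netstat -ntu` output on stdin and print
# "COUNT IP" for every remote IP with more than LIMIT connections that is not
# listed in IGNORE_FILE (one IP per line), highest count first.
over_limit() {
    awk -v limit="$1" -v ignore="$2" '
        BEGIN {
            # Load the whitelist; an empty file just means no exceptions.
            while ((getline ip < ignore) > 0) skip[ip] = 1
        }
        # Only tcp/udp rows; column 5 is the foreign address "IP:port".
        $1 ~ /^(tcp|udp)/ {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)     # strip the port
            sub(/^::ffff:/, "", addr)      # IPv4-mapped IPv6 form
            count[addr]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit && !(ip in skip))
                    print count[ip], ip
        }
    ' | sort -rn
}

# Constructed netstat output: 5 connections from one address, 4 from a
# second, 1 from a third.
sample_netstat() {
    echo 'Active Internet connections (w/o servers)'
    echo 'Proto Recv-Q Send-Q Local Address Foreign Address State'
    for port in 51000 51001 51002 51003 51004; do
        echo "tcp 0 0 192.0.2.10:80 198.51.100.7:$port ESTABLISHED"
    done
    for port in 40000 40001 40002 40003; do
        echo "tcp 0 0 192.0.2.10:21 203.0.113.9:$port ESTABLISHED"
    done
    echo 'tcp 0 0 192.0.2.10:80 ::ffff:198.51.100.20:52000 TIME_WAIT'
}

# 203.0.113.9 stands for an admin's own FTP client and is whitelisted.
demo() {
    wl=$(mktemp)
    echo '203.0.113.9' > "$wl"
    sample_netstat | over_limit 3 "$wl"
    rm -f "$wl"
}
demo
```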

To install ddos protection scripts just execute the following commands from console:
cd /usr/local
mkdir mytmp
chmod 0700


To configure DDOS-Deflate (that’s the name of this script) do the following:
cd /usr/local/ddos
edit ddos.conf

Last line opens ddos.conf file in editor. You can use vi if you like. I chose edit because I am a Windows user and Edit has an interface familiar to me.
Let’s consider all available settings one by one:


The settings above are about various software locations. I recommend you leave them as is. They should suit the majority of systems. BTW, if your system doesn’t have APF, that is OK. The script can work with iptables too.


This setting affects how often (in minutes) the DDoS protection script is executed. After changing this parameter, please execute the command
ddos --cron
to update the cron scheduler.


This is the maximum number of connections acceptable for your server. I recommend setting this value to about 20-40, depending on your server.
BTW, don’t repeat my mistake: should you decide to use software that opens a great many connections to your server, like the FileZilla FTP client (it spawns many FTP connections to upload your folder ASAP), you will get blocked.


If you have APF, then set this to 1. If you have not, the script will use iptables. To check if you have APF or not, just execute command
If you want to use iptables, don’t forget to start the service by
service iptables start
and to have it load automatically at system startup by
chkconfig iptables on


If you are just testing the script, set this to 0. In this case, IPs will not get banned.


Messages about blacklisted IPs will be sent to this email address. Leave it set to root to skip emailing.


Set this to the number of seconds for which to block an intruder. I recommend setting this to 1800-3600 (30-60 minutes).
You can also add IPs to /usr/local/ddos/ignore.ip.list to whitelist them.
You can always uninstall DDoS-Deflate by executing
cd /usr/local/mytmp
chmod 0700 uninstall.ddos

That’s all!