Monthly Archives: February 2009

How to track mail from PHP when run as nobody?

Problem:

One of the biggest problems with shared hosting is that PHP runs as the web server user rather than the user assigned in the virtualhost (unless your running PHP as CGI). This is a huge problem because when a site is compromised and a attacker is using your server to spam it can be very difficult to track down what site/script/page is causing the problem.

Solution:

The solution is a patch located at http://choon.net/php-mail-header.php. It modifies php’s mail.c file so that when the mail function is called from the web that it stores the following information.

X-PHP-Script: www.example.com/~user/testapp/send-mail.php for 10.0.0.1

in the headers so that when a spam report does come in, you can easily track where it came from.

Below is a how to for cPanel servers that shows how you can implement this patch.

Run the following as root:

PHP Code:
mkdir -p /var/cpanel/buildapache/scripts
cat >> phppost << EOF
#AUTO PATCH FROM http://choon.net/php-mail-header.php
PHPVER=`find -type d -iname "php-*"|sed "s/.///g"`
wget http://choon.net/opensource/php/$PHPVER-mail-header.patch
patch -p0 < $PHPVER-mail-header.patch
EOF

Once that’s done, run

PHP Code:
/scripts/easyapache

like you normally would.

CPU/Memory/MySQL Usage is blank in WHM

“CPU/Memory/MySQL Usage” page blank

This is a common error across all cPanel releases.

The most likely cause of this issue is related to the utility that actually generates the statistics.

When cPanel is installed, several entries are added into crontab for the root user.

The following is a list of the default crontab entries from a freshly installed cPanel server:

Code:
root@testbox [/etc/cron.hourly]# crontab -l
35 0 * * * /scripts/upcp
0 1 * * * /scripts/cpbackup
*/15 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
2,58 * * * * /usr/local/bandmin/bandmin
0 0 * * * /usr/local/bandmin/ipaddrmap
50 22 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
22 2 * * * perl /root/rvadmin/auto_rvskin.pl
*/5 * * * * perl /root/rvadmin/rvmultiupdate.pl >/dev/null 2>&1
*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1
0 6 * * * /scripts/exim_tidydb > /dev/null 2>&1
root@testbox [/etc/cron.hourly]#

The bold entry in this list is the daemon that actually compiles the logs for the Usage page.
If your Usage page is blank, it is normally because this utility is not running on the schedule that it is supposed to.

The above crontab entry for dcpumon is set to run every five minutes, every hour.

Solution:
The most common resolution for this issue is to restart crond:

Code:
root@testbox [~]# /etc/init.d/crond restart
Stopping crond:[OK]
Starting crond:[OK]
root@testbox [~]#

The restart of cron should force all crontab entries to be processed normally again.

If after this you are still not seeing statistics on the Usage page, you should force a cpanel update from command line with “/scripts/upcp –force”.

This should download and install a new copy of the dcpumon binary.

How to configure Exim on a cPanel server to use a smart host?

A Smart Host is a SMTP server that will accept mail from another server and then deliver the mail for that server.

For example, server1 is setup to use server2 as a smart host.

Anytime someone sends e-mail on server1 it is automatically relayed to server2 regardless of the MX entrys for the domain.

Server2 then accepts this message, looks up the proper delivery host/IP and attempts to deliver the message to that host.

To configure a smart host, create

PHP Code:
/etc/exim.conf.local

and add the following lines.

Be sure to change to the hostname or ip of the smart host server:

PHP Code:
 @ROUTERSTART@
smart_route:
driver = manualroute
domains = !+local_domains
transport = remote_smtp
route_list = * host.name.of.smart.host.server

Next run

PHP Code:
/scripts/buildeximconf

Then run

PHP Code:
/scripts/restartsrv_exim

Thats it, watch the logs for a bit to make sure it’s working!

SSH Cpanel/WHM Command

/scripts/adddns Add a Dns Entry
/scripts/addfpmail Install Frontpage Mail Exts
/scripts/addservlets Add JavaServlets to an account (jsp plugin required)
/scripts/adduser Add a User
/scripts/admin Run WHM Lite
/scripts/apachelimits Add Rlimits (cpu and mem limits) to apache.
/scripts/dnstransfer Resync with a master DNS Server
/scripts/editquota Edit A User’s Quota
/scripts/finddev Search For Trojans in /dev
/scripts/findtrojans Locate Trojan Horses
/scripts/findtrojans < /var/log/trojans
/scripts/fixtrojans < /var/log/trojans
/scripts/fixcartwithsuexec Make Interchange work with suexec
/scripts/fixinterchange Fix Most Problems with Interchange
/scripts/fixtrojans Run on a trojans horse file created by findtrojans to remove them
/scripts/fixwebalizer Run this if a user’s stats stop working
/scripts/fixvaliases Fix a broken valias file
/scripts/hdparamify Turn on DMA and 32bit IDE hard drive access (once per boot)
/scripts/initquotas Re-scan quotas. Usually fixes Disk space display problems
/scripts/initsuexec Turn on SUEXEC (probably a bad idea)
/scripts/installzendopt Fetch + Install Zend Optimizer
/scripts/ipusage Display Ipusage Report
/scripts/killacct Terminate an Account
/scripts/killbadrpms Delete \”Security Problem Infested RPMS\”
/scripts/mailperm Fix Various Mail Permission Problems
/scripts/mailtroubleshoot Attempt to Troubleshoot a Mail Problem
/scripts/mysqlpasswd Change a Mysql Password
/scripts/quicksecure Kill Potential Security Problem Services
/scripts/rebuildippool Rebuild Ip Address Pool
/scripts/remdefssl Delete Nasty SSL entry in apache default httpd.conf
/scripts/restartsrv Restart a Service (valid services: httpd,proftpd,exim,sshd,cppop,bind,mysql )
/scripts/rpmup Syncup Security Updates from RedHat/Mandrake
/scripts/runlogsnow Force a webalizer/analog update.
/scripts/secureit Remove non-important suid binaries
/scripts/setupfp4 Install Frontpage 4+ on an account.
/scripts/simpleps Return a Simple process list. Useful for finding where cgi scripts are running from.
/scripts/suspendacct Suspend an account
/scripts/sysup Syncup Cpanel RPM Updates
/scripts/ulimitnamed RH 6 only. Install a version of bind to handle many many zones.
/scripts/unblockip Unblock an IP
/scripts/unsuspendacct UnSuspend an account
/scripts/upcp Update Cpanel
/scripts/updatenow Update /scripts
/scripts/wwwacct Create a New Account

Common SSH Commands or Linux Shell Commands

Common SSH Commands or Linux Shell Commands,
ls : list files/directories in a directory, comparable to dir in windows/dos.
ls -al : shows all files (including ones that start with a period), directories, and details attributes for each file.

cd : change directory · · cd /usr/local/apache : go to /usr/local/apache/ directory
cd ~ : go to your home directory
cd – : go to the last directory you were in
cd .. : go up a directory cat : print file contents to the screen

cat filename.txt : cat the contents of filename.txt to your screen

chmod: changes file access permissions
The set of 3 go in this order from left to right:
USER – GROUP – EVERONE

0 = — No permission
1 = –X Execute only
2 = -W- Write only
3 = -WX Write and execute
4 = R– Read only
5 = R-X Read and execute
6 = RW- Read and write
7 = RWX Read, write and execute

Usage:
chmod numberpermissions filename

chmod 000 : No one can access
chmod 644: Usually for HTML pages
chmod 755: Usually for CGI scripts

chown: changes file ownership permissions
The set of 2 go in this order from left to right:
USER – GROUP

chown root myfile.txt : Changes the owner of the file to root
chown root.root myfile.txt : Changes the owner and group of the file to root

tail : like cat, but only reads the end of the file
tail /var/log/messages : see the last 20 (by default) lines of /var/log/messages
tail -f /var/log/messages : watch the file continuously, while it’s being updated
tail -200 /var/log/messages : print the last 200 lines of the file to the screen

more: like cat, but opens the file one screen at a time rather than all at once
more /etc/userdomains : browse through the userdomains file. hit Spaceto go to the next page, q to quit

pico : friendly, easy to use file editor
pico /home/burst/public_html/index.html : edit the index page for the user’s website.

File Editing with VI ssh commands
vi : another editor, tons of features, harder to use at first than pico
vi /home/burst/public_html/index.html : edit the index page for the user’s website.
Whie in the vi program you can use the following useful commands, you will need to hit SHIFT + : to go into command mode

:q! : This force quits the file without saving and exits vi
:w : This writes the file to disk, saves it
:wq : This saves the file to disk and exists vi
:LINENUMBER : EG :25 : Takes you to line 25 within the file
:$ : Takes you to the last line of the file
:0 : Takes you to the first line of the file

grep : looks for patterns in files
grep root /etc/passwd : shows all matches of root in /etc/passwd
grep -v root /etc/passwd : shows all lines that do not match root

ln : create’s “links” between files and directories
ln -s /usr/local/apache/conf/httpd.conf /etc/httpd.conf : Now you can edit /etc/httpd.conf rather than the original. changes will affect the orginal, however you can delete the link and it will not delete the original.

last : shows who logged in and when
last -20 : shows only the last 20 logins
last -20 -a : shows last 20 logins, with the hostname in the last field

w : shows who is currently logged in and where they are logged in from.
who : This also shows who is on the server in an shell.

netstat : shows all current network connections.
netstat -an : shows all connections to the server, the source and destination ips and ports.
netstat -rn : shows routing table for all ips bound to the server.

top : shows live system processes in a nice table, memory information, uptime and other useful info. This is excellent for managing your system processes, resources and ensure everything is working fine and your server isn’t bogged down.
top then type Shift + M to sort by memory usage or Shift + P to sort by CPU usage

ps: ps is short for process status, which is similar to the top command. It’s used to show currently running processes and their PID.
A process ID is a unique number that identifies a process, with that you can kill or terminate a running program on your server (see kill command).
ps U username : shows processes for a certain user
ps aux : shows all system processes
ps aux –forest : shows all system processes like the above but organizes in a hierarchy that’s very useful!

touch : create an empty file
touch /home/burst/public_html/404.html : create an empty file called 404.html in the directory /home/burst/public_html/

file : attempts to guess what type of file a file is by looking at it’s content.
file * : prints out a list of all files/directories in a directory

du : shows disk usage.
du -sh : shows a summary, in human-readble form, of total disk space used in the current directory, including subdirectories.
du -sh * : same thing, but for each file and directory. helpful when finding large files taking up space.

wc : word count
wc -l filename.txt : tells how many lines are in filename.txt

cp : copy a file
cp filename filename.backup : copies filename to filename.backup
cp -a /home/burst/new_design/* /home/burst/public_html/ : copies all files, retaining permissions form one directory to another.
cp -av * ../newdir : Copies all files and directories recurrsively in the current directory INTO newdir

mv : Move a file command
mv oldfilename newfilename : Move a file or directory from oldfilename to newfilename

rm : delete a file
rm filename.txt : deletes filename.txt, will more than likely ask if you really want to delete it
rm -f filename.txt : deletes filename.txt, will not ask for confirmation before deleting.
rm -rf tmp/ : recursively deletes the directory tmp, and all files in it, including subdirectories. BE VERY CAREFULL WITH THIS COMMAND!!!

TAR
: Creating and Extracting .tar.gz and .tar files
tar -zxvf file.tar.gz : Extracts the file
tar -xvf file.tar : Extracts the file
tar -cf archive.tar contents/ : Takes everything from contents/ and puts it into archive.tar
gzip -d filename.gz : Decompress the file, extract it

ZIP Files: Extracting .zip files shell command
unzip file.zip

Firewall – iptables commands
iptables -I INPUT -s IPADDRESSHERE -j DROP : This command stops any connections from the IP address
iptables -L : List all rules in iptables
iptables -F : Flushes all iptables rules (clears the firewall)
iptables –save : Saves the currenty ruleset in memory to disk
service iptables restart : Restarts iptables

Apache Shell Commands
httpd -v : Outputs the build date and version of the Apache server.
httpd -l : Lists compiled in Apache modules
httpd status : Only works if mod_status is enabled and shows a page of active connections
service httpd restart : Restarted Apache web server

MySQL Shell Commands
mysqladmin processlist : Shows active mysql connections and queries
mysqladmin drop databasenamehere : Drops/deletes the selected database
mysqladmin create databasenamehere : Creates a mysql database

Restore MySQL Database Shell Command
mysql -u username -p password databasename < databasefile.sql : Restores a MySQL database from databasefile.sql

Backup MySQL Database Shell Command
mysqldump -u username -p password databasename > databasefile.sql : Backup MySQL database to databasefile.sql

kill: terminate a system process
kill -9 PID EG: kill -9 431
kill PID
EG: kill 10550
Use top or ps ux to get system PIDs (Process IDs)

EG:

PID TTY TIME COMMAND 10550 pts/3 0:01 /bin/csh 10574 pts/4 0:02 /bin/csh 10590 pts/4 0:09 APP
Each line represents one process, with a process being loosely defined as a running instance of a program. The column headed PID (process ID) shows the assigned process numbers of the processes. The heading COMMAND shows the location of the executed process.

Putting commands together
Often you will find you need to use different commands on the same line. Here are some examples. Note that the | character is called a pipe, it takes date from one program and pipes it to another.
> means create a new file, overwriting any content already there.
>> means tp append data to a file, creating a newone if it doesn not already exist.
< send input from a file back into a command.

grep User /usr/local/apache/conf/httpd.conf |more
This will dump all lines that match User from the httpd.conf, then print the results to your screen one page at a time.

last -a > /root/lastlogins.tmp
This will print all the current login history to a file called lastlogins.tmp in /root/

tail -10000 /var/log/exim_mainlog |grep domain.com |more
This will grab the last 10,000 lines from /var/log/exim_mainlog, find all occurances of domain.com (the period represents ‘anything’,
— comment it out with a so it will be interpretted literally), then send it to your screen page by page.

netstat -an |grep :80 |wc -l
Show how many active connections there are to apache (httpd runs on port 80)

mysqladmin processlist |wc -l
Show how many current open connections there are to mysql

Installing basic automatic protection from DoS and DDoS attacks to your server

DDoS-Deflate

DDoS-Deflate is a couple of bash scripts, that is run every X minutes, analyze the total number of connections to your server from every IP address using netstats command and temporarily blacklist IPs, that have more than Y active connections to your server at the moment, script runs. Blacklisting is done using either iptables or APF whichever you have installed. Simple!
Installation

To install ddos protection scripts just execute the following commands from console:
cd /usr/local
mkdir mytmp
wget http://underhost.com/pub/install.sh
chmod 0700 install.sh
./install.sh

Configuration

To configure DDOS-Deflate (that’s the name of this script) do the following:
cd /usr/local/ddos
edit ddos.conf

Last line opens ddos.conf file in editor. You can use vi if you like. I chose edit because I am a Windows user and Edit has an interface familiar to me.
Let’s consider all available settings one by one:

PROGDIR=”/usr/local/ddos”
PROG=”/usr/local/ddos/ddos.sh”
IGNORE_IP_LIST=”/usr/local/ddos/ignore.ip.list”
CRON=”/etc/cron.d/ddos.cron”
APF=”/etc/apf/apf”
IPT=”/sbin/iptables”

These above are about various software locations. I recommend you leave them as is. They should suite the majority of systems. BTW, if your system doesn’t have APF, it is ok. Script can work with iptables also.

FREQ=1

This setting affects how often (in minutes) you need to execute ddos protection script. After changing this param, please execute command
ddos –cron
to update cron sheduler.

NO_OF_CONNECTIONS=150

This is the maximum number of connections acceptable for your server. I recommend to set this value to about 20-40 depending on your server.
BTW, don’t repeat my mistake Should you decide to use softwares, that open really many connections to your server, like FileZilla FTP client (it spawns many FTP connections to upload your folder ASAP), you will get blocked

APF_BAN=1

If you have AFP, then set this to 1. If you have not, script will use iptables. To check if you have AFP or not, just execute command
afp
If you want to use IPTables, don’t forget to start service by
service iptables start
and to have it autoloading at system startup by\
chkconfig iptables on

KILL=1

If you just testing your script, set this to 0. In this case, IPs will not get banned.

EMAIL_TO=”root”

This email address will have messages about blacklisted IPs. Leave it to root to skip emailing.

BAN_PERIOD=600

Set this to a number of seconds, for how long to block entruder. I recommend to set this to 1800-3600 (30-60 minutes).
You can also add IPs to /usr/local/ddos/ignore.ip.list to whitelist them.
Uninstallation
You can always uninstall DDoS-Deflate by executing
cd /usr/local/mytmp
wget http://underhost.com/pub/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos

That’s all!