Various Commands

Just a melting pot of various commands:



How to see what cluster a domain is in, switch to that user and run

for cluster in `find /var/cpanel/cluster/root/config/ -type f | egrep -v “cache|dnsrole” | awk -F\/ ‘{print $NF}’`; do host $cluster; done


How to check database connection in shell

mysql -p -u mysql_username db_name

How to check document root from command line for any domain name:

sudo cat /usr/local/apache/conf/httpd.conf | grep -3


To scan for shell-type hacks, cd to the folder you want to scan (usually public_html) and run the following:

BAK=$IFS; IFS=$(echo -en “\n\b”); for i in `find . -type f -regex “.*php\|.*pl\|.*txt\|.*html\|.*htm”`; do echo “$i :: `awk ‘/FilesMan|gzinflate\(base64_decode\(|phps(eclib|hell)\.sourceforge|(r57|c99|Dx|Crystal)[Ss]h[e3]ll|eval\(.*decode_base64\(|eval\(.*base64_decode\(|eval\(.*gzuncompress\(.*base64_decode\\(|[Ee]xecute [Cc]ommand:.*&#60input|keywordsRegex|method=\”post\”.*name=\”uploader\”|\$a=.bas.*eval\(\$a/’ “$i” | head -1`”; done | awk -F ‘::’ ‘$2 !~ /^ *$/ {print $1}’; for i in `find . -type f -name “.htaccess”`; do echo “$i :: `awk ‘/php_value auto_append_file|Add(Type|Handler) .*(php|perl).* .*(gif|jpg|png|bmp|css|apng|pdf|jpeg)/’ “$i”`”; done | awk -F ‘::’ ‘$2 !~ /^ *$/ {print $0}’; IFS=$BAK


How to enable slow query logging (has to be run as root):

echo “log-slow-queries = /var/log/slowqueries” >> /etc/my.cnf && echo “long_query_time = 3” >> /etc/my.cnf &&touch /var/log/slowqueries && chown mysql:mysql /var/log/slowqueries && chmod 664 /var/log/slowqueries && service mysql restart


How to drop all tables from a database:

echo -n “Enter Database: “; read DB ; echo -n “Enter DB User: “; read USER ; echo -n “Enter Pass: “; read PASS ;for i in $(mysql -u $USER -p$PASS -D $DB -e ‘show tables’ | grep -v “Tables_in”| awk {‘print $1’}); do echo “Deleting table $i”;mysql -u $USER -p$PASS -D $DB -e “drop table $i”; done;


How to check the mod_security logs:

grep “`grep USERNAME /etc/userdomains |awk -F’:’ ‘{print $1}’`” /usr/local/apache/logs/error_log |grep “ModSecurity” |less


Need to make a bogus file with a certain size? Use the following command and tweak as necessary. In this example, the file created will be 70MB:

dd if=/dev/urandom of=/path/to/file/filename bs=1M count=70


How to search folder for largest files/folders (You can change ‘1’ to see further)

du -h –max-depth=1 /path/to/sort/ | sort -n -r


How to delete all the contents of the folder you are currently in (useful for deleting tons of email when it won’t let you do a regular “rm”)

ls | xargs -I {} rm -rf {}


Word Press theme is having problems and won’t let you login? Change the theme back to default. Login to phpMyAdmin and click “SQL” and run these commands:

UPDATE wp_options SET option_value = ‘default’ WHERE option_name = ‘template’;

UPDATE wp_options SET option_value = ‘default’ WHERE option_name = ‘stylesheet’;

UPDATE wp_options SET option_value = ‘default’ WHERE option_name = ‘current_theme’;


To see the size of an account, switch to the user’s home directory and run the following (being sure to replace “userna5” with the actual cpanel username):

cat ./.cpanel/datastore/_usr_bin_quota_-v_userna5 |tail -1 |awk ‘{print $2/1000″MB”}’


To run a load intensive command without driving the load up, see how many processors it has:

grep pro /proc/cpuinfo -c

Then subtract one from that and put that number in place of ‘N’:

/usr/local/cpanel/bin/cpuwatch N YOUR_COMMAND_HERE

What this does is pause the command if the load reaches ‘N’

If you need to implement this on a command that is already running, use the following
making sure to replace the values of ‘N’ and ‘PID’:

/usr/local/cpanel/bin/cpuwatch N -p PID > /dev/null 2>&1 &

To search files for a particular phrase/hack use the following:
(where “FILENAME” is the filename to find and send the outputs to a file called ‘HACKS’)

find `pwd` -type f -name FILENAME -exec grep -irl PHRASE_TO_FIND{} \; > HACKS

Once that is done running, you can rename the hacked files to have the phrase “hacked” in it using this:

for hackedFile in `cat HACKS`; do mv $hackedFile $hackedFile"-HACKED"; done

To delete all the files now ending in -HACKED run the following:

find `pwd` -type f -name \*HACKED -exec rm -f {} \;

To get rid of base64 hacks (tweak as necessary):

grep -Rl “3.5j3” ~/public_html/ |xargs -I {} sed -i ‘s/<script>d.*\/script>//g’ {}

and then run

grep -lr -e "eval(base64_decode('ZXJyb3Jfcm" ~/public_html/|xargs -I {} sed -i 's/eval(base64_decode(.*));//g' {}

Here is a “one-liner” that will get rid of base64 hacks. Be sure to update the actual phrase and make sure the quotes match:

find ~/public_html/ -name \*\.php -exec grep -l -e ‘eval(base64_decode(“DQplcnJvcl9yZXB’ {} \;|xargs -I {} sed -i ‘s/eval(base64_decode(.*)DQplcnJvcl9yZXB(.*)));//g’ {}

If the load on the server is high and you want to see what is causing it, run the following:

[root@server~]$ top

(Ctrl+C to stop) Then see which process is the highest and note the process ID.
Then run the following command replacing “PID” with the actual process ID.

[root@server~]$ ps aux | grep PID

That will tell you the location of whatever is getting out of hand.

If you are getting the #bash fork: “Resource is temporarily unavailable” error, then
run the following to get the list of PID for that user. Essentially it means there are
over 20 processes running for that user (Make sure to update values for $USER and

for i in $(ps aux|grep $USER|awk {'print $2'});do echo -n "$i ";done

Then you can run a

kill -9 $PID

If you are getting an error about an RSA key changing, type the following (making sure to change “server###”):

sed -i ‘/server###/d’ .ssh/known_hosts

Run the following command to see current number of MySQL connections

echo -n "Currently: ";netstat -an|egrep "ESTABLISHED|CONNECTED"|egrep -c ":3306|mysql";echo -n "Allowed: ";grep max_connections /etc/my.cnf|cut -d= -f3


To see a detailed report of the MySQL connections

netstat -an |egrep “mysql|:3306”

Netstat Report of IPs:

netstat -plan |awk '/.*[0-9]+.[0-9]+.[0-9]+.[0-9].*/{gsub(/::ffff:/,"",$0);print $4"\t" $5}'|cut -sd. -f 1->netstat.log;clear;echo "Netstat report";echo;echo "Number of Connections to each port:";cat netstat.log |awk {'print $1'}|cut -d: -f 2|sort|uniq -c|sort -nk 1|tail;echo;echo "Number of connections from each IP:";cat netstat.log |awk {'print $2'}|cut -d: -f 1|sort|uniq -c|sort -nk 1|tail;echo;echo "The number of instances of a particular IP connecting to particular port";cat netstat.log |awk {'print $1 "\t" $2'}|cut -d: -f 2|sort|uniq -c|sort -nk 1|tail;

Note that this creates a file called “netstat.log.” When you are done, make sure to delete this file.

Show sent mail per hour for a domain:

DOMAIN='';o1=`for i in $(sudo grep $DOMAIN /var/log/exim_mainlog|egrep "A=fixed|A=courier_login|dovecot_plain|P=local"|awk {'print $4'}|sort|uniq);do sudo grep $i /var/log/exim_mainlog;done|grep -v "retry time not reached for any host"|egrep "=>|->|\*\*"`;unset DOMAIN;for i in $(echo "$o1"|awk {'print $1'}|sort -n|uniq);do echo $i":";o2=`echo "$o1"|grep $i|awk {'print $2'}|cut -d: -f1|sort|uniq -c`;echo " COUNT HOUR";echo "$o2";unset o2;done;unset o1;

When did Apache restart?

grep Apache/ /usr/local/apache/logs/error_log|grep -v “resuming normal operations”|cut -d[ -f2|cut -d\] -f1

Run this on the server to see why an SSL was revoked

openssl s_client -showcerts -connect

What are the available PHP handlers on the server?

/usr/local/cpanel/bin/rebuild_phpconf –current

See a detailed report of iNode usage:

printf “\n”; echo “Detailed Inode usage for: $(pwd)” ; for d in `find -maxdepth 1 -type d |cut -d\/ -f2 |grep -xv . |sort`; do c=$(find $d |wc -l) ; printf “$c\t\t- $d\n” ; done ; printf “Total: \t\t$(find $(pwd) | wc -l)\n\n”


tail -f /var/log/messages | grep


Mass Email Deletion

FTP host/username/pass (MAIN ACCT):
Navigate to mail/domain/user/cur/
Delete files within and VOILA!
Query host to locate account

ssh to xxxyyy
ls -al /etc/valiases/domain




Quick command list:

* ls – use this to list the contents of a directory
example: ls /home/userna5/

* head – use this command to see the first few lines of a file
(default is ten lines – specify a different number of lines with a dash)
example: head /home/userna5/somefile
example: head -500 /home/userna5/somefile

* tail – use this command to see the last few lines of a file
(default is ten lines – specify a different number of lines with a dash)
example: tail /home/userna5/somefile
example: tail -500 /home/userna5/somefile

* more – use this to scroll thru a file one page at a time (hit ‘spacebar’ to c
example: more /home/userna5/somefile

* grep – use this command to search through a file for a string
(note: by default this only shows the matching lines in a file)
example: grep “SEARCHSTRING” /home/userna5/somefile

* zgrep – This is just like grep – but searches compressed files.
example: zgrep “SEARCHSTRING” /var/log/messages.1.gz

* less – use this command to page through a file with advanced options
(ask a tier-2 to show you how to use this program)
example: less /home/userna5/somefile

* checkip – use this command to check the firewall for an given IP
(2nd example – look for part of an ip address if you think a range has been bl
example: checkip
example: checkip 68.3.8

——-log location———–
/usr/local/apache/logs – main server apache logs
/usr/local/apache/domlogs – domain apache logs
zcat /var/log/exim_mainlog.2.gz | grep

—–remove from DNS zone—–
[user@server ~]$ /scripts/killdns

—–make php.ini recursive—-

suPHP_ConfigPath /home/username/pathtophpini

——gs servers——-
cgi email is disabled on gs servers!

—–Certs —–
[/etc/ssl/certs] from root (usually works!)

—–ssl main ip—–
(02:21:40 PM) Tech: does he have an ssl already?
(02:21:51 PM) me: Not installed, no,.
(02:22:00 PM) Tech: Okay well you can use the main ip for that
(02:22:15 PM) Tech: Just install as the user nobody
(02:22:24 PM) Tech: then ssh into the server and do the following
(02:22:41 PM) Tech: mv /var/cpanel/userdata/nobody/domain.com_SSL*
(02:23:10 PM) Tech: replace nobody userna5 —
(02:23:24 PM) Tech: then rebuild and restart httpd

—–kill cronjobs—–
(09:38:44 AM) me: hey, how do I actually kill this guys cronjob now that I’m
actually in?
(09:41:32 AM) Tech: is it on the root user or his user?
(09:41:43 AM) me: his user
(09:41:51 AM) Tech: crontab -e -u hisusername
(09:42:36 AM) Tech: then remove the line of his cron job
(09:43:05 AM) Tech: 0 0 * * * /usr/local/bin/php -f
This is vim! So you will need to type “i” to edit!
(09:43:06 AM) Tech: this one
dont forget!
service crond status

(09:53:38 AM) me: Any idea why crond would show up as an unrecognized service?
(09:54:22 AM) Tech: perms
(09:54:30 AM) Tech: check /etc/init.d

—-Enable innodb—-
-bash-3.2# rm -f /var/lib/mysql/ib*
service mysql restart

(09:55:55 AM) me: root@server [~]# chpass user password
-bash: chpass: command not found
(09:56:07 AM) me: Isn’t chpass the correct thing?
(09:56:16 AM) Tech: you need to use the full path
(09:56:20 AM) Tech: /scripts/chpass

-bash-3.2# passwd root
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

—-disk space usage—-
(10:36:27 AM) me: Any way just to figure out the guys disk space usage from cmd?
(10:36:32 AM) me: pardon, terminal.
(10:36:48 AM) Tech: cd /home
(10:36:52 AM) Tech: du -sh userna5
—-Disk usage on VPS and dedis—
du -sh * | sort -n
df -h
du -sh ./*
df -i <—-inodes! always check when disk is full error!

—-remove dns from cluster—–
root@server [~]# grep /etc/userdomains
root@server [~]# /scripts/killdns
tier1adv@server [~]# usernano /var/cpanel/users/userna5
tier1adv@server [~]# updateuserdomains

—–not the owner of domain xyz——
(04:10:54 PM) me: usernano /var/cpanel/users/

—-Clamscan AV——-
Clamscan AV is NOT included by default on VPS or dedis, can be installed free.
Installed by accessing cpanel add-ons through whm

(02:58:12 PM) Tech: so clamscan -r /home/user5 > scanresults.txt
-bash-3.2# cat scanresults.txt | grep -i found

—-updating cpanel license——-
lynx -dump

phpinfo.php on hostname not working
suphp server?
Set ownership to nobody nobody, instead of root.

—-opening ports——
****for exim*******
Log into WHM > Service Manager and check both boxes next to exim on another port, and
enter the port number in the box (default is 26).
On the server, edit /etc/apf/conf.apf and add the port number to the inbound TCP ports
list. For example:
# Common inbound (ingress) TCP ports
add it
restart apf

—-server load—–
user@server [~]# uptime
09:41:06 up 52 days, 20:33, 5 users, load average: 3.64, 4.94, 4.88
3.64 (1min load avg)
4.94 (5min load avg)
4.88 (15min load avg)

Sar -b (print out of usage at intervals)

—-editing /etc/my.cnf—–
set-variable = query_cache_size=512M

set-variable = query_cache_size=512M
set-variable = old_password=1
set-variable = max_connections=500

then restart mysql

—-fixperms vps/dedi—–
SWITCH TO /home/userna5/
find . -type d | sed -e “s/^/\”/;” | sed -e “s/$/\”/;” | xargs chmod 755
find . -type f | sed -e “s/^/\”/;” | sed -e “s/$/\”/;” | xargs chmod 644

—-Edit dns directly—–

—-fsock open error—–
Restart courier-imap

—-shared account moves—–
old accounts are on previous servers for 2 weeks before removal

—-apache modules—-
on servers where httpd -l doesnt work (newer servers)
non compiled modules would live in /usr/local/apache/modules

—-for shared—-
user@server [~]# /etc/init.d/httpd -l

-bash-3.2# cat /home/userna5/public_html/.htaccess
ExpiresActive on
ExpiresDefault “access plus 1 month”

——ftp recursion——–
nano /etc/pure-ftpd.conf
search for and edit!

—-parse php in html—–
AddType application/x-httpd-php5 .html

—-cpanel logs——

—-last change for mail ip——-
When was the last time we changed the outbound mail IP?
ls -alh /etc | grep exim.conf

—-hung processes——-
(01:31:33 PM) Tech: was a hung httpd process with bunch of defunct php
(01:31:36 PM) Tech: kill’d em
(01:32:10 PM) Tech: did this: -bash-3.00# for i in `ps -ef | grep nobody |
awk ‘{print $2}’`; do kill -9 $i; done

—–what os——-
-bash-3.2# cat /etc/redhat-release

—–display date/time from command line—–

—–grepping for stuff—–
-bash-3.00# grep -ri “Stuff you’re grepping for” ./*

—-grep recursively and pipe to a file—
fgrep -R (grep subject) * > (filename)

—-grep for multiple things at once—
[user@server ~]$ egrep ‘(test)|(zgrep)’ ./*
[user@server ~]$
[user@server ~]$ grep ‘test\|zgrep\|cat’ ./*
[user@server ~]$

—-phpinfo page code——
<?php phpinfo(); ?>

—-uncompress files—-
tar xzvf should work
so sinze it is bzipped and not gzipped
we will use tar -xjvf filename instead
z for gzip
j for bzip

—-find and kill a process—–
root@server[/]# ps afx
root@server[/]# kill -9 15676 14697

—-upgrade roundcube—–
root@server [/]# /usr/local/cpanel/bin/update-roundcube
RoundCube is configured to use SQLite.
This update is for RoundCube using MySQL. Running
Roundcube is up to date. Execute ‘/usr/local/cpanel/bin/update-roundcube-sqlite
–force’ to force an update.
root@server[/]# /usr/local/cpanel/bin/update-roundcube-sqlite –force

—-delete large boxtrapper logs—-
for i in $(find ./ -type f -exec ls -l ‘{}’ ‘;’ | grep “boxtrapper/log”|awk ‘{ print
$9; }’); do rm -f $i; done

—-mail filters for attachments—–

—-meta refresh code—-

<meta http-equiv=”refresh” content=”2;url=”>

—-php as apache module—

—-manual updates for awstats—–
whm–>tweak settings
ctrl+f: awstats
check allow manual updates

—-list perl modules from ssh—–
cpan -O

—-domain not resolving, pointed properly—–
-bash-3.2# cd /var/cpanel/userdata/userna5/
ls -alh
nano the templates and make sure the ip listed is correct

—–mongo db server install—-
mongod – Mongo DB:

pico /etc/yum.repos.d/CentOS-10gen.repo

name=10gen Repository

yum install mongo-stable-server
touch /var/log/mongodb.log
/usr/bin/mongod –fork –logpath /var/log/mongodb.log –logappend
default port 27017

—-godaddy ns registration—-

—-hourly email limit—
user@server [~]# grep adam /var/cpanel/maxemails
user@server [~]#

—–all service status——
root@server [~]# service –status-all | less

——503 error?—— R=lookuphost T=remote_smtp: SMTP error from remote mail server
after RCPT TO:: host []:
550-Verification failed for \n550-Previous
(cached) callout verification failure\n550 Sender verify failed

—–ls -laSh—–
(10:24:41 AM) Tech: do a ls -laSh | head
(10:25:29 AM) Tech: it will sort it by size

—display machines primary ip from shell—-
hostname -i

—-image magick—-
need to know the version?
Just type “convert” and scroll on up.

—-gd image library info—-
into a file
chmod and chown the file
pull it up!

—what ports and what they do—-

No default in the php.ini? Add
to the php.ini
service httpd restart

—-immediate email deferral—–
53 and 111 timeouts
eximup –force
courierup –force
if that doesnt work try disabling exim tweak

—-apache restarts in logs—-
shows up in error_log as a “SIGHUP”
// ]]>

Leave a Reply

Your email address will not be published.