resource abuse
By kire
Here are some simple, easy-to-use commands to track down resource abuse or Denial of Service, or to clean out compromised and code-injected files.
First, if you’re using a cPanel-enabled machine, it’s always helpful to turn on dcpumon stats logging in WHM -> Turn on SuExec under “Service Configuration”.
# the oldest trick in the book
top
# get a full output of what the web server is serving up
/etc/init.d/apache fullstatus
# check network connections to port 80:
netstat -plan|grep :80|awk '{print $5}'|cut -d: -f 1|sort|uniq -c|sort -nk 1
# quota list tool for cPanel users
for account in $(ls /var/cpanel/users|egrep '[a-z]+[0-9]+'); do echo $account;done|xargs -n1 quota 2>/dev/null| grep -v none|awk '/user/{printf("\n%s :",$5)} /\/dev\//{printf(" %s G",$2/(1024*1024))}'|sort -nk3
# remove code injection
for FILE in `find . -type f`; do sed -r 's/^.*String\.fromCharCode.*$//' < "$FILE" > "$FILE.tmp"; mv "$FILE.tmp" "$FILE"; done
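The one-liner above blanks every line containing String.fromCharCode in every file under the current directory, including legitimate JavaScript, and keeps no copy of what it removed. The following is an added example, not part of the original post: it lists the affected files first, then cleans only those files while keeping a backup. The function names and the .pre-clean suffix are assumptions, and GNU grep is assumed for --exclude.

```shell
#!/bin/sh
# Added example: audit before cleaning, and keep the originals for review.
PATTERN='String\.fromCharCode'   # same marker the one-liner above removes
BACKUP_SUFFIX='.pre-clean'       # hypothetical suffix for the saved originals

# list_injected DIR
# Print "count path" for every text file under DIR that contains the marker.
# -I skips binary files; earlier backups are excluded so reruns stay quiet.
list_injected() {
    grep -rIc --exclude="*$BACKUP_SUFFIX" -e "$PATTERN" -- "$1" 2>/dev/null |
        awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n, $0 }'
}

# clean_injected DIR
# For each file reported by list_injected: save a copy, then blank the
# matching lines. Writing back into the existing file (instead of mv-ing a
# temp file over it) keeps the original owner and permissions.
clean_injected() {
    list_injected "$1" | while read -r _count file; do
        cp -p -- "$file" "$file$BACKUP_SUFFIX" || continue
        sed -E "s/^.*${PATTERN}.*\$//" "$file$BACKUP_SUFFIX" > "$file"
    done
}

# Typical use from a site's document root:
#   list_injected .      # review the hits first
#   clean_injected .     # then clean; originals stay as *.pre-clean
```

Diff each file against its .pre-clean copy before deleting the backups, so a legitimate script that was blanked can be restored.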