Here are some simple, easy-to-use commands to track down resource abuse or Denial of Service, or to clean out compromised and code-injected files.
First, if you’re using a cPanel-enabled machine, it’s always helpful to turn on dcpumon stats logging in WHM -> Turn on SuExec under “Service Configuration”.
# the oldest trick in the book
top
# get a full output of what the web server is serving up
/etc/init.d/apache fullstatus
# check network connections to port 80:
netstat -plan|grep :80|awk '{print $5}'|cut -d: -f 1|sort|uniq -c|sort -nk 1
# quota list tool for cPanel users
for account in $(ls /var/cpanel/users|egrep '[a-z]+[0-9]+'); do echo $account;done|xargs -n1 quota 2>/dev/null| grep -v none|awk '/user/{printf("\n%s :",$5)} /\/dev\//{printf(" %s G",$2/(1024*1024))}'|sort -nk3
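# remove code injection
# blanks every line containing String.fromCharCode in every file under the current directory, legitimate uses included; find -exec copes with file names containing spaces
find . -type f -exec sed -i -r 's/^.*String\.fromCharCode.*$//' {} +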
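
A more cautious variant of the cleanup above, as an added example rather than part of the original post: it lists the affected files first, keeps a copy of each before editing, and copes with file names containing spaces. The function names, the backup layout and the sample files are assumptions made for illustration, and it relies on GNU sed for `-i`.

```shell
#!/bin/sh
# Added example, not from the original page. PATTERN is the marker the page's
# sed command targets; function names and sample files are constructed.
PATTERN='String\.fromCharCode'

# make_sample DIR: build a small constructed tree to try the functions on.
make_sample() {
    mkdir -p "$1/js"
    printf '%s\n' 'var a = 1;' 'document.write(String.fromCharCode(60,33,45,45));' \
        'var b = 2;' > "$1/js/menu bar.js"   # space in the name on purpose
    printf '%s\n' '<p>hello</p>' > "$1/index.html"
}

# list_injected DIR: print files under DIR that contain the marker (read-only).
list_injected() {
    find "$1" -type f -exec grep -l -- "$PATTERN" {} +
}

# clean_injected DIR BACKUP_DIR: for each file containing the marker, keep a
# copy under BACKUP_DIR (same relative path, mode and timestamps), then blank
# the matching lines in place. Prints each cleaned path.
# Assumption: BACKUP_DIR lies outside DIR, so the copies are not rescanned.
clean_injected() {
    mkdir -p "$2" || return 1
    find "$1" -type f -exec sh -c '
        pattern=$1 src=$2 backup=$3; shift 3
        for f do
            grep -q -- "$pattern" "$f" || continue
            rel=${f#"$src"}; rel=${rel#/}
            mkdir -p "$backup/$(dirname "$rel")" &&
                cp -p -- "$f" "$backup/$rel" || continue   # no copy, no edit
            sed -i -r "s/^.*$pattern.*\$//" "$f" && printf "%s\n" "$f"
        done
    ' sh "$PATTERN" "$1" "$2" {} +
}

# Usage: sh clean.sh DIR BACKUP_DIR
if [ "$#" -eq 2 ]; then clean_injected "$1" "$2"; fi
```

Run `list_injected` on its own first and read the list before cleaning, since the pattern also matches legitimate scripts that call String.fromCharCode.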