DOMAINS
Which cPanel user owns a domain (main, addon, parked/alias or subdomain)
# Print the cPanel account that owns the given domain (works for addon/parked names too).
/scripts/whoowns 'domain.com'
BACKUPS
Check cPbackup for errors
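# Errors/warnings from the newest cPanel backup log (most recently modified file in the
# cpbackup log dir). Fix: 'error|warn' needs -E — in basic grep the '|' is a literal pipe
# character, so the original matched nothing; -i also catches "Error"/"WARNING".
# Parsing ls is tolerable here because the log names are machine-generated (no spaces).
tail -n 100 "$(ls -dt /usr/local/cpanel/logs/cpbackup/* | head -n 1)" | grep -Ei 'error|warn'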
Check when backup finished
# Last three lines of the newest cPanel backup log — the completion line lives there.
latest_log="$(ls -dt /usr/local/cpanel/logs/cpbackup/* | head -n 1)"
tail -n 3 "$latest_log"
Number of accounts that were backed up
# NOTE(review): this line is truncated in the source — the double quote is never closed and
# the command that actually counts the backed-up accounts is missing. Recover the full
# one-liner before using it; as written it will hang the shell waiting for the closing quote.
echo "Total Accounts to backup:
When was the last JetBackup job, and did it finish
# NOTE(review): truncated in the source — it ends inside the final awk program ('{print) and
# will not parse; recover the rest before use.
# What it does up to that point: picks the newest JetBackup backup log larger than 2 KiB
# (find -size +2k | xargs ls -dt | head -1), prints fields from its last line as the job's
# date/status, then fields from its first line as the start time. Field numbers ($1,$2,$3,
# $7,$8,$4) assume a specific log line layout — confirm against a current log before trusting
# the output. The 'find | xargs ls -dt' chain breaks on paths containing whitespace.
echo -e "\n~~~~JB accounts backup last job stats~~~\n" && tail -1 $(find /usr/local/jetapps/var/log/jetbackup/backup/ -type f -size +2k | xargs ls -dt | head -n 1) | awk '{print "Job date:"$1"-"$2" "$3", status: "$7" "$8}' | tr '[' ' ' && echo "Start time:" && head -1 $(find /usr/local/jetapps/var/log/jetbackup/backup/ -type f -size +2k | xargs ls -dt | head -n 1) | awk '{print $4}' | cut -d ':' -f 1,2 | awk '{print
EMAILS
Count IMAP/POP3 (dovecot) logins per mailbox from exim_mainlog, bracketed by the log's first and last dates
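# Per-mailbox login counts from exim_mainlog, printed between the log's first and last
# dates so the counts can be read as "logins per mailbox over this window".
# Fixes: 'egrep' is deprecated (grep -E); 'From' in the last awk was an unset awk variable
# (printed nothing); and a stray date was glued onto that awk program, making it a syntax
# error. Lines with neither dovecot_login nor dovecot_plain are ignored.
head -n 1 /var/log/exim_mainlog | awk '{print "From:", $1}'
grep -Eo 'dovecot_login[^ ]+|dovecot_plain[^ ]+' /var/log/exim_mainlog \
  | cut -d ':' -f 2 | sort | uniq -c | sort -n -k 1
tail -n 1 /var/log/exim_mainlog | awk '{print "To:", $1}'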
REJECTED EMAILS FOR A SINGLE EMAIL ADDRESS
# Rejected messages involving one address, across the current and rotated reject logs.
# exigrep treats the pattern as a Perl regex, so '.' in the address matches any character.
exigrep 'user@domain.com' /var/log/exim_rejectlog*
FAILED logins for an email address or domain (dovecot, via maillog)
# maillog lines that mention the domain AND the word "failed" (one pass instead of two greps).
awk '/DOMAIN.com/ && /failed/' /var/log/maillog
ALL logins/msgs for an email address
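# Every exim_mainlog line for messages authenticated as this mailbox.
# -F makes the match literal (the '.' in the address is no longer a regex wildcard) and
# '--' stops grep treating the pattern as an option.
grep -F -- 'dovecot_login:user@domain.com' /var/log/exim_mainlog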
Regenerate mailbox size for a user
# Rebuild maildirsize quota files. NOTE(review): --allaccounts and a USERNAME look
# mutually exclusive — confirm which one applies before running; drop the other.
/scripts/generate_maildirsize --verbose --confirm --allaccounts 'USERNAME'
ACCOUNTS
Suspend an account
# Suspend the account (web, mail, FTP, cPanel login).
/scripts/suspendacct 'USERNAME'
Unsuspend an account:
# Reverse a suspension for the account.
/scripts/unsuspendacct 'USERNAME'
List of suspended accounts
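# Suspended accounts: each has a marker file in /var/cpanel/suspended.
# Fix: 'll' is an interactive alias, not a command, and "or" was prose inside a command
# line — split into two runnable alternatives.
ls -l /var/cpanel/suspended
# Alternatively, the Apache include that lists account suspensions:
cat /usr/local/apache/conf/includes/account_suspensions.conf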
SSL
Check AutoSSL status for user
# Run/inspect AutoSSL for one account.
/usr/local/cpanel/bin/autossl_check --user='USERNAME'
Clear AutoSSL Pending Queue
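# Clear the AutoSSL pending queue: move the queue DB aside and re-run the cpstore queue
# check. Fix: the original jammed three commands onto one line with no separators, so it
# would not run; '&&' chains them and a failed cd/mv stops the rerun.
# The renamed .old file is the only copy of the queue state — keep it until AutoSSL is
# confirmed healthy again.
cd /var/cpanel \
  && mv autossl_queue_cpanel.sqlite autossl_queue_cpanel.sqlite.old \
  && /usr/local/cpanel/bin/autossl_check_cpstore_queue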
LOGS
Grep an IP in a domain's SSL access log for status 503 responses
# Requests from the IP that got a 503 (run from the domlogs dir holding that log).
grep -- 'IP-GOES-HERE' 'addon-domain.main-domain-name.extension-ssl_log' | grep -- '503'
Which username an IP used for mail login
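# maillog lines for the IP. -F makes the dots in the IP literal (a regex '.' would also
# match 10x0x0x1), '--' protects against a pattern starting with '-'.
grep -F -- 'IP-GOES-HERE' /var/log/maillog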
Which domains' access logs (domlogs) contain an IP
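# Domlog files that contain the IP. Fixes: -l already lists each file once, so the trailing
# 'uniq' did nothing; -F makes the IP literal (regex '.' also matched 10x0x0x1); '--' guards
# the pattern. Sorted for stable output.
grep -rlF -- 'IP-GOES-HERE' /usr/local/apache/domlogs/ | sort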
GREP username or IP address in the error log
# Mentions of a username (or IP) in cPanel's own error log — this is cpsrvd's log, not Apache's.
grep -- 'USERNAME' /usr/local/cpanel/logs/error_log
Who (which source IPs) accessed a certain cPanel account
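# Distinct values of field 6 (presumably the client IP — confirm against a sample line) for
# new cpaneld sessions of USERNAME in session_log.
# Bug fix: awk "{print $6}" was double-quoted, so the shell expanded $6 to nothing and awk
# printed whole lines. 'sort -u' already dedupes, so the trailing 'uniq' is dropped.
grep -F -- 'USERNAME' /usr/local/cpanel/logs/session_log \
  | grep 'NEW .*app=cpaneld' | awk '{print $6}' | sort -u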
WHO accessed from an IP address
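# session_log entries from the IP, narrowed to lines mentioning cpanel-user.
# -F: literal IP match (regex '.' also matched 10x0x0x1); '--': pattern is never an option.
grep -F -- 'IP-GOES-HERE' /usr/local/cpanel/logs/session_log | grep -- 'cpanel-user'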
Who suspended an email account
# cPanel access_log calls to the suspend_incoming API — shows which session did it.
grep -- 'suspend_incoming' /usr/local/cpanel/logs/access_log
Where IP tried to login (cpanel, webdisk, webmail..)
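# login_log entries for the IP (cpanel, webmail, webdisk, ...).
# -F: literal IP match (regex '.' also matched 10x0x0x1); '--': pattern is never an option.
grep -F -- 'IP-GOES-HERE' /usr/local/cpanel/logs/login_log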
All cPanel account actions are logged in:
/var/cpanel/accounting.log
FIREWALL (cPHulk & CSF)
cPhulk check IP
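# cPHulk log lines for an IP. -F: literal match (a regex '.' in the IP also matches
# 10x0x0x1); '--': pattern is never parsed as an option.
grep -F -- 'IP' /usr/local/cpanel/logs/cphulkd.log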
cPHulk (Brute Force Protection) error log:
/usr/local/cpanel/logs/cphulkd_errors.log
Whitelist an IP on cPHulk
# Add an IP to cPHulk's whitelist. Only whitelist trusted, static addresses — a whitelisted
# IP is exempt from brute-force protection.
/scripts/cphulkdwhitelist 'x.x.x.x'
Blacklist an IP on cPHulk
# Add an IP to cPHulk's blacklist.
/scripts/cphulkdblacklist 'x.x.x.x'
CSF check IP
# Search the iptables rules and csf allow/deny lists for an IP (long form of -g).
csf --grep 8.8.8.8
Unblock an IP on CSF
# Remove an IP from csf.deny and unblock it (long form of -dr). Check why it was blocked
# first (csf -g); temporary blocks are removed with -tr rather than -dr.
csf --denyrm 8.8.8.8
Restart CSF
# Reload the firewall rules (long form of -r).
csf --restart
MALWARE FINDING
Search for "Hacked by" signature
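# Files under the current dir containing a "hacked by" defacement string (case-insensitive).
# Fix: './*' skips dot-files and dot-directories at the top level; '.' covers everything.
# '--' keeps the pattern from being read as an option. Only catches defacements, not
# backdoors — pair with the obfuscation greps below.
grep -ril -- 'hacked by' .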
Find files & directories modified in the last 5 days
# Anything (files or dirs) under '.' modified less than 5 days ago, in ls -l-like format.
find . -mtime '-5' -ls
Find all files modified in the last 120 minutes
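# Regular files under the user's home modified within the last 120 minutes.
# Bug fix: '-mmin +120' selects files modified MORE than 120 minutes ago — the opposite of
# the heading; '-mmin -120' means "less than 120 minutes ago".
find /home/USERNAME -type f -mmin -120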
Grep a username in the CXS quarantine (karantin) files
# Quarantined CXS files that mention the username.
grep -r -- 'USERNAME' /karantin/cxscgi/
Find PHP files in a folder
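# PHP files under the current directory. Fix: 'find . -print | grep -i .php' used '.' as a
# regex wildcard and matched anywhere in the path (e.g. a directory named "xphp");
# -iname '*.php' matches the file name's extension only. Use -iname '*.ph*' if you also
# want .phtml/.php5/.phps variants.
find . -type f -iname '*.php'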
Find PHP files in all /wp-content/uploads folders
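# PHP files inside any wp-content/uploads tree under the user's home — uploads should never
# contain executable PHP, so every hit is suspect. Fixes: the old glob only looked one level
# below /home/USERNAME (missing nested/addon installs), and 'grep -i .php' matched '.php'
# anywhere in the path with '.' as a wildcard.
find /home/USERNAME -type f -path '*/wp-content/uploads/*' -iname '*.php'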
POST request targets (URIs) for a cPanel account, by count
# POSTed URIs across the account's access logs, least to most frequent.
# -h drops the filename prefix grep adds with several files; field 7 is the request URI.
grep -h POST /home/USERNAME/access-logs/* \
  | awk '{print $7}' \
  | sort | uniq -c | sort -n
WORDPRESS ATTACKS
# NOTE(review): truncated in the source — it ends inside the for-loop body ('echo; echo')
# and will not parse; recover the rest before use.
# Up to that point it counts hits on wp-comments-post.php / wp-login.php / xmlrpc.php per
# domlog, takes the top 5, writes them to /tmp/delete_check and loops over the file names.
# Caveats: 'egrep' is deprecated (use grep -E); /tmp/delete_check is a predictable path in
# a shared tmp dir — prefer "$(mktemp)"; 'cut -d'/' -f6' assumes the domlogs path depth.
egrep -c '(wp-comments-post.php|wp-login.php|xmlrpc.php)' /usr/local/apache/domlogs/* |grep -v "_log" |sort -t: -nr -k 2 |head -5 |tee /tmp/delete_check |cut -d'/' -f6; for domlog in $(cut -d':' -f1 /tmp/delete_check); do echo; echo
Mail sent by scripts: exim_mainlog entries whose cwd is under a user's home
# Recent exim_mainlog entries referencing the user's home (e.g. cwd= of a sending script).
tail -n 2000 /var/log/exim_mainlog | grep -F -- '/home/USERNAME/'
SCAN files for malware
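# Quick obfuscation hunt. Fixes: the original ran four greps jammed onto one line (would not
# parse), and '--include=.php' only matches files literally named ".php" — the intended glob
# is --include='*.php' (quoted so the shell cannot expand it). Expect false positives:
# base64_/eval appear in legitimate plugins; treat hits as leads, not verdicts.
grep -R 'base64_' /home/USERNAME/
grep -lr --include='*.php' 'eval(base64_decode' .
grep -lr --include='*.php' 'eval' .
grep -lr --include='*.php' 'base64' .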
Maldet scanner
# Linux Malware Detect scan of a path (long form of -a).
maldet --scan-all /path/to/directory
Configuration
Check the configured maximum number of simultaneous SMTP connections (smtp_accept_max)
# smtp_accept_max setting in the Exim config (grep reads the file directly; no cat needed).
grep -- 'smtp_accept_max' /etc/exim.conf
Check the version of a PHP extension (example: libxml)
# libxml lines from phpinfo (CLI PHP; --info is the long form of -i).
php --info | grep -- 'libxml'