cPanel CLI

If you are ever using a cPanel server, here are some one-liners for the Command Line Interface.

Over Use of CPUs

Too many php-fpm requests

sudo netstat -an|grep :443|cut -d":" -f2|sort|uniq -c
or
sudo netstat -an|grep :80|cut -d":" -f2|sort|uniq -c

This looks at all the connections on the https port, extracts the external IP address, then sorts and counts the connections per address. The result may look like this:

1 443 207.46.13.234 
2 443 207.46.13.4 
29 443 24.253.147.45 
60 443 3.112.253.65

A quick check of https://www.abuseipdb.com/check/3.112.253.65 finds that this address has been reported for abuse in the past.

Remedy

Ban the IP addresses 24.253.147.45 & 3.112.253.65 at the firewall level.

WordPress Attacks

Attacking xmlrpc.php

grep -d skip -e "POST /xmlrpc.php HTTP/1.1" /usr/local/apache/domlogs/*|cut -d/ -f6|cut -d":" -f1|sort|uniq -c

This gives an output of:

40 docsmenagerie.com-ssl_log
1506 epiphanychurch.co.nz
133 fallingforward.life-ssl_log

In the case of epiphany, I dug a bit deeper and found:

grep "POST /xmlrpc.php HTTP/1.1" /usr/local/apache/domlogs/epiphanychurch.co.nz|cut -d"-" -f1|sort|uniq -c

152 3.112.253.65 (Amazon)
1 3.113.159.115
1295 3.22.117.97 (Amazon)

Remedy

There is no reason for an Amazon IP to be doing this unless a website at this address has been compromised.
Ban the IP addresses 3.112.253.65 & 3.22.117.97 at the firewall level.

Email Server under Attack

Sent today

grep "R=send_via_sendgrid" /var/log/exim_mainlog | grep 2020-11-17 | wc -l

136

You only have a few days' worth of records, so I do this hourly and have an extended script that sends me an email if more than 400 emails are sent in a day.
If you end up with a large number, you can run a script like this:

today=$(date +%Y-%m-%d)
echo "$today"
echo "$today" > /home/strider/scripts/emails.txt
# characters 21-36 of each log line hold the exim message ID
for i in $(grep "R=send_via_sendgrid" /var/log/exim_mainlog | grep "$today" |cut -c21-36)
  do
     # for each message ID, record the recipient from its delivery ("=>") lines
     grep "$i" /var/log/exim_mainlog|grep "=>"|cut -d">" -f2|cut -d" " -f2>>/home/strider/scripts/emails.txt
done
# count how many emails went to each recipient
sort /home/strider/scripts/emails.txt|uniq -c
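
The hourly check described above, as an added example rather than the author's own extended script: it counts the day's send_via_sendgrid deliveries in one awk pass, tallies recipients, and tests the 400-a-day limit. Function names, the sendgrid_smtp transport name and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the author's script. Router name, log path and the 400/day
# limit are from the page; function names and sample lines are constructed.
ROUTER="R=send_via_sendgrid"

# count_sent LOG DATE: number of deliveries ("=>") via the router on DATE
count_sent() {
    awk -v d="$2" -v r="$ROUTER" \
        '$1 == d && $4 == "=>" && index($0, r) { n++ } END { print n + 0 }' "$1"
}

# top_recipients LOG DATE: "count recipient" lines, busiest recipient first
top_recipients() {
    awk -v d="$2" -v r="$ROUTER" \
        '$1 == d && $4 == "=>" && index($0, r) { print $5 }' "$1" |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# over_limit LOG DATE LIMIT: succeeds when the day's count exceeds LIMIT
over_limit() {
    [ "$(count_sent "$1" "$2")" -gt "$3" ]
}

# Constructed sample in exim_mainlog layout: date, time, message ID, flag, address
make_sample_log() {
    cat > "$1" <<'EOF'
2020-11-17 09:00:01 1kexAA-0001aa-Aa <= web@site.example H=localhost [127.0.0.1] P=esmtpa S=812
2020-11-17 09:00:02 1kexAA-0001aa-Aa => alice@mail.example R=send_via_sendgrid T=sendgrid_smtp H=smtp.sendgrid.net [192.0.2.10]
2020-11-17 09:00:02 1kexAA-0001aa-Aa Completed
2020-11-17 09:05:10 1kexBB-0002bb-Bb => bob@mail.example R=send_via_sendgrid T=sendgrid_smtp H=smtp.sendgrid.net [192.0.2.10]
2020-11-17 09:05:11 1kexCC-0003cc-Cc => alice@mail.example R=send_via_sendgrid T=sendgrid_smtp H=smtp.sendgrid.net [192.0.2.10]
2020-11-17 09:06:00 1kexDD-0004dd-Dd => carol R=localuser T=local_delivery
2020-11-16 23:59:59 1kexEE-0005ee-Ee => dave@mail.example R=send_via_sendgrid T=sendgrid_smtp H=smtp.sendgrid.net [192.0.2.10]
EOF
}

# Hourly cron usage (assumed wiring, needs a working "mail" command):
#   d=$(date +%Y-%m-%d)
#   over_limit /var/log/exim_mainlog "$d" 400 &&
#       top_recipients /var/log/exim_mainlog "$d" | mail -s "exim volume" root
```

Unlike the grep loop, this counts each delivery line once, so a message ID that appears on several lines is not tallied repeatedly.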

MySQL Commands

If you are using phpMyAdmin, or have access to bash, here are some useful commands.
Remember to always do a mysqldump first so you have a backup of your database.

mysqldump

When you have access to your database, it is always a good idea to have a current backup before you do any work.
In bash you can run:

mysqldump -uuser dbname -ppassword >todaysdate.sql

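Now you can play and even make mistakes. But until you have done this a few times and feel confident, only work on your own databases, not a production database. Putting the password on the command line with -p can expose it in shell history and the process list; -p on its own makes mysqldump prompt for it instead.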

update

I had an issue: I had just updated a website to my server, set up security, and was moving it to https, only to find out that the theme they were using was rather out of date and the SSL plugin could not edit the ‘meta_value’ in real time and replace http with https. This meant that the site was seen as insecure.

select * from tinkerwp_postmeta where meta_value like "%http:%";

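This gave me a list of all the IDs with http: in the meta_value field, about 15 of them, so instead of going to each record individually and manually replacing http with https, I ran the command below. The statement has no WHERE clause, so it rewrites every meta_value containing http:, including PHP-serialized values, whose stored string lengths REPLACE does not update.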

UPDATE tinkerwp_postmeta SET meta_value = REPLACE(meta_value, 'http:', 'https:');
Query OK, 15 rows affected (0.012 sec)
Rows matched: 3390 Changed: 8 Warnings: 0

Success.

Working with WordPress and MySQL

select option_id,option_name from wp_options where option_value like "%http://mokuaikaua.com%";

This gives us all the rows that use http://mokuaikaua.com

select option_id,option_name from wp_options where option_value like "%https://mokuaikaua.com%";
select * from wp_options where option_id = 1;
+-----------+-------------+------------------------+----------+
| option_id | option_name | option_value           | autoload |
+-----------+-------------+------------------------+----------+
|         1 | siteurl     | https://mokuaikaua.com | yes      |
+-----------+-------------+------------------------+----------+

This is what the siteurl row for https://mokuaikaua.com may look like.
Now we want to replace https://mokuaikaua.com with https://temp.mokuaikaua.com:

UPDATE wp_options SET option_value = REPLACE(option_value, 'https://mokuaikaua.com', 'https://temp.mokuaikaua.com');

Useful Commands

show tables;

Lets you see all the tables in the current database.

describe tablename;

This gives a description of all the fields and their type from the table selected.