cPanel CLI

If you are ever using a cPanel server, here are some one-liners for the Command Line Interface.

Overuse of CPUs

Too many php-fpm requests

sudo netstat -an|grep :443|cut -d":" -f2|sort|uniq -c
or
sudo netstat -an|grep :80|cut -d":" -f2|sort|uniq -c

This lists all the connections on HTTPS (port 443), extracts the external IP address from each, sorts the addresses, then counts the connections per address. The result may look like this:

1 443 207.46.13.234 
2 443 207.46.13.4 
29 443 24.253.147.45 
60 443 3.112.253.65

A quick check of https://www.abuseipdb.com/check/3.112.253.65 finds that this address has been reported for abuse in the past.

Remedy

Ban the IP addresses 24.253.147.45 & 3.112.253.65 at the firewall level.

WordPress Attacks

Attacking xmlrpc.php

grep -d skip -e "POST /xmlrpc.php HTTP/1.1" /usr/local/apache/domlogs/*|cut -d/ -f6|cut -d":" -f1|sort|uniq -c

This gives an output of:

40 docsmenagerie.com-ssl_log
1506 epiphanychurch.co.nz
133 fallingforward.life-ssl_log

In the case of epiphany, I dug a bit deeper and found:

grep "POST /xmlrpc.php HTTP/1.1" /usr/local/apache/domlogs/epiphanychurch.co.nz|cut -d"-" -f1|sort|uniq -c

152 3.112.253.65 (Amazon)
1 3.113.159.115
1295 3.22.117.97 (Amazon)

Remedy

There is no reason for an Amazon IP to be doing this unless it is a compromised website at this address.
Ban the IP addresses 3.112.253.65 & 3.22.117.97 at the firewall level.
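
The two grep steps above can be combined into one pass that counts POST /xmlrpc.php requests per client IP and prints only the addresses at or above a threshold. This is an added example, not a script from the original post. It assumes Apache combined log format; the function names, the threshold and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post).
# Assumes Apache combined log format: $1 = client IP, $6 = "METHOD, $7 = path.

# xmlrpc_offenders THRESHOLD [FILE...]
# Prints "count ip", highest first, for each client IP with at least
# THRESHOLD "POST /xmlrpc.php" requests. Reads stdin when no FILE is given.
xmlrpc_offenders() {
    local threshold=$1
    shift
    awk -v min="$threshold" '
        $6 == "\"POST" && ($7 == "/xmlrpc.php" || index($7, "/xmlrpc.php?") == 1) {
            hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip
        }
    ' "$@" | sort -rn
}

# Constructed sample lines using documentation-range IPs, not real traffic.
sample_log() {
    local i
    for i in 1 2 3 4 5; do
        printf '203.0.113.7 - - [17/Nov/2020:10:00:0%s +1300] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "-"\n' "$i"
    done
    printf '%s\n' \
        '198.51.100.9 - - [17/Nov/2020:10:01:00 +1300] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "-"' \
        '198.51.100.9 - - [17/Nov/2020:10:01:05 +1300] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"' \
        '192.0.2.33 - - [17/Nov/2020:10:02:00 +1300] "POST /wp-login.php HTTP/1.1" 200 900 "-" "-"'
}

# Threshold of 3 is a hypothetical value; tune it to the site's normal traffic.
sample_log | xmlrpc_offenders 3
```

On a server, pass the log files as arguments instead of piping the sample, for example the files under /usr/local/apache/domlogs/ (regular files only, since awk does not skip directories the way grep -d skip does).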

Email Server under Attack

Sent today

grep "R=send_via_sendgrid" /var/log/exim_mainlog | grep 2020-11-17 | wc -l

136

You only have a few days' worth of records, so I do this hourly and have an extended script that sends me an email if more than 400 emails are sent in a day.
If you end up with a large number, you can run a script like this:

# List today's recipients of mail routed via SendGrid, with a count per recipient
today=$(date +%Y-%m-%d)
echo "$today"
echo "$today" > /home/strider/scripts/emails.txt
# Characters 21-36 of an exim_mainlog line hold the message ID
for i in $(grep "R=send_via_sendgrid" /var/log/exim_mainlog | grep "$today" | cut -c21-36)
  do
     # Delivery lines ("=>") for this message ID; keep only the recipient address
     grep "$i" /var/log/exim_mainlog | grep "=>" | cut -d">" -f2 | cut -d" " -f2 >> /home/strider/scripts/emails.txt
done
sort /home/strider/scripts/emails.txt | uniq -c