cPanel CLI

If you are ever using a cPanel server, here are some one-liners for the Command Line Interface.

Overuse of CPUs

Too many php-fpm requests

sudo netstat -an|grep :443|cut -d":" -f2|sort|uniq -c
sudo netstat -an|grep :80|cut -d":" -f2|sort|uniq -c

This looks at all the connections on HTTPS (port 443; the second command does the same for HTTP on port 80), pulls out the external IP address, sorts the results, then counts the connections per address. The result may look like this.

1 443 
2 443 
29 443 
60 443

A quick check of finds that this address has been reported for abuse in the past.


Ban the IP addresses & at the firewall level.

WordPress Attacks

Attacking xmlrpc.php

grep -d skip -e "POST /xmlrpc.php HTTP/1.1" /usr/local/apache/domlogs/*|cut -d/ -f6|cut -d":" -f1|sort|uniq -c

This gives an output of:


In the case of epiphany, I dug a bit deeper and found:

grep "POST /xmlrpc.php HTTP/1.1" /usr/local/apache/domlogs/|cut -d"-" -f1|sort|uniq -c

152 (Amazon)
1295 (Amazon)

There is no reason for an Amazon IP to be doing this unless it is a compromised website at this address.
Ban the IP addresses & at the firewall level.

Email Server under Attack

Sent today

grep "R=send_via_sendgrid" /var/log/exim_mainlog | grep 2020-11-17 | wc -l


You only have a few days' worth of records, so I do this hourly and have an extended script that sends me an email if more than 400 emails are sent in a day.
If you end up with a large number you can run a script like this:

# Today's date in the format used at the start of each exim_mainlog line
today=$(date +%Y-%m-%d)
echo "$today"
echo "$today" > /home/strider/scripts/emails.txt
# Characters 21-36 of a log line hold the Exim message ID
for i in $(grep "R=send_via_sendgrid" /var/log/exim_mainlog | grep "$today" | cut -c21-36); do
     # Append the recipient from each delivery ("=>") line of that message
     grep "$i" /var/log/exim_mainlog | grep "=>" | cut -d">" -f2 | cut -d" " -f2 >> /home/strider/scripts/emails.txt
done
# Count how many times each recipient appears
sort /home/strider/scripts/emails.txt | uniq -c
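
The daily limit check described above, as an added example (this is not the author's extended script). It counts the day's send_via_sendgrid deliveries and, when the limit is exceeded, lists which envelope senders produced them in a single pass over the log rather than one grep per message ID. The function names, the sample log lines and the limit of 3 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page. Log lines, addresses and the
# limit of 3 are constructed; the page's own limit is 400 emails per day.

# count_sent LOG DAY: deliveries on DAY routed through send_via_sendgrid
count_sent() {
    awk -v day="$2" '$1 == day && /R=send_via_sendgrid/ { n++ }
                     END { print n + 0 }' "$1"
}

# senders_by_volume LOG DAY: "<count> <envelope sender>", busiest first.
# Pass 1 counts deliveries per message id; pass 2 maps each id to the
# sender on its "<=" (message received) line.
senders_by_volume() {
    awk -v day="$2" '
        NR == FNR { if ($1 == day && /R=send_via_sendgrid/) sent[$3]++; next }
        $4 == "<=" && ($3 in sent) { total[$5] += sent[$3] }
        END { for (s in total) print total[s], s }
    ' "$1" "$1" | sort -rn
}

# check_limit LOG DAY LIMIT: report; exit status 1 when the count exceeds LIMIT
check_limit() {
    sent_count=$(count_sent "$1" "$2")
    if [ "$sent_count" -gt "$3" ]; then
        echo "ALERT: $sent_count emails via SendGrid on $2 (limit $3)"
        senders_by_volume "$1" "$2"
        return 1
    fi
    echo "OK: $sent_count emails via SendGrid on $2 (limit $3)"
}

# Constructed sample log in Exim main-log layout
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2020-11-16 23:59:10 1kew99-0009ZZ-Aa <= shop@example.com U=shop P=local S=900
2020-11-16 23:59:11 1kew99-0009ZZ-Aa => z@example.net R=send_via_sendgrid T=remote_smtp
2020-11-17 10:00:01 1kex01-0001AB-Cd <= shop@example.com U=shop P=local S=1200
2020-11-17 10:00:02 1kex01-0001AB-Cd => a@example.net R=send_via_sendgrid T=remote_smtp
2020-11-17 10:05:00 1kex02-0001CD-Ef <= promo@example.org U=promo P=local S=5000
2020-11-17 10:05:01 1kex02-0001CD-Ef => b@example.net R=send_via_sendgrid T=remote_smtp
2020-11-17 10:05:01 1kex02-0001CD-Ef -> c@example.net R=send_via_sendgrid T=remote_smtp
2020-11-17 10:05:02 1kex02-0001CD-Ef -> d@example.net R=send_via_sendgrid T=remote_smtp
2020-11-17 10:05:02 1kex02-0001CD-Ef -> e@example.net R=send_via_sendgrid T=remote_smtp
2020-11-17 10:06:00 1kex03-0001GH-Ij => localuser <localuser@example.com> R=localuser T=local_delivery
EOF

check_limit "$SAMPLE_LOG" 2020-11-17 3 || true
```

On a server, call check_limit with /var/log/exim_mainlog, today's date and 400 from an hourly cron job, and mail its output when it returns a non-zero status.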