One Liners
Notes:
- check bounce headers for spam injections
- cross-check the maillog and processed maillogs for the IP addresses found in those headers
- check which user logged in from that IP and whether the domain is listed in the file
Example: Received: from 64-60-103-180.static-ip.telepacific.net (HELO User) (64.60.103.180)
Example: maillog.processed.3.gz:May 30 10:35:43 125212-www1 smtp_auth: smtp_auth: SMTP user info : /var/qmail/mailnames/charlesromancatering.com/info logged in from unknown@64-60-103-180.static-ip.telepacific.net [64.60.103.180]
# mysql -uadmin -p$(</etc/psa/.psa.shadow) psa -N -e "select domains.name,domains.id,mail.mail_name,accounts.password from domains,mail,accounts where domains.id=mail.dom_id and accounts.id=mail.account_id" | awk '{print $3}' > list
# cd /usr/local/psa/var/log
# for i in `cat /root/list`; do cat maillog* | grep $i | grep LOGIN | wc -l; done
# zgrep LOGIN *.gz | grep mbryan | wc -l
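The bounce-header cross-check from the notes above (Received: header IP to smtp_auth login in the maillog), written out as a small script. This is an added example, not part of the original notes; the sample message and log lines are constructed in the formats the notes quote, and the /var/qmail/mailnames path layout is assumed to match the notes' own example.

```shell
#!/bin/sh
# Added example, not from the original notes: cross-check the IPs in a bounce's
# Received: headers against smtp_auth logins in the qmail maillog. The sample
# message and log lines are constructed (RFC 5737 addresses, example.* names).
# Join folded header continuation lines so each header sits on one line.
unfold_headers() {
    awk '/^[ \t]/ { cur = cur $0; next }
         { if (cur != "") print cur; cur = $0 }
         END { if (cur != "") print cur }' "$1"
}

# Every IPv4 address quoted in a Received: header, whether in (...) or [...].
received_ips() {
    unfold_headers "$1" | grep '^Received:' \
      | grep -oE '[([]([0-9]{1,3}\.){3}[0-9]{1,3}[])]' \
      | sed 's/[][()]//g' | sort -u
}

# Accounts that authenticated via SMTP from one IP, with login counts.
auth_logins_from() {   # $1 = ip, remaining args = maillog files (.gz ok)
    ip=$1; shift
    for f in "$@"; do
        case $f in *.gz) zcat "$f" ;; *) cat "$f" ;; esac
    done | grep 'smtp_auth:' | grep -F "[$ip]" \
      | sed -n 's#.*user info : /var/qmail/mailnames/\([^/]*\)/\([^ ]*\) logged in.*#\2@\1#p' \
      | sort | uniq -c | sort -rn
}

# For each header IP, report which accounts logged in from it (empty = none).
cross_check() {   # $1 = bounce message, remaining args = maillog files
    bounce=$1; shift
    for ip in $(received_ips "$bounce"); do
        echo "== $ip"; auth_logins_from "$ip" "$@"
    done
}

# Constructed sample bounce and maillog in the formats quoted in the notes.
write_samples() {   # $1 = directory; creates bounce.eml and maillog.1
    printf '%s\n' \
      'Received: from mail.example.net (mail.example.net [198.51.100.7])' \
      '  by mx.example.org with ESMTP; Mon, 1 Jun 2009 10:36:00 -0700' \
      'Received: from 192-0-2-10.example-isp.net (HELO User)' \
      '  (192.0.2.10)' > "$1/bounce.eml"
    printf '%s\n' \
      'Jun  1 10:35:43 www1 smtp_auth: smtp_auth: SMTP user info : /var/qmail/mailnames/example.com/info logged in from unknown@192-0-2-10.example-isp.net [192.0.2.10]' \
      'Jun  1 10:35:51 www1 smtp_auth: smtp_auth: SMTP user info : /var/qmail/mailnames/example.com/info logged in from unknown@192-0-2-10.example-isp.net [192.0.2.10]' \
      'Jun  1 10:36:02 www1 smtp_auth: smtp_auth: SMTP user info : /var/qmail/mailnames/example.org/sales logged in from unknown@203-0-113-5.example-isp.net [203.0.113.5]' \
      > "$1/maillog.1"
}
d=$(mktemp -d); write_samples "$d"; cross_check "$d/bounce.eml" "$d/maillog.1"
```

On a real box, point cross_check at the actual bounce and at /usr/local/psa/var/log/maillog* (gzipped rotations are handled); an IP that appears in the headers but never authenticated usually means a relay hop, not a compromised mailname.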
- Search mail logs for log in attempts
# for i in `ls /var/spool/mail`; do echo $i; cat /var/log/maillog* | grep LOGIN | grep $i | wc -l; done
# for i in `ls /var/spool/mail`; do echo $i; cat /var/log/maillog* | grep LOGIN | grep "authid="$i | wc -l; done
- Check for dead services
# for i in `chkconfig --list | awk '{print $1}' | grep -v :`; do service $i status; done | grep dead | awk '{print $1}'
- Top Apache connections
# netstat -anpt | egrep -v '^Active|^Proto|LISTEN' | awk '{ print $4":"$5 }' | cut -f 3,2 -d ':' | sort | uniq -c | sort -n
- sort processes by memory usage
# ps auwxx --sort rss
# ipcs -s   (list semaphores)
If Apache is using a lot of memory, check MaxRequestsPerChild and the KeepAlive settings.
----------------
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
- USER effective user name. This will be the textual user ID if it can be obtained and the field width permits, or a decimal representation otherwise. The n option can be used to force the decimal representation. (alias uname, user).
- PID process ID number of the process.
- %CPU cpu utilization of the process in "##.#" format. Currently, it is the CPU time used divided by the time the process has been running (cputime/realtime ratio), expressed as a percentage. It will not add up to 100% unless you are lucky. (alias pcpu).
- %MEM ratio of the process's resident set size to the physical memory on the machine, expressed as a percentage. (alias pmem).
- VSZ virtual memory size of the entire process: vm_lib + vm_exe + vm_data + vm_stack
- RSS resident set size, the non-swapped physical memory that a task has used (in kilobytes).
- TTY controlling tty (terminal). (alias tname, tt).
- STAT multi-character process state. See section PROCESS STATE CODES for the meaning of the different values. See also s and state if you just want the first character displayed.
- START start time of the process.
- TIME cumulative CPU time, "[dd-]hh:mm:ss" format. (alias cputime).
--------------
Check Top Connections
# PORT=110;netstat -antp | awk '$4 ~ /:'$PORT'$/ {c++;print $5|"cut -f1 -d:|sort |uniq -c|sort -n"} END {print c}'
List Top Processes
# ps -eo user,pid,pcpu,cmd,args --sort -pcpu | head -n20
Run SpamAssassin on messages in queue and delete (from lovepig.org)
# count=0; cd /var/qmail/queue/mess; /etc/init.d/qmail stop; for i in `find . -type f`; do spammess=`cat $i | spamassassin | grep 'X-Spam-Status: Yes' | wc -l | awk '{print $1}'`; if [ $spammess = 1 ]; then messname=`echo $i | sed 's/\//\ /g' | awk '{print $3}'`; echo Deleting $messname...; count=`expr $count + 1`; qmHandle -d$messname > /dev/null; fi; done; service qmail start; echo $count emails have been removed.
Inflated:
count=0;
cd /var/qmail/queue/mess;
/etc/init.d/qmail stop;
for i in `find . -type f`;
do spammess=`cat $i | spamassassin | grep 'X-Spam-Status: Yes' | wc -l | awk '{print $1}'`;
if [ $spammess = 1 ];
then messname=`echo $i | sed 's/\//\ /g' | awk '{print $3}'`;
echo Deleting $messname...;
count=`expr $count + 1`;
qmHandle -d$messname > /dev/null;
fi;
done;
service qmail start;
echo $count emails have been removed.
SAR Bandwidth
# sar -n DEV -f /var/log/sa/sa27 | grep -E 'eth0|IFACE'
SAR Memory
# sar -r
SMTP and IMAP traffic (change $2 to the date you desire)
# awk '$2 =="9" { if ($5 == "imapd:" && $7 == "LOGOUT,") {rcvd[$1" "$2" "substr($3,1,2)"."substr($3,4,1)]+=substr($12,6,length($12)-1);sent[$1" "$2" "substr($3,1,2)"."substr($3,4,1)]+=substr($13,6,length($13)-1)}; if ($5 ~ /^imapd-ssl/ && $7 == "LOGOUT,") {rcvd[$1" "$2" "substr($3,1,2)"."substr($3,4,1)]+=substr($9,6,length($9)-1);sent[$1" "$2" "substr($3,1,2)"."substr($3,4,1)]+=substr($10,6,length($10)-1)}; if ($5 == "qmail:" && $10 == "bytes"){size[$1" "$2" "substr($3,1,2)"."substr($3,4,1)]+=$11}} END {for (i in sent){ print i"\t"sprintf("%2.2f",size[i]/1024)"K\tsmtp\t"sprintf("%2.2d",sent[i]/1024)"K\timap-out\t"sprintf("%2.2f",rcvd[i]/1024)"K\timap-in"|"sort -k 3,3n"} }' maillog
MySQL Database Check
mysqlcheck --auto-repair -A
Check whether a server still negotiates SSLv2 / SSLv3 ciphers (OpenSSL cipher-list keywords)
$ curl --ciphers SSLv2 https://www.rackspace.com
$ curl --ciphers SSLv3 https://www.rackspace.com
Count peer IPs from the kernel's "TCP: Treason uncloaked!" messages (the input must be sorted before uniq -c, or only adjacent duplicates are counted)
# dmesg | grep Treason | awk '{print $5}' | sed s/:/" "/ | awk '{print $1}' | sort | uniq -c | sort -nr
# echo 1.2.3.4:2345 | sed 's/:.*/ /'
# The command below creates the initrd image file
mkinitrd ./initrd-2.4.18-19.8.0custom.img 2.4.18-19.8.0custom
# tar -pczf name_of_your_archive.tar.gz /path/to/directory
# alternatives --config mta
Check Plesk mail accounts with autoresponders
for i in `mysql -uadmin -p$(</etc/psa/.psa.shadow) psa -N -e "select domains.name,domains.id,mail.mail_name,accounts.password from domains,mail,accounts where domains.id=mail.dom_id and accounts.id=mail.account_id" | awk '{print $3"@"$1}'`; do autorespond=`/usr/local/psa/bin/mail.sh --info $i | grep Autoresponder | awk '{print $2}'`; if [ "$autorespond" = 1 ]; then echo $i; fi; done
Find the 50 largest files
find / -path /dev -prune -o -path /sys -prune -o -path /proc -prune -o -type f \
-size '+1024k' -printf "%s %h/%f\n" | sort -rn -k1 | head -n50 | \
awk '{ printf("%5dMB\t%s\n", $1/1048576, substr($0, index($0, " ")+1, length($0))) }'
File Search and Replace
perl -pi -w -e 's/search/replace/g;' *.php
- -e execute the following line of code
- -i edit the file in place
- -w enable warnings
- -p loop over the input lines, printing each one after the substitution
---------------
empulsegroup.com - 2008