Find all nameservers:

Get local and remote domains from the server:

cat /etc/localdomains | rev | sort | awk -F "." '{print $1, $2}' | uniq | rev | sed 's/ /./g'
cat /etc/remotedomains | rev | sort | awk -F "." '{print $1, $2}' | uniq | rev | sed 's/ /./g'

Copy them into a list on your workstation, domains.txt then whois them all to get their nameservers (looking for non-LW nameservers):

for i in $(cat domains.txt); do echo $i; whois $i | egrep -i '(name server|nameserver|nserver)' | egrep -i -v '(ns.liquidweb.com|ns1.liquidweb.com|ns.sourcedns.com|ns1.sourcedns.com)'; done

Which site error log was triggered?

for each in $(find  /home/USER/public_html/ -type f -name "*error*log*"); do ls $each && tail -n1 $each && echo " "; done

Skip the first 3 columns, good for seeing errors in a given timeframe:

grep '12-Feb-2014 12:' /home/$USER/public_html/error_log | awk '{ $1=""; $2=""; $3=""; print $0 }' | sort | uniq -c

Another way to search by date:

for each in $(find  /home/USER/public_html/ -type f -name "*error*log*"); do grep -H 2015 $each | tail -n1; done

Apache

Connections Going to WP Abuse

By Domain:

apachectl fullstatus | grep 'xmlrpc.php\|wp-login.php'  | awk '{print substr($0, index($0,$12))}' | awk -F ":" '{print $1, $2}' | awk '{print $3, $5, $6}' | sort  | uniq -c | sort -k2

By Raw Hits:

apachectl fullstatus | grep 'xmlrpc.php\|wp-login.php'  | awk '{print substr($0, index($0,$12))}' | awk -F ":" '{print $1, $2}' | awk '{print $3, $5, $6}' | sort  | uniq -c | sort -nr

Find a domain's docroot:

Use www before the subdomain too. cPanel always adds it as a ServerAlias.

grep -i www.domain.tld  /etc/apache2/conf/httpd.conf -2

List all docroots on a given IP+port

grep -A3 67.227.152.93:80 /etc/apache2/conf/httpd.conf |grep DocumentRoot | awk '{print $2}' | sort

List all SSL subdomains for wildcard installations:

grep -A3 ':443>' /etc/apache2/conf/httpd.conf | fgrep -B1 -A2 'domain.tld'

Which domains is an IP hitting?

grep -l "123.45.67.123" /var/log/apache2/domlogs/* | while read i; do echo $i; grep -c 123.45.67.123 $i; done

For archived domlogs:

zgrep -l "123.45.67.123" /home/*/logs/*-Nov-2020.gz | while read i; do echo $i; zgrep -c 123.45.67.123 $i; done

.htaccess in /home/user/

find /home/*/ -maxdepth 1 -name .htaccess

Print only the rule IDs, hostnames, and URIs of ModSec violations, then sort them:

grep  $IPADDRESS /usr/local/apache/logs/error_log  | grep 'Tue Jul 28' | grep ModSec  |  awk -F '\\[line ' '{print $2}' | awk -F '\\[unique_id' '{print $1}' | awk '{print $2, $3, $(NF-3), $(NF-2),  $(NF-1), $(NF)}' | sort | uniq -c

PHP

Custom php.ini values on suphp sites

for i in $(find /home*/*/public_html -name .htaccess -not -name \*_vti_* -exec grep -iH suphp_ {} \; | awk -F" " '{ print $2"/php.ini" }' | sort | uniq); do echo $i; grep 'max_execution_time\|max_input_time\|memory_limit' $i; done

Also, check for .htaccess files in the userdir, not just the docroot.

Listing Files

List files with numbers instead of usernames:

ls -l | awk '{print $3, $9}' | grep '^[0-9]'

LoadMon List

Old old school, but keeping this just in case:

cd /root/loadMon && ls -lahtr | rev | cut -d' ' -f1 | rev | grep -v './'

LoadWatch

Old school grep

grep -B 1 'Loadwatch tripped' /root/loadwatch/checklog | tail -n15

New school

grep

grep '##' /var/log/loadwatch/check.log | tail

Only double-digit or higher load averages

grep '##' /var/log/loadwatch/check.log | grep -E 'load\[[0-9]{2,}'

Which cPanel accounts had non-FPM sites that were hit the most

grep php-cgi /var/log/loadwatch/2019-03-05.11.39.txt | awk '{print $NF}' | cut -d '/' -f3 | sort | uniq -c | sort -rn

chkservd

Check for failures today (watch for Socket Connect as that varies between services):

grep 'Service check .\|httpd' /var/log/chkservd.log | grep -v 'socket connect:+' | grep -v 'Loading services .'

sar

To check a specific time range, append it to your sar command like this:

sar -s 14:00:00 -e 17:00:00

Or this:

sar -q -s 14:00:00 -e 17:00:00

Sed

Sed gets its own wiki now: sed

Awk

Merge two lines:

Handy for when you have a list of paths which are split on two consecutive lines, like: /home/user/mail/ domain.com/emailaccount/new/email.to.be.deleted

awk 'NR % 2 == 1 { o=$0 ; next } { print o $0 } END { if ( NR % 2 == 1 ) { print o } }' pathlist1 > pathlist2

Nix last character of stout:

awk '{print substr($0, 1, length($0)-1)}'

Skip multiple columns

You must start with 0, the latter number may vary. Skip the first three:

echo 'This is a test' | awk '{print substr($0, index($0,$3))}'

Skipping the first six is more practical for parsing bash history:

history | awk '{print substr($0, index($0,$6))}'

Yum

Install all ea-php73 packages that ea-php72 has:

yum list installed ea-php72\* | grep ea-php72 | cut -d '.' -f1 | paste -d " " -s| sed 's/72/73/g' | xargs yum install -y

Or if you just want a formatted list to put "yum install" in front of:

yum list installed ea-php72\* | grep ea-php72 | cut -d '.' -f1 | paste -d " " -s| sed 's/72/73/g'

Strip out mcrypt and replace ioncube packages with ioncube10 packages (doesn't leave -debuginfo on for those packages, needs more sed work to find out how to do that):

yum list installed ea-php70\* | grep ea-php70 | grep -v mcrypt|sed 's/ioncube.*$/ioncube10/g'| cut -d '.' -f1 | paste -d " " -s| sed 's/70/73/g'

Or just put it right back through "yum list available" to strip out the packages that no longer exist:

yum list installed ea-php55\* | grep ea-php55 | cut -d '.' -f1 | paste -d " " -s| sed 's/55/72/g' | xargs yum list available | grep ea-php72 | cut -d '.' -f1 | paste -d " " -s