Shortcuts

Find all nameservers:

Get local and remote domains from the server:

cat /etc/localdomains | rev | sort | awk -F "." '{print $1, $2}' | uniq | rev | sed 's/ /./g'
cat /etc/remotedomains | rev | sort | awk -F "." '{print $1, $2}' | uniq | rev | sed 's/ /./g'

Copy them into a list on your workstation (domains.txt), then run whois on each one to get its nameservers, looking for non-LW nameservers:

for i in $(cat domains.txt); do echo $i; whois $i | egrep -i '(name server|nameserver|nserver)' | egrep -i -v '(ns.liquidweb.com|ns1.liquidweb.com|ns.sourcedns.com|ns1.sourcedns.com)'; done
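
A stricter form of the filter above, added here as an example (not from the original wiki): it compares each nameserver to the allow-list by exact, case-insensitive match rather than an unanchored regex, so a host such as ns.liquidweb.com.example.net is still reported. The names foreign_ns and sample_whois and the sample whois text are constructed for illustration.

```shell
#!/bin/sh
# Added example: read whois output on stdin, print nameservers that are NOT
# in the allow-list. Allow-list entries are the ones from the egrep -v above.
ALLOWED_NS="ns.liquidweb.com ns1.liquidweb.com ns.sourcedns.com ns1.sourcedns.com"

foreign_ns() {
    awk -v allowed="$ALLOWED_NS" '
        BEGIN {
            n = split(tolower(allowed), a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Registries label the field "Name Server:", "nameserver:" or "nserver:".
        tolower($0) ~ /^[ \t]*(name server|nameserver|nserver)[ \t]*:/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)   # drop the label
            split(line, f, /[ \t]+/)         # hostname is the first token (an IP may follow)
            host = tolower(f[1])
            sub(/\.$/, "", host)             # strip a trailing root dot
            if (host != "" && !(host in ok) && !seen[host]++) print host
        }
    '
}

# Constructed sample whois output.
sample_whois() {
    cat <<'EOF'
Domain Name: EXAMPLE.COM
Name Server: NS.LIQUIDWEB.COM
Name Server: ns1.liquidweb.com.
Name Server: ns.liquidweb.com.example.net
nserver:     ns2.example.org 192.0.2.53
EOF
}

sample_whois | foreign_ns
```

On a workstation, feed it real data with: whois "$domain" | foreign_ns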

Which site error log was triggered?

for each in $(find  /home/USER/public_html/ -type f -name "*error*log*"); do ls $each && tail -n1 $each && echo " "; done

Skip the first 3 columns, good for seeing errors in a given timeframe:

grep '12-Feb-2014 12:' /home/$USER/public_html/error_log | awk '{ $1=""; $2=""; $3=""; print $0 }' | sort | uniq -c

Another way to search by date:

for each in $(find  /home/USER/public_html/ -type f -name "*error*log*"); do grep -H 2015 $each | tail -n1; done

Apache

Connections Going to WP Abuse

By Domain:

apachectl fullstatus | grep 'xmlrpc.php\|wp-login.php'  | awk '{print substr($0, index($0,$12))}' | awk -F ":" '{print $1, $2}' | awk '{print $3, $5, $6}' | sort  | uniq -c | sort -k2

By Raw Hits:

apachectl fullstatus | grep 'xmlrpc.php\|wp-login.php'  | awk '{print substr($0, index($0,$12))}' | awk -F ":" '{print $1, $2}' | awk '{print $3, $5, $6}' | sort  | uniq -c | sort -nr

Find a domain's docroot:

Use www before the subdomain too. cPanel always adds it as a ServerAlias.

grep -i www.domain.tld  /etc/apache2/conf/httpd.conf -2

List all docroots on a given IP+port

grep -A3 67.227.152.93:80 /etc/apache2/conf/httpd.conf |grep DocumentRoot | awk '{print $2}' | sort

List all SSL subdomains for wildcard installations:

grep -A3 ':443>' /etc/apache2/conf/httpd.conf | fgrep -B1 -A2 'domain.tld'

Which domains is an IP hitting?

grep -l "123.45.67.123" /var/log/apache2/domlogs/* | while read i; do echo $i; grep -c 123.45.67.123 $i; done

For archived domlogs:

zgrep -l "123.45.67.123" /home/*/logs/*-Nov-2020.gz | while read i; do echo $i; zgrep -c 123.45.67.123 $i; done
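
A variant of the two searches above that counts only lines whose client address field equals the IP exactly, added here as an example (not from the original wiki). A plain grep for an address also counts longer addresses that contain it and any line where it shows up in a URL or referrer. The function names and the sample log lines are constructed; the logs are assumed to be in the Apache combined format with the client IP as the first field.

```shell
#!/bin/sh
# hits_by_log IP FILE...
# Prints "count file" for every log with at least one hit, busiest first.
# Handles plain domlogs and gzipped archives.
hits_by_log() {
    ip=$1; shift
    for f in "$@"; do
        case $f in
            *.gz) gzip -dc -- "$f" ;;
            *)    cat -- "$f" ;;
        esac | awk -v ip="$ip" -v f="$f" '$1 == ip { n++ } END { if (n) print n, f }'
    done | sort -rn
}

# Constructed sample logs, written to a temporary directory.
demo_hits() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        '10.0.0.1 - - [10/Nov/2020:12:00:00 -0500] "POST /wp-login.php HTTP/1.1" 200 512' \
        '10.0.0.12 - - [10/Nov/2020:12:00:01 -0500] "GET / HTTP/1.1" 200 1024' \
        '10.0.0.1 - - [10/Nov/2020:12:00:02 -0500] "POST /wp-login.php HTTP/1.1" 200 512' \
        > "$d/site-a.example"
    # No real hit here: a longer address plus the IP inside a query string.
    printf '%s\n' \
        '110.0.0.1 - - [10/Nov/2020:12:00:03 -0500] "GET /?from=10.0.0.1 HTTP/1.1" 200 90' \
        > "$d/site-b.example"
    printf '%s\n' \
        '10.0.0.1 - - [09/Nov/2020:08:00:00 -0500] "GET /xmlrpc.php HTTP/1.1" 403 0' \
        | gzip -c > "$d/site-c.example-Nov-2020.gz"
    (cd "$d" && hits_by_log 10.0.0.1 site-a.example site-b.example site-c.example-Nov-2020.gz)
    rm -rf -- "$d"
}

demo_hits
```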

.htaccess in /home/user/

find /home/*/ -maxdepth 1 -name .htaccess

Print only the rule IDs, hostnames, and URIs of ModSec violations, then sort them:

grep  $IPADDRESS /usr/local/apache/logs/error_log  | grep 'Tue Jul 28' | grep ModSec  |  awk -F '\\[line ' '{print $2}' | awk -F '\\[unique_id' '{print $1}' | awk '{print $2, $3, $(NF-3), $(NF-2),  $(NF-1), $(NF)}' | sort | uniq -c
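
The same summary pulled out by tag name instead of field position, added here as an example (not from the original wiki), so it keeps working when a rule logs more or fewer bracketed tags. The function names, the placeholder rule file path and the sample log lines are constructed; the layout assumed is the Apache 2.4 / ModSecurity 2.x error_log format with [id "..."], [hostname "..."] and [uri "..."] tags.

```shell
#!/bin/sh
# modsec_summary [IP] < error_log
# Prints "count id hostname uri" for ModSecurity entries, busiest first.
modsec_summary() {
    awk -v ip="$1" '
        # Value of a [key "value"] tag on the current line, or "-" if absent.
        function tag(key,   re) {
            re = "\\[" key " \"[^\"]*\"\\]"
            if (!match($0, re)) return "-"
            return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 5)
        }
        /ModSecurity:/ {
            # Match the whole client tag so 203.0.113.7 does not hit 203.0.113.70.
            if (ip != "" && !index($0, "[client " ip "]") && !index($0, "[client " ip ":"))
                next
            print tag("id"), tag("hostname"), tag("uri")
        }
    ' | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# Constructed sample lines (not from a real server).
sample_modsec_log() {
    cat <<'EOF'
[Tue Jul 28 10:15:01.100000 2020] [:error] [pid 4321] [client 203.0.113.7:51234] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [file "/path/to/rules.conf"] [line "56"] [id "913100"] [msg "constructed"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "AAA"]
[Tue Jul 28 10:15:02.200000 2020] [:error] [pid 4321] [client 203.0.113.7:51235] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [file "/path/to/rules.conf"] [line "56"] [id "913100"] [msg "constructed"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "AAB"]
[Tue Jul 28 10:15:03.300000 2020] [:error] [pid 4322] [client 203.0.113.7:51236] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [file "/path/to/rules.conf"] [line "93"] [id "949110"] [msg "constructed"] [data "extra tag"] [hostname "shop.example.com"] [uri "/xmlrpc.php"] [unique_id "AAC"]
[Tue Jul 28 10:15:04.400000 2020] [:error] [pid 4323] [client 198.51.100.9:40000] [client 198.51.100.9] ModSecurity: Warning. [file "/path/to/rules.conf"] [line "56"] [id "913100"] [msg "constructed"] [hostname "example.com"] [uri "/"] [unique_id "AAD"]
[Tue Jul 28 10:16:00.000000 2020] [core:error] [pid 4321] [client 203.0.113.7:51240] constructed non-ModSecurity error line
EOF
}

sample_modsec_log | modsec_summary 203.0.113.7
```

Against a live log, narrow by date first as in the one-liner above, for example: grep 'Tue Jul 28' /usr/local/apache/logs/error_log | modsec_summary "$IPADDRESS"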

PHP

Custom php.ini values on suphp sites

for i in $(find /home*/*/public_html -name .htaccess -not -name \*_vti_* -exec grep -iH suphp_ {} \; | awk -F" " '{ print $2"/php.ini" }' | sort | uniq); do echo $i; grep 'max_execution_time\|max_input_time\|memory_limit' $i; done

Also, check for .htaccess files in the userdir, not just the docroot.

Listing Files

List files with numbers instead of usernames:

ls -l | awk '{print $3, $9}' | grep '^[0-9]'

LoadMon List

Old old school, but keeping this just in case:

cd /root/loadMon && ls -lahtr | rev | cut -d' ' -f1 | rev | grep -v './'

LoadWatch

Old school grep

grep -B 1 'Loadwatch tripped' /root/loadwatch/checklog | tail -n15

New school

grep

grep '##' /var/log/loadwatch/check.log | tail

Only double-digit or higher load averages

grep '##' /var/log/loadwatch/check.log | grep -E 'load\[[0-9]{2,}'

Which cPanel accounts had non-FPM sites that were hit the most

grep php-cgi /var/log/loadwatch/2019-03-05.11.39.txt | awk '{print $NF}' | cut -d '/' -f3 | sort | uniq -c | sort -rn

chkservd

Check for failures today (watch for Socket Connect as that varies between services):

grep 'Service check .\|httpd' /var/log/chkservd.log | grep -v 'socket connect:+' | grep -v 'Loading services .'

You can also escape the period after "Service check" like so:

grep 'Service check \.\|httpd ' /var/log/chkservd.log | grep -v 'socket connect:+'

sar

To check a specific time range, append it to your sar command like this:

sar -s 14:00:00 -e 17:00:00

Or this:

sar -q -s 14:00:00 -e 17:00:00

Sed

Sed gets its own wiki now: sed

Awk

Merge two lines:

Handy for when you have a list of paths which are split on two consecutive lines, like:

/home/user/mail/
domain.com/emailaccount/new/email.to.be.deleted

awk 'NR % 2 == 1 { o=$0 ; next } { print o $0 } END { if ( NR % 2 == 1 ) { print o } }' pathlist1 > pathlist2

Nix the last character of stdout:

awk '{print substr($0, 1, length($0)-1)}'

Nix the last 3 characters of column 4:

awk -v ncr=3 '{$4=substr($4,1,length($4)-ncr)}1'

Practical example: Skip the seconds in the cPanel access log.

[root@host ~]# grep -E '\sfakeuser\s' /usr/local/cpanel/logs/access_log | grep -v " 401 " | grep -v " 403 " | egrep '2082|2083' | cut -d "]" -f1 | awk -v ncr=3 '{$4=substr($4,1,length($4)-ncr)}1' | sort -k4 | uniq
10.20.7.40 - fakeuser [02/03/2022:18:19 -0000
10.20.7.40 - fakeuser [02/03/2022:18:21 -0000
10.20.7.40 - fakeuser [02/03/2022:18:22 -0000
10.20.7.40 - fakeuser [02/03/2022:18:54 -0000
10.20.7.60 - fakeuser [03/15/2022:18:19 -0000
10.20.7.43 - fakeuser [06/16/2022:18:46 -0000
10.20.7.43 - fakeuser [06/16/2022:18:47 -0000
10.20.7.43 - fakeuser [06/16/2022:18:48 -0000
10.20.7.43 - fakeuser [06/16/2022:18:54 -0000
10.20.7.28 - fakeuser [08/05/2022:16:00 -0000
10.20.7.28 - fakeuser [08/05/2022:16:01 -0000

Skip a middle column

Column 5 in this case:

 awk '{ $5=""; print}' 

You can do this with more than one:

 awk '{ $3=""; $5=""; print}' 

Skip multiple consecutive columns

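The first argument to substr() must be $0 (the whole line); the field number given to index() may vary. Note that index() finds the first place that field's text appears, so a field whose text also occurs earlier in the line cuts at the wrong spot. Skip the first three: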

echo 'This is a test' | awk '{print substr($0, index($0,$3))}'

Skipping the first six is more practical for parsing bash history:

history | awk '{print substr($0, index($0,$6))}'

Add up numeric values in a column (in a long list, column 5):

for i in $(cat listofjustfilenamesandpaths.txt); do ls -la $i; done | awk '{Total=Total+$5} END {print "Total is: " Total}'

Yum/DNF

Install all ea-php73 packages that ea-php72 has:

yum list installed ea-php72\* | grep ea-php72 | cut -d '.' -f1 | paste -d " " -s| sed 's/72/73/g' | xargs yum install -y

Or if you just want a formatted list to put "yum install" in front of:

yum list installed ea-php72\* | grep ea-php72 | cut -d '.' -f1 | paste -d " " -s| sed 's/72/73/g'

Strip out mcrypt and replace ioncube packages with ioncube10 packages (doesn't leave -debuginfo on for those packages, needs more sed work to find out how to do that):

yum list installed ea-php70\* | grep ea-php70 | grep -v mcrypt|sed 's/ioncube.*$/ioncube10/g'| cut -d '.' -f1 | paste -d " " -s| sed 's/70/73/g'

Or just put it right back through "yum list available" to strip out the packages that no longer exist:

yum list installed ea-php55\* | grep ea-php55 | cut -d '.' -f1 | paste -d " " -s| sed 's/55/72/g' | xargs yum list available | grep ea-php72 | cut -d '.' -f1 | paste -d " " -s

DNF version:

dnf list installed ea-php73\* | grep ea-php73 | cut -d '.' -f1 | paste -d " " -s| sed 's/73/82/g' | xargs dnf list available | grep ea-php82 | grep -v '.src' | cut -d '.' -f1 | paste -d " " -s