Where can I check the current version of Horde webmail client running with cPanel ?

If you have ‘root’ SSH access to the server then, simply open the file /var/cpanel/horde/version using your favorite editor and you’ll be able to see the current Horde version.

How can a particular email account be ‘disabled’ temporarily. Note that the email account should not be ‘deleted’ ? Is this possible at all via cPanel?

There is no direct functionality in cPanel at the moment for this. This feature might be added at a later stage.
However, you can achieve this functionality by modifying a few entries via SSH.

Comment out the entries related to the particular email account in the following locations:
/home/user/etc/domainname/passwd
/home/user/etc/domainname/shadow
/home/user/etc/domainname/quota

Make sure that you just comment them and NOT delete them as you might need them back later.

Quick tutorial to remove trendy site builder.

cd /usr/local/cpanel/base/frontend/x3
rm -rf trendysitebuilder
rm -f trendysitebuilder.tar.gz
rm -f /usr/local/cpanel/Cpanel/trendysitebuilder.pm
cd /usr/local/cpanel/whostmgr/docroot/cgi
rm addon_trendysitebuilder.php
rm -rf trendysitebuilder
/usr/local/cpanel/bin/unregister_cpanelplugin /usr/local/cpanel/bin/trendysitebuilder.cpanelplugin
rm -f/usr/local/cpanel/bin/trendysitebuilder.cpanelplugin
/usr/local/cpanel/bin/rebuild_sprites

IonCube is a PHP module extension that loads encrypted PHP files, and speeds up webpages that are being displayed.

It is often required for a lot of PHP-based applications.

Download ioncube from their site according to your system: http://www.ioncube.com/loaders.php

So for example, for linux x86,

# cd /usr/local/src
# wget http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz
# tar -xfz ioncube_loaders_lin_x86.tar.gz
# mv ioncube /usr/local

Use a text editor to open up php.ini in /usr/local/lib/phi.ini and insert:
zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.2.so
according to your php version. Save and restart httpd.
 
# nano -w /usr/local/lib/php.ini
# service httpd restart
   

To check the CPU allocation and information on your VPS, simply log in to SSH as root, and run the following command:

# cat /proc/cpuinfo

If you find that you have accidentally been locked out of your WHM/cPanel server by Brute Force Detection, you can log in to your Server or VPS via SSH and run the following command to clear the brute force log:

# echo “delete from brutes; delete from logins;” | mysql cphulkd

To export a MySQL database, access your Dedicated Server or VPS via SSH and run:

# mysqldump -u username -p database_name > dumpfile.sql

To import a MySQL Database, run:

# mysql -u username -p database_name < dumpfile.sql

Below was the error while trying to install CSF in one of the OpenVz containers:

    ----------------------------------error--------------------------------
    [root@abc ~]# perl /etc/csf/csftest.pl
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...FAILED [ 4294967295] - Required for csf to function
    Testing ipt_multiport/xt_multiport...FAILED [FATAL Error: iptables: Unknown error 4294967295] - Required for csf to function
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...FAILED [FATAL Error: iptables: Unknown error 4294967295] - Required for csf to function
    Testing ipt_limit/xt_limit...FAILED [FATAL Error: iptables: Unknown error 4294967295] - Required for csf to function
    Testing ipt_recent...FAILED [Error: iptables: Unknown error 4294967295] - Required for PORTFLOOD and PORTKNOCKING features
    Testing xt_connlimit...FAILED [Error: iptables: Unknown error 4294967295] - Required for CONNLIMIT feature
    Testing ipt_owner/xt_owner...FAILED [Error: iptables: Unknown error 4294967295] - Required for SMTP_BLOCK and UID/GID blocking features
    Testing iptable_nat/ipt_REDIRECT...FAILED [Error: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for MESSENGER feature
    Testing iptable_nat/ipt_DNAT...FAILED [Error: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)] - Required for csf.redirect feature
    ---------------------------------------------------------------



Enable Iptables Modules for a VPS:-




1 . Before enabling the modules to a VPS , make sure that its enabled in the root node of the VPS. You can check it using the command :

lsmod | grep -i module_name



2. If its not enabled, then it can enable by using the modprobe command :-



    modprobe iptables_module

    modprobe ipt_helper

    modprobe ipt_REDIRECT

    modprobe ipt_TCPMSS

    modprobe ipt_LOG

    modprobe ipt_TOS

    modprobe iptable_nat

    modprobe ipt_length

    modprobe ipt_tcpmss

    modprobe iptable_mangle

    modprobe ipt_tos

    modprobe iptable_filter

    modprobe ipt_helper

    modprobe ipt_tos

    modprobe ipt_ttl

    modprobe ipt_SAME

    modprobe ipt_REJECT

    modprobe ipt_helper

    modprobe ipt_owner

    modprobe ip_tables

    modprobe ipt_MASQUERADE

    modprobe ipt_multiport/xt_multiport

    modprobe ipt_state/xt_state

    modprobe ipt_limit/xt_limit

    modprobe ipt_recent

    modprobe xt_connlimit

    modprobe ipt_owner/xt_owner

    modprobe iptable_nat/ipt_DNAT

    modprobe iptable_nat/ipt_REDIRECT



3. Stop the container which one you want to enable the module :

    # vzctl stop 101



4 . Executing the following command:-



a) By Command:
Execute following command to enable all the modules for the VPS


    # vzctl set 101 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save

or



b) Adding Rules manually:

Open the VPS configuration file which exists at /etc/vz/conf/veid.conf and paste following in the last line of the file.

    
    IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc"



5. Restart the container.

    # vzctl restart 101

Fatal error: Allowed memory size of x bytes exhausted (tried to allocate xbytes)

The error normally occurs when PHP tries to process a big database records or when importing or exporting. To solve the error, there are two fixes. One is to increase PHP memory limit of the account by using a custom php.ini file. But sometimes it won't work.

If it didn't work, then you can fix the error by increasing the memory of the particular PHP script (displayed in error message) by adding an additional line at the top of the script:

ini_set(”memory_limit”,”32M”);   (Change the value based on the error message).

Now browse the page again, perform the operation again. It will just work fine if you have set correct value based on the error message.

After installing Webmin on a VPS, you may be wondering how to add and configure FTP users. With Webmin it is not a one-click process, but the procedure is still fairly simple. To install proftpd and add a user, follow these steps:

Login to webmin at http://xx.xx.xx.xx:10000 (may be https:// for Debian/Ubuntu system)
Access the Webmin Modules option via Webmin > Webmin Configuration
Select Standard module from www.webmin.com
Click the button on the right of that option
Choose: proftpd
Click Install Module
On the left sidebar, after installation, click Refresh Modules
Click Create a new user accessed via System > Users and Groups
Provide a username for what is to be your FTP account
Select Normal Password and provide a unique, complex password for the account
If desired, select a custom home directory, otherwise choose Create home directory near the bottom of the options.
Select New Group with same name as user
Click Create
Once this is done, you should be able to access FTP with the username
and password you selected, using your server's IP address as the host.

Steps:

1. Firstly find out what's causing server CPU high usage
Normally, we firstly will notice that server cpu load is high, run 'top' to confirm which process is contributing the cpu high usage, it's mysql or other process. Also, run uptime, vmstat 2 and iostat -x to find out if there's any abnormal situation.

Here, we need some baseline to compare with, before the problem happens and server is running fine, we should have recorded some baseline information first such as the output of:

vmstat 2 20
top -b -n 5
iostat -x 5 | grep sdb

2. check mysql error log , slow query log etc from /etc/my.cnf

log_error                = /srv/mysql/log/error.log
log_slow_queries        = /srv/mysql/log/mysql-slow.log
innodb_buffer_pool_size=20000M


3. mysql> show engine innodb status\G


look at the end of the output as follows:
----------------------
BUFFER POOL AND MEMORY
----------------------
Total memory allocated 22981924466; in additional pool allocated 1048576
Dictionary memory allocated 2323288
Buffer pool size   1280000
Free buffers       0
Database pages     1115883
Modified db pages  12101
Pending reads 0
Pending writes: LRU 0, flush list 32, single page 0
Pages read 2075693, created 11255097, written 1339038405
0.00 reads/s, 2.98 creates/s, 427.44 writes/s
Buffer pool hit rate 1000 / 1000
----------------

The bufer pool hit rate shoule be nearly 1000/1000. page write/s is 427.44 for this case.

The innodb_buffer_pool_size system variable specifies the size of the buffer pool. If your buffer pool is small and you have sufficient memory, making the pool larger can improve performance by reducing the amount of disk I/O needed as queries access InnoDB tables.


4. show processlist; then 'kill query [number]' to kill process.


# mysql -uroot -ppassword -e "show processlist" | grep client1_hostname | awk '{print "kill query "$1";"}' | mysql -uroot -ppassword

Apache:
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error_log

MySQL:
/var/lib/mysql/hostname.err

cPanel Installation Logs:
/var/log/cpanel-install-thread0.log

Apache domlogs:
/usr/local/apache/domlogs/example.com

cPanel Access Log:
/usr/local/cpanel/logs/access_log

cPanel Error Log:
/usr/local/cpanel/logs/error_log

ModSecurity:
/usr/local/apache/logs/modsec_audit.log
/usr/local/apache/logs/modsec_debug_log

Cron Logs:
var/log/cron

Apache SUEXEC Logs:
/usr/local/apache/logs/suexec_log

Exim:
/var/log/exim_mainlog
/var/log/exim_paniclog
/var/log/exim_rejectlog

BIND (named) Log:
/var/log/messages

Courier or Dovecot IMAP:
/var/log/maillog

Tomcat Logs:
/usr/local/jakarta/tomcat/logs/catalina.err
/usr/local/jakarta/tomcat/logs/catalina.out

cPanel Error Log:
/usr/local/cpanel/logs/error_log

cPanel License Log:
/usr/local/cpanel/logs/license_log

cPHulkd:
/usr/local/cpanel/logs/cphulkd.log

Stats Execution Logs:
/usr/local/cpanel/logs/stats_log

cPanel Backup Logs:
/usr/local/cpanel/logs/cpbackup/*.log

ChkServd (cPanel Monitoring Daemon) Logs:
/var/log/chkservd.log

SSH Logs:
/var/log/secure

Pure-FTP:
/var/log/messages
/var/log/xferlog (symlinked to /usr/local/apache/domlogs/ftpxferlog)

# Deprecated due to security issues so it should be off: http://blog.modsecurity.org/2008/08/transformation.html
SecCacheTransformations Off

# Check Content-Length and reject all non numeric ones
SecRule REQUEST_HEADERS:Content-Length "!^\d+$""deny,log,auditlog,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'"

# Do not accept GET or HEAD requests with bodies
SecRule REQUEST_METHOD "^(?:GET|HEAD)$""chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none

# Require Content-Length to be provided with every POST request.
SecRule REQUEST_METHOD "^POST$""chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none

# Don't accept transfer encodings we know we don't know how to handle
SecRule REQUEST_HEADERS:Transfer-Encoding "!^$""phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',tag:'PROTOCOL_VIOLATION/EVASION',severity:'3'"

# Check decodings
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \,id:1500001
    "chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding""deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"

# Proxy access attempt
SecRule REQUEST_URI_RAW ^\w+:/ "phase:2,t:none,deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"

# Restrict type of characters sent
SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \,id:1500002
    "@validateByteRange 1-255" \
    "log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',t:urlDecodeUni,phase:1"

SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \,id:1500003
    "deny,log,auditlog,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2"

# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \,id:1500004
    "phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"

# Restrict file extension
# removed exe so that frontpage will work

# Restricted HTTP headers
SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \,id:1500005
    "deny,log,auditlog,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'"

SecRule HTTP_User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \,id:1500006
        "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',severity:'2'"
SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \,id:1500007
        "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',severity:'2'"
SecRule REQUEST_FILENAME "^/nessustest" \,id:1500008
        "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',severity:'2'"

SecRule REQUEST_HEADERS:User-Agent "(?:m(?:ozilla\/(?:4\.0 \(compatible; advanced email extractor|2\.0 \(compatible; newt activex; win32\))|ailto:craftbot\@yahoo\.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)w|hhjhj@yahoo|rsync|shai|zeus)" \,id:1500009
        "deny,log,auditlog,msg:'Rogue web site crawler',id:'990012',severity:'2'"

SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \,id:1500010
        "chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',severity:'5'"
SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"

# Session fixation
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm set-cookie .cookie" \,id:1500011
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:959009,id:1500012
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \,id:1500013
        "phase:2,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'950009',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \,id:1500014
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'959009',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"

# Blind SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries" \,id:1500015
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:959007,id:1500016
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \,id:1500017
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'950007',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \,id:1500018
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'959007',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"       

SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm substr xtype textpos all_objects rownum sysfilegroups sysprocesses user_group sysobjects user_tables systables pg_attribute user_users user_password column_id attrelid user_tab_columns table_name pg_class user_constraints user_objects object_type dba_users sysconstraints mb_users column_name atttypid object_id substring syscat user_ind_columns sysibm syscolumns sysdba object_name" \,id:1500019
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:959904,id:1500020
SecRule REQUEST_FILENAME|ARGS "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \,id:1500021
        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'950904',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \,id:1500022
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'959904',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"

# SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" \,id:1500023
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,id:999501,skipAfter:959001
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \,id:1500024
        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \,id:1500025
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \,id:1500026
        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \,id:1500027
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class" \,id:1500028
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:959906,id:1500029
SecRule REQUEST_FILENAME|ARGS "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \,id:1500030
        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950906',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \,id:1500031
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959906',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \,id:1500032
        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \,id:1500033
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"

# XSS
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input" \,id:1500034
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:959004,id:1500035
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \,id:1500036
        "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'950004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \,id:1500037
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'959004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"

# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl" \,id:1500038
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:959005,id:1500039
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \,id:1500040
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'950005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \,id:1500041
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'959005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"

# Command access
SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \,id:1500042
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Access',id:'950002',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"

# Command injection
SecRule ARGS "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" \,id:1500043
        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:950006,id:1500044
SecRule ARGS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \,id:1500045
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \,id:1500046
        "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" \
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
SecAction pass,nolog,skipAfter:959006,id:1500047
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \,id:1500048
        "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule ARGS \,id:1500049
        "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \,id:1500050
        "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"

# SSI injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \,id:1500051
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SSI injection Attack',id:'950011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \,id:1500052
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SSI injection Attack',id:'959011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2'"

# PHP injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm <?fgets move_uploaded_file $_session readfile ftp_put ftp_fget gzencode ftp_nb_put bzopen readdir $_post fopen gzread ftp_nb_fput ftp_nb_fget ftp_get $_get scandir fscanf readgzfile fread proc_open fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite gzopen gzcompress" \,id:1500053
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
SecAction pass,nolog,skipAfter:959013,id:1500054
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \,id:1500055
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'PHP Injection Attack',id:'950013',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \,id:1500056
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'PHP Injection Attack',id:'959013',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2'"

One of the often overlooked aspects of web hosting is reverse DNS. A website will not connect to users who type in a domain name if the forward DNS does not identify the IP address associated with it, but some domains do not have reverse DNS, despite it being an established Internet standard.

Among other uses, reverse DNS can help security-conscious users and professionals verify that the relationship between a domain and an IP address is valid, which helps prevent spam, phishing, and other nefarious activities.

When you manage your server with WHM from cPanel, it is easy to setup reverse DNS records for your IP addresses. Just follow these steps:

Create a reverse DNS zone file

    Login to WHM and navigate to DNS Functions -> Add a DNS Zone
    Type in your IP address (example – 192.168.254.254)
    Enter the reverse DNS name (example -254.128.192.in-addr.arpa). For instructions on adding the appropriate reverse DNS name, see naming an IPv4 zone and naming an IPv6 zone.

Edit the reverse DNS zone file

Now, you will need to create each PTR record.

    From the main WHM page, go to DNS Functions-> Edit DNS Zone
    Under where it says “Add New Entries Below This Line”, enter the corresponding octet or nibble (the final number in the IP address). Example: 254. In the drop down menu, select “PTR”.
    Enter the associated domain name for that IP address
    Repeat for each IP address

To check that your reverse DNS is working, you can type this from the command line:

host 192.168.254.254

and the output should look like this:

254.254.168.192.in-addr.arpa domain name pointer www.yourdomain.com

Alternatively, you can find numerous free reverse DNS lookup tools on the web. For more information about setting up reverse DNS in WHM, see the cPanel documentation.

Most Linux items that need backing up are stored in user home directories. This usually includes virtual web server directories as well, depending on the web server and settings you are using. One exception to this rule is configuration files. These are stored in /etc and other places. When it comes time to backup, many people backup database files and home directories but forget about configuration files. Webmin has a solution.

To backup configuration files, login to Webmin and navigate to “Webmin – Backup Configuration Files”. Next, select the Webmin modules that you want to backup. This might include Apache web server, Bind DNS, etc. You then need to specify where you want the backups to be saved. You can save them locally to a file, use an FTP or SSH server or download them through your web browser. Finally, specify whether you want to backup the server configuration files, the Webmin module config files or both. You can then click “Backup Now”.

In addition to manual backups, the second tab in the module allows you to schedule backups. The settings are pretty much the same, except the last section gives you a cron tool that lets you specify the times when you want backups to occur. You can do simple schedules for cron hourly, daily or monthly, or you can specify specific dates and times. When you are finished, click Create. You will now have your configuration files backed up and safe.

Webmin is a web-based system administration tool for Linux and other Unix-like servers. Webmin provides a graphical interface for many of the tasks you would normally have to perform from the command line. Best of all, it is free and open source. One task you might have trouble performing from the Linux shell is creating cron jobs. Fortunately, Webmin has a cron job module.

    Navigate to the cron job module page
    Click “Create a new scheduled cron job”
    Under “Execute cron job as”, enter the username you want to run the cron job
    Select whether you want the cron job to be active (selecting no will create it but leave it inactive until you change this setting)
    Type the command string in the command field
    If you have data you need sent to the command, enter it in the “input to command” field
    Select the time you want for “when to execute”. The dropdown menu will give general times like “hourly”. Alternatively, you can use “Times and dates selected below” and setup your own schedule.
    Optionally, setup “Date range to execute” to limit the cron job to a time period. After it expires, it will not run again.
    Click “create” to finish.

It is generally understood that a server running Linux needs to have a relatively recent kernel version or at least one that has been securely patched to fix any vulnerabilities. For dedicated servers, a kernel upgrade is not big deal; a simple install, reboot and you are done. For a virtual private server, it can differ depending on the technology and method of deployment your provider uses.

On OpenVZ, for example, the virtual OS does not actually use its own kernel. It relies on the host’s kernel. Therefore, upgrading your kernel package will not actually have an effect and might even produce errors. Instead, you can either depend on your hosting provider to update the kernel periodically or you might be able to use some internal method that the host has to update the kernel to latest.

Generally speaking Xen will have the same issues as OpenVZ. You are usually at the mercy of your host’s kernel version. If you find that the kernel is not being updated, you should contact your host to have it done. Apparently, however, there is a way to achieve kernel freedom using a tool called PyGrub.

Because of the nature of VPS, it is important that you choose a host you know will stay on top of security. Like any hosting, a website is only as secure as the server hosting it. While much of the VPS security is in your hands, you still need the help of your host.

You can run below script as root. It disables all traces of Attracta from the server.

/scripts/attracta/uninstall-attracta is a symlink to /usr/local/cpanel/3rdparty/attracta/scripts/uninstall-attracta in newer versions. In older versions, you'll need to use the /u/l/c location.

As there are a number of different components to the Attracta integration, it's definitely recommended to use the uninstall-attracta script to ensure everything is cleaned up fully.

To trace php script sending email, first you will need root SSH access to server and enable log selector for exim which will help you to generate extra/well defined logs for exim.

To do this Access WHM as root. Access Service Configuration >> Exim Configuration Editor. Click on Advance Editor.

Under exim.conf section you will see #!!# cPanel Exim 4 Config
and you can add following code in the text box.

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn  

Now checking exim logs:

tail -f /var/log/exim_mainlog | grep cwd    

Above command will grep for current working directory for exim and show the directory path from which email are being sent.

Mostly if email are sent from script then in exim logs you will see email sent form cpaneluser@serverhostname.tld

If you see there are multiple email in email queue with name cpaneluser@serverhostname.tld then you can check headers for the message.

To check email header use command

exim -Mvh Message-id  

In the header section locate for X-PHP-Script: and that will show you the exact script i.e sending email

If you have an account on a cPanel server with shell access or your own VPS or Dedicated server running Linux then SSH is a powerful tool to have in your skill set.

SSH (aka Secure Shell) is a way of logging into your server from a remote computer such as your home desktop or laptop. The remote connection utilizes encryption on both the server’s end and your end to keep the entire session secure.

The most common type of connection that our support department uses is to SSH into a server as the root user. Logging in as root allows you to make systemwide changes, restart important services, and perform many other tasks that only the root user is allowed to do (by default).

If you are going to initiate your remote connection from a Linux or Mac OS X computer you can start using SSH by opening up the Terminal application. Linux users should know how to find the terminal, and Mac OS X users need only open their Applications folder and then the Utilities folder to find Terminal.app. Unfortunately SSH is not built-in to Windows, so you will need to download an application like PuTTY.

Once your terminal is open you can start your SSH session as root using the following command:

ssh root@host.servername.com

This commands tells your computer “I want to open a new SSH session to the server called host.servername.com, and I want to log in as the user root.”

If this is your first time connecting to the server using this hostname your SSH client will ask if you are sure you want to connect to a new, previously unknown host. Say “yes” and you will be prompted for the root account’s password (or simply, root password). After you have typed in the password and it is accepted you will be logged in to the server as the root user.

Before you continue, it is important to note that logging in to a server as root is a powerful but also potentially DANGEROUS system administration tool. The root user is allowed to change/delete practically everything in a server without any type of warning or confirmation of changes being made. Always backup your files before you modify them using a simple backup command:

root@host [~]# cp file file.bak

For new shell users, the above command breaks down like so:

root@host [~]#

The prompt. Shows you your username (root) and the name of the server you are logged into (@host). For example: If you were logged into a server called webstuff1 and your username was bill, your prompt might display bill@webstuff1.
       
The [~]# indicates the directory you are currently looking at/working in

cp
The copy command. Tells the server to copy the file to a new file with a different name, or the same name but in a different location (path).

file
The file that you want to backup.

 file.bakThe new copy of the file that will be created. You can also specify a new location like /home/username/file.bak .
   
To review, the above command creates a copy of “file” in the same location as the original and calls it “file.bak”.