Recovering deleted files from the handlers in /proc/

On compromised servers it is very common for the exploit to delete its self/logs to try and hide its presence.

Even though the executable may be removed from the filesystem as the process is forked from apache the parent process will still have file handlers open.

This will allow you to recover log files/executables as long as you do not kill the process.

To recover the files use the following steps:

  1. Find the PID of the process with the open file handlers (use lsof)
  2. cd /proc//fd where is what you found using lsof above
  3. ls -lra and you should see a load of broken symlinks (red)
  4. Copy the file using cp into another directory

Quick script to get public IPs on a NAT'd server

A quick one liner to get the public equivalent of internal IPs on a box behind NAT:

for int in $(ifconfig | grep "Link encap:" | awk '{print $1}' | grep -v 'lo'); do echo "$int: $(ifconfig $int | grep "inet addr:" | awk '{print $2}' | cut -d: -f2) => $(curl -s --interface $int ipv4.canhazip.info)"; done

I’ve restricted this to IPv4 only - NATing IPv6 is just silly but if you really want then it is on your head.

Example usage is as follows:

[damian@finnix ~]$ for int in $(ifconfig | grep "Link encap:" | awk '{print $1}' | grep -v 'lo'); do echo "$int: $(ifconfig $int | grep "inet addr:" | awk '{print $2}' | cut -d: -f2) => $(curl -s --interface $int ipv4.canhazip.info)"; done
br0: 10.44.200.5 => 89.242.208.82
br0:1: 10.44.200.15 => 89.242.208.82
cluevpn: 10.156.1.49 => 89.242.208.82
eth0: =>
vnet0: =>

Or if you want IPv6 addresses returned:

[damian@finnix ~]$ for int in $(ifconfig | grep "Link encap:" | awk '{print $1}' | grep -v 'lo'); do echo "$int: $(ifconfig $int | grep "inet addr:" | awk '{print $2}' | cut -d: -f2) => $(curl -s --interface $int canhazip.info)"; done
br0: 10.44.200.5 => 2001:470:9083::2
br0:1: 10.44.200.15 =>
cluevpn: 10.156.1.49 =>
eth0: =>
vnet0: =>

MySQL uses no space on cPanel

For some reason cPanel decided to start by default excluding sql databases from the disk usage stats.

To enable these again edit the /var/cpanel/cpanel.config file and change disk_usage_include_sqldbs from 0 to 1.

After running /scripts/update_db_cache you should now see disk stats in the interface once again.

Note: SQL database usage stats can be quite intensive to calculate so you may want to leave it off.

Install PostgreSQL on cPanel

To install PostgreSQL on a cPanel server you can perform the following:

  1. Run /scripts/installpostgres
  2. Go to SQL services -> Postgre config and click Install config
  3. Configure a root password for Postgre 4 Enable Postgre with chkconfig postgres on; service postgres restart

Now you would think that is it, right? Well if you already have users on the box you will now need to add them into postgre otherwise they will have no access.

You can add them with the following script:

for user in $(ls /var/cpanel/users);
do
 su postgres -c "createuser -S -D -R $user";
done

HTTP basic authentication - Apache

Method 1) Inside the directory you wish to protect include a .htaccess file with the following content:

AuthUserFile /some/secure/path/outside/the/public/docs/.htpasswd
AuthName "My secure area"
AuthType Basic
Require valid-user

Method 2) In your apache config file add the following:

<Directory /path/to/directory/to/protect/>
 AuthUserFile /some/secure/path/outside/the/public/docs/.htpasswd
 AuthName "My secure area"
 AuthType Basic
 Require valid-user
</Directory>

Now you have configured apache for authentication you need to create a password “databases”. This is a file in a format apache can understand.

You can create it with the htpasswd command:

htpasswd -c /some/secure/path/outside/the/public/docs/.htpasswd myusername

Once you have your password database, if you need to update a users password or add more users you can use the htpasswd command without the -c option, like so:

htpasswd /some/secure/path/outside/the/public/docs/.htpasswd myusername