Archive for March, 2014

To get a sorted list of email sender in exim mail queue. It will show the number of mails send by each one.

# exim -bpr | grep “<" | awk {'print $4'} | cut -d "” -f 1 | sort -n | uniq -c | sort -n

The following scripts will check the script that will originate spam mails:

# grep “cwd=/home” /var/log/exim_mainlog | awk ‘{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg

If we need to find out exact spamming script. The following script will shows the current spamming script running now. The following script will help you in all time of mail servers. It will help you to find the exact script which sending mails.

# ps auxwwwe | grep | grep –color=always “” | head

The usage of the above script is as shown below.

# ps auxwwwe | grep test8 | grep –color=always “/home/test8/public_html/wp/wp-content/themes/twentyeleven” | head

Once you find the exact script, the following script will help you to find the IP address which is responsible for spamming. You will get a list of IPs from the following script. The IPs address which has high number of access is most probably causing spamming. You can block the IP address in csf or apf firewall.

# grep “” /home/user/access-logs/ | awk ‘{print $1}’ | sort -n | uniq -c | sort -n


Following command that will show you the script which is using script to send the email. If it is from php then use

# egrep -R “X-PHP-Script” /var/spool/exim/input/*


It shows top 50 domains using mail server with options.

# eximstats -ne -nr /var/log/exim_mainlog


It shows from which user’s home the mail is going, so that you can easily trace it and block it if shows the mails going from the server.

# ps -C exim -fH ewww | grep home

It shows the IPs which are connected to server through port number 25. It one particular Ip is using more than 10 connection you can block it in the server firewall.

# netstat -plan | grep :25 | awk {‘print $5’} | cut -d: -f 1 | sort | uniq -c | sort -nk 1

In order to find “nobody” spamming, issue the following command

# ps -C exim -fH ewww | awk ‘{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n

It will give some result like:
Example :
6 PWD=/
347 PWD=/home/sample/public_html/test
Count the PWD and if it is a large value check the files in the directory listed in PWD
(Ignore if it is / or /var/spool/mail /var/spool/exim)

The above command is valid only if the spamming is currently in progress. If the spamming has happened some hours before, use the following command.

# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n


The following script will give the summary of mails in the mail queue.

exim -bpr | exiqsumm -c | head


1. Create a file named with the following contents in it.

cat /etc/trueuserdomains | awk ‘{print $2}’ | while read user; do
pass=`> passwords.txt
/scripts/realchpass $user $pass
/scripts/ftpupdate ===================================================================

2. Give executable permission to the script.

# chmod +x

3. Run the script and you will get a file named passwords.txt with all cpanel users with their new passwords.

# sh

You can use random string generate scripts like the following generate passwords.

pass=`date | md5sum | head -c16 | xargs`
pass=`openssl rand -base64 128 | head -c16 | xargs`
pass=`strings /dev/urandom | tr -dc .~?_A-Z-a-z-0-9 | head -c16 | xargs`


In some cases when executing /scripts/realchpass script will showing the following error.

ERROR: /usr/local/cpanel/scripts/realchpass
Invocation changes only the system
password and does not have any effect
on other services associated with your
cPanel account, including FTP, SSH,
WebDAV, and FrontPage. It is strongly
encouraged for you to change the
password via the WHM & cPanel
interface. You can force a password
change through this script by setting
the environment variable

You can fix the above error by running the following command. After that execute the script again.



When creating a mail account using cpanel, it is showing an error as showing below.


File open for /home/user/etc/ failed with error No such file or directory


The error is because of the the wrong permssions or missing of the ‘etc’ directory in user’s document root.
You can create a new direcory in that name and given permissions as like follows to solve the issue.
Let ‘jijo’ be the cpanel user having the issue.

root@server [~]# cd /home/jijo
root@server [/home/jijo]# mkdir etc
root@server [/home/jijo]# chmod 750 etc
root@server [/home/jijo]# chown jijo.mail etc

Installing Ruby on Rails on cPanel

Posted: March 21, 2014 in cPanel

In cpanel it is easy to install Ruby using the following cpanel script.

# /scripts/installruby

Some times the cPanel scripts installer does not work properly and does not install them. So you can run the following commands to install Ruby.

# gem install rails
# gem install mongrel
# gem install fastthread

Open ports 3000 and 12001 if you’re running a firewall

If you have installed LIBSAFE, uring the installation you may encounter an Overflow error and the installation will stop. You have to add /usr/bin/ruby to LIBSAFE exception list.
The installation log may as like follows.
0x8052e4a /usr/bin/ruby
0x8bbde7 /lib/
Overflow caused by memcpy()

You can add /usr/bin/ruby to LIBSAFE exception list by using the following command.

# echo “/usr/bin/ruby” >> /etc/libsafe.exclude
# echo “/usr/bin/ruby-bin” >> /etc/libsafe.exclude

Try running the installation again… This time there will not be any Overflow errors while installation…


When try to access phpMyAdmin from cPanel it is showing the following error.

Fatal error: session_start() [function.session-start]: Failed to initialize storage module: sqlite (path: /var/cpanel/userhomes/cpanelphpmyadmin/sessions/phpsess.sdb) in /usr/local/cpanel/base/3rdparty/phpMyAdmin/libraries/ on line 92


Login as root user via ssh,

open the file, /usr/local/cpanel/3rdparty/etc/phpmyadmin/php.ini in your favourate editor and search for the following entries in it.

session.save_handler = sqlite
session.save_path =/var/cpanel/userhomes/cpanelphpmyadmin/sessions/phpsess.sdb

Change the above two lines to as follows.

session.save_handler = files
session.save_path = /var/cpanel/userhomes/cpanelphpmyadmin/sessions

If the direcroty exists, remove all session files from there.

# rm -f /var/cpanel/userhomes/cpanelphpmyadmin/sessions/sess*

If the directory, /var/cpanel/userhomes/cpanelphpmyadmin/sessions does not exist, create it.

# mkdir -p /var/cpanel/userhomes/cpanelphpmyadmin/sessions

change the permission of /var/cpanel/userhomes/cpanelphpmyadmin/sessions as follows.

# chmod 1777 /var/cpanel/userhomes/cpanelphpmyadmin/sessions

Once you have done the above changes, restart apache.

# /etc/init.d/httpd restart

Try loading phpMyAdmin again…

I have followed the following steps to create custom php.ini for a user in cpanel server. There is suphp enabled in the server.

# cp /usr/local/lib/php.ini /home//public_html/php.ini

I have created a phpinfo page and accessed in browser and it is found that it still loading server’s default(/usr/local/lib/php.ini) php.ini

Later it is found that there is SuExec Enabled Server.

root@server [~]# httpd -M | grep su
suexec_module (static)
suphp_module (shared)
Syntax OK

The configuration changes given below will help you to enable Custom php.ini on SuExec and suphp Enabled Server.

Open /opt/suphp/etc/suphp.conf in yourfavourate editor and search for the following lines.

;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.

The above suphp configuration forces suphp to use the php.ini from /usr/local/lib/. You can comment those line to resolve the loading issue of custom php.ini file. So the configuation will look like as follows after the change.

;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.

Once you made the changes, restart apache to make changes in effective.

# /etc/init.d/httpd restart

Try to load phpinfo page again and verify the result.


When i tried to access ConfigServer Security & Firewall option in WHM i got the following error.

Internal Server Error


No response from subprocess (/usr/local/cpanel/whostmgr/docroot/cgi/addon_csf.cgi): subprocess exited with status 2

cpsrvd/11.38 Server at

The error like above may seen when going to ConfigServer cPanel plugins in WHM like:

ConfigServer Explorer
ConfigServer Mail Manage
ConfigServer Mail Queues
ConfigServer ModSecurity Control
ConfigServer Security & Firewall


root@server [~]# curl -s | perl