massive brute force against wp-login.php (wordpress)

So I get a ticket about high load on a server. Checking logs I see tons of:

POST /wp-login.php HTTP/1.0

and in logs:
– – [13/Aug/2013:13:35:07 -0400] “POST /wp-login.php HTTP/1.0”

Notice all http/1.0 – thanks for making it easy. Dropped with a .htaccess

RewriteEngine On
RewriteCond %{SERVER_PROTOCOL} ^(HTTP/1.0)
RewriteCond %{REQUEST_URI} ^/wp-login.php$
RewriteRule .* - [R=406]

Fighting spam and confirming opt in info

InterServer monitors our entire network with feedback loops to many large email providers, so we are quickly on top of possible spam issues especially snow shoe spam. Our requirements are clear: lists must be double opt in, sending mail on multiple ips is a no no, and to close a spam complaint just include the opt in info. In most cases everything is cleared up easily. Of course, the spammers will try to submit opt in info to try to close the complaint. Normally its pretty cut and dry. The other day I got some obvious fake opt in info. With the help of the parties listed in the opt in info, another spammer bit the dust.

The spam complaints coming in were for mortgage refinance with opt in info listed for A glance at listed a truste verified privacy policy and contacts with no relation to mortgage refinances at all.

My first question:

How are you related to
and explain how you are properly following the listed privacy policy which
is verified by Truste at,-LLC/validation?rid=1bd7a05a-9faf-4400-bf7f-4ccc3a19b3c6

Their response:

Franchise Gator, LLC does not Sell, Rent or Share your information without
your consent. Your information goes only to the companies that you request
it be sent to. We are one of those companies.

And what did franchise gator say:

We have no relationship with anyone at XXX* nor do we have any knowledge about “Exclusive Refi Rates”.

Our services are strictly for individuals looking for information from Franchise businesses, and we only share information with those businesses our users have explicitly requested information from.

We do not sale or share user information with ANYONE except for those businesses.

I have attempted to contact XXX* to insist that they stop using our information as a rebuttal for the SPAM they are sending out.

Once more, we do not have any affiliation with this company nor have we shared information with them. Furthermore, we do not show that we have EVER had a request from user*

* personal information removed.

SVNManager in Softaculous

Came across this in a support request

The following errors were found :

- The SVN config directory does not exist.
- The SVN password file does not exist.
- The SVN access file does not exist.

The solution is before installing svnmanager run:

svnadmin create ~/repos

As the user you want to install it as.

Then rerun the installer. Make sure the repo path is /path/to/user/repos

cpanel server changing /tmp permissions during upcp to clamav / 711

This was an odd one. I found a few servers which had their /tmp permissions changed to user clamav with permissions 711.

Turned out clamav home was set to /tmp causing this during an upcp. A which script to check / fix

tmpcheck='cat /etc/passwd | grep ^clamav: | cut -d: -f6';
echo "Warning /tmp set as homedir for user clamav";
if [ "$tmpcheck" = "/tmp" ]; then
if [ ! -e /usr/local/clamav ]; then
mkdir -p /usr/local/clamav
chown clamav:clamav /usr/local/clamav
usermod -d /usr/local/clamav clamav
echo '/usr/local/clamav already exists, no changes made';

This will create clamav home as /usr/local/clamav, only if it does not exist already. Another option may be /home/clamav

InterServer’s in house customer portal features

InterServer’s customer portal at provides a lot addons included in the price. Many of these are for VPS’s (kvm/openvz) or InterServer quickservers. Here is a small list of features:

1) Backup creation – under system management under the VPS you can create a backup of a running VPS. For KVM there is no downtime, and with openvz there is a small amount of downtime for backups. These are stored on interserver cloud storage systems and does not count toward your space usage. These backups can be restored onto a new VPS or a reinstall with the same VPS.

2) Server monitoring – under the monitoring tab in you can monitor an external IP address for services like ping or httpd. Email can be sent on failure.

3) DNS Control – using cdns1/cdns2/ under -> domains -> dns manager create and manage your own dns records. These dns servers are geo distributed (NJ and LA). Great for a small vps looking to lower memory usage by not running a separate dns server.

4) Reboot / stop / start and reinstall under system management.

5) Out of band VNC – KVM only – set up vnc to connect out of band to your system. You can connect even if networking is down on your VPS. A similar feature coming soon for openvz.

6) Tons of OS choices available now – Gentoo / Centos / Debian / Ubuntu / Windows 2008/2012 and more.

7) Purchase additional harddrive space – under system management. You don’t need to add additional slices to increase just disk space on your VPS.

8) Add additional slices – under system management. Increase cpu / memory / disk space and bandwidth limit all at once.

All of the above can be done with out contacting support for assistance.

database is locked (sqlite / yum issue not rpm issue)

On occasion an RPM db can get corrupt on RHEL based systems. Running rpm -vv –rebuilddb after backing up /var/lib/rpm is a quick fix to the problem.

I came across the following error during a yum update, on an openvz container

(process:7450): GLib-CRITICAL **: g_timer_stop: assertion `timer != NULL' failed

(process:7450): GLib-CRITICAL **: g_timer_destroy: assertion `timer !=

TypeError: Can not create db_info table: database is locked

Now my immediate thought was rpm db, but that was not the case. This was from a sqlite file in /var/cache/yum.

Cleaning the headers / all in yum did not help, in this case I had to restart the openvz container to release the lock on the database.

The easy way to remove javascript inserts (viruses) from php javascript (js) and html using sed.

Client site have lots of javascripts inserted into it? If there are comments between this, then you can remove them with sed in ssh/shell.

I generally see these ftp inserts through a client side password stealer. First, find out where it is coming from (kindly ask your user to use SCP / SFTP in the future as well).

Now on to the cleaning, and hopefully my own domain doesn’t get picked up as as unsafe by google.

Here is my example from previous work on the example issue:

Client got javascript virus, nice guy virus inserted comments like 4d9f97 for the virus. html, php and javascript are all different but in each 4d9f97 is commented between them. We can use sed and a regex to remove data between these:

example showing what exactly is happening:

cat index.htm | grep 4d9f97
                    </div><!--4d9f97--><script type="text/javascript" language="javascript">

PHP and javascript follow the same pattern, commented as well.

1) backup the file
cp index.htm index.htm.old

2) run script

 cat index.htm |  sed ':a;N;$!ba;s/\(\/\*\|\#\|<!--\)4d9f97\(\*\/\|\#\|-->\).*\(\/\*\/\|\#\/\|<!--\/\)4d9f97\(\*\/\|\#\|-->\)/ /g' -i index.htm

3) compare

diff index.htm index.htm.old 
<                   </div> 
>                   </div><!--4d9f97-->><script type="text/javascript" language="javascript" >                                                                                                                                                      VIRUS                                                                                                                                                      <!--/4d9f97-->

Coverts html comments and php/js comments, removing the text in between

* Always backup first, I’ve only tested this a few times.
* Normal IFS does not handle files with spaces in them.
* change 4d9f97 to whatever your comments are.

Full example on an entire directory:

cd /home/username
tar -zcf public_html.tgz public_html
cd public_html
for i in `grep -lri 4d9f97 .`; do cat "$i" | sed ':a;N;$!ba;s/\(\/\*\|\#\|<!--\)4d9f97\(\*\/\|\#\|-->\).*\(\/\*\/\|\#\/\|<!--\/\)4d9f97\(\*\/\|\#\|-->\)/ /g' -i "$i"; done

Credit to InterServer sysadmin Detain for the sed work.

Converting to nginx on a cpanel server

Moved to

I’ve been working on a script slowly to convert a cpanel server to nginx for a while. I consider the script now to be good enough to allow others to use it. Some things to consider:

* tested on centos 5/6
* only available for cpanel
* I don’t have an easy way to convert back yet (but will add this in and show below how it can be easily removed.
* You must be able to run commands as root in SSH
* non static content is proxied to apache

Converting to nginx
Run the following ssh commands

rsync -a rsync:// /admin

1) Install + convert

/admin/convert2nginx yes all

Nginx will be installed, the apache vhosts converted and started up. But you are not done, you should also

2) Add to cron

*/2 * * * * /admin/ >/dev/null 2>&1

3) Remove fileprotect


4) Configure mod_rpaf by adding the below to /usr/local/apache/conf/includes/pre_virtualhost_global.conf

The install process also configured mod_rpaf. Note change RPAFproxy_ips to your server IPs.

LoadModule rpaf_module modules/

RPAFenable On
# Enable reverse proxy add forward
# which ips are forwarding requests to us
RPAFsethostname On
# let rpaf update vhost settings
# allows to have the same hostnames as in the "real"
# configuration for the forwarding Apache
RPAFheader X-Forwarded-For
# Allows you to change which header mod_rpaf looks
# for when trying to find the ip the that is forwarding
# our requests

Once done restart apache with /scripts/restartsrv_httpd

So what just happened? /admin/convert2nginx did the following

* installed nginx
* installed mod_rpaf
* converted the vhosts to nginx (/usr/local/nginx/conf/virtual.include)
* added /admin/ to /etc/rc.d/rc.local
* created /scripts/legacypostwwwacct and /etc/logrotate.d/nginx
* change /var/cpanel/cpanel.config to reflect apache_port=

Your steps are to add the cron and configure mod_rpaf, and if needed disable file protect.

Disabling nginx

To disable edit /var/cpanel/cpanel.config and change apache_port= to apache_port=

Save and run
killall -9 nginx
/usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings
/scripts/restartsrv_httpd will not run if the apache port is not set to 81

To remove completely: delete /usr/local/nginx, /etc/logrotate.d/nginx, /scripts/legacypostwwwacct, nginx_monitor from cron and /etc/rc.d/rc.local startup of nginx

To do

Add in support for file protect (better to get cloudlinux with cagefs anyway)
Add in DA support
Add in removal script

John Quaglieri
InterServer Inc

Install clamavconnector (cpanel addon) from SSH

I avoid logging into WHM whenever possible, relying on ssh, and normally cpanel as script or command so WHM can be avoided. I’ve been looking around for a way to install clamavconnector with out logging into WHM and enabling it in the addons section. Unfortunatly there is no script to do this with cpanel. However after enabling it a few times in WHM, I was able to write my own script to do this.

The script is below, if the plugin is installed already the update addon WHM script is called. This has been tested in i686 and x86_64 only.


# small sanity checks
if [ ! -e /etc/redhat-release ]; then
echo ‘Tested on rhel only’;

if [ ! -e /usr/local/cpanel ]; then
echo ‘Requires cpanel’;

#make dir if it doesn’t exist
mkdir -p /usr/local/cpanel/modules-install
cd /usr/local/cpanel/modules-install

# supports i686 and x86_64
arch=`uname -m`;

if [ ! -d clamavconnector-Linux-${arch} ]; then
if [ -f clamavconnector-Linux-${arch}.tar.bz2 ]; then
/bin/rm clamavconnector-Linux-${arch}.tar.bz2
if [ -e clamavconnector-Linux-${arch}.tar.bz2 ]; then
tar -jxvf clamavconnector-Linux-${arch}.tar.bz2
rm clamavconnector-Linux-${arch}.tar.bz2
cd clamavconnector-Linux-${arch}
echo “clamav installed already, updating”;
/usr/local/cpanel/whostmgr/bin/whostmgr2 –updateaddons


Kernel too old on centos5 hostnode for ubuntu 12.04 and 12.10

Getting kernel too old (and a failure to start up) for the ubuntu 12.04 and 12.10 templates on openvz? The newer templates may only work on centos 6 servers, and you may not want to upgrade systems to centos6 yet. Updates continue until Mar 31, 2017 anyway.

You can use the following ubuntu templates instead which are tested to work on centos 5 openvz systems:





You will need to add

ubuntu-12.04 2.6.32

ubuntu-12.10 2.6.32

to /etc/vz/osrelease.conf