The easy way to remove JavaScript inserts (viruses) from PHP, JavaScript (js) and HTML using sed.

Does a client site have lots of JavaScript inserted into it? If the inserted code sits between marker comments, you can remove it with sed from an SSH shell.

I generally see these ftp inserts through a client side password stealer. First, find out where it is coming from (kindly ask your user to use SCP / SFTP in the future as well).

Now on to the cleaning, and hopefully my own domain doesn’t get picked up as unsafe by Google.

Here is my example from previous work on the example issue:

The client got a JavaScript virus, and the nice-guy virus wrapped its inserts in comments like 4d9f97. The HTML, PHP and JavaScript comment styles are all different, but in each one the inserted code sits between comments carrying 4d9f97. We can use sed and a regex to remove the data between them:

Example showing exactly what is happening:

cat index.htm | grep 4d9f97
                    </div><!--4d9f97--><script type="text/javascript" language="javascript">

PHP and javascript follow the same pattern, commented as well.

1) backup the file
cp index.htm index.htm.old

2) run script

sed -i ':a;N;$!ba;s/\(\/\*\|\#\|<!--\)4d9f97\(\*\/\|\#\|-->\).*\(\/\*\/\|\#\/\|<!--\/\)4d9f97\(\*\/\|\#\|-->\)/ /g' index.htm

3) compare

diff index.htm index.htm.old 
<                   </div> 
>                   </div><!--4d9f97-->><script type="text/javascript" language="javascript" >                                                                                                                                                      VIRUS                                                                                                                                                      <!--/4d9f97-->

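Covers HTML comments and PHP/JS comments, removing the text in between. Note that .* is greedy and the whole file is loaded into the pattern space, so if a file holds more than one marked block, everything from the first opening comment to the last closing comment is removed, including any legitimate content between the blocks. Check the diff before deleting the backup.

* Always back up first; I’ve only tested this a few times.
* The for loop below relies on normal IFS word splitting, which does not handle file names with spaces in them.
* Change 4d9f97 to whatever your comments are.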

Full example on an entire directory:

cd /home/username
tar -zcf public_html.tgz public_html
cd public_html
for i in `grep -lri 4d9f97 .`; do sed -i ':a;N;$!ba;s/\(\/\*\|\#\|<!--\)4d9f97\(\*\/\|\#\|-->\).*\(\/\*\/\|\#\/\|<!--\/\)4d9f97\(\*\/\|\#\|-->\)/ /g' "$i"; done

Credit to InterServer sysadmin Detain for the sed work.
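
A stricter variant of the directory clean-up, as an added example that is not part of the original post or the credited sed work: it removes each marker pair on its own instead of spanning from the first opener to the last closer, copes with spaces in file names, and keeps a FILE.old copy. The function names strip_marked and clean_tree are hypothetical, and it assumes each closing comment uses the same comment style as its opener.

```shell
# strip_marked MARKER FILE: print FILE with every marked block replaced by a space.
strip_marked() {
    awk -v m="$1" '
    { buf = buf $0 "\n" }                       # slurp the whole file
    END {
        # opener / closer pairs, same shapes as the sed regex on this page
        o[1] = "<!--" m "-->"; c[1] = "<!--/" m "-->"
        o[2] = "/*" m "*/";    c[2] = "/*/" m "*/"
        o[3] = "#" m "#";      c[3] = "#/" m "#"
        out = ""
        while (1) {
            s = 0
            for (k = 1; k <= 3; k++) {          # earliest opener of any style
                i = index(buf, o[k])
                if (i && (!s || i < s)) { s = i; best = k }
            }
            if (!s) break
            rest = substr(buf, s + length(o[best]))
            e = index(rest, c[best])            # nearest matching closer
            if (!e) {                           # opener with no closer: keep it as is
                out = out substr(buf, 1, s - 1) o[best]; buf = rest; continue
            }
            out = out substr(buf, 1, s - 1) " "
            buf = substr(rest, e + length(c[best]))
        }
        printf "%s", out buf
    }' "$2"
}

# clean_tree DIR MARKER: back up each file containing MARKER as FILE.old, then clean it.
clean_tree() {
    grep -rlF -- "$2" "$1" | while IFS= read -r f; do
        case $f in *.old) continue ;; esac      # skip backups made by this run
        cp -p "$f" "$f.old" || continue
        strip_marked "$2" "$f.old" > "$f"
        echo "cleaned: $f"
    done
}
```

Run it as clean_tree public_html 4d9f97 after taking the tar backup. File names containing newlines are not handled.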

Converting to nginx on a cpanel server

Moved to

I’ve been working on a script slowly to convert a cpanel server to nginx for a while. I consider the script now to be good enough to allow others to use it. Some things to consider:

* tested on centos 5/6
* only available for cpanel
* I don’t have an easy way to convert back yet (but will add this in and show below how it can be easily removed).
* You must be able to run commands as root in SSH
* non static content is proxied to apache

Converting to nginx
Run the following ssh commands

rsync -a rsync:// /admin

1) Install + convert

/admin/convert2nginx yes all

Nginx will be installed, the apache vhosts converted, and nginx started up. But you are not done; you should also:

2) Add to cron

*/2 * * * * /admin/ >/dev/null 2>&1

3) Remove fileprotect


4) Configure mod_rpaf by adding the below to /usr/local/apache/conf/includes/pre_virtualhost_global.conf

The install process also configured mod_rpaf. Note: change RPAFproxy_ips to your server IPs.

LoadModule rpaf_module modules/

RPAFenable On
# Enable reverse proxy add forward
# which ips are forwarding requests to us
RPAFsethostname On
# let rpaf update vhost settings
# allows to have the same hostnames as in the "real"
# configuration for the forwarding Apache
RPAFheader X-Forwarded-For
# Allows you to change which header mod_rpaf looks
# for when trying to find the IP that is forwarding
# our requests

Once done restart apache with /scripts/restartsrv_httpd

So what just happened? /admin/convert2nginx did the following

* installed nginx
* installed mod_rpaf
* converted the vhosts to nginx (/usr/local/nginx/conf/virtual.include)
* added /admin/ to /etc/rc.d/rc.local
* created /scripts/legacypostwwwacct and /etc/logrotate.d/nginx
* changed /var/cpanel/cpanel.config to reflect apache_port=

Your steps are to add the cron and configure mod_rpaf, and if needed disable file protect.

Disabling nginx

To disable edit /var/cpanel/cpanel.config and change apache_port= to apache_port=

Save and run
killall -9 nginx
/usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings
/scripts/restartsrv_httpd will not run if the apache port is not set to 81

To remove completely: delete /usr/local/nginx, /etc/logrotate.d/nginx, /scripts/legacypostwwwacct, nginx_monitor from cron and /etc/rc.d/rc.local startup of nginx

To do

* Add in support for file protect (better to get cloudlinux with cagefs anyway)
* Add in DA support
* Add in removal script

John Quaglieri
InterServer Inc

Install clamavconnector (cpanel addon) from SSH

I avoid logging into WHM whenever possible, relying on ssh, and normally cpanel has a script or command so WHM can be avoided. I’ve been looking around for a way to install clamavconnector without logging into WHM and enabling it in the addons section. Unfortunately there is no script to do this with cpanel. However, after enabling it a few times in WHM, I was able to write my own script to do this.

The script is below; if the plugin is already installed, the WHM update-addons script is called instead. This has been tested on i686 and x86_64 only.


#!/bin/bash
# small sanity checks
if [ ! -e /etc/redhat-release ]; then
    echo 'Tested on rhel only'
    exit 1
fi

if [ ! -e /usr/local/cpanel ]; then
    echo 'Requires cpanel'
    exit 1
fi

# make dir if it doesn't exist
mkdir -p /usr/local/cpanel/modules-install
cd /usr/local/cpanel/modules-install || exit 1

# supports i686 and x86_64
arch=`uname -m`

if [ ! -d "clamavconnector-Linux-${arch}" ]; then
    # not installed yet: drop any stale archive before fetching a fresh one
    if [ -f "clamavconnector-Linux-${arch}.tar.bz2" ]; then
        /bin/rm "clamavconnector-Linux-${arch}.tar.bz2"
    fi
    # (the download command for clamavconnector-Linux-${arch}.tar.bz2 is missing from the page)
    if [ -e "clamavconnector-Linux-${arch}.tar.bz2" ]; then
        tar -jxvf "clamavconnector-Linux-${arch}.tar.bz2"
        rm "clamavconnector-Linux-${arch}.tar.bz2"
        cd "clamavconnector-Linux-${arch}" || exit 1
        # (the installer invocation is missing from the page)
    fi
else
    # already installed: let WHM update its addons
    echo "clamav installed already, updating"
    /usr/local/cpanel/whostmgr/bin/whostmgr2 --updateaddons
fi