Friday, September 14, 2012

MailIP Blacklist And Spamming

Top 5 users sending maximum emails on the server:

grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5

eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local senders by message count" | tail -5 | awk '{print $1,$NF}'

Top 5 mail receivers:

egrep "(=>.*T=virtual_userdelivery|=>.*T=local_delivery)" /var/log/exim_mainlog | awk '{print $7}' | sort | uniq -c | sort -nr | head -5

eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local destinations by message count" | tail -5 | awk '{print $1,$NF}'

Commands to find the directory (cwd) of the script used for spamming

awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $4} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

If there is a large number of hits from one IP, block that IP

tail -n1000 /var/log/exim_mainlog | grep SMTP | cut -d'[' -f2 | cut -d']' -f1 | sort -n | uniq -c
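The same four questions the commands above answer (top local senders, top local receivers, the /home directories from which a script called sendmail, and SMTP connections per remote IP) as shell functions over a constructed exim_mainlog. This is an added example, not part of the original post: the log lines are invented sample data in the line shapes cPanel's exim_mainlog uses, the function names are my own, and the fields are located by their key (U=, T=, cwd=) rather than by fixed position, so a "=> user <user@domain>" delivery line does not shift the count onto the wrong column.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed exim_mainlog sample:
# "cwd=" lines from scripts invoking sendmail, "<=" arrivals with U=/P=,
# "=>" deliveries with T=, and "SMTP connection from [ip]" lines.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
2012-09-14 10:00:01 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2012-09-14 10:00:01 1TCab1-0001aA-01 <= alice@example.com U=alice P=local S=1204
2012-09-14 10:00:01 1TCab1-0001aA-01 => out1@remote.test R=lookuphost T=remote_smtp
2012-09-14 10:00:02 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2012-09-14 10:00:02 1TCab2-0001aB-02 <= alice@example.com U=alice P=local S=1210
2012-09-14 10:00:02 1TCab2-0001aB-02 => out2@remote.test R=lookuphost T=remote_smtp
2012-09-14 10:00:03 1TCab3-0001aC-03 <= alice@example.com U=alice P=local S=1199
2012-09-14 10:00:03 1TCab3-0001aC-03 => dave@example.org R=virtual_user T=virtual_userdelivery
2012-09-14 10:00:04 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2012-09-14 10:00:04 1TCab4-0001aD-04 <= bob@example.com U=bob P=local S=980
2012-09-14 10:00:04 1TCab4-0001aD-04 => dave@example.org R=virtual_user T=virtual_userdelivery
2012-09-14 10:00:05 1TCab5-0001aE-05 <= bob@example.com U=bob P=local S=985
2012-09-14 10:00:05 1TCab5-0001aE-05 => erin <erin@example.org> R=localuser T=local_delivery
2012-09-14 10:00:06 SMTP connection from [203.0.113.7]:40111 I=[198.51.100.2]:25
2012-09-14 10:00:06 SMTP connection from [203.0.113.7]:40112 I=[198.51.100.2]:25
2012-09-14 10:00:07 SMTP connection from [198.51.100.50]:51000 I=[198.51.100.2]:25
2012-09-14 10:00:07 1TCab6-0001aF-06 <= carol@example.net H=mail.example.net [198.51.100.50] P=esmtp S=2301
2012-09-14 10:00:07 1TCab6-0001aF-06 => out3@remote.test R=lookuphost T=remote_smtp
2012-09-14 10:00:08 SMTP connection from [203.0.113.7]:40113 I=[198.51.100.2]:25
EOF

# Top local senders: "<=" arrivals with P=local, counted by the U= (Unix user) key.
# Usage: top_local_senders LOGFILE N  -> lines of "count user"
top_local_senders() {
    awk '$4 == "<=" && /P=local/ {
             for (i = 5; i <= NF; i++) if ($i ~ /^U=/) { n[substr($i, 3)]++; break }
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn | head -n "$2"
}

# Top local receivers: "=>" deliveries by a local transport. The recipient is
# the token after the arrow, or the <addr> that follows a bare local part.
top_local_receivers() {
    awk '$4 == "=>" && /T=(virtual_userdelivery|local_delivery)/ {
             r = $5
             if (r !~ /@/ && $6 ~ /^<.*>$/) r = $6
             gsub(/[<>]/, "", r)
             n[r]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn | head -n "$2"
}

# Directories under /home from which a script invoked sendmail (cwd= lines),
# most active first; this is where to look for the spamming script.
script_dirs() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^cwd=\/home\//) n[substr($i, 5)]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Inbound SMTP connections counted per remote IP, most connections first.
smtp_connection_ips() {
    awk 'match($0, /SMTP connection from \[[^]]*\]/) {
             s = substr($0, RSTART, RLENGTH); sub(/^.*\[/, "", s); sub(/\]$/, "", s); n[s]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

echo "== top local senders";   top_local_senders "$LOG" 5
echo "== top local receivers"; top_local_receivers "$LOG" 5
echo "== script directories";  script_dirs "$LOG"
echo "== SMTP connections/IP"; smtp_connection_ips "$LOG"
```

On a live server replace the sample with /var/log/exim_mainlog (or a `tail -n 100000` of it) in the function argument; the P=local filter is what separates web scripts and local users from mail that arrived over SMTP, which the carol@example.net line in the sample illustrates.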

The following commands will show the path to the script being used to send mail

ps -C exim -fH eww
ps -C exim -fH eww | grep home
cd /var/spool/exim/input/
egrep "X-PHP-Script" * -R

Shows the connections to the SMTP server, counted per remote IP

netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

To show each domain name and the number of emails for it in the queue

exim -bp | exiqsumm | more

If the spamming comes from an outside domain, you can block that domain or email ID on the server

pico /etc/antivirus.exim

Add the following lines:

if $header_from: contains "name@domain.com"
then
seen finish
endif
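A fuller version of that filter, as an added example and not the original post's file: it keeps the From: header test from above, adds the envelope sender (the two are set independently, so a match on only one is easy to miss), and writes a log line before discarding so the silent `seen finish` leaves an audit trail. The log path and the `@spamming-domain.example` entry are placeholders.

```exim
# Exim filter
# Added example of a system filter in the style of /etc/antivirus.exim.
# Assumes /var/log/exim_filter.log is writable by the Exim user.
logfile /var/log/exim_filter.log

if $header_from: contains "name@domain.com"
   or $sender_address contains "name@domain.com"
   or $header_from: contains "@spamming-domain.example"
then
  logwrite "$tod_log discarded $message_id env_from=$sender_address header_from=$header_from:"
  seen finish
endif
```

Note that `contains` is a plain substring test, so "@spamming-domain.example" also matches subdomains and any longer name ending in it; restrict the pattern if that is not wanted.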


To remove the queued emails of a particular email account or domain

exim -bpr | grep "test.org" | awk '{print $3}' | xargs exim -Mrm

cdp (pid XXX?) is not running ?

root@ [~]# /etc/init.d/cdp-agent status
/etc/init.d/cdp-agent status: cdp (pid 753?) not running

If you face this problem again, please check the log file
(/usr/sbin/r1soft/log/cdp.log); there you can find the exact reason.

Here the error I have got is the following.

============
,[ERROR],[NO-CONNECTION],Exception from network
server: Address already in use
============

This happens when port 1167 is already in use. We can sort this issue
out as follows.

If your agent hangs and is not restarting properly,
check whether the agent port is being used by the hcp daemon:

lsof -i :1167   # 1167 is the default agent port

~]# lsof -i :1167
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
hcp_io/1/ 2250 root 8u IPv4 191316993 TCP *:1167 (LISTEN)
hcp_io/1/ 2256 root 8u IPv4 191316993 TCP *:1167 (LISTEN)
hcp_io/1/ 2257 root 8u IPv4 191316993 TCP *:1167 (LISTEN)
hcp_io/1/ 2258 root 8u IPv4 191316993 TCP *:1167 (LISTEN)

You can see that hcp is running, so you must stop the hcp activity:

hcp -r /dev/hcp1   # /dev/hcp1 is an example device

Now you can restart the agent:
/etc/init.d/cdp-agent restart

Apache crashing: Invalid argument: couldn't grab the accept mutex



Situation: The Apache error log shows this error:

(22)Invalid argument: couldn't grab the accept mutex
(22)Invalid argument: couldn't grab the accept mutex
(22)Invalid argument: couldn't grab the accept mutex

Solution:

Typically, this type of error occurs on systems that are low on memory or file handles.

One suggested resolution for this error message is to add the following line to the /usr/local/apache/conf/httpd.conf file:

AcceptMutex fcntl

Then run the Apache configuration distiller, rebuild httpd.conf, and gracefully restart Apache:

/usr/local/cpanel/bin/apache_conf_distiller --update --main
/scripts/rebuildhttpdconf
/etc/init.d/httpd graceful


Show All Running Processes in Linux?

# ps aux | less
It will display all running processes

See every process except those running as root

# ps -U root -u root -N

See processes run by a particular user

# ps -u vivek

Save Process Snapshot to a file

# top -b -n1 > /tmp/process.log

Or you can email result to yourself:

# top -b -n1 | mail -s 'Process snapshot' you@example.com




How to tar recently modified files in Linux?



To accomplish this we need two commands:

- find - to find the files that were modified

find . -mtime -5 -type f -name "*.php"   (gets all the PHP files modified within the last 5 days)

- tar - to create an archive

tar cvf changed_20100614.tar   (creates the archive named "changed_20100614.tar")

combine above two commands

tar cvf changed_20100614.tar `find . -mtime -5 -type f -name "*.php"`

It creates an archive of the files modified within the last 5 days.

How to delete a file from tar file(archive) without untar it?

We can use the --delete option together with -f for it.

Syntax:
tar -f {file_name.tar} --delete file1 file2 file3

tar -f myfile.tar --delete index.php folder1/test/testfile.php folder2/test_folder/*
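
The two tar steps above as one runnable script, added here as an example rather than taken from the original post. It builds a constructed directory tree (one file with a space in its name, one file dated 2012 so it falls outside the 5-day window), archives the recently modified PHP files, and deletes one member in place. The difference from the backtick form above is that the file list is passed NUL-separated, so "my page.php" stays one file instead of being split on whitespace. GNU tar is assumed for --null and -T; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed sample tree,
# archives *.php files modified within the last N days, then deletes a member
# from the archive without extracting it. Assumes GNU tar (--null, -T, --delete).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SITE="$WORK/site"
mkdir -p "$SITE/sub"
printf '<?php\n' > "$SITE/sub/recent.php"
printf '<?php\n' > "$SITE/my page.php"            # name with a space
printf '<?php\n' > "$SITE/sub/old.php"
touch -t 201209010000 "$SITE/sub/old.php"         # well over 5 days old, must be skipped
printf 'not php\n' > "$SITE/sub/notes.txt"        # wrong extension, must be skipped
OUT="$WORK/changed.tar"

# archive_recent_php DIR DAYS ARCHIVE: archive *.php under DIR modified within
# the last DAYS days into ARCHIVE (give an absolute path). find prints the
# names NUL-terminated and tar reads them back with --null, so whitespace in
# names is preserved; paths are stored relative to DIR, as "./sub/file.php".
archive_recent_php() {
    ( cd "$1" && find . -type f -name '*.php' -mtime -"$2" -print0 | tar -cf "$3" --null -T - )
}

# list_archive ARCHIVE: print the stored member names.
list_archive() { tar -tf "$1"; }

# delete_from_archive ARCHIVE MEMBER: remove MEMBER in place. The name must match
# the stored path exactly; a shell glob such as folder2/test_folder/* is expanded
# against the filesystem by the shell, not against the archive contents.
delete_from_archive() { tar -f "$1" --delete "$2"; }

archive_recent_php "$SITE" 5 "$OUT"
echo "== after archiving";  list_archive "$OUT"
delete_from_archive "$OUT" ./sub/recent.php
echo "== after --delete";   list_archive "$OUT"
```

Compare with the backtick version on the page: run against the same tree it would hand tar the two words "./my" and "page.php", neither of which exists, and the archive step fails for that file.
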

How to find out the symbolic links in a directory?

find . -type l ==>> this lists all the symbolic links in the directory