Installing ImageMagick on a cPanel Server

You can easily install ImageMagick on a cPanel server by using a cPanel script.

/scripts/installimagemagick will do it for you.

HOLD ON, this is not it yet!!!! We need to get it into PHP, right?

The new WHM has a utility to complete the task.

Log into WHM >> Software >> Module Installers >> PHP Pecl and install imagick to bind the whole thing into PHP.

That should be it. If by any chance you have a problem with a 64-bit OS and WHM cannot find imagick, install it manually by following the steps below.

Check if ImageMagick-devel is installed; if not, install it using yum.

Then you need to download the Imagick PHP extensions, located here: http://pecl.php.net/package/imagick

cd /usr/src/
wget http://pecl.php.net/get/imagick-x.x.x.tar.gz
tar -zxvf imagick-x.x.x.tar.gz
cd imagick-x.x.x
phpize
./configure
make
make install

Now go back into WHM and try to activate imagick again. That is it 🙂 You are all done.

Add IP Address in Debian

The IP configurations on Debian are stored in /etc/network/interfaces. Below is an example that will configure the device eth0 to have an IP address of 192.168.1.100 on a class C network with 192.168.1.1 as the default gateway.

vim /etc/network/interfaces

The file will look like the following.

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# the loopback interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static

address 192.168.1.100
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.1

In order to assign multiple IP addresses on the same interface (say eth0), add the following. The below example will add three more IP addresses to the same interface:

auto eth0:0
iface eth0:0 inet static

address 192.168.1.101
netmask 255.255.255.0
broadcast 192.168.1.255

auto eth0:1
iface eth0:1 inet static

address 192.168.1.102
netmask 255.255.255.0
broadcast 192.168.1.255

auto eth0:2
iface eth0:2 inet static

address 192.168.1.103
netmask 255.255.255.0
broadcast 192.168.1.255

To update your IP configuration after saving /etc/network/interfaces, execute the command:

# /etc/init.d/networking restart

Make sure to double-check your configuration as this could make your server unreachable if there are any errors.

Change Joomla Installation Directory

How can I move all the files from that folder to the main directory without damaging or changing anything?

Moving the Joomla files and folders up one level will not damage them. You will need to edit your configuration.php file in a text editor to remove the joomla folder from the path for your tmp and log folders. You may also need to rename the welcome.html file to welcome.old or just remove it from your root folder.

If you are using Joomla 1.5.x, no configuration file changes should be necessary. You can simply move the files to the new location.

If you are using 1.0.x then you will need to edit the configuration.php file.

To check Disk Space Usage

Show files by size, biggest last:
ls -lSr

Show files by size, biggest first:
ls -Ssh | head

Show top disk users in current dir.
du -s * | sort -k1,1rn | head

Show free space on mounted filesystems

df -h

Show free inodes on mounted filesystems

df -i

Show disks partitions sizes and types

fdisk -l

List all packages by installed size (Bytes) on rpm distros

rpm -q -a --qf '%10{SIZE}\t%{NAME}\n' | sort -k1,1n

Checking Rootkits with rkhunter

Rootkits
A rootkit is software that is installed on your server with the purpose of hiding the fact that your server has been compromised and providing access to your server so that the intruder can easily return. It is important to understand that in order for an intruder to install a rootkit they will have to have gained the rights to do so on your server. This means that the first line of defense is good security that prevents the installation of a rootkit.

The intruder could use a rootkit to hide the password cracker program that’s stealing your passwords and sending them back to the intruder. The intruder could also use a rootkit to hide a “back door” program that would give him easy access back into the compromised system.

There are at least six basic categories of rootkits which all serve the same purpose. They prevent the intruder’s malicious software from showing screen output to the unsuspecting user, and they prevent the malicious software from leaving traces in the system logs. They also prevent the malicious software from showing up in a “ps” or “top” process list.

Firmware rootkits
One of the most difficult rootkits to discover is the firmware rootkit that is placed in the code that exists in the ACPI or PCI cards or your system clock. Firmware rootkits can be installed in any flashable code on your motherboard or any cards that you install. The difficulty here is that you cannot fix this by reinstalling your operating system or wiping your hard drives.

Virtualized rootkits
Virtualized rootkits change a computer’s boot-up sequence so that the rootkits get loaded instead of the operating system. Once the rootkits are running in memory, the original operating system loads and then runs in a virtual machine as a guest operating system. The rootkit can then intercept hardware calls from the original operating system in order to conceal the presence of any malicious software or activity.

Kernel rootkits
When Linux boots up, it loads kernel extensions, or modules. Loadable Kernel Module, or LKM rootkits, can modify these modules to make them do the intruder’s bidding. These are also very difficult to detect. They can subvert any attempt to detect them and can prevent removal. On the other hand, they can be prevented. On a known clean system, just recompile the Linux kernel without support for loadable kernel modules.

Boot Loader rootkits
In this rootkit the boot loader is replaced with a modified boot loader which is used to achieve the goals of the intruder.

Library rootkits
These rootkits work by modifying the operating system’s libraries that provide system calls. They will either patch the library files, hook onto them, or outright replace them.

Application level rootkits
These are sometimes referred to as “traditional” rootkits. That’s because they’re the oldest variety. Application level rootkits replace system utility programs with their own trojaned versions. On Linux, the affected system utilities include login, ls, du, netstat, ifconfig, ps and top. When the unsuspecting user invokes one of these counterfeit utilities, it will do what the user wants done, but in the background, it will also do something for the intruder.

One way to check these utilities is to invoke them with the -/ option switch. If the command works with that switch, it’s a sign that its executable file is infected.

Rootkit Hunter
Rootkit Hunter performs a more comprehensive check than chkrootkit, and takes somewhat longer to run. If your distro’s package repository doesn’t have it, you can download it from the author’s website. The site is: http://rootkit.nl/projects or you can download it from sourceforge.net.

To perform a check of your system, enter:

rkhunter -c

Here is a typical summary which is listed at the end of the check.
System checks summary
=====================

File properties checks…
Files checked: 129
Suspect files: 0

Rootkit checks…
Rootkits checked : 115
Possible rootkits: 0

Applications checks…
Applications checked: 9
Suspect applications: 0

The system checks took: 3 minutes and 1 seconds

All results have been written to the logfile (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

To update Rootkit Hunter, enter:

rkhunter --update

If a check reports that some programs have changed and you are sure that the changes are the result of an upgrade, you will want to record those changes with rkhunter so that it does not continually report them as problems. Note that rkhunter can only tell you that changes have occurred, not why they occurred; finding that out is your responsibility.

rkhunter --propupd

Run without User Input
In order to run rkhunter as a cron job, or without user input, you must make a few modifications. Otherwise, during the course of its scan, it will stop several times and ask the user to press “Enter”. Use the command:

rkhunter --cronjob

Report only Problems
You can run rkhunter so that it will only report problems that it discovers.

rkhunter --cronjob --rwo

Email Your Account
You will need to edit two lines to enter your email and check your mail command header setting. This command will work for Sendmail but not Postfix.

MAIL-ON-WARNING=youremail@example.com root@mydomain
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"

If you are using Postfix as the mail server you will want to modify the default line so it looks like this:
MAIL_CMD=/usr/sbin/sendmail

This is the message you will receive if there is a problem.

“Please inspect this machine, because it may be infected.”

False Positives
You may have to uncomment lines in the rkhunter.conf file to allow for some hidden directories. You may also have to enter the lines and issues that are discovered for your system that are false positives. Of course, you will want to verify either that rkhunter discovered these on a new system or that you are sure they do not represent intrusion.

LOGFILE=/var/log/rkhunter.log

If you allow the root user to login using SSH, change this line.
ALLOW_SSH_ROOT_USER=yes

You may need to allow some directories and files to stop the false positives.
#ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
#ALLOWHIDDENDIR=/dev/.udevdb
#ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/dev/.static
ALLOWHIDDENDIR=/dev/.initramfs
#ALLOWHIDDENDIR=/dev/.SRC-unix

ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac

SCRIPTWHITELIST=/sbin/ifup
SCRIPTWHITELIST=/sbin/ifdown
SCRIPTWHITELIST=/usr/bin/groups
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/whatis

Enter the applications you want to whitelist. This is a possible list for a CentOS system; on Ubuntu, Apache is called apache2 instead of httpd.

APP_WHITELIST="httpd sshd PHP named"
Here is an example of the output that you need to fix in order to eliminate false positives.

rkhunter --cronjob --rwo
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
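
As an added example (not part of the original page and not rkhunter's own code), the script below reads the warnings from rkhunter --cronjob --rwo and marks each hidden file or directory as already covered by an active ALLOWHIDDENDIR/ALLOWHIDDENFILE line or as still needing review. The sample data is constructed from the lines shown above plus one constructed warning for /etc/.java; sample_conf, sample_warnings and triage are names chosen for this example.

```shell
#!/bin/sh
# Added example: triage rkhunter hidden-file warnings against rkhunter.conf.

# Constructed sample: allow lines copied from this page's rkhunter.conf excerpt.
sample_conf() {
cat <<'EOF'
#ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
ALLOWHIDDENFILE=/usr/sbin/.sshd.hmac
EOF
}

# Constructed sample: the page's warnings plus one for /etc/.java (constructed),
# whose allow line above is still commented out.
sample_warnings() {
cat <<'EOF'
Warning: Hidden directory found: /dev/.udev
Warning: Hidden directory found: /etc/.java
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
EOF
}

# triage CONF: read warnings on stdin, print "allowed|REVIEW kind path".
triage() {
  awk -v conf="$1" '
    BEGIN {  # load only active (uncommented) allow entries
      while ((getline line < conf) > 0) {
        val = substr(line, index(line, "=") + 1)
        if (line ~ /^ALLOWHIDDENDIR=/)  allowed["directory", val] = 1
        if (line ~ /^ALLOWHIDDENFILE=/) allowed["file", val] = 1
      }
      close(conf)
    }
    match($0, /^Warning: Hidden (directory|file) found: /) {
      kind = ($0 ~ /^Warning: Hidden directory/) ? "directory" : "file"
      path = substr($0, RLENGTH + 1)
      sub(/: .*$/, "", path)  # strip the file-type description after the path
      verdict = ((kind, path) in allowed) ? "allowed" : "REVIEW"
      print verdict, kind, path
    }'
}

conf=$(mktemp) && sample_conf > "$conf"
sample_warnings | triage "$conf"
rm -f "$conf"
```

On a live system the same function can be fed directly, for example rkhunter --cronjob --rwo | triage /etc/rkhunter.conf, assuming the configuration file lives at that path. Anything marked REVIEW should be investigated before an allow line is added for it.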

EasyApache Internal Server Error

If Easy Apache gives an Internal Server Error like this:

“Internal Server Error

Premature end of script headers: /usr/local/cpanel/whostmgr/docroot/cgi/easyapache.pl: Please check /usr/local/cpanel/logs/error_log for the exact error.”

By following the breadcrumbs (i.e. the error message) and checking the error_log, I find that the problem is:

Acme::Spork version v0.0.8 required--this is only version v0.0.7 at /var/cpanel/perl/easy/Cpanel/Easy/Utils/BackGround.pm line 14.
BEGIN failed--compilation aborted at /var/cpanel/perl/easy/Cpanel/Easy/Utils/BackGround.pm line 14.
Compilation failed in require at (eval 28) line 3.
...propagated at /usr/lib/perl5/5.8.8/base.pm line 85.
at (eval 26) line 3
at /var/cpanel/perl/easy/Cpanel/Easy.pm line 15
BEGIN failed--compilation aborted at /var/cpanel/perl/easy/Cpanel/Easy.pm line 15.
Compilation failed in require at (eval 16) line 3.
...propagated at /usr/lib/perl5/5.8.8/base.pm line 85.
BEGIN failed--compilation aborted at /var/cpanel/perl/easy/Cpanel/Easy/Apache.pm line 8.
Compilation failed in require at /usr/local/cpanel/whostmgr/docroot/cgi/easyapache.pl line 67.

Download and install the latest Acme::Spork module on the server (now v0.0.8); this will fix the error.

Upgrade ClamAV in cPanel Server

You can upgrade the ClamAV installation on the server to the latest version with the following steps.

For 32 bit:
cd /usr/local/cpanel/modules-install/clamavconnector-Linux-i686

For 64 bit:
cd /usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64

Then, download the source of the latest version of ClamAV. You can find the latest source at http://www.clamav.net/download/sources/

Now, open the file ‘install’. This file is located in the current directory.
vim install

Find the line 'AVV=0.95' and change it to 'AVV=latest version'

Then edit the file ‘progversion’ and put the latest version of ClamAV there. You can do this with a simple command.

echo "latest_version" > progversion

Finally, run the install script with the command ‘./install’.

And that's it. Your ClamAV should now be upgraded to the latest version.