Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the copy-the-code domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/pcx3.com/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the pb-seo-friendly-images domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/pcx3.com/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the johannes domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/pcx3.com/wp-includes/functions.php on line 6121
cPanel CheatSheet - PC✗3
Are you a 🤖?
Search
Search

cPanel CheatSheet

This is a practical cPanel cheatsheet for beginners, with focus on the commands that may be useful to new sysadmins.

cpanel

Basic Setup

Install Installatron 

wget https://data.installatron.com/installatron-plugin.sh
chmod +x installatron-plugin.sh
./installatron-plugin.sh -f

Install memcache 

wget http://pecl.php.net/get/memcache
cd memcache*
phpize
./configure
make && make install
echo "extension=memcache.so" >> /your_path/php.ini

Backups

cPanel backup account 

/scripts/pkgacct username

Check cPbackup for errors 

tail -100 $(ls -dt /usr/local/cpanel/logs/cpbackup/* | head -n1) | grep 'error|warn'

Check when backup finished 

tail -3 $(ls -dt /usr/local/cpanel/logs/cpbackup/* | head -n1)

Check the number of accounts that were backed up 

echo "Total Accounts to backup: $(grep -Li "suspended" $(grep -l "^BACKUP=1" /var/cpanel/users/*) | wc -l)" && echo "Backed up accounts: $(cd "$(grep "BACKUPDIR" /var/cpanel/backups/config | awk '{print $2}')"/"$(date -dlast-sunday +%Y-%m-%d)"/accounts && ls | wc -l)"

Check when was the last time that Jetbackup ran and it’s status 

echo -e "n~~~~JB accounts backup last job stats~~~n" && tail -1 $(find /usr/local/jetapps/var/log/jetbackup/backup/ -type f -size +2k | xargs ls -dt | head -n 1) | awk '{print "Job date:"$1"-"$2" "$3", status: "$7" "$8}' | tr '[' ' ' && echo "Start time:" && head -1 $(find /usr/local/jetapps/var/log/jetbackup/backup/ -type f -size +2k | xargs ls -dt | head -n 1) | awk '{print $4}' | cut -d ':' -f 1,2 | awk '{print $0" AM"}' && echo "End time:" && tail -1 $(find /usr/local/jetapps/var/log/jetbackup/backup/ -type f -size +2k | xargs ls -dt | head -n 1) | awk '{print $4}' | cut -d ':' -f 1,2 && echo ""

Security

ModSecurity limit website connections per IP 

nano /usr/local/apache/conf/modsec2.user.conf
SecConnReadStateLimit 250

Check if IP is blocked by cPhulk 

grep IP /usr/local/cpanel/logs/cphulkd.log

Temporary disable cphulk 

/usr/local/cpanel/etc/init/stopcphulkd

Whitelist an IP on cPHulk 

/scripts/cphulkdwhitelist x.x.x.x

Blacklist an IP on cPHulk 

/scripts/cphulkdblacklist x.x.x.x

CSF check IP 

csf -g 8.8.8.8

Unblock an IP on CSF 

csf -dr 8.8.8.8

Check IP block history 

grep IP /var/log/lfd.log

For more CSF snippets check this CSF CheatSheet

Emails

Delete all email accounts 

ls /home/cpanel_user/mail/domain.com/ > /tmp/list
for i in `cat /tmp/list`; do cpapi2 --user=cpanel_user Email delpop domain=domain.com email=$i; done

Sort email accounts by the number of logins 

head -1 /var/log/exim_mainlog | awk '{print $1}' ; egrep -o 'dovecot_login[^ ]+|dovecot_plain[^ ]+' /var/log/exim_mainlog | cut -f2 -d":" | sort|uniq -c|sort -nk 1 ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'2020-10-25

Check rejected emails for a single email address 

exigrep user@domain.com /var/log/exim_rejectlog*

List failed logins for a speciffic email address 

grep DOMAIN.com /var/log/maillog | grep failed

List all logins and messages for a specific email address 

grep dovecot_login:user@domain.com /var/log/exim_mainlog

Check who suspended an email account 

grep suspend_incoming /usr/local/cpanel/logs/access_log

Accounts

List all cPanel accounts and domains 

cat /etc/trueuserdomains | awk '{ print $2" "$1}' | sed 's/://'

Change IP for a cPanel accounts 

/usr/local/cpanel/bin/setsiteip -u $user $ip

Which user owns the domain (addon/allias) 

/scripts/whoowns domain.com

Delete an account 

/scripts/killacct username

Suspend an account 

/scripts/suspendacct USERNAME

Unsuspend an account 

/scripts/unsuspendacct USERNAME

List of suspended accounts 

ll /var/cpanel/suspended 
cat /usr/local/apache/conf/includes/account_suspensions.conf

Malware Finding

List all POST requests for a cPanel account

grep POST /home/USERNAME/access-logs/* | awk '{print $7}' | sort | uniq -c | sort -n

Check for the most well known WordPress attack methods 

egrep -c '(wp-comments-post.php|wp-login.php|xmlrpc.php)' /usr/local/apache/domlogs/* |grep -v "_log" |sort -t: -nr -k 2 |head -5 |tee /tmp/delete_check |cut -d'/' -f6; for domlog in $(cut -d':' -f1 /tmp/delete_check); do echo; echo $domlog; echo; echo wp-login.php :: $(grep -c wp-login.php $domlog); echo; grep wp-login.php $domlog | cut -d' ' -f1|egrep -o '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; echo xmlrpc.php :: $(grep -c xmlrpc.php $domlog); echo; grep xmlrpc.php $domlog |cut -d' ' -f1 |egrep -o '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; echo wp-comments-post.php :: $(grep -c wp-comments-post.php $domlog); echo; grep wp-comments-post.php $domlog |cut -d' ' -f1 |egrep -o '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; done

Scan files for CWD mailing scripts 

tail -n2000 /var/log/exim_mainlog|grep /home/USERNAME/

Scan files for known PHP code injection methods 

grep -R "base64_" /home/USERNAME/
grep -lr --include=.php "eval(base64_decode" 
grep -lr --include=.php "eval" 
grep -lr --include=*.php "base64"

Scan directory with Maldet 

maldet -a /path/to/directory

SSL

Check AutoSSL status for user 

/usr/local/cpanel/bin/autossl_check --user=USERNAME

Clear AutoSSL Pending Queue 

cd /var/cpanel mv autossl_queue_cpanel.sqlite autossl_queue_cpanel.sqlite.old 
/usr/local/cpanel/bin/autossl_check_cpstore_queue

DNS

Add an DomainKey (DKIM) record 

/usr/local/cpanel/bin/dkim_keys_install username

Replace IP address in the zone file 

/usr/local/cpanel/bin/swapip [sourceip] [destip] [ftpip] [domains]

Add an SPF record 

/usr/local/cpanel/bin/spf_installer username

Logs

Check which domain is IP accessing 

grep -rle 'IP-GOES-HERE' /usr/local/apache/domlogs/. | uniq

Who accessed to a certain acc 

grep USERNAME /usr/local/cpanel/logs/session_log | grep "NEW .*app=cpaneld" | awk "{print $6}" | sort -u | uniq

Check IP access for HTTP status 503 

grep 11.22.33.44 addon-domain.main-domain-name.extension-ssl_log | grep 503

Check on which service (cpanel, webdisk, webmail..) a certain IP tried to access 

grep IP-GOES-HERE /usr/local/cpanel/logs/login_log

Check cPanel logins for a specific IP 

grep IP-GOES-HERE /usr/local/cpanel/logs/session_log | grep cpanel-user

Who suspended an email acc 

grep suspend_incoming /usr/local/cpanel/logs/access_log

Check the error logs for a certain IP address 

grep 11.22.33.44 /usr/local/apache/logs/error_log

All cPanel account action 

/var/cpanel/accounting.log

We need your help!

Do you know a useful command that we haven’t included in this cPanel CheatSheet?

Help us keep the cPanel CheatSheet up-to-date and enrich it by sharing the useful cpanel commands that you know with other system administrators.


Share your knowledge

Menu