Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the copy-the-code domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/pcx3.com/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the pb-seo-friendly-images domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/pcx3.com/wp-includes/functions.php on line 6121

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the johannes domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/pcx3.com/wp-includes/functions.php on line 6121
cPanel CheatSheet - PC✗3

cPanel CheatSheet

This is a practical cPanel cheatsheet for beginners, with focus on the commands that may be useful to new sysadmins.

cpanel


Basic Setup

Install Installatron

wget https://data.installatron.com/installatron-plugin.sh
chmod +x installatron-plugin.sh
./installatron-plugin.sh -f 

Install memcache

wget http://pecl.php.net/get/memcache
cd memcache*
phpize
./configure
make && make install
echo "extension=memcache.so" >> /your_path/php.ini 

Backups

cPanel backup account

/scripts/pkgacct username 

Check cPbackup for errors

tail -100 $(ls -dt /usr/local/cpanel/logs/cpbackup/* | head -n1) | grep 'error|warn' 

Check when backup finished

tail -3 $(ls -dt /usr/local/cpanel/logs/cpbackup/* | head -n1) 

Check the number of accounts that were backed up

echo "Total Accounts to backup: $(grep -Li "suspended" $(grep -l "^BACKUP=1" /var/cpanel/users/*) | wc -l)" && echo "Backed up accounts: $(cd "$(grep "BACKUPDIR" /var/cpanel/backups/config | awk '{print $2}')"/"$(date -dlast-sunday +%Y-%m-%d)"/accounts && ls | wc -l)" 

Check when was the last time that Jetbackup ran and it’s status

echo -e "n~~~~JB accounts backup last job stats~~~n" && tail -1 $(find /usr/local/jetapps/var/log/jetbackup/backup/ -type f -size +2k | xargs ls -dt | head -n 1) | awk '{print "Job date:"$1"-"$2" "$3", status: "$7" "$8}' | tr '[' ' ' && echo "Start time:" && head -1 $(find /usr/local/jetapps/var/log/jetbackup/backup/ -type f -size +2k | xargs ls -dt | head -n 1) | awk '{print $4}' | cut -d ':' -f 1,2 | awk '{print $0" AM"}' && echo "End time:" && tail -1 $(find /usr/local/jetapps/var/log/jetbackup/backup/ -type f -size +2k | xargs ls -dt | head -n 1) | awk '{print $4}' | cut -d ':' -f 1,2 && echo "" 

Security

ModSecurity limit website connections per IP

nano /usr/local/apache/conf/modsec2.user.conf
SecConnReadStateLimit 250 

Check if IP is blocked by cPhulk

grep IP /usr/local/cpanel/logs/cphulkd.log 

Temporary disable cphulk

/usr/local/cpanel/etc/init/stopcphulkd 

Whitelist an IP on cPHulk

/scripts/cphulkdwhitelist x.x.x.x 

Blacklist an IP on cPHulk

/scripts/cphulkdblacklist x.x.x.x 

CSF check IP

csf -g 8.8.8.8 

Unblock an IP on CSF

csf -dr 8.8.8.8 

Check IP block history

grep IP /var/log/lfd.log 

For more CSF snippets check this CSF CheatSheet


Emails

Delete all email accounts

ls /home/cpanel_user/mail/domain.com/ > /tmp/list
for i in `cat /tmp/list`; do cpapi2 --user=cpanel_user Email delpop domain=domain.com email=$i; done 

Sort email accounts by the number of logins

head -1 /var/log/exim_mainlog | awk '{print $1}' ; egrep -o 'dovecot_login[^ ]+|dovecot_plain[^ ]+' /var/log/exim_mainlog | cut -f2 -d":" | sort|uniq -c|sort -nk 1 ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'2020-10-25 

Check rejected emails for a single email address

exigrep user@domain.com /var/log/exim_rejectlog* 

List failed logins for a speciffic email address

grep DOMAIN.com /var/log/maillog | grep failed 

List all logins and messages for a specific email address

grep dovecot_login:user@domain.com /var/log/exim_mainlog 

Check who suspended an email account

grep suspend_incoming /usr/local/cpanel/logs/access_log 

Accounts

List all cPanel accounts and domains

cat /etc/trueuserdomains | awk '{ print $2" "$1}' | sed 's/://' 

Change IP for a cPanel accounts

/usr/local/cpanel/bin/setsiteip -u $user $ip 

Which user owns the domain (addon/allias)

/scripts/whoowns domain.com 

Delete an account

/scripts/killacct username 

Suspend an account

/scripts/suspendacct USERNAME 

Unsuspend an account

/scripts/unsuspendacct USERNAME 

List of suspended accounts

ll /var/cpanel/suspended 
cat /usr/local/apache/conf/includes/account_suspensions.conf 

Malware Finding

List all POST requests for a cPanel account

grep POST /home/USERNAME/access-logs/* | awk '{print $7}' | sort | uniq -c | sort -n 

Check for the most well known WordPress attack methods

egrep -c '(wp-comments-post.php|wp-login.php|xmlrpc.php)' /usr/local/apache/domlogs/* |grep -v "_log" |sort -t: -nr -k 2 |head -5 |tee /tmp/delete_check |cut -d'/' -f6; for domlog in $(cut -d':' -f1 /tmp/delete_check); do echo; echo $domlog; echo; echo wp-login.php :: $(grep -c wp-login.php $domlog); echo; grep wp-login.php $domlog | cut -d' ' -f1|egrep -o '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; echo xmlrpc.php :: $(grep -c xmlrpc.php $domlog); echo; grep xmlrpc.php $domlog |cut -d' ' -f1 |egrep -o '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; echo wp-comments-post.php :: $(grep -c wp-comments-post.php $domlog); echo; grep wp-comments-post.php $domlog |cut -d' ' -f1 |egrep -o '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' |sort |uniq -c |sort -nr | head; echo; done 

Scan files for CWD mailing scripts

tail -n2000 /var/log/exim_mainlog|grep /home/USERNAME/ 

Scan files for known PHP code injection methods

grep -R "base64_" /home/USERNAME/
grep -lr --include=.php "eval(base64_decode" 
grep -lr --include=.php "eval" 
grep -lr --include=*.php "base64" 

Scan directory with Maldet

maldet -a /path/to/directory 

SSL

Check AutoSSL status for user

/usr/local/cpanel/bin/autossl_check --user=USERNAME 

Clear AutoSSL Pending Queue

cd /var/cpanel mv autossl_queue_cpanel.sqlite autossl_queue_cpanel.sqlite.old 
/usr/local/cpanel/bin/autossl_check_cpstore_queue 

DNS

Add an DomainKey (DKIM) record

/usr/local/cpanel/bin/dkim_keys_install username 

Replace IP address in the zone file

/usr/local/cpanel/bin/swapip [sourceip] [destip] [ftpip] [domains] 

Add an SPF record

/usr/local/cpanel/bin/spf_installer username 

Logs

Check which domain is IP accessing

grep -rle 'IP-GOES-HERE' /usr/local/apache/domlogs/. | uniq 

Who accessed to a certain acc

grep USERNAME /usr/local/cpanel/logs/session_log | grep "NEW .*app=cpaneld" | awk "{print $6}" | sort -u | uniq 

Check IP access for HTTP status 503

grep 11.22.33.44 addon-domain.main-domain-name.extension-ssl_log | grep 503 

Check on which service (cpanel, webdisk, webmail..) a certain IP tried to access

grep IP-GOES-HERE /usr/local/cpanel/logs/login_log 

Check cPanel logins for a specific IP

grep IP-GOES-HERE /usr/local/cpanel/logs/session_log | grep cpanel-user 

Who suspended an email acc

grep suspend_incoming /usr/local/cpanel/logs/access_log 

Check the error logs for a certain IP address

grep 11.22.33.44 /usr/local/apache/logs/error_log 

All cPanel account action

/var/cpanel/accounting.log 

We need your help!

Do you know a useful command that we haven’t included in this cPanel CheatSheet?

Help us keep the cPanel CheatSheet up-to-date and enrich it by sharing the useful cpanel commands that you know with other system administrators.


Share your knowledge