Redirects in .htaccess file

Posted: April 26, 2016 in Linux

If a domain loads but http://www.domain does not (it shows a white page), and we want to redirect www to the bare domain, add the following lines to the .htaccess file of your account.

To redirect www to domain

RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.catherine\.com$ [NC]
RewriteRule ^(.*)$ http://catherine.com/$1 [R=301,L]

To redirect domain to www

RewriteEngine on
RewriteCond %{HTTP_HOST} ^catherine\.com$ [NC]
RewriteRule ^(.*)$ http://www.catherine.com/$1 [R=301,L]
Try now and hope it works 🙂

To check the email count,

[root@vs-boa ~]# /var/qmail/bin/qmail-qstat
messages in queue: 1970
messages in queue but not yet preprocessed: 0

To see the email queue,

[root@vs-boa ~]# /var/qmail/bin/qmail-qread

6 Apr 2016 01:21:35 GMT #103844 2808 <>
remote sperrung@mastercard.de
6 Apr 2016 01:23:33 GMT #104718 2642 <>
remote support@mastercard.de
6 Apr 2016 01:22:56 GMT #104442 2788 <>
remote support@mastercard.de
6 Apr 2016 01:16:09 GMT #102004 2823 <>
remote sperrung@mastercard.de
6 Apr 2016 01:20:13 GMT #103522 2814 <>
remote sperrung@mastercard.de
6 Apr 2016 01:17:21 GMT #102418 2794 <>
remote support@mastercard.de
6 Apr 2016 01:18:54 GMT #102924 2798 <>
remote support@mastercard.de
6 Apr 2016 01:13:36 GMT #101084 2826 <>
remote info@mastercard.de
6 Apr 2016 01:26:41 GMT #103430 2787 <>
remote support@mastercard.de
6 Apr 2016 01:19:31 GMT #103246 2866 <>
remote support@mastercard.de

Here the number starting with # is the message ID.

[root@vs-boa ~]# find /var/qmail/queue -iname 102418
/var/qmail/queue/info/22/102418
/var/qmail/queue/mess/22/102418
/var/qmail/queue/remote/22/102418

The file /var/qmail/queue/mess/22/102418 contains the queued message, starting with its header.

[root@vs-boa ~]# cat /var/qmail/queue/mess/22/102418
Received: (qmail 16833 invoked for bounce); 6 Apr 2016 01:17:21 -0000
Date: 6 Apr 2016 01:17:21 -0000
From: MAILER-DAEMON@*************
To: support@mastercard.de
Subject: failure notice

Hi. This is the qmail-send program at*************.
I’m afraid I wasn’t able to deliver your message to the following addresses.
This is a permanent error; I’ve given up. Sorry it didn’t work out.

<cornelia.buser@web.de>:
User and password not set, continuing without authentication.
212.227.17.8 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 212.227.17.8.

--- Below this line is a copy of the message.

Return-Path: <support@mastercard.de>
Received: (qmail 16824 invoked by uid 0); 6 Apr 2016 01:17:21 -0000
Received: from unknown (HELO localhost.localdomain) (charity@************@XXXX.)
by ************* with ESMTPA; 6 Apr 2016 01:17:21 -0000
Date: Wed, 6 Apr 2016 11:25:10 +0200
Return-Path: <support@mastercard.de>
To: cornelia.buser@web.de
From: MasterCard <support@mastercard.de>
Subject: Phishing-Attacke auf Ihrer MasterCard festgestellt!
Message-ID: <695b595d28e3accca7f498e1d8537870@localhost.localdomain>
X-Priority: 3
X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/)

=================

This means an email was sent from support@mastercard.de to the email address cornelia.buser@web.de. As the recipient address does not exist, delivery failed and the bounce was returned to support@mastercard.de. Neither web.de nor mastercard.de belongs to our server. As already noted, the email address charity@************ was used to send spam via XX.XX.XX.XX. To confirm this, we look at the logs.
------------------

Find the spammer

------------------

[root@vs-boa log]# cd /var/log
[root@vs-boa log]# grep -irl XX.XX.XX.XX .
./messages
./kloxo/smtp.log
./kloxo/maillog-7

CHKUSER relaying rcpt: from <support@mastercard.de:charity@************:> remote rcpt <danieldb@XXXX.net> : client allowed to relay
CHKUSER relaying rcpt: from <support@mastercard.de:charity@************:> remote rcpt <Daniel_Polsfuhs@XXXX.de> : client allowed to relay
CHKUSER relaying rcpt: from <support@mastercard.de:charity@************:> remote rcpt <orbb2@XXXX..com> : client allowed to relay
CHKUSER relaying rcpt: from <support@mastercard.de:charity@************:> remote rcpt <raithel9@XXXX..com> : client allowed to relay

grep XX.XX.XX.XX kloxo/maillog-7

Apr 6 02:28:28 vs-boa vpopmail[15940]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:28 vs-boa vpopmail[15947]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:29 vs-boa vpopmail[15959]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:29 vs-boa vpopmail[15966]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:30 vs-boa vpopmail[15979]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:30 vs-boa vpopmail[15987]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:31 vs-boa vpopmail[15999]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:32 vs-boa vpopmail[16006]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
Apr 6 02:28:32 vs-boa vpopmail[16015]: vchkpw-smtp: (PLAIN) login success charity@************: XX.XX.XX.XX
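To go with the log above, here is an added example (not part of the original post) that summarises vchkpw SMTP login successes per account and source IP and flags pairs above a threshold, so an account that is authenticating at an abnormal rate from one address stands out. The account names and IPs in the embedded sample log are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Summarise successful SMTP
# authentications in a vpopmail/vchkpw log per (account, source IP) and
# flag pairs above a threshold. The sample log below is constructed; the
# account names and IPs in it are placeholders.

SAMPLE_VPOPMAIL_LOG='Apr 6 02:28:28 vs-boa vpopmail[15940]: vchkpw-smtp: (PLAIN) login success charity@example.test:203.0.113.45
Apr 6 02:28:28 vs-boa vpopmail[15947]: vchkpw-smtp: (PLAIN) login success charity@example.test:203.0.113.45
Apr 6 02:28:29 vs-boa vpopmail[15959]: vchkpw-smtp: (PLAIN) login success charity@example.test:203.0.113.45
Apr 6 02:28:29 vs-boa vpopmail[15966]: vchkpw-smtp: (PLAIN) login success charity@example.test:203.0.113.45
Apr 6 02:28:40 vs-boa vpopmail[16020]: vchkpw-smtp: (PLAIN) login success alice@example.test:198.51.100.7
Apr 6 02:29:02 vs-boa vpopmail[16031]: vchkpw-pop3: (PLAIN) login success alice@example.test:198.51.100.7
Apr 6 02:29:10 vs-boa vpopmail[16044]: vchkpw-smtp: password fail charity@example.test:203.0.113.45'

# Print "count account ip" for every successful SMTP login (POP3/IMAP
# logins and failed attempts are skipped), most frequent first.
# Accepts both "user@domain:ip" and "user@domain: ip" (as in the log above).
smtp_login_counts() {
    awk '/vchkpw-smtp: .*login success/ {
            sub(/.*login success[ \t]*/, "")
            n = split($0, p, ":")
            if (n < 2) next
            acct = p[1]; ip = p[n]
            gsub(/^[ \t]+|[ \t]+$/, "", acct)
            gsub(/^[ \t]+|[ \t]+$/, "", ip)
            c[acct " " ip]++
        }
        END { for (k in c) print c[k], k }' | sort -rn
}

# Keep only (account, ip) pairs with at least $1 successful logins.
flag_suspicious_logins() {
    smtp_login_counts | awk -v t="$1" '$1 >= t'
}

# Usage: anything authenticating 3 or more times from one address.
printf '%s\n' "$SAMPLE_VPOPMAIL_LOG" | flag_suspicious_logins 3
```

On a real server, feed it the live file instead: grep 'login success' /var/log/kloxo/maillog | flag_suspicious_logins 50.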

Fix

This means the email address charity@************ has been compromised: its password has become known to a third party, and it was used to send spam via the IP XX.XX.XX.XX. So, to stop this, change the password and block this IP.

=======================================================================================

Delete the mails from queue

To delete the spam mails, filter the mails and remove it from the queue.

egrep -ir "support@mastercard.de" /var/qmail/queue/mess
/var/qmail/queue/mess/17/105656:To: support@mastercard.de
/var/qmail/queue/mess/17/105656:Return-Path: <support@mastercard.de>
/var/qmail/queue/mess/17/105656:Return-Path: <support@mastercard.de>
/var/qmail/queue/mess/17/105656:From: MasterCard <support@mastercard.de>
/var/qmail/queue/mess/17/101125:To: support@mastercard.de
/var/qmail/queue/mess/17/101125:Return-Path: <support@mastercard.de>

egrep -ir "support@mastercard.de|www.sascho54@yahoo.de|Unser Sicherheitsteam hat Ihre Kreditkarte gesperrt" /var/qmail/queue/mess
/var/qmail/queue/mess/17/105656:To: support@mastercard.de
/var/qmail/queue/mess/17/105656:Return-Path: <support@mastercard.de>
/var/qmail/queue/mess/17/105656:Return-Path: <support@mastercard.de>
/var/qmail/queue/mess/17/105656:From: MasterCard <support@mastercard.de>
/var/qmail/queue/mess/17/100458:Subject: Unser Sicherheitsteam hat Ihre Kreditkarte gesperrt!
/var/qmail/queue/mess/17/101125:To: support@mastercard.de
/var/qmail/queue/mess/17/101125:Return-Path: <support@mastercard.de>

/usr/local/script/qmqtool -d -f "Unser Sicherheitsteam hat Ihre Kreditkarte gesperrt"

This will delete the spam mails. You can filter by email address also.
==================================================

That’s it 🙂

Email forwarders

Posted: April 5, 2016 in Linux

cPanel mail forwarder file location (backend)

=======

/etc/valiases/{domain}

=======

If

info@domain.com:caty@example.com

means the email address caty@example.com will be forwarded to info@domain.com

To take a backup of all servers

/script/backup --class=client --name=admin

To restore all accounts

/script/restore --restore --accounts=all <backup-file-path>


PHP Handlers

Posted: March 31, 2016 in CPANEL, Linux

A PHP handler is an Apache module. It contains the libraries the Apache web server uses to interpret and run PHP code. For a website to run a PHP script, the server must load a PHP code library to generate the page when visitors access the site. The web server interprets the code based on which PHP version is installed, such as PHP 5.5. The PHP handler is what actually loads these libraries into the web server so that the code can be interpreted.

By default, 4 PHP handlers are offered by WHM/cPanel.

1. DSO

2. SuPHP

3. CGI

4. FastCGI

DSO

  • Other name: mod_php
  • Older configuration
  • High speed: considered the fastest handler
  • It runs PHP directly from Apache, i.e. PHP scripts run as the Apache user, "nobody"
  • So files should be owned by "nobody" and have write permissions for it (files: 664, user nobody; directories: 775, user nobody)
  • Less resource usage
  • Security is a concern

SuPHP

* Runs PHP as a separate service

* Low memory consumption

* It consists of 2 parts:

  • mod_suphp - An Apache module that directs Apache to run the suphp program when Apache receives a PHP request.
  • suphp - A program that changes the owner that executes the PHP scripts. Apache executes each PHP script with the permissions of the owner of the request.

* Technically a CGI module, but much different from CGI

* With suEXEC enabled it runs the PHP scripts as the user calling them

* Main advantage: tracking down websites using excessive resources is easier

* Simplifies the overall permissions scheme: 644 and user:user for files, and similarly 755 and user:user for directories.

* Security: an exploit can't cross all accounts, but it affects every single file of the particular account that is exploited.

Disadvantages:

High CPU load and lower speed than other handlers

CGI

    • Runs PHP as a CGI module as opposed to an Apache module.
    • The CGI method is intended as a fallback handler for when DSO is not available.

This method is neither fast nor secure, regardless of whether or not suEXEC is enabled.

  • Not recommended for use

FastCGI

*  mod_fcgid

*  Similar to suPHP in that it is a separate process that compiles the PHP, which is then sent back to Apache.

* It is also a CGI module, which means that with suEXEC enabled PHP runs the process as the user.

* Good permission scheme like suPHP

Disadvantage

>> High memory usage

How to determine which PHP handler is set on the server.

2 methods:

  1. By command line: if the path to rebuild_phpconf is /usr/local/cpanel/bin/rebuild_phpconf, then use the command below.

    /usr/local/cpanel/bin/rebuild_phpconf --current
    Available handlers: suphp dso fcgi cgi none
    DEFAULT PHP: 5
    PHP4 SAPI: none
    PHP5 SAPI: suphp
    SUEXEC: enabled
    RUID2: not installed

PHP Handler: suphp

The following command also lists the available php handlers

# /usr/local/cpanel/bin/rebuild_phpconf --available
Available handlers: suphp dso fcgi cgi none
PHP4 SAPI: cgi
PHP5 SAPI: cgi-fcgi
SUEXEC: available
RUID2: not available

2. Create a phpinfo.php file under the root of your website and put the following script into the file:

<?php phpinfo(); ?>

Then access your website with this URL:

www.yourwebsite.com/phpinfo.php


Domain missing in /etc/userdomains

Posted: February 13, 2016 in Linux

If the file /etc/userdomains is not showing an active domain, do the following steps to resolve the issue.

# mv /etc/trueuserowners /etc/trueuserowners1

# /scripts/updateuserdomains

The result may be "warn [updateuserdomains] safeunlock: Invalid arguments"; in that case run it again:

# /scripts/updateuserdomains

Now the file shows the missing domain name.

Email account compromised

Posted: July 6, 2015 in Linux

An email account is getting bombarded by ‘Undeliverable’ messages.
Email account : account@domain.com
domain.com’s IP : 1.1.1.1

We shall check the log file.

grep account@domain.com /var/log/exim_mainlog

Error
=====
1XSari-0006qr-Bv SMTP error from remote mail server after MAIL FROM:<account@domain.com> SIZE=3523: host mta7.am0.yahoodns.net [98.136.216.25]: 421 4.7.0 [TS01] Messages from 1.1.1.1 temporarily deferred due to user complaints – 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
=====

There should also be a number of emails (undelivered messages) from the email account account@domain.com.

Fix
===

The email account “account@domain.com” has been used to send suspicious email and thus the mail account’s password would appear to have been compromised and become known to a third party.

* Change the email account’s password
* Clear the queue

Prior to using the new password,

* Run a virus scan
* Update software and plugins, and apply operating system security updates
* Upgrade Oracle Java, Adobe Flash and Adobe Reader to the latest secure release

Posted: July 6, 2015 in Linux

To fix Exim email issues, we should understand the logs.

In a cPanel server the Exim email logs are stored in three files:

  1. /var/log/exim_mainlog
  2. /var/log/exim_rejectlog
  3. /var/log/exim_paniclog

Of these, all logs are recorded in exim_mainlog. Rejected email logs are classified into exim_rejectlog, and if the Exim server gets stuck or fails, those logs are recorded in exim_paniclog. Most of the time, though, we check /var/log/exim_mainlog to find out the email issues.

/var/log/exim_mainlog

Before reading the log, it's better to be aware of the following symbols:

<= (a message was received by the server, e.g. from an outside mail server)

=> (the message was delivered to the outside mail server)

-> (additional address in the same delivery)

*> (delivery suppressed by -N)

** (delivery failed; address bounced)

== (delivery deferred; temporary problem)


Reading a Successful Transaction:

Let's start picking apart a successful transaction. Below are the email logs of a successful transaction:


2013-03-10 15:52:00 SMTP connection from [127.0.0.1]:35405 (TCP/IP connection count = 1)

2013-03-10 15:52:00 SMTP connection identification H=localhost A=127.0.0.1 P=35405 U=USER ID=1195 S=USER B=identify_local_connection

2013-03-10 15:52:00 1UEcvA-0004yA-9K <= test@domain.com H=localhost.localdomain ([***.***.***.***]) [127.0.0.1]:35405 P=esmtpa A=courier_login:test@domain.com S=805 id=f008291981178ae1333d69e68cd2e676.squirrel@***.***.***.*** T="Test email from support department to recipient.com" for supp0rt_test@reciever.com

2013-03-10 15:52:00 SMTP connection from localhost.localdomain ([***.***.***.***]) [127.0.0.1]:35405 closed by QUIT

2013-03-10 15:52:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UEcvA-0004yA-9K

2013-03-10 15:52:00 1UEcvA-0004yA-9K SMTP connection outbound 1362909120 1UEcvA-0004yA-9K domain.com supp0rt_test@reciever.com

2013-03-10 15:52:01 1UEcvA-0004yA-9K => supp0rt_test@reciever.com R=dkim_lookuphost T=dkim_remote_smtp H=recipientmailserver.net [***.***.***.***]

2013-03-10 15:52:01 1UEcvA-0004yA-9K Completed

First line: It tells you the server the email was sent from. It may be your localhost (i.e. 127.0.0.1, mostly for outgoing emails) or any other IP.

Second line: The item in this line starting with "H=" specifies the hostname of the server the mail originates from.

Third line: Shows the internal email message ID immediately after the date and time. It also contains the "<=" symbol, meaning the email is an outgoing email from the server from the email address test@domain.com, along with the authentication of the email account (see A=courier_login), which shows which webmail client (squirrel) was used. It also contains the subject of the email and the recipient address.

Fourth line: The email connection from the email client for that internal email ID is being closed.

Fifth line: The email is being queued in /var/spool/exim.

Sixth line: The mail server sent a connection request to the recipient email server; this is logged as an outbound email connection (connection establishment).

Seventh line: Once the connection to the remote email server is established, the email is sent to the recipient.

Eighth line: "Completed" means the email was sent successfully.


Change cPanel Port

Posted: July 6, 2015 in CPANEL

You can change the cPanel port in the /var/cpanel/cpanel.config file. Search for this line:
--------------------
port=2082
--------------------
After changing the port, run these two commands for it to take effect:

# /usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings
# /etc/init.d/httpd restart

WP login page redirects to old site

Posted: June 23, 2015 in Linux

Recently I faced an issue with the WordPress login page. If I enter the username and password for the URL http://example.uk/wp-login.php, it redirects to my old site http://example.com/wp-login.php. If I click "Lost Password", it redirects to http://example.com/wp-login.php?action=lostpassword.

Reason
=====

Every CMS, such as WordPress, Joomla, Drupal or Magento, has a base URL. If we migrate the files, folders and database to another domain, we must change the base URL; only then does the CMS work correctly. We can do this from wp-admin or from the location where all those settings are saved. All the general settings are saved in the table "Wp_options" of the account's database.

Fix
====
Database -> Wp_Options

We have to edit
site_url as http://example.uk (new)
home as http://example.uk (new)