In case of a Plesk server, we can get the admin password by running the following command at server's command prompt.
==
"%plesk_bin%\plesksrvclient" -get
==
In case of Linux server, the password is stored at 'cat /etc/psa/.psa.shadow' or use /usr/local/psa/bin/admin --show-password.
For more information, please refer:
http://kb.parallels.com/en/473
http://kb.parallels.com/en/387
Friday, March 22, 2013
Mod Security Rules
Configuration
The basic
modsecurity.conf looks like the following code:<IfModule mod_security.c># Turn the filtering engine On or OffSecFilterEngine On# The audit engine works independently and can be turned# On or Off on a per-server or per-directory basisSecAuditEngine RelevantOnly# Make sure that URL encoding is validSecFilterCheckURLEncoding On# Unicode encoding checkSecFilterCheckUnicodeEncoding On# Only allow bytes from this rangeSecFilterForceByteRange 1 255# Cookie format checks.SecFilterCheckCookieFormat On# The name of the audit log fileSecAuditLog logs/audit_log# Should mod_security inspect POST payloadsSecFilterScanPOST On# Default action setSecFilterDefaultAction "deny,log,status:500"</IfModule> |
Now, let’s look at some basic configuration directives:
SecFilterEngine: When set to On (that is,SecFilterEngine On), it starts monitoring requests. It isOff(disabled) by default.SecFilterScanPOST: WhenOn, enables scanning the request body/POST payload.SecFilterScanOutput: WhenOn, enables scanning the response body also.
Similarly, to check URL encoding, you can use
SecFilterCheckURLEncoding; to control request body buffering, use SecRequestBodyAccess; to control what happens once the response body limit is reached, use SecResponseBodyLimitAction; and to specify the response body buffering limit, use SecResponseBodyLimit.The full list of configuration directives, their usage and syntax is at available on modsecurity.org.
Rules — the basics
The
mod_security rule engine is where gathered data is checked for any malicious or particular content. Rules are directives in the configuration file that decide what to do with the data parsed by the configuration directives. The rule language is a vast topic; we’ll only discuss basic rule-writing syntax, and rule directives to secure Web applications from all the attacks we’ve discussed so far.The main directive used to create rules is
SecRule, whose syntax is as follows:SecRule VARIABLES OPERATOR [ ACTIONS] |
VARIABLES: Specify which places to check in an HTTP transaction.mod_securitypreprocesses raw transaction data, making it easy for rules to focus on the logic of detection. Currently, variables are divided into request, server, and response variables, parsing flags and time variables. You can use multiple variables in a single rule with the|operator.OPERATORS: Specify a regular expression, pattern or keyword to be checked in the variable(s). There are four types of operators: string-matching, numerical, validation and miscellaneousoperators. Operators always begin with a@character, and are always followed by a space.ACTIONS: Specify what to do if the rule evaluates to “true” — step on to another rule, display an error message, or any other task. Actions are divided into seven categories: disruptive,flow, metadata, variable, logging, special and miscellaneous actions.
Here is a simple example of a rule:
SecRule ARGS|REQUEST_HEADERS "@rx <script" id:101,msg: 'XSSAttack', severity:ERROR,deny,status:404 |
Here,
ARGS and REQUEST_HEADERS are variables (request parameters and request headers, respectively); @rx is the operator used to match a pattern in the variables (here, this pattern is<script); id, msg, severity, deny and status are all actions to be performed if the pattern is matched. This rule is used to avoid XSS attacks by checking for a <script pattern in the request parameters and header, and generates an 'XSS Attack' message. The id:101 is given to the rule; it will deny any matching request with a 404 status response.Let’s look at another example, for more clarity:
SecRule ARGS:username "@streq admin" chain,denySecRule REMOTE_ADDR "!@streq 192.168.1.1" |
This is an example of chaining two rules, and the transfer of control to another rule if the first rule holds true. The first rule checks for the string admin in the request’s username parameter. If found, the second rule will be activated, which denies all such requests that are not from the
192.168.1.1 IP address. Thus, chaining rules help to create complex rules.Now, writing filtering rules for each attack will be very cumbersome, and also prone to human error. Here,
mod_security provides users with another directive, SecFilter. This looks for a keyword in the request. It will be applied to the first line of the request (the one that looks like GET /index.php?parameter=value HTTP/1.0). In case of POST requests, the body of the request will be searched too (provided request body buffering is enabled). All pattern matches are case-insensitive, by default. The syntax for SecFilter is SecFilter KEYWORD.Rules against major attacks
Let’s look at some rules to prevent major attacks on Web applications.
SQL injection
Suppose you have an application that is vulnerable to SQL-injection attacks. An attacker could try to delete all records from a MySQL table, like this:
http://www.example.com/login.php?user=arpit';DELETE%20FROM%20users-- |
This can be prevented with the following directive:
SecFilter "delete[[:space:]]+from" |
Whenever such a request is caught by the filter, something similar to the following code is logged to
audit_log:========================================Request: 192.168.0.207 - - [04/Jul/2006:23:43:00 +1200] "GET /login.php?user=tom';DELETE%20FROM%20users-- HTTP/1.1" 500 1215Handler: (null)----------------------------------------GET /login.php?user=arpit';DELETE%20FROM%20users-- HTTP/1.1Host: 192.168.0.100User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Connection: keep-alivemod_security-message: Access denied with code 500. Pattern match "delete[[:space:]]+from" at THE_REQUESTmod_security-action: 500HTTP/1.1 500 Internal Server ErrorLast-Modified: Fri, 21 Oct 2005 14:30:18 GMTETag: "8238-4bf-833a5280"Accept-Ranges: bytesContent-Length: 1215Connection: closeContent-Type: text/html |
In response to the attack,
SecFilterDefaultAction is applied (the request is denied, logged, and the attacker gets a 500 error). If you want a different action to take place (like, redirect the request to a HTML page that can provide customised warning content), you can specify this in the rule, as follows:SecFilter "delete[[:space:]]+from" log,redirect:http://example.com/invalid_request.html |
To prevent more SQL injection attacks, we can add a few other directives like:
SecFilter "insert[[:space:]]+into"SecFilter "select.+from"SecFilter "drop[[:space:]]table"SecFilter create[[::space:]]+tableSecFilter update.+set.+=SecFilter union.+selectSecFilter or.+1[[:space:]]*= [[:space:]]1SecFilter '.+--SecFilter xp_enumdsnSecFilter xp_cmdshellSecFilter xp_regreadSecFilter xp_regwriteSecFilter xp_regdeletekey |
The last five are particularly used for MS SQL server-specific injection attacks.
The only problem with
SecFilter is that it scans the whole request instead of particular fields. Here, SecFilterSelective is useful; it allows you to choose exactly what to search. The syntax is:SecFilterSelective LOCATION KEYWORD [ACTIONS] |
Here,
LOCATION decides which area of the request to be filtered. Hence, for SQL injection, you can also use:SecFilterSelective SCRIPT_FILENAME "login.php" chainSecFilterSelective ARG_user "!^[a-zA-Z0-9\.@!]{1,10}$" |
The above code will validate the user parameter, and allow only the white-list of characters we have given. If for some reason you cannot take this approach, and must use a deny-what-is-badmethod, then at least remove single quotes (
'), semicolons (;), dashes, hyphens (-), and parenthesis (()).XSS attacks
For XSS attacks, we can use the following directives:
SecFilter "<(.|\n)+>"SecFilter "<[[:space:]]*script"SecFilter "<script"SecFilter "<.+>" |
And also, some additional filters like:
SecFilterSelective THE_REQUEST "<[^>]*meta*\"?[^>]*>"SecFilterSelective THE_REQUEST "<[^>]*style*\"?[^>]*>"SecFilterSelective THE_REQUEST "<[^>]*script*\"?[^>]*>"SecFilterSelective THE_REQUEST "<[^>]*iframe*\"?[^>]*>"SecFilterSelective THE_REQUEST "<[^>]*object*\"?[^>]*>"SecFilterSelective THE_REQUEST "<[^>]*img*\"?[^>]*>"SecFilterSelective THE_REQUEST "<[^>]*applet*\"?[^>]*>"SecFilterSelective THE_REQUEST "<[^>]*form*\"?[^>]*>" |
Though these filters will detect a large number of XSS attacks, they are not foolproof. Due to the multitude of different scripting languages, it is possible for an attacker to create many different methods for implementing an XSS attack that would bypass these filters. Hence, here it is advised that you also keep on adding your own filters.
To protect against an XSS attack done via PHP session cookies, you can use the following:
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$" |
Command execution attacks
For command execution attacks, you can use the following directives:
SecFilter /etc/passwordSecFilter /bin/ls |
Here, the attacker may try to use a string like
/bin/./sh to bypass the filter — butmod_security automatically reduces /./ to / and // to /, and also decodes URL-encoded characters. You can also use the white-list approach:SecFilterSelective SCRIPT_FILENAME "directory.php" chainSecFilterSelective ARG_dir "!^[a-zA-Z/_-\.0-9]+$" |
This chained rule-set will only allow letters, numbers, underscore, dash, forward slash, and period in the
dir parameter. Filtering out command directory names is also a good option, and can be done as follows:SecFilterSelective THE_REQUEST "/^(etc|bin|sbin|tmp|var|opt|dev|kernel)$/"SecFilterSelective ARGS "bin/" |
Session fixation
During session fixation, in one of its phases, the attacker needs to somehow inject the desired session ID into the victim’s browser. We can mitigate these issues by implementing the following:
# Weaker XSS protection, but allows common HTML tagsSecFilter "<[[:space:]]*script"# Prevent XSS attacks (HTML/Javascript injection)SecFilter "<.+>"# Block passing Cookie/Session IDs in the URLSecFilterSelective THE_REQUEST "(document\.cookie|Set-Cookie|SessionID=)" |
Directory traversal attacks
For path/directory traversal attacks, the following directives are mostly used:
SecFilter "\.\./"SecFilterSelective SCRIPT_FILENAME "/scripts/foo.cgi" chainSecFilterSelective ARG_home "!^[a-zA-Z].{15,}\.txt" |
The last two filters are chained, and will reject all parameters to the
home argument that is a filename of more than 15 alpha characters, and that doesn’t have a .txt extension.Similarly, you can prevent predictable resource location attacks also, and protect against sensitive file misuse, with two recommended solutions. First, remove files that are not intended for public viewing from all Web server-accessible directories. After this, you can create security filters to identify if someone probes for these files:
SecFilterSelective REQUEST_URI "^/(scripts|cgi-local|htbin|cgibin|cgis|win-cgi|cgi-win|bin)/"SecFilterSelective REQUEST_URI ".*\.(bak|old|orig|backup|c)$" |
These two filters will deny access to both — unused, but commonly scanned for directories, and files with common backup extensions.
Web pages that are dynamically created by the directory-indexing function will have a title that starts with “Index of /”. We can use this as a signature, and add the following directives to catch and deny access to this data:
SecFilterScanOutput OnSecFilterSelective OUTPUT "\<title\>Index of /" |
Information leakage
Here, we are introduced to the OUTPUT filtering capabilities of mod_security, which you should enable by adding
SecFilterScanOutput On in the configuration file. We can easily set up a filter to watch for common database error messages being sent to the client, and then generate a generic 500 status code instead of the verbose message:SecFilterScanOutput OnSecFilterSelective OUTPUT "An Error Has Occurred" status:500SecFilterSelective OUTPUT "Fatal error:" |
Output filtering can also be used to detect successful intrusions. These rules will monitor output, and detect typical keywords resulting from a command execution on the server.
SecFilterSelective OUTPUT "Volume Serial Number"SecFilterSelective OUTPUT "Command completed"SecFilterSelective OUTPUT "Bad command or filename"SecFilterSelective OUTPUT "file(s) copied"SecFilterSelective OUTPUT "Index of /cgi-bin/"SecFilterSelective OUTPUT ".*uid\=\(" |
Secure file uploads
mod_security is capable of intercepting files uploaded through POST requests and multi-part/form-data encoding through PUT requests. It will always upload files to a temporary directory. You can choose the directory using the SecUploadDir directive:SecUploadDir /tmp |
It is better to choose a private directory for file storage, somewhere that only the Web server user account is allowed access. Otherwise, other server users may be able to access files uploaded through the Web server. You can choose to execute an external script to verify a file before it is allowed to go through to the application. The
SecUploadApproveScript directive enables this, like the following example:SecUploadApproveScript /usr/local/apache/bin/upload_verify.pl |
RFI attacks
RFI attacks are generally easy to detect, with something like the following directive:
SecRule ARGS “@rx (?i)^(f|ht)tps?://([^/])” msg:’Remote File Inclusion attack’# To detect inclusions containing IP addressSecRule ARGS "@rx (ht|f)tps?://([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])" msg:'Remote File Inclusion attack'#To detect inclusions containing PHP function ‘include()’SecRule ARGS "@rx \binclude\s*\([\w|\s]*(ht|f)tps?://" "msg:'Remote File Inclusion'"# To detect inclusion ending with ‘?’SecRule ARGS "@rx (ft|htt)ps?.*\?+$" msg:'Remote File Inclusion' |
Miscellaneous security features
You can also block IP addresses by the following command:
SecFilterSelective "REMOTE_ADDR" "^192.168.1.1$" |
If you have an input field URL in your comment form, and you want to scan the value of URL for the string
c99, you do it as follows:SecFilterSelective "ARG_url" "c99" |
The following configuration helps fight HTTP fingerprinting, and accepts only valid protocol versions:
SecFilterSelective SERVER_PROTOCOL !^HTTP/(0\.9|1\.0|1\.1)$ |
The following configuration allows supported request methods only, and helps fight XST attacks:
SecFilterSelective REQUEST_METHOD !^(GET|HEAD|POST)$ |
Often during the reconnaissance phase, attackers look for the Web server identity and version. Web servers typically send their identity with every HTTP response, in the Server header. Apache is particularly helpful here; it not only sends its name and full version, by default, but also allows server modules to append their versions. Here, you can confuse the attackers by using something like:
SecServerSignature "Microsoft-IIS/5.0" |
PHP code cannot be injected directly, but it may be possible to have code recorded on disk to be executed later, using an LFI attack. The following rule will detect such an injection attempt, but will ignore XML documents, which use similar syntax:
SecRule ARGS "@rx <\?(?!xml)" |
Logging
There are three places where, depending on the configuration, you may find
mod_securitylogging information:mod_securitydebug log: If enabled via theSecFilterDebugLevelandSecFilterDebugLogdirectives, it contains a large number of entries for every request processed. Each log entry is associated with a log level, which is a number from 0 (no messages at all) to 4 (maximum logging). You normally keep the debug log level at 0, and increase it only when you are debugging your rule set.- Apache error log: Some of the messages from the debug log will make it into the Apache error log (even if you set
mod_securitydebug log level to 0). These are the messages that require an administrator’s attention, such as information about requests being rejected. mod_securityaudit log: When audit logging is enabled (using theSecAuditEngineandSecAuditLogdirectives),mod_securitycan record each request (and its body, provided request body buffering is enabled) and the corresponding response headers.
Here is an example of an error message resulting from invalid content discovered in a cookie:
[Tue Jun 26 17:44:36 2011] [error] [client 127.0.0.1]mod_security: Access denied with code 500. Pattern match "!(^$|^[a-zA-Z0-9]+$)"at COOKIES_VALUES(sessionid) [hostname "127.0.0.1"][uri "/test.php"] [unique_id 3434fvnij54jktynv45fC8QQQQAB] |
The message indicates that the request was rejected (“Access denied”) with an HTTP
500response because the content of the cookie sessionid contained content that matched the pattern !(^$|^[a-zA-Z0-9]+$). (The pattern allows a cookie to be empty, but if it is not, it must consist only of one or more letters and digits.)Note: I once again stress that neither LFY nor myself are responsible for the misuse of the information given here. Any attack techniques described here are meant to give you the knowledge that you need to protect your own infrastructure. Please use the tools and techniques sensibly.
This article has just scratched the surface of
mod_security. For more details on rule writing and other important directives, please refer to ModSecurity Handbook by Ivan Ristic — a must-read book for anyone interested in this topic.We will deal with other ways to secure Apache in the next article. Always remember: Know hacking, but no hacking.
Script to change the name servers server wide .
ll /var/named/ |awk -F " " '{print$9}'|grep .db > account
for i in "$(cat account)"; do sed -i -e "s/ns1.privatedns.com/ns3.flashattractions.com/g" ;done
for i in "$(cat account)"; do sed -i -e "s/ns1.privatedns.com/ns3.flashattractions.com/g" ;done
MYSQL Issue:- ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
[root@servert1 ~]# /etc/init.d/mysqld stop
Stopping MySQL: [ OK ]
[root@servert1 ~]# mysqld_safe --skip-grant-tables &
[1] 13694
[root@servert1 ~]# Starting mysqld daemon with databases from /var/lib/mysql
root@servert1 ~]# mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> update user set password=PASSWORD("testpass") where User='root';
ERROR 1046 (3D000): No database selected
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| test |
+--------------------+
3 rows in set (0.13 sec)
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------+
17 rows in set (0.00 sec)
mysql> update user set password=PASSWORD("testpass") where User='root';
Query OK, 3 rows affected (0.05 sec)
Rows matched: 3 Changed: 3 Warnings: 0
mysql> flush privileges;
Query OK, 0 rows affected (0.04 sec)
mysql> quit
Bye
[root@servert1 ~]# /etc/init.d/mysql restart
bash: /etc/init.d/mysql: No such file or directory
[root@servert1 ~]# /etc/init.d/mysqld restart
STOPPING server from pid file /var/run/mysqld/mysqld.pid
101120 04:17:15 mysqld ended
Stopping MySQL: [ OK ]
Starting MySQL: [ OK ]
[1]+ Done mysqld_safe --skip-grant-tables
root@servert1 ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> quit
Bye
Stopping MySQL: [ OK ]
[root@servert1 ~]# mysqld_safe --skip-grant-tables &
[1] 13694
[root@servert1 ~]# Starting mysqld daemon with databases from /var/lib/mysql
root@servert1 ~]# mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> update user set password=PASSWORD("testpass") where User='root';
ERROR 1046 (3D000): No database selected
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| test |
+--------------------+
3 rows in set (0.13 sec)
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------+
17 rows in set (0.00 sec)
mysql> update user set password=PASSWORD("testpass") where User='root';
Query OK, 3 rows affected (0.05 sec)
Rows matched: 3 Changed: 3 Warnings: 0
mysql> flush privileges;
Query OK, 0 rows affected (0.04 sec)
mysql> quit
Bye
[root@servert1 ~]# /etc/init.d/mysql restart
bash: /etc/init.d/mysql: No such file or directory
[root@servert1 ~]# /etc/init.d/mysqld restart
STOPPING server from pid file /var/run/mysqld/mysqld.pid
101120 04:17:15 mysqld ended
Stopping MySQL: [ OK ]
Starting MySQL: [ OK ]
[1]+ Done mysqld_safe --skip-grant-tables
root@servert1 ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> quit
Bye
.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
If you are getting “(13)Permission denied: /home/username/public_html/shop/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable, referer: http://www.yourdomain.com/shop/index.html” error in apache error logs file /usr/local/apache/logs/error_log as well as the site is showing 403 Forbidden Error.
Then first please check the permissions of your folder and .htaccess file because folder permission are most likely 755 and .htaccess permission 644. Permissions can be changed via FTP or SSH.
In case you still are getting the same problem, then it might be the Frontpage Extensions causing the problem. To fix:
* Login into your CPanel account
* Click on Frontpage Extensions icon
* Click on Reinstall extensions button beside your problem domain.
* Done.
(make sure to have a backup copy of your data before reinstalling Frontpage)
And the site is showing “403 Forbidden Error”.
At first, I suspect it’s .htaccess problem, but actually it’s caused by Frontpage Extension.
To solve “.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable” follow the steps below:-
* Login into your CPanel account
* Click on “Frontpage Extensions” icon
* Click on “Reinstall extensions” button beside your problem domain.
*If you do not use any frontpage extensions, it’s good to uninstall this extension
* Done. The “.htaccess pcfg_openfile: unable to check htaccess file” problem has been fixed.
** If you are not on CPanel hosting, please contact your system administrator to fix the problem. ***
http://help.directadmin.com/item.php?id=363
Then first please check the permissions of your folder and .htaccess file because folder permission are most likely 755 and .htaccess permission 644. Permissions can be changed via FTP or SSH.
In case you still are getting the same problem, then it might be the Frontpage Extensions causing the problem. To fix:
* Login into your CPanel account
* Click on Frontpage Extensions icon
* Click on Reinstall extensions button beside your problem domain.
* Done.
(make sure to have a backup copy of your data before reinstalling Frontpage)
And the site is showing “403 Forbidden Error”.
At first, I suspect it’s .htaccess problem, but actually it’s caused by Frontpage Extension.
To solve “.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable” follow the steps below:-
* Login into your CPanel account
* Click on “Frontpage Extensions” icon
* Click on “Reinstall extensions” button beside your problem domain.
*If you do not use any frontpage extensions, it’s good to uninstall this extension
* Done. The “.htaccess pcfg_openfile: unable to check htaccess file” problem has been fixed.
** If you are not on CPanel hosting, please contact your system administrator to fix the problem. ***
http://help.directadmin.com/item.php?id=363
Thursday, March 21, 2013
Configuration File name for Scripts.
Configuration File name for Scripts.
Usually there are many scripts available and they have different configuration file name using which we can use to update the configuration of website and it does include database username and password details.
If you have root or shell access you can locate the file under using below cmd, but make sure are are in the correct document root of the domain.
find . -type f -name “config_file”
i.e
find . -type f -name “wp-config.php”
Below are the Configuration file name for the scripts.
WordPress >> wp-config.php
Joomla >> configuration.php
Drupal >> sites/default/settings.php
osCommerce >> includes/configure.php
admin/includes/configure.php
Cube Cart >> includes/global.inc.php
Zen Cart >> includes/configure.php
admin/includes/configure.php
PHPlist >> config/config.php
Magento >> app/etc/local.xml
Mambo >> configuration.php
MyBB >> inc/config.php
SMF >> Settings.php
Soholaunch >> sohoadmin/config/isp.conf.php
B2 Evolution >> conf/_basic_config.php
Boonex Dolphin >> inc/header.inc.php
Coppermine Photo Gallery >> include/config.inc.php
dotProject >> includes/config.php
FAQMasterFlex >> faq_config.php
Geeklog >> db-config.php
siteconfig.php
ib-common.php
Noahs Classifieds >> app/config.php
Moodle >> config.php
Gallery >> config.php
Nucleus >> config.php
PHP-Nuke >> config.php
phpBB >> config.php
Post-Nuke >> config.php
Siteframe >> config.php
phpWCMS >> include/inc_conf/conf.inc.php
phpWebSite >> conf/config.php
PhpWiki >> admin.php
lib/config.php
TYPO3 >> typo3conf/localconf.php
vBulletin >> includes/config.php
WebCalendar >> includes/settings.php
Xoops >> mainfile.php
Usually there are many scripts available and they have different configuration file name using which we can use to update the configuration of website and it does include database username and password details.
If you have root or shell access you can locate the file under using below cmd, but make sure are are in the correct document root of the domain.
find . -type f -name “config_file”
i.e
find . -type f -name “wp-config.php”
Below are the Configuration file name for the scripts.
WordPress >> wp-config.php
Joomla >> configuration.php
Drupal >> sites/default/settings.php
osCommerce >> includes/configure.php
admin/includes/configure.php
Cube Cart >> includes/global.inc.php
Zen Cart >> includes/configure.php
admin/includes/configure.php
PHPlist >> config/config.php
Magento >> app/etc/local.xml
Mambo >> configuration.php
MyBB >> inc/config.php
SMF >> Settings.php
Soholaunch >> sohoadmin/config/isp.conf.php
B2 Evolution >> conf/_basic_config.php
Boonex Dolphin >> inc/header.inc.php
Coppermine Photo Gallery >> include/config.inc.php
dotProject >> includes/config.php
FAQMasterFlex >> faq_config.php
Geeklog >> db-config.php
siteconfig.php
ib-common.php
Noahs Classifieds >> app/config.php
Moodle >> config.php
Gallery >> config.php
Nucleus >> config.php
PHP-Nuke >> config.php
phpBB >> config.php
Post-Nuke >> config.php
Siteframe >> config.php
phpWCMS >> include/inc_conf/conf.inc.php
phpWebSite >> conf/config.php
PhpWiki >> admin.php
lib/config.php
TYPO3 >> typo3conf/localconf.php
vBulletin >> includes/config.php
WebCalendar >> includes/settings.php
Xoops >> mainfile.php
Directory Structure of Cpanel
Directory Structure of Cpanel
=> Apache
==========
Quote:
/usr/local/apache
+ bin- apache binaries are stored here – httpd, apachectl, apxs
+ conf – configuration files – httpd.conf
+ cgi-bin
+ domlogs – domain log files are stored here
+ htdocs
+ include – header files
+ libexec – shared object (.so) files are stored here – libphp4.so,mod_rewrite.so
+ logs – apache logs – access_log, error_log, suexec_log
+ man – apache manual pages
+ proxy -
+ icons -
Init Script :/etc/rc.d/init.d/httpd – apache start script
Cpanel script to restart apache – /scripts/restartsrv_httpd
==========================================================
=> Exim
=========
Quote:
Conf : /etc/exim.conf – exim main configuration file
/etc/localdomains – list of domains allowed to relay mail
Log : /var/log/exim_mainlog – incoming/outgoing mails are logged here
/var/log/exim_rejectlog – exim rejected mails are reported here
/var/log/exim_paniclog – exim errors are logged here
Mail queue: /var/spool/exim/input
Cpanel script to restart exim – /scripts/restartsrv_exim
Email forwarders and catchall address file – /etc/valiases/domainname.com
Email filters file – /etc/vfilters/domainname.com
POP user authentication file – /home/username/etc/domainname/passwd
catchall inbox – /home/username/mail/inbox
POP user inbox – /home/username/mail/domainname/popusername/inbox
POP user spambox – /home/username/mail/domainname/popusername/spam
Program : /usr/sbin/exim (suid – -rwsr-xr-x 1 root root )
Init Script: /etc/rc.d/init.d/exim
==========================================================
=> ProFTPD
============
Quote:
Program :/usr/sbin/proftpd
Init Script :/etc/rc.d/init.d/proftpd
Conf: /etc/proftpd.conf
Log: /var/log/messages, /var/log/xferlog
FTP accounts file – /etc/proftpd/username – all ftp accounts for the domain are listed here
==========================================================
=> Pure-FTPD
=============
Quote:
Program : /usr/sbin/pure-ftpd
Init Script :/etc/rc.d/init.d/pure-ftpd
Conf: /etc/pure-ftpd.conf
Anonymous ftp document root – /etc/pure-ftpd/ip-address
==========================================================
=> Frontpage Extensions
=========================
Quote:
Program – (Install): /usr/local/frontpage/version5.0/bin/owsadm.exe
Uninstall and then install for re-installations
FP files are found as _vti-bin, _vti-pvt, _vti-cnf, vti-log inside the public_html
==========================================================
=> Mysql
===========
Quote:
Program : /usr/bin/mysql
Init Script : /etc/rc.d/init.d/mysql
Conf : /etc/my.cnf, /root/.my.cnf
Data directory – /var/lib/mysql – Where all databases are stored.
Database naming convention – username_dbname (eg: john_sales)
Permissions on databases – drwx 2 mysql mysql
Socket file – /var/lib/mysql/mysql.sock, /tmp/ mysql.sock
==========================================================
=> SSHD
===========
Quote:
Program :/usr/local/sbin/sshd
Init Script :/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
Log: /var/log/messages
==========================================================
=> Perl
===========
Quote:
Program :/usr/bin/perl
Directory :/usr/lib/perl5/5.8.8/
==========================================================
=> PHP
==========
Quote:
Program :/usr/local/bin/php, /usr/bin/php
ini file: /usr/local/lib/php.ini – apache must be restarted after any change to this file
php can be recomplied using /scripts/easyapache
==========================================================
=> Named(BIND)
================
Quote:
Program: /usr/sbin/named
Init Script: /etc/rc.d/init.d/named
/etc/named.conf
db records:/var/named/
/var/log/messages
==============================================
==>> Cpanel installation directory structure
==============================================
Quote:
/usr/local/cpanel
+ 3rdparty/ – tools like fantastico, mailman files are located here
+ addons/ – AdvancedGuestBook, phpBB etc
+ base/ – phpmyadmin, squirrelmail, skins, webmail etc
+ bin/ – cpanel binaries
+ cgi-sys/ – cgi files like cgiemail, formmail.cgi, formmail.pl etc
+ logs/ – cpanel access log and error log
+ whostmgr/ – whm related files
==========================================================
=> WHM related files
=======================
Quote:
/var/cpanel – whm files
+ bandwidth/ – rrd files of domains
+ username.accts – reseller accounts are listed in this files
+ packages – hosting packages are listed here
+ root.accts – root owned domains are listed here
+ suspended – suspended accounts are listed here
+ users/ – cpanel user file – theme, bwlimit, addon, parked, sub-domains all are listed in this files
+ zonetemplates/ – dns zone template files are taken from here
==========================================================
=> Common CPanel scripts
==========================
Quote:
cpanel/whm Scripts are located in /scripts/
+ addns – add a dns zone
+ addfpmail – Add frontpage mail extensions to all domains without them
+ addfpmail2 -Add frontpage mail extensions to all domains without them
+ addnetmaskips – Add the netmask 255.255.255.0 to all IPs that have no netmask
+ addnobodygrp – Adds the gorup nobody and activates security
+ addpop – add a pop account
+ addservlets – Add JSP support to an account (requires tomcat)
+ addstatus – (Internal use never called by user)
+ adduser – Add a user to the system
+ bandwidth – (OLD)
+ betaexim – Installs the latest version of exim
+ biglogcheck – looks for logs nearing 2 gigabytes in size
+ bsdcryptoinstall – Installs crypto on FreeBSD
+ bsdldconfig – Configures the proper lib directories in FreeBSD
+ bsdpkgpingtest – Tests the connection speed for downloading FreeBSD packages
+ buildbsdexpect – Install expect on FreeBSD
+ builddomainaddr – (OLD)
+ buildeximconf – Rebuilds exim.conf
+ buildpostgrebsd-dev – Installs postgresql on FreeBSD.
+ chcpass – change cpanel passwords
+ easyapache – recompile/upgrade apache and/or php
+ exim4 – reinstall exim and fix permissions
+ fixcommonproblems – fixes most common problems
+ fixfrontpageperm – fixes permission issues with Front Page
+ fixmailman – fixes common mailman issues
+ fixnamed – fixes common named issues
+ fixndc – fixes rndc errors with named
+ fixquotas – fixes quota problems
+ fullhordereset – resets horde database to a fresh one – all previous user data are lost
+ initquotas – initializes quotas
+ installzendopt – installs zend optimizer
+ killacct – terminate an account – make sure you take a backup of the account first
+ mailperm – fixes permission problems with inboxes
+ park – to park a domain
+ pkgacct – used to backup an account
+ restartsrv – restart script for services
+ restorepkg – restores an account from a backup file ( pkgacct file)
+ runlogsnow – update logs of all users
+ runweblogs – update stats for a particular user
+ securetmp – secures /tmp partition with options nosuexec and nosuid
+ suspendacct – suspends an account
+ unsuspendacct – unsuspends a suspended account
+ upcp – updates cpanel to the latest version
+ updatenow – updates the cpanel scripts
+ updateuserdomains – updates userdomain entries
==========================================================
=> Important cpanel/whm files
================================
Quote:
/etc/httpd/conf/httpd.conf – apache configuration file
/etc/exim.conf – mail server configuration file
/etc/named.conf – name server (named) configuration file
/etc/proftpd.conf – proftpd server configuration file
/etc/pure-ftpd.conf – pure-ftpd server configuration file
/etc/valiases/domainname – catchall and forwarders are set here
/etc/vfilters/domainname – email filters are set here
/etc/userdomains – all domains are listed here – addons, parked,subdomains along with their usernames
/etc/localdomains – exim related file – all domains should be listed here to be able to send mails
/var/cpanel/users/username – cpanel user file
/var/cpanel/cpanel.config – cpanel configuration file ( Tweak Settings )*
/etc/cpbackup-userskip.conf -
/etc/sysconfig/network – Networking Setup*
/etc/hosts -
/var/spool/exim -
/var/spool/cron -
/etc/resolv.conf – Networking Setup–> Resolver Configuration
/etc/nameserverips – Networking Setup–> Nameserver IPs ( FOr resellers to give their nameservers )
/var/cpanel/resellers – For addpkg, etc permissions for resellers.
/etc/chkserv.d – Main >> Service Configuration >> Service Manager *
/var/run/chkservd – Main >> Server Status >> Service Status *
/var/log/dcpumon – top log process
/root/cpanel3-skel – skel directory. Eg: public_ftp, public_html. (Account Functions–>Skeleton Directory )*
/etc/wwwacct.conf – account creation defaults file in WHM (Basic cPanel/WHM Setup)*
/etc/cpupdate.conf – Update Config *
/etc/cpbackup.conf – Configure Backup*
/etc/clamav.conf – clamav (antivirus configuration file )
/etc/my.cnf – mysql configuration file
/usr/local/Zend/etc/php.ini OR /usr/local/lib/php.ini – php configuration file
/etc/ips – ip addresses on the server (except the shared ip) (IP Functions–>Show IP Address Usage )*
/etc/ipaddrpool – ip addresses which are free
/etc/ips.dnsmaster – name server ips
/var/cpanel/Counters – To get the counter of each users.
/var/cpanel/bandwidth – To get bandwith usage of domains
=> Apache
==========
Quote:
/usr/local/apache
+ bin- apache binaries are stored here – httpd, apachectl, apxs
+ conf – configuration files – httpd.conf
+ cgi-bin
+ domlogs – domain log files are stored here
+ htdocs
+ include – header files
+ libexec – shared object (.so) files are stored here – libphp4.so,mod_rewrite.so
+ logs – apache logs – access_log, error_log, suexec_log
+ man – apache manual pages
+ proxy -
+ icons -
Init Script :/etc/rc.d/init.d/httpd – apache start script
Cpanel script to restart apache – /scripts/restartsrv_httpd
==========================================================
=> Exim
=========
Quote:
Conf : /etc/exim.conf – exim main configuration file
/etc/localdomains – list of domains allowed to relay mail
Log : /var/log/exim_mainlog – incoming/outgoing mails are logged here
/var/log/exim_rejectlog – exim rejected mails are reported here
/var/log/exim_paniclog – exim errors are logged here
Mail queue: /var/spool/exim/input
Cpanel script to restart exim – /scripts/restartsrv_exim
Email forwarders and catchall address file – /etc/valiases/domainname.com
Email filters file – /etc/vfilters/domainname.com
POP user authentication file – /home/username/etc/domainname/passwd
catchall inbox – /home/username/mail/inbox
POP user inbox – /home/username/mail/domainname/popusername/inbox
POP user spambox – /home/username/mail/domainname/popusername/spam
Program : /usr/sbin/exim (suid – -rwsr-xr-x 1 root root )
Init Script: /etc/rc.d/init.d/exim
==========================================================
=> ProFTPD
============
Quote:
Program :/usr/sbin/proftpd
Init Script :/etc/rc.d/init.d/proftpd
Conf: /etc/proftpd.conf
Log: /var/log/messages, /var/log/xferlog
FTP accounts file – /etc/proftpd/username – all ftp accounts for the domain are listed here
==========================================================
=> Pure-FTPD
=============
Quote:
Program : /usr/sbin/pure-ftpd
Init Script :/etc/rc.d/init.d/pure-ftpd
Conf: /etc/pure-ftpd.conf
Anonymous ftp document root – /etc/pure-ftpd/ip-address
==========================================================
=> Frontpage Extensions
=========================
Quote:
Program – (Install): /usr/local/frontpage/version5.0/bin/owsadm.exe
Uninstall and then install for re-installations
FP files are found as _vti-bin, _vti-pvt, _vti-cnf, vti-log inside the public_html
==========================================================
=> Mysql
===========
Quote:
Program : /usr/bin/mysql
Init Script : /etc/rc.d/init.d/mysql
Conf : /etc/my.cnf, /root/.my.cnf
Data directory – /var/lib/mysql – Where all databases are stored.
Database naming convention – username_dbname (eg: john_sales)
Permissions on databases – drwx 2 mysql mysql
Socket file – /var/lib/mysql/mysql.sock, /tmp/ mysql.sock
==========================================================
=> SSHD
===========
Quote:
Program :/usr/local/sbin/sshd
Init Script :/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
Log: /var/log/messages
==========================================================
=> Perl
===========
Quote:
Program :/usr/bin/perl
Directory :/usr/lib/perl5/5.8.8/
==========================================================
=> PHP
==========
Quote:
Program :/usr/local/bin/php, /usr/bin/php
ini file: /usr/local/lib/php.ini – apache must be restarted after any change to this file
php can be recomplied using /scripts/easyapache
==========================================================
=> Named(BIND)
================
Quote:
Program: /usr/sbin/named
Init Script: /etc/rc.d/init.d/named
/etc/named.conf
db records:/var/named/
/var/log/messages
==============================================
==>> Cpanel installation directory structure
==============================================
Quote:
/usr/local/cpanel
+ 3rdparty/ – tools like fantastico, mailman files are located here
+ addons/ – AdvancedGuestBook, phpBB etc
+ base/ – phpmyadmin, squirrelmail, skins, webmail etc
+ bin/ – cpanel binaries
+ cgi-sys/ – cgi files like cgiemail, formmail.cgi, formmail.pl etc
+ logs/ – cpanel access log and error log
+ whostmgr/ – whm related files
==========================================================
=> WHM related files
=======================
Quote:
/var/cpanel – whm files
+ bandwidth/ – rrd files of domains
+ username.accts – reseller accounts are listed in this files
+ packages – hosting packages are listed here
+ root.accts – root owned domains are listed here
+ suspended – suspended accounts are listed here
+ users/ – cpanel user file – theme, bwlimit, addon, parked, sub-domains all are listed in this files
+ zonetemplates/ – dns zone template files are taken from here
==========================================================
=> Common CPanel scripts
==========================
Quote:
cpanel/whm Scripts are located in /scripts/
+ addns – add a dns zone
+ addfpmail – Add frontpage mail extensions to all domains without them
+ addfpmail2 -Add frontpage mail extensions to all domains without them
+ addnetmaskips – Add the netmask 255.255.255.0 to all IPs that have no netmask
+ addnobodygrp – Adds the gorup nobody and activates security
+ addpop – add a pop account
+ addservlets – Add JSP support to an account (requires tomcat)
+ addstatus – (Internal use never called by user)
+ adduser – Add a user to the system
+ bandwidth – (OLD)
+ betaexim – Installs the latest version of exim
+ biglogcheck – looks for logs nearing 2 gigabytes in size
+ bsdcryptoinstall – Installs crypto on FreeBSD
+ bsdldconfig – Configures the proper lib directories in FreeBSD
+ bsdpkgpingtest – Tests the connection speed for downloading FreeBSD packages
+ buildbsdexpect – Install expect on FreeBSD
+ builddomainaddr – (OLD)
+ buildeximconf – Rebuilds exim.conf
+ buildpostgrebsd-dev – Installs postgresql on FreeBSD.
+ chcpass – change cpanel passwords
+ easyapache – recompile/upgrade apache and/or php
+ exim4 – reinstall exim and fix permissions
+ fixcommonproblems – fixes most common problems
+ fixfrontpageperm – fixes permission issues with Front Page
+ fixmailman – fixes common mailman issues
+ fixnamed – fixes common named issues
+ fixndc – fixes rndc errors with named
+ fixquotas – fixes quota problems
+ fullhordereset – resets horde database to a fresh one – all previous user data are lost
+ initquotas – initializes quotas
+ installzendopt – installs zend optimizer
+ killacct – terminate an account – make sure you take a backup of the account first
+ mailperm – fixes permission problems with inboxes
+ park – to park a domain
+ pkgacct – used to backup an account
+ restartsrv – restart script for services
+ restorepkg – restores an account from a backup file ( pkgacct file)
+ runlogsnow – update logs of all users
+ runweblogs – update stats for a particular user
+ securetmp – secures /tmp partition with options nosuexec and nosuid
+ suspendacct – suspends an account
+ unsuspendacct – unsuspends a suspended account
+ upcp – updates cpanel to the latest version
+ updatenow – updates the cpanel scripts
+ updateuserdomains – updates userdomain entries
==========================================================
=> Important cpanel/whm files
================================
Quote:
/etc/httpd/conf/httpd.conf – apache configuration file
/etc/exim.conf – mail server configuration file
/etc/named.conf – name server (named) configuration file
/etc/proftpd.conf – proftpd server configuration file
/etc/pure-ftpd.conf – pure-ftpd server configuration file
/etc/valiases/domainname – catchall and forwarders are set here
/etc/vfilters/domainname – email filters are set here
/etc/userdomains – all domains are listed here – addons, parked,subdomains along with their usernames
/etc/localdomains – exim related file – all domains should be listed here to be able to send mails
/var/cpanel/users/username – cpanel user file
/var/cpanel/cpanel.config – cpanel configuration file ( Tweak Settings )*
/etc/cpbackup-userskip.conf -
/etc/sysconfig/network – Networking Setup*
/etc/hosts -
/var/spool/exim -
/var/spool/cron -
/etc/resolv.conf – Networking Setup–> Resolver Configuration
/etc/nameserverips – Networking Setup–> Nameserver IPs ( FOr resellers to give their nameservers )
/var/cpanel/resellers – For addpkg, etc permissions for resellers.
/etc/chkserv.d – Main >> Service Configuration >> Service Manager *
/var/run/chkservd – Main >> Server Status >> Service Status *
/var/log/dcpumon – top log process
/root/cpanel3-skel – skel directory. Eg: public_ftp, public_html. (Account Functions–>Skeleton Directory )*
/etc/wwwacct.conf – account creation defaults file in WHM (Basic cPanel/WHM Setup)*
/etc/cpupdate.conf – Update Config *
/etc/cpbackup.conf – Configure Backup*
/etc/clamav.conf – clamav (antivirus configuration file )
/etc/my.cnf – mysql configuration file
/usr/local/Zend/etc/php.ini OR /usr/local/lib/php.ini – php configuration file
/etc/ips – ip addresses on the server (except the shared ip) (IP Functions–>Show IP Address Usage )*
/etc/ipaddrpool – ip addresses which are free
/etc/ips.dnsmaster – name server ips
/var/cpanel/Counters – To get the counter of each users.
/var/cpanel/bandwidth – To get bandwith usage of domains
Subscribe to:
Posts (Atom)