Bash functions to help when administering cpanel servers, I found them helpful when doing abuse/security work. Simply source the file and you should be good to go, auto-complete offered in many cases.

Includes several other tools written in PHP and Python for tasks such as CMS password changing, injection removal, server audits, and checking IPs against email blacklistings

• CentOS
• Cpanel
• CSF Firewall (recommended)
• The Silver Surfer (recommended)

To use simple clone repo into a folder. Edit the INSTALLDIR bash variable at the top of cpanelsec.sh and checkrbl.py to reflect this location. Then just source cpanelsec.sh. Note if using silver surfer please install it into $INSTALLDIR/ag/

pwnmail [STRING]: Removes email from exim mail queue given string, matches recipient, sender, or ID. Can remove frozen emails with "frozen" and old emails with the command pwnoldmail

addspf [USER]: adds a 'strong' SPF record (-all) to the given cpanel user name's domains

adddkim [USER]: adds domain keys (or DKIM) to given cpanel user's domain

chkmailabuse: Shows scripts sending out mail, useful for finding malicious files blasting out spam.

check_rbl: command line RBL checker, no argument checks current IPs, -a checks all. Or you can give it a specific IP as an argument. List of rbls is in rblist

switchmailip: provides a list of all server IPs and prompts for which IP to send mail from

rdns_check: does a check to ensure rDNS is properly configured

scramble_emaili [EMAIL ADDRESS]: inserts !!ABUSE!! into the email hash for the address, allows user to reset the email password after a compromise while preventing further spam

train_sa [USER]: Trains SpamAssassin for a given cpanel user, must have user create two email folders: HAM-TRAIN (with 200+ non-spam emails) and SPAM-TRAIN (200+ spam emails).

checkmail: checks exim and prompts if recommended anti-spam settings are not enabled. Checks for SPF checking, Spamhaus RBL, and Spamcop RBL

injectcleaner: Uses the pyclean Python script to remove malicious injections. Given a regex pattern this allows you to visually see what will be matched before you remove it. Can be run without verification using -f and against a list of files with -l

Usage: injectcleaner [options] REGEX FILE

Options:
  -h, --help       show this help message and exit
  -l, --list-file  use a list file
  -b, --backup     make backup files
  -f, --force      supress confirmation notice

pwn [FILE]: 'disables' file(s), sets targets to permissions 000 and owner root:root. Can be undone with unpwn

qgrep [-l -s -p] [-c CUSTOM]: (quick)grep, searches for common base64 injections and shells across code files only. Flags are below:

• no arguments defaults to base64 injection search
• -l list files (analagous to grep -l)
• -s shellsearch (searches for list on shells found in shell_patterns file)
• -p ignores files with perm 000
• -c CUSTOM, looks for custom string

qgrep_ag: same as qgrep but uses silver surfer to search

shellscan: searches across public_html folders for all cpanel users looking for shells, places results in $INSTALLDIR/possible_shells.txt. shellscan_ag is the ag version.

phishing_scams: greps for common phishing words in all domain names

mitigate_ddos: Uses a python script that automatically temp bans (using CSF) IPs with over 30 connections

secimgdir: modifies (or creates) .htaccess file in current directory to prevent script execution. Useful for folders such as "/images" or "/uploads" which shouldn't be executing anything

sysinfo: Quick glance at CSF settings, exim queue size, external connections and disk quotas for users.

inodebreakdown: If inode restrictions are in place this will give a pretty accurate listing of folders containing the most inodes for abuse notices.

grepuser [USER/DOMAIN]: searches a string in userdomains and cpanel account names

trafficstats [DOMAIN]: given a domain it returns the number of hits in the last 24 hours, autocompletes based on domain names in /etc/httpd/domlogs

lshtaccess: find and prints .htaccess files recursively, useful for finding malicious redirects

chpass [USER]: Generates random password for given user, also runs ftpupdate script to make cpanel happy

cmspass: Automatically find and detect Joomla/WordPress installations and change all admin passwords to random 10 character strings

owner [USER]: finds owner of cpanel account, auto-completes cpanel names

fixperms: recursively sets files to 644 and folders to 755. Leaves cms config files as 600

rmsymlinks: recursively removes symlinks (safely). For use in symlink attacks

www USER: jumps to cpanel user's public_html folder, autocompletes cpanel account names

chkbackup [FILE]: compares FILE with copies in daily, weekly, and monthly backups. Helpful when only a single file needs to be restore, avoids full account backup.

vzsuspend [VEID]: suspends OpenVZ container, can be unsuspended with vzunsuspend

lscpanelsec: lists all commands and arguments for easy reference