https://molamphy.keybase.pub by https://tyler.molamphy.net Last updated 12/10/2016


System:

Top 20 most frequent values of the first field (for an access log, the client IPs):

cat <logfile> | awk '{print $1}' | sort -n | uniq -c | sort -nr | head -20


Summarize which processes the OOM killer has been killing, from /var/log/messages:

sed -n -e '/total_vm/,/Out of memory: Kill process/ p' /var/log/messages | awk '{ gsub(/\[|\]/,"",$0) ;print $0 }' | awk '{ print $8,$15 }' | sort | uniq -c | sort -n | tail -n 15


Average resident memory per php-fpm process, in MB:

ps --no-headers -o "rss,cmd" -C php-fpm | awk '{ sum+=$1 } END { printf ("%d%s\n", sum/NR/1024,"M") }'


Disk:

Per-entry disk usage in human-readable units, largest first, with a total:

du -ak --max-depth=1 | sort -rn | awk 'BEGIN{ pref[1]="K"; pref[2]="M"; pref[3]="G";} { total = total + $1; x = $1; y = 1; while( x > 1024 ) { x = (x + 1023)/1024; y++; } printf("%g%s\t%s\n",int(x*10)/10,pref[y],$2); } END { y = 1; while( total > 1024 ) { total = (total + 1023)/1024; y++; } printf("Total: %g%s\n",int(total*10)/10,pref[y]); }'


Count files per directory on the root filesystem (find directories with huge numbers of files):

find / -xdev -printf '%h\n' | sort | uniq -c | sort -k 1 -n


Delete every file in a directory with perl, which copes with directories too large for the shell's rm * (perl stats and unlinks each glob entry in turn):

cd /path/to/dir && perl -e 'for(<*>){((stat)[9]<(unlink))}'


Netstat:

Count connections to port 80 per remote IP, most frequent last:

netstat -ant |grep ':80' |awk '{print $5}' |cut -d':' -f1 |sort |uniq -c |sort -n -k1
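The same per-IP connection count as a reusable function, added here as an example and not part of the original cheat sheet. The page's version uses `cut -d':' -f1`, which drops the address entirely for IPv6 and IPv4-mapped (`::ffff:a.b.c.d`) foreign addresses; this one strips only the trailing `:port`, folds the `::ffff:` prefix onto the plain IPv4 address, and skips LISTEN sockets. The netstat output below is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (not captured from a real host).
SAMPLE_NETSTAT="$(mktemp)"
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51002       TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:51003 ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:40001      ESTABLISHED
EOF

# conns_by_ip PORT FILE
# Count connections per remote address on local port PORT, most frequent last.
# Only tcp/tcp6 rows are considered and the LISTEN socket is skipped.
# Stripping just the trailing ":port" keeps IPv6 addresses whole; the
# "::ffff:" prefix is removed so IPv4-mapped and plain IPv4 peers count together.
conns_by_ip() {
  port="${1:-80}"
  file="$2"
  awk -v port="$port" \
    '$1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 != "LISTEN" { print $5 }' "$file" \
    | sed -e 's/:[0-9]*$//' -e 's/^::ffff://' \
    | sort | uniq -c | sort -n | sed 's/^ *//'
}

# top_connecting_ip PORT FILE
# The single busiest peer, as "count address".
top_connecting_ip() {
  conns_by_ip "$1" "$2" | tail -n 1
}

# Usage against a live host: netstat -ant > /tmp/ns.txt; conns_by_ip 80 /tmp/ns.txt
conns_by_ip 80 "$SAMPLE_NETSTAT"
```

On the sample, 203.0.113.5 is counted four times (three IPv4 rows plus the IPv4-mapped tcp6 row) and 198.51.100.7 once; the port-22 row and the LISTEN row are ignored.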


Apache:

Basic screen for and summary of suspicious repeat requests to the Apache web server. This looks for large query strings and for POSTs that are repeated frequently, assuming the combined log format (the default for cPanel/Apache):

awk '{ if($6 ~ /POST/ || length($7) >= 150) {print $1,$6,$7,$9} }' $LOGFILE | sort | uniq -c | sort -n


Find the top 7 requesting IPs in today's logs for all sites with a likely wp-login bruteforcing going on:

for each in `ps aux --sort=%cpu | grep wp-login | grep -v root | awk '{print $1}'` ; do echo ===$each===; find /home/$each/access-logs/* ! -iname "*ftp*" | xargs -I marker awk '{ print $1,$6,$7}' marker | sort | uniq -c | sort -n | tail -7; echo "===================="; done
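The two Apache screens above (the POST / long-query-string summary and the per-log half of the wp-login loop) as shell functions over a constructed combined-format log. This is an added example, not the author's script: `suspicious_requests` and `top_requesters` are names chosen here, and the log lines are made up for the demonstration. One detail worth knowing when reading the page's awk: in the combined format field 6 is the method with its opening quote still attached (`"POST`), which is why the page matches it with `~ /POST/` rather than `== "POST"`.

```shell
#!/bin/sh
# Constructed sample in Apache "combined" log format (not from a real server).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Dec/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2016:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2016:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 910 "-" "Mozilla/5.0"
EOF
# One request with a query string long enough (153 chars of path) to trip the
# page's 150-character screen; built here rather than typed out.
LONG_QS=$(awk 'BEGIN { while (i++ < 140) printf "A" }')
printf '198.51.100.9 - - [10/Dec/2016:10:00:06 +0000] "GET /index.php?q=%s HTTP/1.1" 200 5678 "-" "Mozilla/5.0"\n' "$LONG_QS" >> "$SAMPLE_LOG"

# suspicious_requests LOGFILE [MINLEN]
# The page's screen: every POST, plus any request whose path (field 7) is at
# least MINLEN characters, counted per (ip, method, path, status) and printed
# most frequent last. Field 6 is the method with its leading quote ("POST).
suspicious_requests() {
  awk -v minlen="${2:-150}" \
    '$6 ~ /POST/ || length($7) >= minlen { print $1, $6, $7, $9 }' "$1" \
    | sort | uniq -c | sort -n | sed 's/^ *//'
}

# top_requesters LOGFILE [N]
# The per-log body of the wp-login loop: top N (ip, method, path) tuples.
top_requesters() {
  awk '{ print $1, $6, $7 }' "$1" \
    | sort | uniq -c | sort -n | tail -n "${2:-7}" | sed 's/^ *//'
}

# Usage: suspicious_requests /home/user/access-logs/example.com 150
suspicious_requests "$SAMPLE_LOG" 150
top_requesters "$SAMPLE_LOG" 7
```

On the sample, the three repeated POSTs to /wp-login.php from 203.0.113.5 surface as the top line of both reports, and the single long-query-string GET from 198.51.100.9 appears in the suspicious-request list but not among the repeat offenders.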


cPanel:

Gather all domains and perform a DNS lookup to find their glue record at the root nameservers:

awk -F ":" '{ print $1}' /etc/userdomains | grep -v "\*" | xargs -I marker sh -c "tldsuff=\$(echo marker | awk -F \".\" '{ print \$NF}') ; gtldserv=\$(dig \$tldsuff ns +short | head -n 1); dig marker ns @\${gtldserv} | grep \"\sNS\s\"| head -n 1"
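The glue-record lookup above as plain shell functions, added here as an example and not taken from the page. It does what the one-liner does (take the TLD from each domain, ask the TLD's first listed nameserver for the domain's NS record) without the nested `sh -c` escaping, and fails visibly when no TLD server can be found instead of running `dig @` with an empty server. The `/etc/userdomains` sample is constructed; `list_domains`, `glue_ns` and `glue_all` are names chosen for this example.

```shell
#!/bin/sh
# Constructed /etc/userdomains-style input ("domain: user" per line). The "*"
# line is the catch-all entry the page's grep -v filters out. Not a real file.
SAMPLE_USERDOMAINS="$(mktemp)"
cat > "$SAMPLE_USERDOMAINS" <<'EOF'
*: nobody
example.com: exampleuser
EOF

# list_domains FILE
# Print the domain column of a userdomains file, dropping the "*" entry.
list_domains() {
  awk -F ':' '{ print $1 }' "$1" | grep -v '\*'
}

# glue_ns DOMAIN
# Find the TLD's nameserver (first answer to "dig <tld> ns +short") and ask it
# for DOMAIN's NS record, printing the first NS line of the reply. Returns 1 if
# no TLD server was found, rather than querying "@" with an empty host.
glue_ns() {
  domain="$1"
  tld="${domain##*.}"
  tldserver=$(dig "$tld" ns +short | head -n 1)
  [ -n "$tldserver" ] || { echo "no NS found for TLD .$tld" >&2; return 1; }
  dig "$domain" ns "@$tldserver" | grep '[[:space:]]NS[[:space:]]' | head -n 1
}

# glue_all FILE
# Run glue_ns over every domain listed in FILE.
glue_all() {
  list_domains "$1" | while read -r d; do glue_ns "$d"; done
}

# Usage on a cPanel host: glue_all /etc/userdomains
# (Nothing is queried here; the functions above only run when called.)
```

Because `dig` is looked up at call time, the functions can be exercised offline by shadowing it with a shell function that returns canned answers, which is how the behaviour was checked for this example.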


Exim:

Count the email accounts across all cPanel users (one passwd file per mail domain):

/bin/find /home/*/etc/*/ -type f -name passwd -exec wc -l {} \; | awk '{ SUM += $1 } END { print SUM }'


egrep -o 'dovecot_login[^ ]+' /var/log/exim_mainlog | sort|uniq -c|sort -nk 1 | less # For Dovecot


MySQL:

Dump every database to its own timestamped file:

for db in `mysql -e 'show databases' -s --skip-column-names` ; do mysqldump --databases $db > "/backup/$db-$(date +%Y-%m-%d-%H.%M.%S).sql"; done


Working with Windows filesystems via cifs:

The one-liners below are for working with Windows systems from a bash prompt, such as Cygwin or your Linux workstation. Install cifs-utils to get the mount.cifs command, then mount the share like so:

mount.cifs //UNC/PATH /mnt/localmount -o username=webhostingco,domain=.

Expand every domain's log files for one specific month:

for zip in `find /mnt/winshare/Domains -type f -name "*72016.zip"` ; do dir=$(echo $zip | cut -d '/' -f -7) ; unzip $zip -d $dir/ ; done