Find files modified within the last N days

This proved useful when cleaning up a compromised site. List all regular files modified within a given window, here the last 30 days. Note that find compares the modification time (mtime); Linux filesystems generally do not expose a creation time to find, so "created" files are only caught because creating a file also sets its mtime. Attackers often backdate mtime with touch to hide a dropped backdoor, so repeat the search with -ctime, which matches on the last inode change and cannot be set from userspace:

find . -mtime -30 -type f -print

If you want to delete every file modified within the last n days, first make sure the listing above contains only what you expect (on a compromised site, copy suspicious files aside for analysis before removing anything), then run:

find . -mtime -30 -type f -exec rm {} \;

Or, with one rm per batch instead of one per file, and safe handling of file names containing spaces or newlines:

find . -mtime -30 -type f -print0 | xargs -0 rm
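The mtime versus ctime point above, as an added example that is not part of the original post: a throwaway web root is built with one genuinely new upload and one backdoor whose mtime has been pushed back to 2020 with touch -t (both constructed), and the -mtime search is compared with the -ctime search to surface the backdated file. Paths and file contents are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: find recently changed files by
# both mtime and ctime and report the ones whose mtime has been backdated.
# The fixture paths and contents below are constructed for the demo.

# recent_by_mtime DIR DAYS: regular files whose content changed in the last DAYS days
recent_by_mtime() {
    find "$1" -type f -mtime "-$2" | sort
}

# recent_by_ctime DIR DAYS: regular files whose inode changed in the last DAYS days.
# touch -t/-d rewrites mtime but bumps ctime to "now", and ctime cannot be set directly.
recent_by_ctime() {
    find "$1" -type f -ctime "-$2" | sort
}

# timestomped DIR DAYS: files found by -ctime but not by -mtime, i.e. files whose
# modification time claims to be old although the inode changed recently
timestomped() {
    m=$(mktemp "${TMPDIR:-/tmp}/mtime.XXXXXX") || return 1
    c=$(mktemp "${TMPDIR:-/tmp}/ctime.XXXXXX") || return 1
    recent_by_mtime "$1" "$2" > "$m"
    recent_by_ctime "$1" "$2" > "$c"
    comm -13 "$m" "$c"          # lines only in the ctime list
    rm -f "$m" "$c"
}

# make_fixture: a temporary web root with one fresh upload and one backdoor whose
# mtime is set back to 2020-01-01 with touch -t (constructed data, not a real site)
make_fixture() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/webroot.XXXXXX") || return 1
    mkdir -p "$root/wp-content/uploads"
    echo 'new upload' > "$root/wp-content/uploads/new.jpg"
    echo 'backdoor placeholder' > "$root/wp-content/uploads/.cache.php"
    touch -t 202001010000 "$root/wp-content/uploads/.cache.php"
    printf '%s\n' "$root"
}

# Demo: the plain -mtime listing misses the backdoor; the ctime diff catches it
demo() {
    root=$(make_fixture) || exit 1
    echo "== modified in the last 30 days (-mtime -30) =="
    recent_by_mtime "$root" 30
    echo "== inode changed recently but mtime backdated =="
    timestomped "$root" 30
    rm -rf "$root"
}
demo
```

On a real site run timestomped against the document root with the window you are investigating; anything it prints deserves a look regardless of what ls -l claims. The check only fails if the attacker also had root and reset the system clock, which is a different conversation.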

Sorting disk usage by folder in Linux

Normally you would use something like this:

du -k | sort -nr > sorted.txt

But the output is just raw kilobyte counts for every directory, which is hard to read at a glance. The following keeps the numeric sort and rewrites each size into a human readable unit (on GNU coreutils 7.5 or later, du -h | sort -hr does the same in one step):

du -k | sort -nr | awk '
    BEGIN {
        # du -k reports kilobytes, so the first unit is KB
        split("KB,MB,GB,TB", Units, ",");
    }
    {
        u = 1;
        while ($1 >= 1024) {
            $1 = $1 / 1024;
            u += 1;
        }
        $1 = sprintf("%.1f %s", $1, Units[u]);
        print $0;
    }
' > sorted.txt

Pre-analysis of a DDoS attack on a cPanel or Linux server

Determine the nature of the attack (SYN flood, GET flood, etc.) by counting connection states; a pile of SYN_RECV points at a SYN flood, a pile of ESTABLISHED at an application-level flood:

netstat -nat | awk '{print $6}' | sort | uniq -c

The following lists the IPs connected to port 80 with a count of connections each, most connections last (netstat -p needs root; note that cut -d: -f1 keeps only the text before the first colon, so IPv6 peers come out mangled, and that a burst of connections from one address can also be a legitimate NAT or proxy):

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

We can see which domains are most active (in the case of a GET style attack) by listing the domain logs with the most recently written ones last:

cd /usr/local/apache/domlogs/
ls -ltr | tail -50

Then we can watch which IPs are hitting a particular domain and take appropriate action (drop them in the firewall, etc.). This streams the client IP of each new request as it is logged; pipe the output through sort and uniq -c over a fixed number of lines instead of -f if you want counts:

cd /usr/local/apache/domlogs/
tail -f <domainname> | awk '{print $1}'
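The triage above, as an added example that is not part of the original post: the netstat and domlog one-liners are packaged as functions that run over saved command output, so they can be tested offline, and the port stripping is done on the trailing :port rather than with cut so IPv6 peers survive. Field positions assume netstat's default column layout and Apache's common/combined log format; the sample netstat output and access log are constructed and use documentation address ranges.

```shell
#!/bin/sh
# Added example, not from the original post: the netstat and domlog triage
# above as functions over saved command output, testable offline. Field
# positions assume netstat's default columns and Apache's common/combined
# log format. Sample data is constructed (RFC 5737 / RFC 3849 addresses).

# conn_states FILE: count connection states in saved `netstat -nat` output.
# Many SYN_RECV suggests a SYN flood; many ESTABLISHED suggests a GET flood.
conn_states() {
    awk 'NR > 2 && $6 != "" { print $6 }' "$1" | sort | uniq -c | sort -rn
}

# peer_ips FILE: remote addresses on local port 80, most connections first.
# Only the trailing :port is removed, so tcp6 peers survive intact, which
# `cut -d: -f1` would not manage.
peer_ips() {
    awk 'NR > 2 && $4 ~ /:80$/ { sub(/:[0-9]+$/, "", $5); print $5 }' "$1" \
        | sort | uniq -c | sort -rn
}

# top_ips LOG [N]: client IPs with the most requests in an Apache access log
top_ips() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# top_paths LOG [N]: most requested paths (field 7 is the request target)
top_paths() {
    awk '{ print $7 }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# flag_ips LOG THRESHOLD: IPs with more than THRESHOLD requests, one per line,
# in a form you can feed to the firewall (e.g. iptables -I INPUT -s IP -j DROP)
flag_ips() {
    awk -v t="$2" '{ c[$1]++ } END { for (ip in c) if (c[ip] > t) print ip }' "$1" | sort
}

# Constructed `netstat -nat` snapshot: two half-open connections from one peer,
# one IPv4 and one IPv6 established connection to :80, one unrelated SSH session
write_sample_netstat() {
    cat > "$1" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.2:51234      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:51235      SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.7:40000         ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::1:50000       ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:40100         ESTABLISHED
EOF
}

# Constructed domlog: one client hammering index.php, two browsing normally
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.20 - - [07/Apr/2016:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"
198.51.100.20 - - [07/Apr/2016:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"
198.51.100.20 - - [07/Apr/2016:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"
198.51.100.20 - - [07/Apr/2016:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"
198.51.100.20 - - [07/Apr/2016:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"
192.0.2.7 - - [07/Apr/2016:12:00:03 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "-"
192.0.2.7 - - [07/Apr/2016:12:00:04 +0000] "GET /logo.png HTTP/1.1" 200 2048 "-" "-"
203.0.113.9 - - [07/Apr/2016:12:00:05 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "-"
EOF
}

demo() {
    ns=$(mktemp "${TMPDIR:-/tmp}/netstat.XXXXXX") || exit 1
    lg=$(mktemp "${TMPDIR:-/tmp}/domlog.XXXXXX") || exit 1
    write_sample_netstat "$ns"; write_sample_log "$lg"
    echo "== connection states =="; conn_states "$ns"
    echo "== peers on :80 =="; peer_ips "$ns"
    echo "== top client IPs =="; top_ips "$lg" 5
    echo "== top paths =="; top_paths "$lg" 5
    echo "== IPs over 3 requests =="; flag_ips "$lg" 3
    rm -f "$ns" "$lg"
}
demo
```

On a live box save `netstat -nat > /root/netstat.$(date +%s)` first and run the functions over the file; that gives you a timestamped snapshot for the incident record and keeps repeated analysis from itself loading the server. Pick the threshold for flag_ips from the distribution top_ips shows, not from a fixed number, or you will block the office NAT.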

Tracking SPAM on a Cpanel Server

If you are using a cPanel/WHM server then the MTA will be Exim by default.

Enable the "Mail Headers" option in /scripts/easyapache; it patches PHP so that mail sent through mail() carries X-PHP-Script headers naming the script (and the client that invoked it). After that, list the queue with exim -bp to get a message ID and print that message's headers with:

exim -Mvh <message id>

From the X-PHP-Script header (or, for mail injected over authenticated SMTP, the Received: and auth lines) you can identify the script or mailbox that is the source of the spam.


Setting up Adaptec Storage Manager on a headless Ubuntu/Debian server

Adaptec RAID cards have large performance gains over other cards, but the management features in Linux stink. Really bad. If you don't have a GUI installed you cannot set up monitoring or alerts locally, but thankfully you can run the agent headless and configure it from a Windows machine (or another Linux box with the GUI) remotely. Additionally, there are no .deb packages, so we have to convert the .rpm to a .deb.

Download the latest installer in RPM format from Adaptec, then become root for the rest:

sudo bash ### Dang it Debian!  LOL

Convert the .rpm to a .deb package and install it:

apt-get install alien
alien --scripts asm_linux_x64_v6_30_18507.rpm
dpkg -i storman_6.30-18508_amd64.deb

Start the ‘StorMan’ agent:


Add the following to /etc/rc.local (before the exit 0 line) so the agent starts automatically at boot, since the init script shipped in the package does not work. Don't forget the ampersand, or rc.local will block and hang the boot process:

/usr/StorMan/ &

Now you can connect from a Windows or Linux machine running the Storage Manager GUI to check RAID status and set up email alerts. Because the agent accepts management connections over the network, restrict its listening ports to your management hosts with the host firewall and never expose it to the internet. It's painfully obvious Adaptec is catering to the Windows crowd on this one, but at least there's a workaround.

Setting up a large disk array in Linux through LVM

A very large disk array (hardware RAID) combined with LVM (Logical Volume Management) gives you a great deal of flexibility. Without LVM you have to reboot the whole machine to see new space after adding RAID members. With LVM you can take advantage of OLE (Online Expansion) and grow existing volumes without rebooting. In this post I cover creating the initial PV (Physical Volume), VG (Volume Group) and LV (Logical Volume) that make up LVM; OLE is the subject of a later post.

In this example, a large RAID array exists at /dev/sdb. There are no partitions on this disk; it is freshly created in the RAID card’s BIOS.

root@rj04:~# fdisk -l


Disk /dev/sdb: 2977.4 GB, 2977474543616 bytes
255 heads, 63 sectors/track, 361990 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

Disk /dev/sdb doesn't contain a valid partition table

1. Create a PV (Physical Volume) on the new disk. This is the lowest layer of LVM, the raw storage. Note the device is /dev/sdb, exactly as fdisk reported it; double check before running pvcreate, because it writes an LVM label over the start of whatever device you name:

pvcreate /dev/sdb

2. Create a VG (Volume Group) containing the new PV. This is the middle layer, a pool of extents that you can later grow by adding more PVs:

vgcreate vg0 /dev/sdb

3. Create an LV (Logical Volume) using the full size. This is the top layer, the block device you put a filesystem on. (Passing -l 100%FREE instead of -L 2.70T allocates every free extent exactly, without having to round the size by hand.)

lvcreate -n lvol0 vg0 -L 2.70T

4. Create the filesystem. Choose the block size with the eventual size of the array in mind: ext3 with a 4 KiB block size supports filesystems far larger than the 2.7 TB here, which covers the maximum our array will expand to. The -m 0 drops the reserved-for-root percentage, which is sensible on a pure data volume:

mkfs -t ext3 -m 0 -v -b 4096 /dev/vg0/lvol0

5. Add mount point, update fstab, and mount the new disk:

mkdir /data ## Create mount
echo "/dev/vg0/lvol0  /data   ext3    defaults        0       2" >> /etc/fstab ## Make filesystem aware of the mount
mount /data  ## Actually mount the disk

6. Verify your work:

root@rj04:~# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg0-lvol0
                      2.7T  202M  2.7T   1% /data
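The six steps above as one script, added here as an example that is not part of the original post: before touching anything it takes an lsblk snapshot and refuses to proceed unless the named device is a whole disk with no filesystem signature, no mount point and no partitions, which is exactly the check that would have caught the /dev/hdb versus /dev/sdb mix-up. The VG/LV names, the mount point and the sample lsblk output are assumptions; the guard functions are tested offline against that sample, while create_lvm_data itself needs root and a real blank disk.

```shell
#!/bin/sh
# Added example, not from the original post: the PV -> VG -> LV -> filesystem
# procedure guarded by a check that the target is a blank, unpartitioned disk.
# VG/LV names, mount point and the sample lsblk output are assumptions.

# blank_disks FILE: from saved `lsblk -prno NAME,TYPE,FSTYPE,MOUNTPOINT` output,
# print whole disks with no filesystem signature and no mount point. Raw mode
# prints empty columns as empty strings, so such a line has exactly two fields.
blank_disks() {
    awk '$2 == "disk" && NF == 2 { print $1 }' "$1"
}

# has_children FILE DEV: true if a partition line (e.g. /dev/sdb1) names DEV as
# its parent, i.e. the disk carries a partition table even if the disk line
# itself shows no filesystem.
has_children() {
    awk -v d="$2" '$2 == "part" && index($1, d) == 1 { found = 1 } END { exit !found }' "$1"
}

# is_safe_target FILE DEV: DEV is a whole disk, unsignatured and unpartitioned
is_safe_target() {
    blank_disks "$1" | grep -qx -- "$2" && ! has_children "$1" "$2"
}

# create_lvm_data DEV [VG] [LV] [MOUNT]: steps 1-6 from the post, run as root
create_lvm_data() {
    dev=$1; vg=${2:-vg0}; lv=${3:-lvol0}; mnt=${4:-/data}
    snap=$(mktemp "${TMPDIR:-/tmp}/lsblk.XXXXXX") || return 1
    lsblk -prno NAME,TYPE,FSTYPE,MOUNTPOINT > "$snap"
    if ! is_safe_target "$snap" "$dev"; then
        echo "refusing: $dev is not a blank, unpartitioned whole disk" >&2
        rm -f "$snap"; return 1
    fi
    rm -f "$snap"
    pvcreate "$dev"                          || return 1   # PV: the physical layer
    vgcreate "$vg" "$dev"                    || return 1   # VG: pool of extents
    lvcreate -n "$lv" -l 100%FREE "$vg"      || return 1   # LV: every free extent
    mkfs -t ext3 -m 0 -b 4096 "/dev/$vg/$lv" || return 1   # filesystem, no root reserve
    mkdir -p "$mnt"
    grep -q "^/dev/$vg/$lv[[:space:]]" /etc/fstab ||
        printf '/dev/%s/%s\t%s\text3\tdefaults\t0\t2\n' "$vg" "$lv" "$mnt" >> /etc/fstab
    mount "$mnt" && df -h "$mnt"
}

# Constructed lsblk snapshot: sda is the partitioned system disk, sdb is the
# fresh RAID volume, sdc is already an LVM member, sdd has an empty partition.
# (Real raw output carries trailing empty columns; awk's NF ignores them.)
write_sample_lsblk() {
    cat > "$1" <<'EOF'
/dev/sda disk
/dev/sda1 part ext4 /
/dev/sdb disk
/dev/sdc disk LVM2_member
/dev/sdd disk
/dev/sdd1 part
EOF
}

# Without arguments only the functions are defined; with a device it runs the
# procedure (root required): ./lvm-data.sh /dev/sdb vg0 lvol0 /data
[ $# -eq 0 ] || create_lvm_data "$@"
```

The guard compares against whatever lsblk reports at that moment, so run it on the box where the array actually lives, not from notes taken on another server. If the disk was previously used, wipefs -a on the device is the deliberate way to clear old signatures before the check will pass.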

Installing mod_limitipconn on a Cpanel server

Absolutely essential in a shared hosting environment: it caps the number of simultaneous connections a single IP may hold, which blunts download accelerators and simple single-source floods. This example is relevant to Apache 2.2.x and assumes mod_limitipconn-0.23.tar.bz2 has already been downloaded to /root. Keep in mind that everyone behind a shared NAT or proxy counts as one IP, so set the limit with that in mind.

## Compile mod_limitipconn
cd /root
tar xjf mod_limitipconn-0.23.tar.bz2
cd mod_limitipconn-0.23
/usr/local/apache/bin/apxs -cia mod_limitipconn.c  ### this needs to be redone after each apache recompile, since EasyApache rewrites httpd.conf and drops the LoadModule line apxs -a added

## in WHM, add to apache Pre VirtualHost Include (all versions)
<IfModule mod_limitipconn.c>
    # Set a server-wide limit of 10 simultaneous connections per IP,
    # except for inline images. NoIPLimit matches MIME types, so
    # "image/*" is the correct form ("images/*" is not a MIME type and
    # matches nothing).
    MaxConnPerIP 10
    NoIPLimit image/*
</IfModule>

Working with WinPE 3.0 images

Mount a WinPE image:

dism /Mount-Wim /WimFile:winpe.wim /index:1 /MountDir:mount

Inject PNP drivers into the WinPE image. DISM refuses unsigned drivers unless you pass /ForceUnsigned; leave that off, since anything in boot media runs with full privilege, and add /Recurse to pick up every .inf under a directory:

Dism /image:mount /Add-Driver /driver:C:\drivers\blah\mydriver.inf

Un-mount and commit the image:

Dism /Unmount-Wim /MountDir:mount /Commit

See what’s in the image:

imagex /info install.wim

Merge images:

imagex /export source.wim 1 destination.wim "Image Name" /compress maximum

Create a bootable CD ISO (-b takes the path to the boot sector file, etfsboot.com from the WinPE tools, for BIOS boot):

oscdimg -n -bc:\pe\amd64\ c:\pe\amd64\ISO c:\pe\amd64\winpe_amd64.iso


Some notes for older (WinPE 2.x) images, where dism.exe is not available and you need imagex and peimg instead:

Mount an older WinPE image:

imagex.exe /mountrw winpe.wim 1 mount

Inject PNP drivers into the WinPE image:

peimg.exe /inf=c:\drivers\blah\*.inf mount\Windows

Un-mount and commit the image:

imagex.exe /unmount mount /commit

Each time you commit, the image grows, because a commit appends to the .wim rather than rewriting it. Exporting the image into a fresh file brings it back down to size:

imagex /compress maximum /export winpe.wim 1 winpe.wim.optimized