
Munin Unable to Generate Mysql Stats

January 27, 2013    |   Posted by admin   |    Category: cPanel Management

The Munin MySQL plugin is known to have trouble generating MySQL graphs on cPanel servers. The MySQL graph stays empty because of a bug in the Perl library that causes the path to mysqladmin to be lost.

The solution is to specify the path to mysqladmin in the /etc/munin/plugin-conf.d/cpanel.conf file. Edit the file

# nano /etc/munin/plugin-conf.d/cpanel.conf

and add the following line to the [mysql*] section

env.mysqladmin /usr/bin/mysqladmin

The mysql section should then look as follows

[mysql*]
user root
group wheel
env.mysqladmin /usr/bin/mysqladmin

Restart the munin-node service and check whether the graphs are generated. If they are not, munin cannot read the MySQL credentials (the root username and password) it needs to query the server.

In that case, have munin read the MySQL root password directly from the .my.cnf file under /root. To do this, create a small wrapper script, say /root/mysqlpass

# nano /root/mysqlpass

and add the following command

#!/bin/sh
# Read the root password from /root/.my.cnf (cPanel writes it as pass="...")
# and pass every argument munin gives us straight through to mysqladmin
/usr/bin/mysqladmin -uroot -p`cat /root/.my.cnf | grep pass \
| sed s/pass// | sed s/=// | sed s/\"//g` "$@"

The sed chain may look confusing, but it only strips the key name, the equals sign and the quotes around the password so that the bare password is left. Because the password is passed with -p on the command line, it is briefly visible in the process list while mysqladmin runs, so keep /root/.my.cnf readable by root only.

Set executable permission on the file

# chmod 755 /root/mysqlpass

Now edit the /etc/munin/plugin-conf.d/cpanel.conf file again and replace

env.mysqladmin /usr/bin/mysqladmin

with

env.mysqladmin /root/mysqlpass

Once done, restart the munin-node service and munin will start generating the MySQL graphs.
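The grep/sed chain above only copes with the pass="..." form that cPanel writes into /root/.my.cnf. As an added example (not code from the original post or from munin/cPanel), the script below does the same job with an awk parser that also accepts password=, spaces around the equals sign, single or double quotes, and only reads the [client] section, so a pass= entry under [mysqld] is ignored. The wrapper function keeps the mysqladmin path from the post; the MYCNF variable and the sample file contents are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: a more robust replacement for the /root/mysqlpass wrapper.
# Not part of the original post; paths other than /usr/bin/mysqladmin and
# /root/.my.cnf are assumptions.

# mycnf_password FILE -> prints the [client] password from a my.cnf-style
# file; exit status 1 if there is none.
mycnf_password() {
    awk -v sq="'" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim surrounding whitespace
        /^#/ || /^$/ { next }                          # skip comments and blank lines
        /^\[/ { section = $0; next }                   # remember the current [section]
        section == "[client]" && /^(pass|password)[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)              # drop the "key =" part
            q = substr(val, 1, 1)
            if (length(val) >= 2 && (q == "\"" || q == sq) && substr(val, length(val), 1) == q)
                val = substr(val, 2, length(val) - 2)  # strip one pair of matching quotes
            print val
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Drop-in replacement for the /root/mysqlpass wrapper from the post: same
# mysqladmin path, but the password comes from mycnf_password. MYCNF is an
# assumed override so the wrapper can be pointed at a test file.
mysqladmin_wrapper() {
    pw=$(mycnf_password "${MYCNF:-/root/.my.cnf}") || return 1
    /usr/bin/mysqladmin -uroot -p"$pw" "$@"
}

# Constructed sample credentials file (not a real .my.cnf) for the demo;
# prints the path of the temporary file it wrote.
make_sample_cnf() {
    f=$(mktemp) || return 1
    printf '%s\n' '[mysqld]' 'pass=not-this-one' '' '[client]' 'user=root' \
        '# comment line' 'pass = "s3cret#pw"' > "$f"
    printf '%s\n' "$f"
}

# Run as "sh mysqlpass-demo.sh demo" to see the parser pick the [client]
# password out of the constructed sample.
if [ "${1:-}" = "demo" ]; then
    f=$(make_sample_cnf)
    mycnf_password "$f"
    rm -f "$f"
fi
```

The wrapper still passes the password with -p, as the post's script does, so the process-list exposure noted above applies here too; the gain is that the parser no longer depends on the exact spelling cPanel uses for the key.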


How to find compromised email accounts on a Plesk server?

January 3, 2013    |   Posted by admin   |    Category: Plesk Management

If your emails are bouncing back and the server IP is getting blacklisted, it is clear that the server is being used for spamming. To find out whether the spam is being sent by a PHP script or by a mail client, refer to

How to find a Spammer on a Plesk Server?

Sometimes email accounts are hacked and used for sending spam. The headers of such emails contain “network” in the Received line instead of the UID of the domain.

Below we will see how to trace such accounts.

First, read the mail queue; you will notice that a large number of emails are being sent to unfamiliar addresses

# /var/qmail/bin/qmail-qread
 1 Jan 2013 01:50:32 GMT  #768553  1214
        remote  someone@domain1.com
        remote  someone123@domain1.com
        remote  someone@domain2.com
        remote  someone123@domain2.com
        ****list continue...****

Next, find the IP that is sending the emails: use the qmHandle tool to read the message header by passing it the message ID (in the case above, 768553)

# qmHandle -m768553 | less
 Received: (qmail 20390 invoked from network); 1 Jan 2013 01:50:32
 Received: from unknown (HELO User) (1.1.1.1)

This email was invoked from the network and the offending IP is 1.1.1.1. Now search for that IP in the server logs, i.e. /var/log/messages

# grep 1.1.1.1 /var/log/messages
 Jan  1 12:12:00 smtp_auth: SMTP connect from unknown@ [1.1.1.1]
 Jan  1 12:12:00 smtp_auth: smtp_auth: SMTP user [USER] : /var/qmail/mailnames/[DOMAIN]/[USER] logged in from unknown@ [1.1.1.1]

As you can see above, the logs will display the email account accessed by the hacker from IP 1.1.1.1.

Now let’s take a look at the password of the email account we found in the above logs

# /usr/local/psa/admin/bin/mail_auth_view | grep user@domain
 +--------------+--------+------------+
 |    address   |  flags |  password  |
 +--------------+--------+------------+
 |  user@domain |        |   qazxsw   |
 +--------------+--------+------------+

The password is weak, so it is no wonder the email account was compromised.

Now change the password of the email account from Plesk, restart the IMAP server and monitor the server logs to see the difference

# tail -f /var/log/messages | grep 1.1.1.1
 Jan  1 12:20:08 smtp_auth: SMTP connect from unknown@ [1.1.1.1]
 Jan  1 12:20:08 smtp_auth: FAILED: [USER] - password incorrect from unknown@ [1.1.1.1]

As you can see above, the hacker from IP 1.1.1.1 can no longer access the email account.
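The grep commands above work for one IP at a time. As an added example (not code from the original post or from Plesk), the functions below run the same lookups over a whole /var/log/messages file: which mailboxes authenticated from a given IP, how many distinct IPs each mailbox has authenticated from (a mailbox suddenly used from many addresses is the usual sign of a stolen password), and the failed-login lines you expect to see from the old source after the password reset. The log format follows the lines quoted in the post; the sample log is constructed with TEST-NET addresses, and the mailbox names are assumptions.

```shell
#!/bin/sh
# Added example: summarise Plesk/qmail smtp_auth lines from /var/log/messages.
# Not part of the original post; the sample log below is constructed.

# logins_from_ip FILE IP -> distinct mailboxes that authenticated from IP
logins_from_ip() {
    awk -v want="$2" '
        /smtp_auth: SMTP user .* logged in from/ {
            ip = $NF; gsub(/\[|\]/, "", ip)           # last field is "[a.b.c.d]"
            if (ip != want) next
            for (i = 1; i <= NF; i++)                 # mailbox follows the word "user"
                if ($i == "user") { print $(i + 1); break }
        }
    ' "$1" | sort -u
}

# mailbox_ip_counts FILE -> "mailbox distinct_ips total_logins", most IPs first
mailbox_ip_counts() {
    awk '
        /smtp_auth: SMTP user .* logged in from/ {
            for (i = 1; i <= NF; i++) if ($i == "user") { u = $(i + 1); break }
            ip = $NF; gsub(/\[|\]/, "", ip)
            if (!((u, ip) in seen)) { seen[u, ip] = 1; ips[u]++ }
            total[u]++
        }
        END { for (u in total) print u, ips[u], total[u] }
    ' "$1" | sort -k2,2nr -k3,3nr
}

# failed_logins FILE -> "count ip mailbox" for "password incorrect" lines
failed_logins() {
    awk '
        /smtp_auth: FAILED: .* password incorrect from/ {
            for (i = 1; i <= NF; i++) if ($i == "FAILED:") { u = $(i + 1); break }
            ip = $NF; gsub(/\[|\]/, "", ip)
            n[ip " " u]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Constructed sample log in the format quoted in the post; prints the path
# of the temporary file it wrote.
make_sample_messages() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Jan  1 12:12:00 smtp_auth: SMTP connect from unknown@ [192.0.2.1]
Jan  1 12:12:00 smtp_auth: smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob logged in from unknown@ [192.0.2.1]
Jan  1 12:13:00 smtp_auth: smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob logged in from unknown@ [192.0.2.2]
Jan  1 12:14:00 smtp_auth: smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob logged in from unknown@ [192.0.2.3]
Jan  1 12:15:00 smtp_auth: smtp_auth: SMTP user alice@example.com : /var/qmail/mailnames/example.com/alice logged in from unknown@ [192.0.2.1]
Jan  1 12:20:08 smtp_auth: FAILED: bob@example.com - password incorrect from unknown@ [192.0.2.1]
EOF
    printf '%s\n' "$f"
}

# Run as "sh smtp-auth-summary.sh demo" to see all three reports on the sample;
# on a live server call the functions with /var/log/messages instead.
if [ "${1:-}" = "demo" ]; then
    f=$(make_sample_messages)
    echo "== mailboxes used from 192.0.2.1 =="; logins_from_ip "$f" 192.0.2.1
    echo "== distinct IPs per mailbox ==";      mailbox_ip_counts "$f"
    echo "== failed logins ==";                 failed_logins "$f"
    rm -f "$f"
fi
```

On the sample, bob@example.com shows up from three different addresses while alice@example.com is only ever seen from one, which is the pattern that points at the account worth checking with mail_auth_view.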
