
Archive for February, 2007

There’s lots of situations where you’d want to use a bulk IP change in Plesk:

  • Server is moving and needs to change IPs
  • An IP is the destination for some type of DDoS attack
  • An IP needs to be removed from the server

So how do you shift tons of domains from one IP to another without spending hours in Plesk clicking and clicking? Do the following instead:

Get into MySQL and find out which IP you’re moving from and to:
mysql -u admin -p`cat /etc/psa/.psa.shadow`
mysql> select * from IP_Addresses;

You should see a printout of all of the available IPs on the server. Make a note of the “id” of the IP you’re moving from and to. In this example, here’s what we’re doing:

Moving FROM "192.168.1.192" (id = 2)
Moving TO "192.168.1.209" (id = 3)

Now we can start shifting the physically hosted domains over in the database:
mysql> update hosting set ip_address_id=3 where ip_address_id=2;

We also need to change the domains that are set up for standard or frame forwarding:
mysql> update forwarding set ip_address_id=3 where ip_address_id=2;

Now we’re stuck with the arduous task of updating DNS records. Plesk is kind enough to store this data in four different ways:
mysql> update dns_recs set displayHost='192.168.1.209' where displayHost='192.168.1.192';
mysql> update dns_recs set host='192.168.1.209' where host='192.168.1.192';
mysql> update dns_recs set displayVal='192.168.1.209' where displayVal='192.168.1.192';
mysql> update dns_recs set val='192.168.1.209' where val='192.168.1.192';

Everything domain related is now moved, but the clients that the domains belong to might not have this new IP address in their IP pool. First, we need to find out our component IDs from the Repository table (which generally should be the same as the IP_Addresses.id column, but not always):
mysql> SELECT clients.login, IP_Addresses.ip_address,Repository.* FROM clients LEFT JOIN Repository ON clients.pool_id = Repository.rep_id LEFT JOIN IP_Addresses ON Repository.component_id = IP_Addresses.id;

For this example, we’ll pretend that the output consists of 2s for these clients. We can flip the IPs in the clients’ IP pools by running the following:
mysql> update Repository set component_id=3 where component_id=2;

Now that everything is changed in Plesk’s database, it’s time to change up the Apache and BIND configuration files. Luckily, this can be done pretty easily with Plesk’s command line tools:
# /usr/local/psa/admin/bin/websrvmng -av
# mysql -Ns -uadmin -p`cat /etc/psa/.psa.shadow` -D psa -e 'select name from domains' | awk '{print "/usr/local/psa/admin/sbin/dnsmng update " $1 }' | sh

All that is left is to force Apache and BIND to pick up the new configuration:
# /etc/init.d/httpd reload
# /etc/init.d/named reload

Just wait for the DNS records to propagate and you should be all set! The instructions are cumbersome, I know, but it’s easier than clicking for-ev-er.
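
The whole procedure above wrapped in a shell script, as an added example that is not part of the original post: it checks the four arguments before they reach SQL, dumps the psa database, prints how many rows each UPDATE will touch, and then applies the same statements. The backup path and the mysqldump invocation are assumptions; the websrvmng/dnsmng regeneration and the reloads still follow by hand.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed (not verified here):
# the Plesk admin password lives in /etc/psa/.psa.shadow and /root is writable.

# Reject anything that is not a dotted quad or a plain integer, because the
# values are interpolated straight into SQL.
valid_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_id()   { printf '%s' "$1" | grep -Eq '^[0-9]+$'; }

# The UPDATE batch for a FROM_IP/FROM_ID -> TO_IP/TO_ID move: the same seven
# statements as the post, generated instead of typed.
ip_move_sql() {
    from_ip=$1 from_id=$2 to_ip=$3 to_id=$4
    cat <<EOF
UPDATE hosting SET ip_address_id=$to_id WHERE ip_address_id=$from_id;
UPDATE forwarding SET ip_address_id=$to_id WHERE ip_address_id=$from_id;
UPDATE dns_recs SET displayHost='$to_ip' WHERE displayHost='$from_ip';
UPDATE dns_recs SET host='$to_ip' WHERE host='$from_ip';
UPDATE dns_recs SET displayVal='$to_ip' WHERE displayVal='$from_ip';
UPDATE dns_recs SET val='$to_ip' WHERE val='$from_ip';
UPDATE Repository SET component_id=$to_id WHERE component_id=$from_id;
EOF
}

# Pre-flight: how many rows in each table still reference the source IP/ID.
ip_move_count_sql() {
    cat <<EOF
SELECT 'hosting' AS tbl, COUNT(*) AS cnt FROM hosting WHERE ip_address_id=$2
UNION ALL SELECT 'forwarding', COUNT(*) FROM forwarding WHERE ip_address_id=$2
UNION ALL SELECT 'dns_recs', COUNT(*) FROM dns_recs WHERE val='$1' OR host='$1'
UNION ALL SELECT 'Repository', COUNT(*) FROM Repository WHERE component_id=$2;
EOF
}

# plesk_ip_move FROM_IP FROM_ID TO_IP TO_ID
# e.g. plesk_ip_move 192.168.1.192 2 192.168.1.209 3
plesk_ip_move() {
    valid_ipv4 "$1" && valid_id "$2" && valid_ipv4 "$3" && valid_id "$4" ||
        { echo "usage: plesk_ip_move FROM_IP FROM_ID TO_IP TO_ID" >&2; return 2; }
    pw=$(cat /etc/psa/.psa.shadow)
    # Full dump first, so a typo in the IDs can be rolled back.
    mysqldump -uadmin -p"$pw" psa > "/root/psa-before-ipmove-$(date +%s).sql" || return 1
    ip_move_count_sql "$1" "$2" | mysql -uadmin -p"$pw" -t psa
    ip_move_sql "$1" "$2" "$3" "$4" | mysql -uadmin -p"$pw" psa
}
```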


Moving domains from client to client in Plesk is pretty quick from the command line. Just replace DOMAIN with the domain name you want to move and CLIENTLOGIN with the client’s username:

/usr/local/psa/bin/domain.sh --update DOMAIN -clogin CLIENTLOGIN


If odd bounced e-mails are coming back to the server or the server is listed in a blacklist, some accounts may be compromised on the server. Here’s how to diagnose the issue:

Read the queue and look for messages with funky senders or lots of recipients.

# /var/qmail/bin/qmail-qread
10 Feb 2007 07:31:08 GMT  #476884  10716  
        remote  debbarger@earthlink.net
        remote  debbiabbis@hotmail.com
        remote  debbiak@aol.com
        *** lots more recipients below ***

This is a phishing e-mail being sent out to imitate PayPal. Now you need to find which IP is sending this e-mail, so grab the message ID and pass it to qmHandle:

# qmHandle -m476884 | less
Received: (qmail 20390 invoked from network); 10 Feb 2007 07:31:08 -0600
Received: from unknown (HELO User) (207.219.92.194)

In this case, the offender is from 207.219.92.194. Now we can dig for the login in /var/log/messages:

# grep -i 207.219.92.194 /var/log/messages
Feb 10 10:19:33 s60418 smtp_auth: SMTP connect from unknown@ [207.219.92.194]
Feb 10 10:19:33 s60418 smtp_auth: smtp_auth: SMTP user [USER] : /var/qmail/mailnames/[DOMAIN]/[USER] logged in from unknown@ [207.219.92.194]

Just for giggles, let’s find out what their password is:

# mysql -u admin -p`cat /etc/psa/.psa.shadow`
mysql> use psa;
mysql> select CONCAT(mail_name,"@",name) as email_address,accounts.password
from mail left join domains on domains.id=mail.dom_id left join accounts on
accounts.id=mail.account_id where mail_name like '[USER]';
+-----------------+----------+
| email_address   | password |
+-----------------+----------+
| [USER]@[DOMAIN] | password |
+-----------------+----------+
1 row in set (0.00 sec)

Well, ‘password’ isn’t a great password. Log into Plesk and change this password ASAP. To verify your work, tail /var/log/messages and you should see this:

# tail -f /var/log/messages
Feb 10 10:27:08 s60418 smtp_auth: SMTP connect from unknown@ [207.219.92.194]
Feb 10 10:27:08 s60418 smtp_auth: smtp_auth: FAILED: [USER] - password incorrect from unknown@ [207.219.92.194]

Big thanks goes to Jon B. and Mike J. for this.


You can delete iptables rules based on what they’re doing:
iptables -D INPUT -s 127.0.0.1 -p tcp --dport 111 -j ACCEPT

Or you can delete them based on their number and chain name:
iptables -D PORTSEN 4


If you need to enable SSL in ProFTPD, try this out:

<IfModule mod_tls.c>
    TLSEngine on
    TLSRequired off
    TLSRSACertificateFile /etc/httpd/conf/ssl.crt/server.crt
    TLSRSACertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    TLSVerifyClient off
</IfModule>


Need to redirect all users except for yourself to another site until yours is live?

RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^64\.39\.0\.38$
RewriteRule .* http://othersite.com/ [R,L]


Check for a SYN flood:

# netstat -alnp | grep :80 | grep -c SYN_RECV

Adjust network variables accordingly:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 >/proc/sys/net/ipv4/tcp_keepalive_time
echo 0 >/proc/sys/net/ipv4/tcp_window_scaling
echo 0 >/proc/sys/net/ipv4/tcp_sack
echo 0 >/proc/sys/net/ipv4/tcp_timestamps


If you think an e-mail account has been hacked in Plesk, use this to hunt down which one it could be:

grep -i smtp_auth /var/log/messages | grep "logged in" | awk '{print $11}' | awk -F/ '{print $6"@"$5}' | sort | uniq -c | sort -n | tail
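
An added example, not code from the original post, that builds on the one-liner above and on the earlier compromised-account hunt: two shell functions that read /var/log/messages lines on stdin and report, per mailbox, successful SMTP AUTH logins and the number of distinct client IPs (a mailbox logging in from many addresses is the usual sign of a stolen password), plus failed logins per IP (one address hammering many accounts points at password guessing). The lines in SAMPLE are constructed, with documentation-range addresses.

```shell
#!/bin/sh
# Added example, not from the original post. Field positions follow the
# Plesk smtp_auth line format shown earlier on this page:
#   ... smtp_auth: SMTP user NAME : /var/qmail/mailnames/DOMAIN/NAME logged in from unknown@ [IP]

# Constructed sample log lines (hostname, accounts and IPs are made up).
SAMPLE='Feb 10 10:19:33 s60418 smtp_auth: smtp_auth: SMTP user bob : /var/qmail/mailnames/example.com/bob logged in from unknown@ [198.51.100.7]
Feb 10 10:20:01 s60418 smtp_auth: smtp_auth: SMTP user bob : /var/qmail/mailnames/example.com/bob logged in from unknown@ [203.0.113.9]
Feb 10 10:21:15 s60418 smtp_auth: smtp_auth: SMTP user alice : /var/qmail/mailnames/example.com/alice logged in from unknown@ [192.0.2.10]
Feb 10 10:22:40 s60418 smtp_auth: smtp_auth: FAILED: bob - password incorrect from unknown@ [203.0.113.9]
Feb 10 10:22:41 s60418 smtp_auth: smtp_auth: FAILED: carol - password incorrect from unknown@ [203.0.113.9]'

# Per mailbox: "<logins> <distinct IPs> <user@domain>", least active first.
smtp_login_summary() {
    grep 'smtp_auth: SMTP user .* logged in' |
    awk '{
        split($11, p, "/"); acct = p[6] "@" p[5]   # mailnames/DOMAIN/USER
        ip = $NF; gsub(/\[|\]/, "", ip)            # strip the brackets
        logins[acct]++
        if (!((acct, ip) in seen)) { seen[acct, ip] = 1; ips[acct]++ }
    }
    END { for (a in logins) printf "%d %d %s\n", logins[a], ips[a], a }' |
    sort -n
}

# Per client IP: number of failed SMTP AUTH attempts, busiest last.
smtp_failure_summary() {
    grep 'smtp_auth: FAILED' |
    awk '{ ip = $NF; gsub(/\[|\]/, "", ip); print ip }' |
    sort | uniq -c | sort -n
}

# Run against the sample; in production replace with:  < /var/log/messages
printf '%s\n' "$SAMPLE" | smtp_login_summary
printf '%s\n' "$SAMPLE" | smtp_failure_summary
```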


If you have a Cisco device logging to RHEL, here’s all that’s necessary:

# vi /etc/sysconfig/syslog
SYSLOGD_OPTIONS="-m 0 -r"

Check the facility listed in the Cisco configuration, and convert it to the corresponding Linux syslog facility using the table in Cisco’s syslog configuration documentation.

For example, Cisco’s facility 19 is the same as Linux’s local facility 3 (local3).

# vi /etc/syslog.conf
*.info;mail.none;authpriv.none;cron.none;local3.none;   /var/log/messages
local3.*                                                /var/log/cisco.log

Add local3.none; to the /var/log/messages line and add the local3.* line at the bottom of the file.

Restart syslog with /etc/init.d/syslog restart. Verify that the syslog server is listening on port 514 and then tail your new /var/log/cisco.log:

# netstat -plan | grep 514
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               3770/syslogd


This is always a great reference for all of your PCRE regex needs: PHP PCRE Cheat Sheet
