chmod, chown & remove

Set permissions on all directories under the folder server1 to 755

chmod -R 755 /usr/home/username/server1/

Remove all data (file and directories) from the folder server1

rm -rf /usr/home/username/server1/*

Set the user and group to example:example for all data (files and directories) on/under the directory accounts

chown -R example:example /home/username/public_html/test/accounts

Install ClamAV

Main >> cPanel >> Manage Plugins >> clamavconnector – Check ‘Install and Keep Updated’ box and the press ‘Save’ button at the bottom of the page.

Update Database


Scan /Home Dir and output results to text file name .logs.txt

clamscan -ir /home > logs.txt

If you get -bash: clamscan: command not found



If you get Unable to locate clamd

Follow the steps as given below:

# Red Hat Enterprise Linux 5 / i386:
rpm -Uhv
# Red Hat Enterprise Linux 5 / x86_64:
rpm -Uhv

Then install it through yum:

yum install clamd

And finally restart clamd service:


Situation : clamAV installed from WHM, but not working on the command line.

If you have have already installed ClamAV through WHM, check to make sure that your executables are here
#ls -lah /usr/local/cpanel/3rdparty/bin/*clam*
If they are, make sure that there are no current ClamAV files in /usr/local/bin:
# ls -l /usr/local/bin/*clam*
If both of those check out, you can create symlinks in /usr/local/bin to make scanning your server easier.
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/local/bin/freshclam
ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/local/bin/clamscan
ln -s /usr/local/cpanel/3rdparty/bin/clamd /usr/local/bin/clamd
ln -s /usr/local/cpanel/3rdparty/bin/clamav-config /usr/local/bin/clamav-config
Double check your work with this command:
# ls -l /usr/local/bin/*clam*
Then you can scan your server’s public_html folders with this command
clamscan -ir /home/*/public_html > /usr/local/src/scan.txt [The scan results will get saved to the “scan.txt” file]

View Results

cat /usr/local/src/scan.txt

Install ConfigServer Tools

ConfigServer ModSecurity Control (cmc)

rm -fv cmc.tgz
tar -xzf cmc.tgz
cd cmc
cd ~

ConfigServer Mail Manage (cmm)

rm -fv cmm.tgz
tar -xzf cmm.tgz
cd cmm
cd ~

ConfigServer Mail Queues (cmq)

rm -fv cmq.tgz
tar -xzf cmq.tgz
cd cmq
cd ~

ConfigServer Explorer (cse)

rm -fv cse.tgz
tar -xzf cse.tgz
cd cse
cd ~

Install Logwatch

yum install logwatch


SSH into server and login as root.

rpm -Uvh logwatch-7.4.0-1.noarch.rpm

Edit file:

nano /usr/share/logwatch/default.conf/logwatch.conf

Update the following:

Output = mail
MailTo = root

Note: Set the e-mail address to an offsite account in case you get hacked.

Hit CTRL+X press y and then enter to save the file.

Install MyTop

Installing TermReadKey

tar -zxf TermReadKey-2.30.tar.gz
cd TermRead*
perl Makefile.PL
make test
make install

Installing DBI

tar -zxf DBI-1.50.tar.gz
cd DBI*
perl Makefile.PL
make test
make install

Installing mytop

tar -zxf mytop-1.4.tar.gz
cd mytop*
perl Makefile.PL
make test
make install

Install rkhunter (Rootkit Hunter) in Linux

Rootkit Hunter

Rootkit scanner is scanning tool to ensure you for about 99.9%* you’re clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:

– MD5 hash compare
– Look for default files used by rootkits
– Wrong file permissions for binaries
– Look for suspected strings in LKM and KLD modules
– Look for hidden files
– Optional scan within plaintext and binary files


yum install rkhunter


cd /usr/local/src
tar -xzf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
./ --install

Update rkhunter after installation.

rkhunter --update


You can run a scan using the following command

rkhunter -c

You can view all the available options with rkhunter using the following command

rkhunter --help

If you want to skip the interactive prompts, add the -sk option at the end:

rkhunter -c -sk

Setup Daily Scan Report:

You can setup a daily scan report by using a cron as like follows.

nano /etc/cron.weekly/

( /usr/bin/rkhunter --versioncheck
/usr/bin/rkhunter --update
/usr/bin/rkhunter --cronjob --summary
) | /bin/mail -s "rkhunter (Corp)" [email protected]

chmod 750 /etc/cron.weekly/

You may need to change scripts path in /etc/rkhunter.conf


Install chkrootkit

At command prompt, type:

yum install chkrootkit

Then create the file:

nano /etc/cron.monthly/

You can add the following cronjob:

(cd /usr/lib/chkrootkit-0.49/; ./chkrootkit 2>&1 -q | mail -s "chkrootkit (Corp)" [email protected])

Hit CTRL+X press y and then enter to save the file.

chmod +x /etc/cron.monthly/


Usually, these three will do: system, exec and shell_exec

All the rest will most likely break your scripts.

ini_set,fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,hell-exec,system,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,php_uname,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups,posix_setsidposix_setuid,apache_setenv,define_syslog_variables,eval,fp,fput,ftp_connect,ftp_exec,ftp_get,ftp_login,ftp_nb_fput,ftp_put,ftp_raw,ftp_rawlist,highlight_file,ini_alter,ini_get_all,inject_code,openlog,phpAds_remoteInfo, phpAds_XmlRpc,phpAds_xmlrpcDecode,phpAds_xmlrpcEncode,syslog,show_source,system,shell_exec,phpinfo,allow_url_fopen

Root Breach Email Notification

If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers IP address and be warned someone is in there.

Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into server and login as root.

At command prompt type:

nano .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" [email protected]

Hit CTRL+X press y and then enter to save the file.