How to Check if Railgun is Running on Website

When a request is handled by Railgun, Cloudflare inserts a header with diagnostic information to track how the protocol is doing. If you want to see these headers, you’ll need to use a browser that supports examining header information.

View Railgun header in browser

Google Chrome: View > Developer > Developer Tools menu. You can also install Cloudflare’s Claire extension.

Safari: Develop > Show Web Inspector menu

Firefox: Install Firebug

Microsoft Internet Explorer: You can use a tool like Fiddler

When you look at the header information, you should see Cloudflare headers like the following in the response:

cf-railgun:   e95b1c46e0 0.02 0.037872 0030 9878

cf-ray:   478149ad1570291

The CF-Railgun header carries up to five codes separated by spaces. In order, these codes and their values in the example above (cf-railgun: e95b1c46e0 0.02 0.037872 0030 9878) are:

  • Railgun Request ID: e95b1c46e0 (an internal process number that lets Cloudflare track which connection handled the request)
  • Compression Ratio: 0.02 (the size of the response after Railgun’s delta compression, expressed as a percentage)
  • Origin Processing Time: 0.037872 (the time Railgun waits for the origin web server to generate the page)
  • Railgun Flags: 0030 (how the request was processed)
  • Version Number: 9878 (the version of the Railgun Listener software on the origin server’s network)
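As an added example (not from the original post and not Cloudflare's code), here is a small shell filter that reads raw response headers on stdin, such as the output of curl -sI, and splits the CF-Railgun codes into the fields listed above; the header blocks inside it are constructed samples built from the values shown.

```shell
#!/bin/sh
# Added example, not part of the original post: a filter that reads raw response
# headers on stdin (e.g. piped from "curl -sI https://example.com/") and splits the
# CF-Railgun codes into the named fields the article lists. The header blocks at the
# bottom are constructed samples built from the values shown above.

# Print one "name=value" line per CF-Railgun code, in the article's order.
# Exit status is 0 when the header was present, 1 when Railgun did not handle it.
railgun_fields() {
  awk '
    BEGIN {
      names[1] = "request_id";  names[2] = "compression_ratio"
      names[3] = "origin_time"; names[4] = "flags"; names[5] = "listener_version"
    }
    { sub(/\r$/, "") }                  # curl leaves a CR on every header line
    tolower($1) == "cf-railgun:" {      # header names are case-insensitive
      found = 1
      for (i = 2; i <= NF && i <= 6; i++)   # up to five codes; tolerate fewer
        print names[i - 1] "=" $i
    }
    END { exit (found ? 0 : 1) }'
}

# Return one field (by name) from a header block passed as $1.
railgun_field() {
  printf '%s\n' "$1" | railgun_fields | awk -F '=' -v k="$2" '$1 == k { print $2; exit }'
}

# Verdict for a header block: "railgun" when CF-Railgun is present, "cloudflare-only"
# when only CF-Ray is there (proxied, but Railgun did not handle the request), else "none".
railgun_status() {
  if printf '%s\n' "$1" | railgun_fields >/dev/null; then echo railgun
  elif printf '%s\n' "$1" | grep -qi '^cf-ray:'; then echo cloudflare-only
  else echo none; fi
}

# Constructed samples.
WITH_RAILGUN='HTTP/1.1 200 OK
cf-railgun: e95b1c46e0 0.02 0.037872 0030 9878
cf-ray: 478149ad1570291
content-type: text/html'
WITHOUT_RAILGUN='HTTP/1.1 200 OK
cf-ray: 478149ad1570291
content-type: text/html'
PLAIN='HTTP/1.1 200 OK
server: nginx'

echo "status: $(railgun_status "$WITH_RAILGUN")"
printf '%s\n' "$WITH_RAILGUN" | railgun_fields
```

Against a live site, pipe the real headers in with: curl -sI https://your-site.example/ | railgun_fields (the host name is a placeholder).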

Fix CPU Overload / Abuse Issues

The most common steps to follow are:

1. Add Cloudflare for your domains; it protects them from unwanted traffic, attacks and bot access.

2. Add a robots.txt so search engines know how to crawl your sites. There are many crawl bots that send unwanted traffic to your websites, which also overloads the server (for example entry process (EP) limit hits).

So create a robots.txt file under your public_html and place the code below in it:

User-Agent: *
Disallow: /

User-Agent: Googlebot
Allow: /

If you want to allow any other search engine to crawl your site, add it to the code above in the same way. Note that robots.txt is only honoured by well-behaved crawlers; abusive bots ignore it, which is why Cloudflare's protection comes first.

Follow the above steps for all your domains; this is recommended.

For WordPress users, change the file permissions of two files under your WordPress root, wp-cron.php and xmlrpc.php, to 000.

You can change them from cPanel > File Manager. These two files cause overloading on servers by attracting unwanted traffic. Note that blocking wp-cron.php also stops WordPress's scheduled tasks (scheduled posts, update checks) from running.

Add the Heartbeat Control plugin to control admin-ajax.php. Once installed, go to WP Admin > Settings > Heartbeat Control, disable the heartbeat for all three options and click Save.

Add Loginizer, which protects your sites from WP login attacks (the most common attacks your websites face daily). It is also best to change your WP admin portal URL (very recommended).

Keep your WP core, plugins and themes up to date.

Remove any unused themes or plugins.

Don’t use the Jetpack plugin as it eats resources.

Types of Malware

1. Hacker Scripts

Very often during an attack there are a number of files of a certain type uploaded onto a victim’s system. These may be web shells (e.g. c99.php), backdoors, file uploaders, spam mailers, phishing pages, doorways (web pages that are created for the deliberate manipulation of search engine indexes), or defacement content (for example, the hacker’s logo, obscene messages, links, etc.). In some cases you can simply search the name of the suspicious file on the web to find out what it does—script kiddies usually do not bother modifying files much so it will probably turn up in search results.

2. Code Injection

Code injection: A popular method of malware deployment onto a target system is via injections: malicious code can be injected into the .htaccess file to create SEO and mobile redirections; PHP or Perl script injections can be used to create backdoors; malvertising scripts can be injected into static .js (JavaScript) and .html files; and, very often, it can be a combination of injection into an existing file together with the uploading of a command and control script. For example, malicious code can be injected into the exif-header of a .jpg file, and the code can be triggered and executed by some other benign-looking file uploaded in another part of the website.

3. SQL Injection

Database entries are a frequent target for hacker attacks. Static HTML content injections are possible using tags such as <script>, <iframe>, <embed>, or <object>. Such unauthorized code insertions can redirect visitors to related but unaffiliated sites, embed advertisements from which the site owner does not profit, embed mining trojans (e.g. CoinHive JavaScript miner), or spy on users and infect their computers using drive-by attacks. Besides this, many modern CMSs (e.g. IPB, vBulletin, modx and others) use template processors that allow the execution of PHP code, and the templates themselves are stored in the database. This gives attackers the opportunity to add backdoors and webshells to the website template directly in the database itself.

4. Cache Injections

Due to insecure settings of a caching server, for example, when using memcached, some injections can be done on cached data on the fly. In some cases, spam can be injected into website pages without actually hacking the core functionality of a website.

5. System components replacement

If hackers are able to get privileged (root) access to a server, they can replace some web server components or caching server components with infected versions. Such a web server can then be controlled via remote commands, and it can add dynamic redirects and malicious code to different website pages. As with cache injections, a webmaster is usually not able to spot the infection because all user files and databases appear unaffected. This is the most difficult case, and in some situations it is easier to rebuild the server and migrate user data rather than try to detect all the malware.

By now, I’ll assume that you’ve already checked the files and database dump with AV scanners and that they have not identified anything malicious. If the malicious redirect or script (embedded in the <script> tag) is still somewhere on the pages of your website, redirects will continue sending users to malicious websites.

On Linux and other Unix-like systems, it is hard to find more useful commands for searching files than find and grep.

This command looks for all PHP-like files (*.ph*) that were modified in the past week.

find . -name '*.ph*' -mtime -7

Sometimes attackers change file modification dates to avoid detection. In that case, use the following command to look for .php and .phtml files whose inode attributes (ctime: permissions, ownership, links) changed in the past week; unlike mtime, ctime cannot be set directly with touch.

find . -name '*.ph*' -ctime -7

If you need to look for file changes in a certain time frame, you can also use this find command.

find . -name '*.ph*' -newermt 2015-01-25 ! -newermt 2015-01-30 -ls 

And let’s not underestimate the grep command as well. This command can recursively search for certain patterns in the files, drilling down through all folders and files. Here is an example.

grep -ril 'example.com/google-analytics/jquery-1.6.5.min.js' * 

When your web server is compromised, it is also good practice to check for files with the setuid/setgid bit set, just to be safe.

sudo find / -perm -4000 -o -perm -2000 

Finally, you can use a command like this to identify what PHP scripts are currently running in the background and possibly impacting website performance.

lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk '{ if(!str) { str=$1 } else { str=str","}} END{print str}'` | grep vhosts | grep php 

Malicious code analysis

Now that we know how to search for possibly malicious files, let’s dive a bit deeper and list what exactly we are looking for and where.

1. Check the upload, cache, tmp, backup, log, and images directories.

You need to check all directories that are used for file uploading. For example, with Joomla you should look for .php files in the ./images folder. There is a high chance that if you find something, it will be malicious. For WordPress it is worth checking the wp-content/uploads, backup and theme cache directories.

find ./images -name '*.ph*'

2. Looking for files with weird names

Here are examples of strange file names to look out for: php, fyi.php, n2fd2.php. You should also look for unusual patterns in file names. For example:

  • File names comprising an odd and unreadable mixture of letters, numbers and symbols, e.g. srrfwz.php, ath.php, kirill.php, b374k.php.php, tryag.php.
  • Because many users rename files by appending the digit ‘1’, look out for normal-looking file names that append numbers other than 1 to parts of the name, e.g. index9.php, wp3-login.php.

3. Looking for files with unusual extensions.

Let’s suppose you have a website based on the WordPress CMS. Files with extensions such as .py, .rb, .pl, .cgi, .so, .c, .phtml, or .php3 would be unusual for such websites. If scripts or files with these extensions are found, most probably they are hacker tools. There is a chance of a false alarm, but it is low.

4. Looking for files with non-standard attributes or creation dates.

As mentioned above, files with modified attributes are suspicious. For example, if all the .php files uploaded to the server via FTP/SFTP have the owner set to ‘user’ but you also see a number of files owned by ‘www-data’, then it is worth checking the latter. Also check whether a script’s creation date is earlier than the website’s creation date. You can use the command templates from the find/grep section above to bake your own search queries, and speed them up or optimize them.

5. Looking for doorways using a large number of .html or .php files.

If a directory contains a few thousand .php or .html files, there is a high chance that this is a doorway. You can use the following command to find the top 50 directories with the highest file counts (if you have many hosting accounts and files on the server, it is better to run this command in the specific folder/home directory you would like to check, to save execution time):

find ./ -xdev -type d -print0 | while IFS= read -d '' dir; do echo "$(find "$dir" -maxdepth 1 -print0 | grep -zc .) $dir"; done | sort -rn | head -50

(Check this thread to find more details on the commands for checking directory file counts.)
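The find cookbook above and the five checks in this section, combined into one added shell script (not part of the original article) that builds a constructed sample web root under a temp directory and runs each check as a function returning a count; every path, file name and file content in it is invented for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: the find-based checks from the cookbook
# above and the five "what to look for" items, wrapped as functions and run against a
# constructed sample web root so each finding can be counted. All paths, file names and
# contents below are made up for the demo (the "suspicious" files hold placeholder text).
set -u

WEBROOT="$(mktemp -d)"
trap 'rm -rf "$WEBROOT"' EXIT

# Build the sample web root: two old benign files plus the artefact types described above.
setup_webroot() {
  mkdir -p "$WEBROOT/images" "$WEBROOT/wp-content/uploads" "$WEBROOT/doorway"
  printf 'benign\n' > "$WEBROOT/index.php"
  printf 'benign\n' > "$WEBROOT/wp-login.php"
  touch -t 201501010000 "$WEBROOT/index.php" "$WEBROOT/wp-login.php"  # old mtime
  printf 'placeholder\n' > "$WEBROOT/images/srrfwz.php"                # PHP in an images dir
  printf 'placeholder\n' > "$WEBROOT/wp-content/uploads/n2fd2.php"     # PHP in uploads
  printf 'placeholder\n' > "$WEBROOT/wp3-login.php"                    # odd numbered name
  printf 'placeholder\n' > "$WEBROOT/tool.phtml"                       # unusual extension
  printf 'placeholder\n' > "$WEBROOT/helper.pl"                        # unusual extension...
  chmod 4755 "$WEBROOT/helper.pl"                                      # ...with setuid bit
  i=0
  while [ "$i" -lt 120 ]; do                                           # doorway: many pages
    printf 'spam\n' > "$WEBROOT/doorway/page$i.html"
    i=$((i + 1))
  done
}

# 1. PHP-like files (*.ph*) modified within the last $1 days: find -mtime -N.
recent_php_changes() {
  find "$WEBROOT" -type f -name '*.ph*' -mtime "-$1" | wc -l | tr -d ' '
}

# 2. PHP files inside directories that should only ever hold images or uploads.
php_in_upload_dirs() {
  find "$WEBROOT/images" "$WEBROOT/wp-content/uploads" -type f -name '*.ph*' | wc -l | tr -d ' '
}

# 3. Extensions that are unusual on a WordPress site.
unusual_extensions() {
  find "$WEBROOT" -type f \( -name '*.py' -o -name '*.rb' -o -name '*.pl' -o -name '*.cgi' \
    -o -name '*.so' -o -name '*.c' -o -name '*.phtml' -o -name '*.php3' \) | wc -l | tr -d ' '
}

# 4. Files carrying the setuid or setgid bit (grouped with \( \) so -type f applies to both).
suid_sgid_files() {
  find "$WEBROOT" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# 5. Directory with the most direct children: a few thousand here usually means a doorway.
busiest_dir() {
  find "$WEBROOT" -type d | while IFS= read -r d; do
    printf '%s %s\n' "$(find "$d" -maxdepth 1 -type f | wc -l | tr -d ' ')" "$d"
  done | sort -rn | head -1 | awk '{ print $2 }'
}

setup_webroot
echo "php files changed in last 7 days: $(recent_php_changes 7)"
echo "php files in upload dirs:          $(php_in_upload_dirs)"
echo "files with unusual extensions:     $(unusual_extensions)"
echo "setuid/setgid files:               $(suid_sgid_files)"
echo "busiest directory:                 $(busiest_dir)"
```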

Server logs can help

  • Dependent relations between the date and time when an email was sent (using details in the mail log and email message header), and access_log entries, help to determine how mail spam was sent out, and find the mailer script on the server.
  • FTP xferlog analysis helps to identify which files were uploaded or changed during the attack and by whom.
  • If your mail server and PHP settings are correctly configured you can find the name of the sender PHP script and the full path to it in your mail log or in the full email message header. This helps to quickly find and eliminate the source of spammy deliveries.
  • Some modern CMSs and plugins have more advanced defense techniques to proactively detect cyber attacks. Their logs might show if there was any attack and whether the CMS or plugin was able to protect itself or not.
  • The access_log and error_log files also allow you to track a hacker’s actions if you were able to identify the script names that were used, the IP address or the HTTP user agent (User-Agent). You can also check the POST requests made on the day the attack happened. Often, such checks let you find which malicious files were uploaded and which were already present before the attack.

Integrity checks

It is much easier to analyze attack vectors and look for malware scripts on websites if some security precautions were already made beforehand. Integrity checks help to identify the changes on the file system in a timely manner, and detect malicious activities quickly. The easiest and most effective way to perform such checks is by using version control systems such as git, SVN, or CVS. For example, with git, if you correctly configure the .gitignore file, the process of integrity checking comes down to executing two commands:

git status # check all changed files
git diff # find malicious code

This guarantees that you have a backup copy of your files and allows you to quickly restore the website to a previous state. Experienced server administrators can also use inotify, tripwire, auditd and similar tools to track file and folder access and changes.

Unfortunately, it is not always possible to configure the version control system or any site integrity check services on a server. In the case of shared hosting, it is not possible to use a version control system or system services. To overcome this problem you can use CMS extensions, in the form of a plugin or a stand-alone script, to track file changes. Some CMSs (e.g. Bitrix or DLE) already have built-in integrity checks.

If the website is using custom scripts or is built with static HTML files, you can use the following shell command to make a snapshot of currently stored files:

ls -lahR > original_file.txt

If any malware threat occurs, you can create another snapshot and then compare the two using any comparison software you like, for example WinDiff, Araxis Merge, Beyond Compare, the diff command (on Linux), or even an online snapshot comparison.
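An added example, not from the original post: the same snapshot-and-compare idea using content hashes instead of ls -lahR, so that a file edited with its size and timestamp preserved is still reported; the site tree and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: a snapshot built from content hashes
# instead of "ls -lahR", so a file whose size and timestamp were preserved still shows
# up as MODIFIED when two snapshots are compared. The site tree is constructed for the
# demo; in practice run snapshot against your real document root.
set -u

WORK="$(mktemp -d)"
SITE="$WORK/site"
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of one file (GNU sha256sum, or shasum on BSD/macOS).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    awk '{ print $1 }'
}

# Manifest of every regular file under $1: "<sha256><TAB><relative path>", sorted by path.
# Tab-separated so paths with spaces survive (paths containing newlines are not handled).
snapshot() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s\t%s\n' "$(hash_file "$f")" "$f"
    done )
}

# Compare a baseline manifest ($1) with a current one ($2); prints ADDED / REMOVED /
# MODIFIED followed by a tab and the path, sorted.
compare_snapshots() {
  awk -F '\t' '
    NR == FNR      { base[$2] = $1; next }        # first file: remember baseline hashes
    !($2 in base)  { print "ADDED\t" $2; next }   # present now, absent from baseline
    base[$2] != $1 { print "MODIFIED\t" $2 }      # same path, different content
                   { delete base[$2] }            # seen: drop from the baseline set
    END { for (p in base) print "REMOVED\t" p }   # whatever is left has disappeared
  ' "$1" "$2" | LC_ALL=C sort
}

# Constructed site and baseline snapshot.
mkdir -p "$SITE/wp-content/themes/demo" "$SITE/wp-content/uploads"
printf 'hello\n'    > "$SITE/index.php"
printf 'theme v1\n' > "$SITE/wp-content/themes/demo/footer.php"
printf 'old\n'      > "$SITE/readme.txt"
touch -t 201501010000 "$SITE/wp-content/themes/demo/footer.php"
snapshot "$SITE" > "$WORK/base.txt"

# Three changes: one edit that keeps size and mtime identical (invisible to ls -l),
# one new file in uploads, one deletion.
printf 'theme v2\n' > "$SITE/wp-content/themes/demo/footer.php"
touch -t 201501010000 "$SITE/wp-content/themes/demo/footer.php"
printf 'placeholder\n' > "$SITE/wp-content/uploads/x.php"
rm "$SITE/readme.txt"
snapshot "$SITE" > "$WORK/current.txt"

compare_snapshots "$WORK/base.txt" "$WORK/current.txt"
```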

Thanks – https://www.imunify360.com/blog/how-to-remove-malware-from-a-website-manually

How to fix PHP 7.2 503 Service Unavailable LiteSpeed Error

Thanks to EA4 (EasyApache 4), WHM cPanel now allows multiple PHP versions to be installed simultaneously. Here is a peculiar example of getting PHP 7.2 enabled on a cPanel server with LiteSpeed and a grsec kernel enabled.

Assumption: here we assume a WHM cPanel server installed on CentOS 6 and configured with ASL (Atomic Secured Linux), available from Atomicorp.com.

When ASL is enabled, the server boots into the ASL kernel, powered by grsecurity modules and rules.

To enable PHP 7.2 from WHM, log in to WHM -> EasyApache 4 -> Customize -> PHP versions -> Enable 7.2.

Once PHP 7.2 is enabled on the server, you need to enable it in LiteSpeed. To do so, log in to the LiteSpeed web interface by visiting your server URL on port 7080.

Once logged in, go to Configuration -> Server -> External App -> Add.

Then add a Script Handler: click Script Handler -> Add. Make sure to configure the handler type as “LiteSpeed SAPI” and the handler name as “[Server Level]: lsphp72”.

Save and restart the LiteSpeed web server. Now, when you configure PHP 7.2 for a particular account from WHM -> MultiPHP Manager and access the website in a browser, you will see the error “503 Service Unavailable, Please try again later”.

On debugging you will notice entries in /usr/local/apache/logs/error_logs as follows:


connection to [/tmp/lshttpd/APVH_xxxxxxx_Suphp72.sock.825] on request #0, confirmed, 1, associated process: 14544, running: 1, error: Connection reset by peer!
2018-01-26 09:45:21.065 [NOTICE] [xxxxxxx:59282] No request delivery notification has been received from LSAPI process group [14544], possible run away process.
2018-01-26 09:45:21.066 [NOTICE] [xxxxxxxx:59282] Retry with new process group.
2018-01-26 09:45:21.066 [NOTICE] Graceful stop process group lead by pid: 14544
2018-01-26 09:45:21.067 [INFO] [APVH_xxxxxxx_Suphp72:] PID: 23289, add child process pid: 14593, procinfo: 0x4e5e970
2018-01-26 09:45:21.155 [INFO] [xxxxxxxx:59282] connection to [/tmp/lshttpd/APVH_xxxxxx_Suphp72.sock.413] on request #0, confirmed, 1, associated process: 14593, running: 1, error: Connection reset by peer!
2018-01-26 09:45:21.155 [NOTICE] [xxxxxxx:59282] Max retries has been reached, 503!
2018-01-26 09:45:21.155 [NOTICE] [xxxxxxx:59282] oops! 503 Service Unavailable
2018-01-26 09:45:21.155 [NOTICE] [xxxxxxx:59282] Content len: 0, Request line: ‘GET /~xxxxxxxx/ HTTP/1.1’
2018-01-26 09:45:21.155 [NOTICE] [xxxxxxx:59282] Redirect: #1, URL: /index.php
2018-01-26 09:45:21.155 [INFO] [xxxxxxx:59282] abort request…, code: 4
2018-01-26 09:45:21.155 [INFO] [xxxxx:59282] File not found [/home/xxxxx/public_html/503.shtml]


Further, tailing /var/log/messages, you will notice errors similar to:


Jan 26 11:05:19 xxxxxxx kernel: [1331781.378288] PAX: terminating task: /opt/cpanel/ea-php72/root/usr/bin/lsphp(lsphp):25821, uid/euid: 591/591, PC: 0000036c959c2010, SP: 000003d92b1a9c28
Jan 26 11:05:19 xxxxxxx kernel: [1331781.381445] PAX: bytes at PC: 53 41 57 41 56 41 55 55 48 8b df 48 83 ec 50 48 8b 43 10 48
Jan 26 11:05:19 xxxxxxx kernel: [1331781.383039] PAX: bytes at SP-8: 0000036c92aa5460 00000000004c3253 000003d92b1a9cc0 00000000040b3d70 0000000004187f20 0000036c92a01900 0000036c92a01900 0000036c92a01909 000003d92b1a9cc0 0000000000000004 0000000000000000
Jan 26 11:05:19 xxxxxxx kernel: [1331781.386756] grsec: From xxxxxxx: denied resource overstep by requesting 64 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
Jan 26 11:05:19 xxxxxxx PAM-hulk[25770]: Brute force detection active: 580 LOGIN DENIED — EXCESSIVE FAILURES — IP TEMP BANNED
Jan 26 11:05:19 xxxxxxx kernel: [1331781.391657] grsec: From xxxxxxx: denied resource overstep by requesting 120 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
Jan 26 11:05:19 xxxxxxx kernel: [1331781.396551] grsec: From xxxxxxx: denied resource overstep by requesting 176 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
Jan 26 11:05:19 xxxxxxx kernel: [1331781.401450] grsec: From xxxxxxx: denied resource overstep by requesting 232 for RLIMIT_CORE against limit 0 for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589
Jan 26 11:05:19 xxxxxxx kernel: [1331781.406601] grsec: From xxxxxxx: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25821] uid/euid:591/591 gid/egid:589/589, parent /opt/cpanel/ea-php72/root/usr/bin/lsphp[lsphp:25820] uid/euid:591/591 gid/egid:589/589


The error is caused by the grsec kernel that ASL installs on the server treating PHP 7.2 as insecure and restricting it: as the PAX lines in the log show, lsphp is attempting something that violates the kernel’s memory protection features. Unfortunately, PHP 7 needs to operate in this insecure manner. To allow PHP to operate this way, follow the steps below.

The solution is to configure the system to allow PHP to run this way. Note that paxctl -m relaxes the PaX MPROTECT restriction only for the one binary it is applied to, not for the whole system. This is achieved by:

  • Stopping the LiteSpeed web server using the commands:

cd /usr/local/lsws/bin

./lswsctrl stop

  • Then running:

paxctl -m /opt/cpanel/ea-php72/root/usr/bin/lsphp

  • If you receive an error similar to “file /opt/cpanel/ea-php72/root/usr/bin/lsphp does not have a PT_PAX_FLAGS program header, try conversion”, convert the header first (paxctl -c only adds the header; the -m command above can then be applied):

paxctl -c /opt/cpanel/ea-php72/root/usr/bin/lsphp

  • Finally, restart the LiteSpeed web server:

./lswsctrl restart

Accessing your website, now configured with PHP 7.2 on a cPanel server with LiteSpeed and ASL (Atomic Secured Linux) or a grsec kernel, should now work successfully.


Solution to CentOS 6 / CentOS 7 VM not booting on Citrix XenServer after kernel update

With the latest kernel update, CentOS 6 and CentOS 7 VMs on Citrix XenServer are found not to boot when rebooted.

After installing the latest updates (including the latest kernel), neither boots. The virtual serial consoles provided by the VM services show nothing.

The only workarounds are:

  1. to manually boot the affected VM into the old kernel,

  2. or to install the CentOS Plus kernel,

  3. or simply not to update kernels on CentOS 6 / CentOS 7 VMs.

This issue is apparently related to the new code for the “Meltdown” vulnerability and is currently failing on both the el6 and el7 latest kernels.

This is being tracked in https://bugs.centos.org/view.php?id=14336

Solution:

If you have already updated the kernel, manually configure grub to boot into the old kernel.

OR

You can try installing the CentOS Plus kernel as follows:

  1. Edit the following file:

/etc/yum.repos.d/CentOS-Base.repo

  2. Change the following section from


[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6


To:


[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
# keep the stock kernel packages from being pulled from this repo
exclude=kernel kernel-devel kernel-PAE-*

#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
# keep the stock kernel packages from being pulled from this repo
exclude=kernel kernel-devel kernel-PAE-*


Then, to enable CentOS Plus, change the following section of the same file from:


#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6


To:


#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
# only take kernel packages from centosplus, nothing else
includepkgs=kernel*


Once done, you can install the CentOS Plus kernel as follows:

yum install kernel-plus

When booted into the new kernel, the VPS will come up on the CentOS 6 plus kernel, with output similar to:

uname -r
2.6.32-696.16.1.el6.centos.plus.x86_64


Limited Offer : 20% Off on all GeoTrust SSL Certificates

Cheap SSL Certificates

For a limited time, WebHostUK is offering a 20% discount on new purchases of GeoTrust SSL Certificates, as available on our website https://www.webhostuk.co.uk/ssl-certificates.html

SSL certificates are now almost mandatory if your website accepts any kind of sensitive information such as passwords or credit card details. Securing your website with an SSL certificate builds trust with your visitors and provides a secure channel for transactions. At WebHostUK, we offer discounted SSL certificates with free installation and setup. For a very limited period, we are offering an additional 20% discount on new SSL purchases.

GeoTrust RapidSSL® 256 bit certificate
Original Price: £32 /year
Discounted Price: £25.5 /year
Use Coupon Code SSL20 to get 20% discount : Order Now

GeoTrust Quick SSL certificate
Original Price: £75 /year
Discounted Price: £60 /year
Use Coupon Code SSL20 to get 20% discount : Order Now

GeoTrust QuickSSL® Premium Certificate
Original Price: £115 /year
Discounted Price: £92 /year
Use Coupon Code SSL20 to get 20% discount : Order Now

GeoTrust True BusinessID® Certificate
Original Price: £130 /year
Discounted Price: £104 /year
Use Coupon Code SSL20 to get 20% discount : Order Now

GeoTrust True BusinessID® Certificate with EV
Original Price: £339 /year
Discounted Price: £271 /year
Use Coupon Code SSL20 to get 20% discount : Order Now

GeoTrust True BusinessID® Wildcard Certificate
Original Price: £499 /year
Discounted Price: £399 /year
Use Coupon Code SSL20 to get 20% discount : Order Now

Hurry! The above offer is limited and valid until 30 April 2017.


How to Repair a MySQL Database with phpMyAdmin


Occasionally, database tables become corrupt and you are no longer able to access them. Always back up your information in case it can’t be restored. Fortunately, you can fix the table so you can access the data again.

In this post we will learn how to repair a MySQL database with phpMyAdmin.

1) Log in to phpMyAdmin (via your cPanel / Plesk control panel).

2) Choose the affected database. If you only have one database it is chosen by default, so you don’t need to do anything.

3) In the right panel, you should see a list of your database tables. Check the boxes next to the tables that need repair.

4) At the bottom of the window, just below the list of tables, there is a drop-down menu. Choose “Repair Table”.

5) phpMyAdmin informs you whether or not the repair process was successful.

6) This should fix your table and let you access it again. As you can see, repairing a MySQL database with phpMyAdmin is a fairly simple process.