The Wonderful World of Linux A mostly dead cpanel/linux blog

How to Install The Newest ImageMagick in Centos

For whatever reason I always had trouble installing the ImageMagick RPMs from their website. So when I got a good guide written down I figured I’d share it with everyone. Here’s how to install the latest and greatest ImageMagick RPMs on CentOS 5 and CentOS 6. It should be compatible with most cPanel systems!

Prerequisites

Let’s download all of the development tools and prerequisites:

yum -y install gcc gcc-c++ make
yum -y install rpmdevtools libtool-ltdl-devel freetype-devel ghostscript-devel libwmf-devel lcms-devel bzip2-devel librsvg2 librsvg2-devel autotrace-devel fftw3-devel libtiff-devel giflib-devel libXt-devel xz-devel

Then we’ll download all the RPMs:

#ImageMagick
wget -rnd ftp://ftp.imagemagick.org/pub/ImageMagick/linux/CentOS/$(uname -i)/

#fftw3 for CentOS 5 only
if [ "$(cat /etc/redhat-release | cut -d' ' -f3 | cut -d'.' -f1)" == 5 ]
then
	wget -rnd http://pkgs.repoforge.org/fftw3/fftw3-3.1.1-1.el5.rf.$(uname -i).rpm
	wget -rnd http://pkgs.repoforge.org/fftw3/fftw3-devel-3.1.1-1.el5.rf.$(uname -i).rpm
fi

#And Djvulibre
wget http://pkgs.repoforge.org/djvulibre/djvulibre-devel-3.5.22-1.el5.rf.$(uname -i).rpm
wget http://pkgs.repoforge.org/djvulibre/djvulibre-3.5.22-1.el5.rf.$(uname -i).rpm

We need to copy libltdl.so to libltdl.so.3. You’ll most likely get an error on CentOS 5. You can ignore it if you do.

if [ "$(uname -i)" == "x86_64" ]
then
	cp /usr/lib64/libltdl.so /usr/lib64/libltdl.so.3
else
	cp /usr/lib/libltdl.so /usr/lib/libltdl.so.3
fi

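Finally, install the RPMs. Note that --nodeps and --force tell rpm to skip its dependency and file-conflict checks, so make sure the directory holds only the packages downloaded above: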

rpm -Uvh *.rpm --nodeps --force

And verify!

[[email protected] imagemagick]# convert --version
Version: ImageMagick 6.8.6-9 2013-08-25 Q16 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2013 ImageMagick Studio LLC
Features: DPC OpenMP
Delegates: bzlib cairo djvu fftw fontconfig freetype gslib jng jp2 jpeg lcms ltdl lzma openexr png ps png rsvg tiff webp wmf x xml zlib

You can also give it a test by creating a sample image from text:

convert -background 'rgb(3,27,5)' -fill white -font Helvetica-Bold -size 250x100  -pointsize 42 -gravity center label:'Linux Rulez!!' linux.gif

ImageMagick PHP Extension

You may also need to install the ImageMagick PHP extension, and it’s just as annoying. Let’s get started. We need to create some folders and link some files:

mkdir -p $(MagickWand-config --prefix)/include/ImageMagick/
ln -s /usr/include/ImageMagick-6/wand $(MagickWand-config --prefix)/include/ImageMagick/wand

Download the file:

cd /root
wget http://pecl.php.net/get/imagick-3.1.0RC2.tgz
tar xzf imagick-3.1.0RC2.tgz
cd imagick-3.1.0RC2

And install:

phpize
./configure PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/
make
make install

Add it to the php.ini:

echo "extension=imagick.so;" >> /usr/local/lib/php.ini

And verify!!

[[email protected] ~]# php -i | grep imagick
imagick
imagick module => enabled
imagick module version => 3.1.0RC2
imagick classes => Imagick, ImagickDraw, ImagickPixel, ImagickPixelIterator
imagick.locale_fix => 0 => 0
imagick.progress_monitor => 0 => 0

Change PECL tmp Directory

If you’ve ever run into the “/tmp/foobar does not exist or is not executable” error after running “pecl install foobar”, it’s likely because /tmp is mounted noexec in the fstab. Removing the noexec flag and rebooting or remounting will fix the problem, but the time required and the fact that processes need to be temporarily halted mean this isn’t necessarily the best option. Let’s do a quick little fix and point PECL at a different temp directory!

mkdir /root/tmp
pecl config-set temp_dir /root/tmp

If this yells at you and says it failed, try this:

pear config-set temp_dir /root/tmp

Then “pecl install foobar”!

Find Which Accounts are Potential Spammers in cPanel/Exim

So you’ve discovered that all of a sudden your server load has shot up and your email inbox is getting filled with hundreds of bounce backs. You, sir, may be spamming! Now if you are a spammer, this isn’t really much of a shock.

But if you’re not a spammer you may be wondering what happened. Well, odds are your website got hacked or your personal machine has a virus/malware.

Usually, if your website gets hacked it’s because you are using an outdated version of your CMS software. Because WordPress doesn’t auto update and we don’t always log in every day (especially if your WordPress just hosts a static website) it can be hard to keep up with the constant updates. And of course all the little hackers out there are then able to exploit whatever security holes you didn’t patch. On top of this, it isn’t just the WordPress core we have to worry about, but also the plugins and the themes. Joomla, Drupal and practically all other CMSs follow the same logic. Keep your apps up to date and your chances of being compromised slim down quickly.

What happens, though, when you are compromised? Usually the attacker places a PHP file on the server that acts as part of a DDoS or a script that sends out a ton of spam. If your personal machine was compromised, then whatever application you use to connect to your email (such as Outlook, Thunderbird, etc.) is usually used to start spamming, or the attacker just grabs any IMAP/SMTP connection info and uses that.

OK, so we know that someone on the server is spamming. We don’t know if it’s a script or if it’s because someone’s personal machine got attacked. Let’s take a look at a couple of one-liners to help out with this. First, let’s look at a command which searches for all external logins (meaning the personal local machine was compromised):

$ exigrep @ /var/log/exim_mainlog | grep _login | sed -n 's/.*_login:\(.*\)S=.*/\1/p' | sort | uniq -c | sort -nr -k1
1 [email protected]
3 [email protected]
59 [email protected]

This uses exigrep to pull every message record containing an @ (meaning pretty much everything) from the mail log, keeps the lines with a dovecot_login or courier_login authenticator (whichever one you use), cuts out the account name that follows it, and then sorts and counts the instances. In this case you can see that the email account [email protected] is sending much, much more than the other two email accounts it found. This doesn’t immediately mean that it’s a spamming account. It could be legitimate, of course, but it gets you on the right path.

Now let’s look at a few one-liners for checking which user/account has been hacked:

$ exigrep @ /var/log/exim_mainlog | grep U= | sed -n 's/.*U=\(.*\)S=.*/\1/p' | sort | uniq -c | sort -nr -k1
3 user1 P=local
74 user2 P=local

So here the user “user2” is sending the most email on the system, so we know that this user is likely responsible for the spam. Let’s see if we can track down the script!

grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort |uniq -c| grep cwd | sort -n | grep /home/

Running this will look at any lines in the exim log that contain the “cwd” string. This should help narrow down the folder where the spam is coming from. But we can get even more specific! Note that the next command doesn’t have as high a success rate as the previous ones, but when it works it saves so much headache.

grep X-PHP-Script /var/spool/exim/input/*/*-H | awk '{print $3}' | sort | uniq -c | sort -nr

Unlike the others, this one actually searches the active email queue. So if you have hundreds or thousands of emails queued up (you can check this by running exim -bpc) this should work. It looks for the X-PHP-Script field in the header of each email. This header should be enabled by default in cPanel; if not, it can be enabled in WHM. Either way, this again sorts and counts exactly which script sent the email! Pretty cool, right?
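The same triage as the one-liners above, as an added example that is not part of the original post: it reads the log on stdin and matches the A=, U= and cwd= fields one at a time, so the counts come back as clean account names and directories. The log lines, addresses and function names are constructed for illustration.

```bash
#!/bin/sh
# Added example. The log lines below are constructed, not taken from a real server.
sample_log() {
cat <<'EOF'
2013-08-25 10:15:01 1VDaaa-0001Xy-AA <= bob@example.com H=(laptop) [203.0.113.5]:51234 P=esmtpa A=dovecot_login:bob@example.com S=1432 for a@example.net
2013-08-25 10:15:02 1VDaab-0001Xy-AB <= bob@example.com H=(laptop) [203.0.113.5]:51235 P=esmtpa A=dovecot_login:bob@example.com S=1440 for b@example.net
2013-08-25 10:15:03 1VDaac-0001Xy-AC <= bob@example.com H=(laptop) [203.0.113.5]:51236 P=esmtpa A=dovecot_login:bob@example.com S=1451 for c@example.net
2013-08-25 10:15:09 1VDaad-0001Xy-AD <= alice@example.com H=(pc) [198.51.100.7]:40022 P=esmtpa A=dovecot_login:alice@example.com S=2210 for d@example.net
2013-08-25 10:16:00 cwd=/home/user2/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2013-08-25 10:16:00 1VDaae-0001Xy-AE <= user2@host.example.com U=user2 P=local S=812 for e@example.org
2013-08-25 10:16:01 cwd=/home/user2/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2013-08-25 10:16:01 1VDaaf-0001Xy-AF <= user2@host.example.com U=user2 P=local S=815 for f@example.org
2013-08-25 10:16:02 cwd=/home/user1/public_html 3 args: /usr/sbin/sendmail -t -i
2013-08-25 10:16:02 1VDaag-0001Xy-AG <= user1@host.example.com U=user1 P=local S=655 for g@example.org
2013-08-25 10:16:03 1VDaae-0001Xy-AE => e@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.25]
2013-08-25 10:16:04 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
EOF
}

# Arrivals ("<=") per authenticated mailbox: A=dovecot_login:<account> or A=courier_login:<account>.
count_auth_logins() {
  awk '$4 == "<=" { for (i = 5; i <= NF; i++) if ($i ~ /^A=[a-z]+_login:/) {
         a = $i; sub(/^A=[^:]*:/, "", a); n[a]++ } }
       END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Locally submitted messages (P=local) per system user (U=<user>).
count_local_users() {
  awk '$4 == "<=" && / P=local / { for (i = 5; i <= NF; i++) if ($i ~ /^U=/) n[substr($i, 3)]++ }
       END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Working directories under /home/ that invoked the mailer (cwd=<dir> lines).
count_cwd() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^cwd=\/home\//) { n[substr($i, 5)]++; break } }
       END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Real use: count_auth_logins < /var/log/exim_mainlog
echo "== authenticated logins =="; sample_log | count_auth_logins
echo "== local users ==";          sample_log | count_local_users
echo "== script directories ==";   sample_log | count_cwd
```

Delivery lines (=>) and cwd entries outside /home/ are ignored, so only message arrivals and account-owned directories are counted.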

So there you have it. If you are unfortunate enough to have a compromised system, this will help identify where the problem lies. And once you know, you can fix it and safeguard yourself for the future. In addition to the WordPress and CMS tips above, you may want to look at even more security-oriented plugins:

WP-Security

I’ve seen this used quite a bit over the interwebs and although I’ve always been on the problem side of it, it should give you a little extra security to prevent such attacks. For PC-based compromises, you gotta have a virus scanner and a malware scanner. Here are my favorites:

Windows Defender
MalwareBytes

People will argue that you should use Avast or AVG over Windows Defender; personally I don’t think it’s necessary. Windows Defender generally does a good job at actively scanning your computer and catching anything that comes through. It’s quiet, sits in the background, integrates great with Windows and is completely free (and even free for businesses up to 10 computers)! The second is MalwareBytes and I’ve seen it personally catch more malware than any competitor. It’s completely free but does have a paid option for more and worthwhile features.

“Is there anything else I can do?” Uh, yeah! Stop them before they even get to your server! That’s where the following tools come into play:

6Scan
CloudFlare

6Scan is a paid product and will scan and even fix many of the vulnerabilities you encounter. Rather than finding out you’re hacked from a visitor, a bounce back or the Google malware page, 6Scan will not only alert you but also help fix the issue! CloudFlare, in addition to speeding up your website through its CDN, includes a firewall to help block many of the known attackers out there. Oh, and it’s free, with paid versions available for higher speed, better analytics and more finely tuned security settings.

Hopefully after you read this you know how to not only identify hacked accounts and spamming accounts but also know a few more steps to help prevent the same thing from happening in the future. I would love to hear about some of your stories or strategies so please leave them in the comments below!

Installing Git on cPanel/CentOS Servers

Git is awesome, plain and simple! If you would like to install it on a cPanel and/or CentOS based server you have 2 options: installing from an RPM or installing from source.

RPM/Yum Based

You should simply be able to do a yum install on the server and git will be pulled from the “updates” repo:

yum install git

If you run into a dependency issue with perl-Git, check and make sure that perl is not entered into the excludes in /etc/yum.conf. Now one issue with simply pulling from the basic repo is that the version may not be as up to date as possible. On my server I pulled down version 1.7.1, however the latest stable version of git is 1.8.2. You may be able to find much more up to date versions in the EPEL repo or RPMForge. You can also install the latest available version straight from source:

Source Install

First off, you’ll want to make sure you have any and all dependencies taken care of:

yum -y install curl-devel expat-devel gettext-devel openssl-devel zlib-devel

Now let’s grab the latest version and git (See what I did there?) to work!!

cd /usr/local/src/
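# Name the download explicitly so the tar step does not depend on how wget names the file
wget -O git-master.tar.gz https://github.com/git/git/archive/master.tar.gz
tar xzf git-master.tar.gz
# The archive of the master branch unpacks into git-master
cd git-master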
make prefix=/usr/local all
make prefix=/usr/local install 

And that’s it! Now feel free to learn git (http://try.github.com) and give it a shot!

[email protected] [~]# git --version
git version 1.8.2.GIT

Rebuilding Spamd on cPanel

Spamd on cPanel seems to always fail for me. I don’t know if it’s something special within my config or if it’s just a cPanel thing in general. Because I am a lazy admin I don’t always bother with fixing things but jump to rebuilding them… this usually does the trick for me:

rpm -e `rpm -qa | grep spam`
/usr/local/cpanel/scripts/installspam --force
sa-learn -D --force-expire
sa-update -D
/usr/local/cpanel/scripts/spamassassin_dbm_cleaner
/usr/local/cpanel/scripts/fixspamassassinfailedupdate
/usr/local/cpanel/scripts/restartsrv_spamd

This just completely reinstalls spamd and cleans up any messes. Does the trick for me!