Bash 1-Liners
From 5dollarwhitebox.org Media Wiki
Summary
Blah blah... nothing to see here, just some reminders for myself. ;)
Misc BASH
Determine Apache Client IPs and Connection Counts
Useful for determining where the bulk of the connections to port 80 are coming from
netstat -lantp | grep ":80" | awk {' print $5 '} | awk -F ":" {' print $1 '} | sort | uniq -c
File Operations
MySQL
Perform MySQL Dump For All Databases Separately
linuxbox /]# for database in $(mysql -N -e "show databases"); \
> do echo -n "backing up $database ... "; \
> mysqldump "$database" > "$database.sql" && \
> echo "ok" || \
> echo "failed"; \
> done
Note: You may need to configure the '[client]' section (user and password) of your user's '~/.my.cnf' so that mysql and mysqldump can authenticate without prompting.
Restore MySQL Database From An '--all-databases' Dump File
If you have to extract a single database from an '--all-databases' dump file (mysqldump marks the start of each database with a comment line of the form -- Current Database: `name`, so include the backticks in the pattern):
cat all_databases.sql \
> | grep -A <ridiculous_number> "Current Database: <database_name>" \
> | grep -B <ridiculous_number> "Current Database: <next_database_infile>" > single_database.sql
Grep'ing Logs
Apache: Grep for connections per hour from each IP
cat /var/log/httpd/access_log | grep "05/Sep/2006:.." \
| awk {' print $4":"$1 '} \
| sed 's/\[//g' \
| awk -F : {' print $1":"$2"\t\t"$5 '} \
| sort \
| uniq -c
Sendmail - Finding MailQ IDs sent via apache
Helpful to determine whether a queued message was submitted by apache (hack checking, etc.). Each queued message has a control file 'qf<ID>' and a data file 'df<ID>'; the ID is what appears in the maillog, and '48/48' is the uid/gid sendmail logs for the apache user on Red Hat-style systems:
for i in /var/spool/mqueue/qf*; do grep "$(basename "$i" | sed 's/^qf//')" /var/log/maillog | grep "48/48"; done
Sendmail: Breaking log entry down to pull out domain that message was sent to
This one was helpful as I needed to see all of the domains that the box had sent mail to, and then perform a 'host' on the domain to get the IP:
linuxbox /]# export DOMS=' ' ; \
> for i in `cat /var/log/maillog* | \
> grep -ow to=\<.*@.*\> | \
> awk -F , {' print $1 '} | \
> awk -F = {' print $2 '} | \
> sed 's/[<>]//g' | \
> awk -F @ {' print $2 '}`; \
> do DOMS="$DOMS $i"; done ; \
> export UNIQ_DOMS=`echo $DOMS`; \
> for dom in $UNIQ_DOMS; do echo $dom; done | sort | uniq -c
Yes, that is all one command, continued across lines with a backslash. Replace 'echo $dom' in the last line with whatever you want to do with the $dom variable that was pulled out of the log entry.
OK OK OK, that one there... is likely to bork your bash session if the files are large. So I broke it down for each file... something like:
linuxbox /]# for i in `cat /var/log/maillog | \
> grep -ow to=\<.*@.*\> | \
> awk -F , {' print $1 '} | \
> awk -F = {' print $2 '} | \
> sed 's/[<>]//g' | \
> awk -F @ {' print $2 '}`; \
> do echo $i; done | sort | uniq > maillog.domains
Qmail: Determining The Source of a Remote Spammer
This customer had a brute force attack against SMTP which was successful for multiple accounts. The following is the 1-liner used to grab the accounts which were used from that IP:
[root@qmailbox root]# cat /var/log/messages \
| grep 10.1.1.15 \
| grep "smtp_auth: SMTP user" \
| grep "logged in" \
| awk {' print $11 '} \
| awk -F / {' print $6"@"$5 '} \
| sort \
| uniq -c
1422 johnny@domain1.com
1456 johnny2@domain2.com
Qmail: Determine number of times users have authed
Similar to the last one... but whatev. This is handy if you think you might have a user that was compromised or want to see how many times users have authed successfully:
[root@qmailbox /]# cat /var/log/messages \
| grep -i smtp_auth \
| grep "logged in" \
| awk {' print $11 '} \
| awk -F / {' print $6"@"$5 '} \
| sort \
| uniq -c
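The two Qmail auth one-liners above split the same smtp_auth log line. As an added example (not from the original wiki), this script does that parsing in a reusable function, restricts it to one source IP like the first one-liner, and also flags accounts that logged in from more than a given number of distinct IPs, which is the usual sign of a leaked or brute-forced mailbox password. The log lines, the 'qmail-smtpd' process name and the 'from <IP>' trailer are constructed to match the field positions the page's awk assumes ($11 is the vpopmail home path).

```shell
#!/bin/bash
# Added example, not from the original wiki: count successful qmail smtp_auth
# logins per account and flag accounts used from many source IPs. The log
# lines are constructed to match the field positions the page's awk assumes
# ($11 = vpopmail home path, last field = client IP); real formats may differ.
set -u

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Sep  5 14:02:11 qmailbox qmail-smtpd[4242]: smtp_auth: SMTP user johnny : /home/vpopmail/domains/domain1.com/johnny logged in from 10.1.1.15
Sep  5 14:02:12 qmailbox qmail-smtpd[4243]: smtp_auth: SMTP user johnny : /home/vpopmail/domains/domain1.com/johnny logged in from 10.1.1.15
Sep  5 14:02:13 qmailbox qmail-smtpd[4244]: smtp_auth: SMTP user johnny2 : /home/vpopmail/domains/domain2.com/johnny2 logged in from 10.1.1.15
Sep  5 14:02:14 qmailbox qmail-smtpd[4245]: smtp_auth: SMTP user alice : /home/vpopmail/domains/domain1.com/alice logged in from 192.168.7.9
Sep  5 14:02:15 qmailbox qmail-smtpd[4246]: smtp_auth: SMTP user johnny : /home/vpopmail/domains/domain1.com/johnny logged in from 203.0.113.7
Sep  5 14:02:16 qmailbox qmail-smtpd[4247]: smtp_auth: SMTP user bob : /home/vpopmail/domains/domain1.com/bob failed login from 10.1.1.15
EOF

# Print "count user@domain" for successful logins, optionally only from IP.
auth_counts() {            # usage: auth_counts LOGFILE [IP]
    local log=$1 ip=${2:-}
    awk -v ip="$ip" '
        /smtp_auth: SMTP user/ && /logged in/ && (ip == "" || $NF == ip) {
            n = split($11, p, "/")          # .../domains/<domain>/<user>
            count[p[n] "@" p[n-1]]++
        }
        END { for (a in count) print count[a], a }' "$log" | LC_ALL=C sort -k2
}

# List accounts that authenticated from more than MAX distinct client IPs;
# one mailbox logging in from many addresses usually means its password has
# leaked or been brute-forced (the case the page describes).
multi_ip_accounts() {      # usage: multi_ip_accounts LOGFILE MAX
    local log=$1 max=$2
    awk -v max="$max" '
        /smtp_auth: SMTP user/ && /logged in/ {
            n = split($11, p, "/"); acct = p[n] "@" p[n-1]
            if (!seen[acct, $NF]++) ips[acct]++
        }
        END { for (a in ips) if (ips[a] > max) print ips[a], a }' "$log" | LC_ALL=C sort
}

echo "== successful logins from 10.1.1.15 =="; auth_counts "$LOG" 10.1.1.15
echo "== accounts seen from more than 1 IP =="; multi_ip_accounts "$LOG" 1
```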
Qmail: Grep all mail queue messages for content and provide queue ID
Ok, this seems obscure... but when you are trying to track down the sources of spam and an Apache-level compromise, you need to investigate messages that are currently in the queue. Most often you are looking for something specific, and once you find it you need the mail queue ID so that you can look at the rest of the message. Well, this is helpful:
[root@linuxbox /]# for i in $(qmHandle -R -N | awk {' print $1 '} | grep -v "Messages") \
; do export LINE=`qmHandle -m$i | grep "search query"` \
; [ "$LINE" != "" ] && echo "QMAIL ID $i: " && echo $LINE && echo \
; done
Note: Replace 'search query' with what you are searching for.
