From WHMXtra Documentation

SSH Rootkit Test

Tests SSH, OpenSSL and LibKey Utils to see if they have been compromised. These tests cannot guarantee that your server has not been compromised, but they are quick checks that help determine whether these binaries have been tampered with.

User Error Logs

Find old user error logs that might be taking up way too much space and need to be removed.

Find Install Files and Find PHP.ini Files

Find and remove old leftover install files, which can provide an attack vector for hackers, as well as users' custom php.ini files.

Fix Nobody Files and Fix Root Files

Find and fix folders and files on user accounts that are improperly owned by root or nobody users.

Fix 777

Find and fix folders and files on user accounts that are improperly set to chmod 777. Find will create a viewable/downloadable report. Fix will repair the permissions: 644 will be used for files and 755 for folders. Scans report "clean" if everything is OK and "Folders/Files Found" if anything set to 777 is found.

Failed SSH Logins

View a list of failed SSH login attempts.

Bash History

View bash history for root or a specific user.

SSH Logins

View SSH logins by last logged in, user, IP or month.

Apache/PHP Security Tester

Test the installed Apache and PHP for security issues. Can only be used via the Remote Control Plugin.

Advanced Policy Firewall

Install, remove, configure and manage Advanced Policy Firewall and Brute Force Detection. Note that this feature also has an advanced management area we call APF Central for managing APF and BFD, including editing the config, adding and removing IPs and more.


Install and remove Config Server Firewall and LFD protection. Note that we only provide the means to install and remove CSF. Management of CSF is done via ConfigServer's own addon, which will be visible after you install and refresh your screen. You can find it in the plugins section of the WHM menu, where Xtra is also located.


Scans logs and bans IPs that it finds are making too many connections (e.g. brute force attacks).

RK Hunter

RK Hunter is one of the more popular rootkit detectors. This part of Xtra allows you to install, upgrade, remove and manage RK Hunter. The interface also lets you run it and view real-time results, as well as view the log generated after it finishes running. You may also toggle the cron on and off and set the email address to send the results to if you wish to receive them via email.

CHK Rootkit Hunter

Similar to RK Hunter but performs slightly different checks. Useful to run alongside RK Hunter. This interface allows the installation, removal and management of CHK, as well as turning the cron on and off and setting the email address to send the results to (if you wish). You can also run it from this interface and view the results live.


Performs several types of checks for hidden processes and suspicious processes. Install, remove and view live results with this script.

System Integrity Monitor

SIM is a system and services monitor. It is designed to be intuitive and modular in nature, and to provide a clean and informative status system. Install, remove, update and manage this program via Xtra.

Process Resource Monitor

PRM monitors the process table on a given system and matches process IDs against resource limits set in the config file or in per-process rules. Process IDs that match or exceed the set limits are logged and killed; it includes e-mail alerts, a kernel logging routine and more. Install, remove, update and manage this feature in this section.

Linux Socket Monitor

LSM is a bash-scripted network socket monitor. It is designed to track changes to both network sockets and Unix domain sockets. By recording a base set of the sockets that should be active and then comparing the currently active socket information to those base comparison files, it highlights otherwise unknown services.

Network Socket Inode Validation

Network socket inode validation is a rule-based utility intended to aid in validating inodes against each LISTEN socket on a system. It exists because rogue binaries can easily hijack a user, program privileges, or work space, and use them to kill the old service and execute a new service on the known port they crashed. The best-known example of this trend is content uploaded to a 'tmp' path via PHP remote include exploits, which is executed, crashes the web server and starts a rogue httpd process, and other such items. The execution cycle of NSIV is very simple: first it determines the running process ID of your binary, followed by the trusted inode (the one associated with the BIN variable). Then the PORT value is used to check that the binary holding that port open actually references back to the trusted inode. If it does not, the service is assumed to have been hijacked and the PID is killed / RST executed, with an optional e-mail alert dispatched.
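The check described above can be sketched as follows. This is an added example, not NSIV's own code: the function names, the constructed `SAMPLE_TCP` table and the `/usr/sbin/httpd` path are assumptions, and it only reports a verdict per PID rather than killing anything.

```python
import os

# Constructed sample in /proc/net/tcp format; state column "0A" means LISTEN.
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 40404 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0A00000A:0050 0A000014:C350 01 00000000:00000000 00:00000000 00000000    99        0 50505 1 0000000000000000 20 4 30 10 -1\n"
)

def listen_inodes(tcp_table, port):
    """Socket inodes of LISTEN entries bound to `port` (any local address)."""
    found = set()
    for line in tcp_table.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10 and f[3] == "0A" and int(f[1].rsplit(":", 1)[1], 16) == port:
            found.add(int(f[9]))
    return found

def holders(sock_inodes, proc="/proc"):
    """PIDs that have one of the socket inodes open as a file descriptor."""
    pids = set()
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                link = os.readlink(os.path.join(fd_dir, fd))
                if link.startswith("socket:[") and int(link[8:-1]) in sock_inodes:
                    pids.add(int(pid))
        except OSError:
            continue  # process exited, or fd table not readable without root
    return pids

def check_port(port, trusted_bin, tcp_table, proc="/proc"):
    """Return {pid: bool}: does each listener's executable match the trusted inode?"""
    want = os.stat(trusted_bin)
    verdict = {}
    for pid in holders(listen_inodes(tcp_table, port), proc):
        try:
            have = os.stat(os.path.join(proc, str(pid), "exe"))
        except OSError:
            verdict[pid] = False  # identity cannot be proven: treat as untrusted
            continue
        verdict[pid] = (have.st_dev, have.st_ino) == (want.st_dev, want.st_ino)
    return verdict

if __name__ == "__main__":
    # Assumed binary path; IPv4 only, append /proc/net/tcp6 rows for IPv6 listeners.
    with open("/proc/net/tcp") as fh:
        print(check_port(80, "/usr/sbin/httpd", fh.read()))
```

Comparing device and inode numbers rather than the path string means a binary started from another location fails the check even if it is named `httpd`.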

Linux Malware Detect

Linux Malware Detect is a malware scanner for Linux that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.

Wget / Lynx

Wget and Lynx are used for updating software and cPanel (and Xtra), but they can also be used by hackers to get exploits onto your server. For security, we suggest using this feature to disable them until you need them to upgrade something.


Open Source Tripwire software is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.


Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Takes about 5 minutes to install.

Note: Requires some manual work to complete the install; if you aren't already familiar with it, don't mess with it. This version is not for 64-bit systems.


Lynis is an auditing tool for Unix. It scans the system and available software to detect security issues. Besides security-related information, it will also scan for general system information, installed packages and configuration mistakes.

MySQL Performance (also known as MySQL Tuner)

Reports various data on how MySQL is performing on your server and suggests possible ways to improve it. Original script by Major Hayden.

List Open Ports

This little script will show you which ports on your server are currently actively listening for traffic. Useful for checking whether a hacker may have opened a port that you want closed.

List Connections

Shows current and recent connections to the server along with the full status of Apache.

List User ID's

Lists the IDs of all system users.

On Guard

On Guard is a script designed by us to monitor /tmp, /var/tmp and /dev/shm for malicious files and exploits uploaded to your server by hackers. Once activated, the script will monitor these directories and email you if it detects a possibly malicious file, so you can check it out before a hacker does any serious damage. Use the interface to install, configure and manage the script as well as the cron job.

Secure Partitions

Secure and set proper permissions on /tmp, /var/tmp and /dev/shm.

Find Shell Scripts

This will search for CGI and PHP scripts containing shell commands most often used by hackers. The default search checks /home and /home2. If you just want to check a specific user account or a different directory, you can use the custom search option.

Find Open Proxies

This script checks your server for open proxy servers. Note that there is nothing to run; it quickly checks whenever you visit the page.

Process Checker

Scans all running processes for suspicious ones and kills any it finds. There is nothing to run; the scan and results come up right away (yes, it's real-time scanning).