Restoring Cpanel from old drive after crash or hack

13 March 2008

cPanel Restore Guide

=====================================================================
So your cPanel server got hacked or crashed? Lots of that going around these days. And if you didn’t have cPanel backups of all your sites, then your only option is to copy from the old drive. Here are the basics.

Commands to be executed from a root shell are preceded by #.
1) Order restore from The Planet. In trouble ticket specify to leave the old drive in
2) Once the restore is done, SSH in to box..

Mount the old / partition at /old (on TP boxes it is almost always /dev/hda3; the mount point has to exist first):

root@box# mkdir -p /old
root@box# mount /dev/hda3 /old

Run chkrootkit to make sure you don’t copy back infected files: http://www.chkrootkit.org/

Now we can start copying data back from the old drive.

root@box# rsync -vrplogDtH /old/usr/local/apache/conf /usr/local/apache
root@box# rsync -vrplogDtH /old/var/named /var
root@box# rsync -vrplogDtH /old/home/* /home
root@box# rsync -vrplogDtH /old/usr/local/cpanel /usr/local
root@box# rsync -vrplogDtH /old/var/lib/mysql /var/lib
root@box# rsync -vrplogDtH /old/var/cpanel /var
root@box# rsync -vrplogDtH /old/usr/share/ssl /usr/share
root@box# rsync -vrplogDtH /old/var/ssl /var
root@box# rsync -vrplogDtH /old/usr/local/cpanel/3rdparty/mailman /usr/local/cpanel/3rdparty
root@box# rsync -vrplogDtH /old/var/log/bandwidth /var/log
root@box# rsync -vrplogDtH /old/usr/local/frontpage /usr/local
root@box# rsync -vrplogDtH /old/var/spool/cron /var/spool
root@box# rsync -vrplogDtH /old/root/.my.cnf /root
root@box# rsync -vrplogDtH /old/etc/httpd/conf/httpd.conf /etc/httpd/conf
root@box# rsync -vrplogDtH /old/etc/sysconfig/network /etc/sysconfig

Then change to the old /etc and execute the following, all on one line:

root@box# cd /old/etc

root@box# rsync -vrplogDtH secondarymx domainalias valiases vfilters exim* proftpd* pure-ftpd* passwd* group* *domain* *named* wwwacct.conf cpupdate.conf quota.conf shadow* *rndc* ips* ipaddrpool* ssl hosts /etc

Well, I hope I got everything. After you move all that stuff you will find yourself fixing up little things here and there.
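The copy steps above as a script, added here as an example and not part of the original guide: it mounts the old root read-only and noexec, checks that every listed source actually exists under /old before anything is copied, and logs a dry run of each rsync before the real one. The device, mount point, log path and the (shortened) path list are assumptions carried over from the guide.

```shell
# Added example, not from the original guide: the same restore as a script.
# The old drive is mounted read-only and noexec, every source is checked
# before anything is copied, and each rsync is dry-run into a log first.
# OLD_DEV, OLD and LOG are assumed values taken from the guide; adjust them.
set -u
OLD_DEV="${OLD_DEV:-/dev/hda3}"   # old root partition (the guide's TP default)
OLD="${OLD:-/old}"                # mount point for the old root
LOG="${LOG:-/root/restore.log}"   # every rsync change list lands here

# "relative-source destination-parent" pairs, a subset of the guide's list.
# A trailing slash on a source copies its contents, like /old/home/*.
PAIRS='usr/local/apache/conf /usr/local/apache
var/named /var
home/ /home
var/lib/mysql /var/lib
var/spool/cron /var/spool
etc/httpd/conf/httpd.conf /etc/httpd/conf'

# Mount the old root so nothing on it can be executed or altered by mistake.
mount_old() {
    mkdir -p "$OLD" && mount -o ro,noexec,nosuid,nodev "$OLD_DEV" "$OLD"
}

# Print each listed source that does not exist under the old root given as $1.
missing_sources() {
    while read -r src dst; do
        if [ -n "$src" ] && [ ! -e "$1/$src" ]; then echo "$1/$src"; fi
    done <<EOF
$PAIRS
EOF
}

# Copy one path with the guide's rsync flags: dry-run into the log, then for real.
restore_one() {
    mkdir -p "$3" || return 1
    rsync -vrplogDtH --dry-run "$1/$2" "$3" >>"$LOG" 2>&1 &&
        rsync -vrplogDtH "$1/$2" "$3" >>"$LOG" 2>&1
}
# Refuse to start until every listed source is present, so a wrong device
# or mount point is caught before anything is written to the new system.
restore_all() {
    missing=$(missing_sources "$OLD")
    if [ -n "$missing" ]; then printf 'not copying, missing:\n%s\n' "$missing" >&2; return 1; fi
    while read -r src dst; do
        [ -n "$src" ] || continue
        restore_one "$OLD" "$src" "$dst" || return 1
    done <<EOF
$PAIRS
EOF
}
```

Run `mount_old` and then `restore_all` as root; the log shows what each rsync would change before it changes it.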

I recommend updating cPanel afterwards:
/scripts/upcp --force
/scripts/updatenow
/scripts/sysup
/scripts/fixeverything
/scripts/exim4
up2date

Once everything works, make sure you don’t get 0wn3d again:
– Update Apache AND the kernel to the latest versions: WHM > Software > Apache Update
– Mount /tmp as noexec (and symlink /var/tmp to /tmp)
– Configure cPanel’s “cPHulk” system to make sure brute-force login attempts are stopped
– Consider installing Mod Security (LINK)
– Consider installing ConfigServer Security & Firewall (LINK) (only if you think you can handle it)
– Consider disabling direct root login (TUTORIAL) (you will then need to log in as an admin user and su to root, which is one more password for someone to try to figure out)

NOTE: cPanel 11 and later versions of cPanel 10 will regularly update your system software by running up2date, cPanel update, etc.
=====================================================================

Ok, groovy. And to the pros out there, don’t kill me because of the UI instructions rather than SSH toward the bottom. It’s to prevent anyone from getting stuck. Plus, those have become much more reliable since this guide was first made.

Source: h**p://forums.theplanet.com/index.php?showtopic=38797&view=findpost&p=588605