This guide shows how to identify users/sites running HetrixTools monitoring on a cPanel server using CloudLinux, CageFS, and Imunify360.
โ
Step 1: Locate hetrixtools Directories
Use the following command to search for HetrixTools-related directories in user accounts:
find /home -type d -name "hetrixtools"This will return results like:
/home/user1/public_html/hetrixtools
/home/user2/hetrixtoolsEach path helps you identify which cPanel users are using HetrixTools.
โ Step 2: Check All Usersโ Crontabs for HetrixTools References
This step scans user cronjobs for scheduled HetrixTools checks.
for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null; done > /root/hetrixtools_crons.txtThen search the file:
grep -i hetrixtools /root/hetrixtools_crons.txtOutput will look like:
*/5 * * * * /home/user1/hetrixtools/server_uptime.phpThis confirms HetrixTools usage via cron.
โ Step 3: Check CageFS Jail for HetrixTools Presence
To see which users have HetrixTools files within their jailed environment:
for u in $(ls /var/cagefs/); do find /var/cagefs/$u -type d -name "hetrixtools" 2>/dev/null; doneThis works especially if users manually installed HetrixTools while jailed.
โ Step 4: Imunify360 Considerations
If HetrixTools is using custom scripts or PHP scripts, Imunify360 may flag or rate-limit them.
You can check if any files are being quarantined:
imunify360-agent malware list | grep hetrixtoolsTo whitelist a false positive:
imunify360-agent malware ignore add --path /home/username/hetrixtools๐ Security Tips
- Remove if Unused: If the script is no longer in use, remove the cronjob and directory to reduce attack surface.
- Audit Regularly: Include
hetrixtoolschecks in your monthly server audits. - Monitor Resource Use: HetrixTools cronjobs can be aggressiveโensure they donโt violate LVE limits under CloudLinux.