For our servers I created a simple automation script which uses the ClamAV Connector plug-in available through WHM. The idea is based on the suggestions made by cPanel:
Security and Virus Scanning in WHM
The cronjob mentioned on the above page performs a scan on a per-account basis. I transferred this concept into a per-account email warning sent to the user's contact email and the server administrator. Only if an infection is found will an email be sent. This way detecting hacked websites is faster.
For anybody that finds this useful here's a little tutorial:
First make sure the ClamAV plug-in is installed and running. The below script can be created with any user you prefer, but must be executed by the root user.
Go to your preferred custom scripts directory and create the following file:
Code:
vi clamscan_daily
Paste the following code in the file and adjust the 3 email params as needed:
Code:
#!/bin/bash
# Set default TO email
# This is a fall-back in case the user has no contact email
EMAIL_TO="[email protected]"
# Set BCC email
# Use this to get a copy of all sent out warnings
EMAIL_BCC="root"
# Set FROM email
# Use this to add a reply address for your customers or use a no-reply address
EMAIL_FROM="[email protected]"
run_scan () {
    # Get the server's hostname
    HOSTNAME=$(hostname)
    for i in $(awk '!/nobody/{ print $2 }' /etc/userdomains | sort -u)
    do
        # Create tmp file (in /tmp rather than the current directory)
        TMPFILE=$(mktemp /tmp/clamscan-result.XXXXXXXXXX) || exit 1
        # Get user email. Start from the fall-back for every account, so that
        # one user's address is never reused for the next account.
        RCPT_TO="$EMAIL_TO"
        if [ -f "/home/$i/.contactemail" ]
        then
            # The file is user-writable: take the first line only, so it
            # cannot add extra header lines to the message
            RCPT_TO=$(head -n 1 "/home/$i/.contactemail")
            [ -n "$RCPT_TO" ] || RCPT_TO="$EMAIL_TO"
        fi
        # Prepare email headers
        echo "To: $RCPT_TO" >> "$TMPFILE"
        echo "Bcc: $EMAIL_BCC" >> "$TMPFILE"
        echo "From: $EMAIL_FROM" >> "$TMPFILE"
        echo "Subject: $HOSTNAME: Virus detected on account: $i" >> "$TMPFILE"
        echo "Importance: High" >> "$TMPFILE"
        echo "X-Priority: 1" >> "$TMPFILE"
        # An empty line separates the headers from the body
        echo "" >> "$TMPFILE"
        # Prepare email body
        echo "Attention! Your action is required. Please delete the following infected files:" >> "$TMPFILE"
        echo " " >> "$TMPFILE"
        # Start scanning the user's home directory
        /usr/bin/clamscan -i -r "/home/$i" >> "$TMPFILE"
        SCAN_RC=$?
        # clamscan exits with 1 when at least one infected file was found
        # (0 = no virus found, 2 = error). Checking the exit status replaces
        # the summary filter `grep Infected | grep -v 0`, which also dropped
        # counts containing a zero, such as 10 or 20.
        if [ "$SCAN_RC" -eq 1 ]
        then
            sendmail -t < "$TMPFILE"
        fi
        # clean-up tmp file
        rm -f "$TMPFILE"
    done
}
run_scan
Save the file and make it executable:
Code:
chmod +x clamscan_daily
Edit the crontab (crontab -e) and add the following cronjob:
Code:
30 5 * * * /path/to/your/clamscan_daily > /dev/null 2>&1
It's advised to configure the execution time of the above script about 10 minutes after your ClamAV update run (/usr/bin/freshclam) to make sure you have the latest definitions. It is also possible to run this more than once per day, but since running ClamAV results in a higher load it's best to run it during off-peak hours.
I hope this will help you a bit in protecting your servers.
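As an added example (not part of the original post): the decision whether to mail a warning, made from clamscan's exit status and the numeric `Infected files:` count instead of a text filter such as `grep -v 0`, which also discards counts like 10 or 105. The summary lines are constructed sample data and the function names are hypothetical.

```shell
#!/bin/bash
# Constructed stand-in for the summary at the end of a clamscan report
# (sample data, not real scan output). $1 = infected count to report.
summary() {
    printf '%s\n' "----------- SCAN SUMMARY -----------" \
        "Scanned directories: 41" "Scanned files: 312" \
        "Infected files: $1" "Time: 12.345 sec (0 m 12 s)"
}

# Text filter: any Infected line that contains the character "0" is dropped,
# so 10, 20, 105 ... infected files produce no alert.
legacy_has_infection() {
    [ "$(tail -n 12 | grep Infected | grep -v 0 | wc -l)" -ne 0 ]
}

# Numeric check: read the value after "Infected files:" as an integer.
# The last matching line wins, which is the summary clamscan prints at the end.
infected_count() {
    awk -F': *' '/^Infected files:/ { n = $2 } END { print n + 0 }'
}

# Combine clamscan's exit status ($1) with the report on stdin.
# Exit status per clamscan(1): 0 = no virus found, 1 = virus(es) found, 2 = error.
classify_scan() {
    rc=$1
    count=$(infected_count)
    if [ "$rc" -eq 1 ] || [ "$count" -gt 0 ]; then
        echo infected
    elif [ "$rc" -ne 0 ]; then
        echo error      # incomplete scan: report to the admin, do not treat as clean
    else
        echo clean
    fi
}

# Demo over constructed counts: shows where the two checks disagree.
for n in 0 3 10 105; do
    if summary "$n" | legacy_has_infection; then old=alert; else old=silent; fi
    new=$(summary "$n" | classify_scan $(( n > 0 )))
    printf 'infected=%-3s text-filter=%-6s numeric=%s\n' "$n" "$old" "$new"
done
```
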