Automatic user-based email script for clamavconnector plugin

Discussion in 'Security' started by XenomediaBV, May 13, 2013.

    For our servers I created a simple automation script which uses the ClamAV Connector plug-in available through WHM. The idea is based on the suggestions made by cPanel:
    Security and Virus Scanning in WHM

    The cronjob mentioned on the above page performs a scan on a per-account basis. I transferred this concept into a per-account email warning sent to the user's contact email and the server administrator. An email will be sent only if an infection is found. This way, detecting hacked websites is faster.

    For anybody that finds this useful here's a little tutorial:


    First make sure the ClamAV plug-in is installed and running. The below script can be created with any user you prefer, but must be executed by the root user.

    Go to your preferred custom scripts directory and create the following file:
    Code:
    vi clamscan_daily
    Paste the following code in the file and adjust the 3 email params as needed:
    Code:
    #!/bin/bash
    
    # Set default TO email
    # This is a fall-back in case the user has no contact email
    EMAIL_TO="admin@domain.com"
    
    # Set BCC email
    # Use this to get a copy of all sent-out warnings
    EMAIL_BCC="root"
    
    # Set FROM email
    # Use this to add a reply address for your customers or use a no-reply address
    EMAIL_FROM="noreply@domain.com"
    
    run_scan () {
    
      # Get the server's hostname
      HOSTNAME=$(hostname)
    
      # /etc/userdomains lines look like "domain: user"; collect each user once
      for i in $(awk '!/nobody/{ print $2 }' /etc/userdomains | sort -u)
      do
    
        # Create tmp file
        TMPFILE=$(mktemp /tmp/clamscan-result.XXXXXXXXXX) || exit 1
    
        # Get user email; start from the default for every account so that
        # one user's address is never carried over to the next account
        RCPT_TO="$EMAIL_TO"
        if [ -f "/home/$i/.contactemail" ]
        then
          RCPT_TO=$(cat "/home/$i/.contactemail")
        fi
    
        # Prepare email headers
        echo "To: $RCPT_TO" >> "$TMPFILE"
        echo "Bcc: $EMAIL_BCC" >> "$TMPFILE"
        echo "From: $EMAIL_FROM" >> "$TMPFILE"
        echo "Subject: $HOSTNAME: Virus detected on account: $i" >> "$TMPFILE"
        echo "Importance: High" >> "$TMPFILE"
        echo "X-Priority: 1" >> "$TMPFILE"
    
        # Blank line separating the headers from the body
        echo "" >> "$TMPFILE"
    
        # Prepare email body
        echo "Attention! Your action is required. Please delete the following infected files:" >> "$TMPFILE"
        echo " " >> "$TMPFILE"
    
        # Start scanning the user's home directory
        /usr/bin/clamscan -i -r "/home/$i" >> "$TMPFILE"
        SCAN_STATUS=$?
    
        # Check the scan result.
        # clamscan exits with 1 when at least one infected file was found
        # (0 = clean, 2 = error), so any infected count triggers the email.
        if [ "$SCAN_STATUS" -eq 1 ]
        then
          sendmail -t < "$TMPFILE"
        fi
    
        # clean-up tmp file
        rm -f "$TMPFILE"
    
      done
    
    }
    
    run_scan
    Save the file and make it executable:
    Code:
    chmod +x clamscan_daily
    Edit the crontab (crontab -e) and add the following cronjob:
    Code:
    30 5 * * * /path/to/your/clamscan_daily > /dev/null 2>&1
    It's advised to configure the execution time of the above script about 10 minutes after your ClamAV update run (/usr/bin/freshclam) to make sure you have the latest definitions. It is also possible to run this more than once per day, but since running ClamAV results in a higher load it's best to run it during off-peak hours.

    I hope this will help you a bit in protecting your servers.
     
    #1 XenomediaBV, May 13, 2013
    Last edited: May 13, 2013
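
The script above runs as root and copies `/home/$i/.contactemail` into the `To:` header, but that file sits in a directory the account owner controls, so its content is untrusted input. The following is an added example, not part of the original post, of a helper that validates the file before use; the name `contact_email`, the sample files and the addresses are hypothetical, and it assumes the file holds a single address on its first line.

```shell
#!/bin/sh
# Added example (not from the original post). contact_email is a hypothetical helper.
# Usage: contact_email FILE FALLBACK  -> prints the address to put in the To: header.
contact_email() {
  file=$1
  fallback=$2
  # The scan runs as root while the file is owner-controlled: accept a regular
  # file only, never a symlink. (This check-then-read sequence is not atomic.)
  if [ -L "$file" ] || [ ! -f "$file" ]; then
    printf '%s\n' "$fallback"
    return 0
  fi
  # First line only, length-capped, CR removed, so nothing can add header lines.
  addr=$(head -n 1 "$file" | cut -c1-254 | tr -d '\r')
  # Conservative single-address pattern; anything else falls back to the admin.
  if printf '%s\n' "$addr" | grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'; then
    printf '%s\n' "$addr"
  else
    printf '%s\n' "$fallback"
  fi
}

# Constructed sample files standing in for /home/<user>/.contactemail.
make_samples() {
  dir=$(mktemp -d) || return 1
  printf 'owner@example.com\n' > "$dir/valid"
  printf 'owner@example.com\r\n' > "$dir/crlf"
  printf 'owner@example.com\nX-Extra: value\n' > "$dir/multiline"
  printf 'owner@example.com, other@example.net\n' > "$dir/list"
  printf 'not-an-address\n' > "$dir/target"
  ln -s "$dir/target" "$dir/symlink"
  printf '%s\n' "$dir"
}

# Show which recipient each constructed sample resolves to.
SAMPLES=$(make_samples)
for name in valid crlf multiline list symlink missing; do
  printf '%-10s -> %s\n' "$name" "$(contact_email "$SAMPLES/$name" admin@example.org)"
done
rm -rf "$SAMPLES"
```

In the scan loop this would replace the `cat` of `.contactemail`, with the configured default address passed as the fallback.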