Automatic user-based email script for clamavconnector plugin

XenomediaBV
Sep 3, 2009
For our servers I created a simple automation script which uses the ClamAV Connector plug-in available through WHM. The idea is based on the suggestions made by cPanel:
Security and Virus Scanning in WHM

The cronjob mentioned on the above page performs a scan on a per-account basis. I transferred this concept into a per-account email warning sent to the user's contact email and the server administrator. An email is only sent if an infection is found. This way detecting hacked websites is faster.

For anybody that finds this useful here's a little tutorial:


First make sure the ClamAV plug-in is installed and running. The below script can be created with any user you prefer, but must be executed by the root user.

Go to your preferred custom scripts directory and create the following file:
Code:
vi clamscan_daily
Paste the following code in the file and adjust the 3 email params as needed:
Code:
#!/bin/bash

# Set default TO email
# This is a fall-back in case the user has no contact email
# (placeholder address: the original value was lost in extraction, use your own)
EMAIL_TO_DEFAULT="admin@example.com"

# Set BCC email
# Use this to get a copy of all sent out warnings
EMAIL_BCC="root"

# Set FROM email
# Use this to add a reply address for your customers or use a no-reply address
# (placeholder address, use your own)
EMAIL_FROM="noreply@example.com"

run_scan () {

  # Get the server's hostname
  HOSTNAME=$(hostname)

  # One pass over every account in /etc/userdomains ("domain: user"), skipping nobody
  for i in $(awk '!/nobody/{ print $2 }' /etc/userdomains | sort -u)
  do

    # Create tmp file (in /tmp rather than the current working directory)
    TMPFILE=$(mktemp /tmp/clamscan-result.XXXXXXXXXX)

    # Get user email, starting from the default for every account
    # (a separate variable, so one account's address is never reused for the next)
    EMAIL_TO="$EMAIL_TO_DEFAULT"
    if [ -f "/home/$i/.contactemail" ]
    then
      EMAIL_TO=$(cat "/home/$i/.contactemail")
    fi

    # Prepare email headers, then a blank line (sendmail -t needs it to end the headers)
    {
      echo "To: $EMAIL_TO"
      echo "Bcc: $EMAIL_BCC"
      echo "From: $EMAIL_FROM"
      echo "Subject: $HOSTNAME: Virus detected on account: $i"
      echo "Importance: High"
      echo "X-Priority: 1"
      echo ""
      # Prepare email body
      echo "Attention! Your action is required. Please delete the following infected files:"
      echo " "
    } >> "$TMPFILE"

    # Start scanning the user's home directory (-i: only list infected files)
    /usr/bin/clamscan -i -r "/home/$i" >> "$TMPFILE"

    # Check the last set of results.
    # Match the summary line "Infected files: N" with N >= 1
    # (filtering out lines that contain a 0 would also drop e.g. "Infected files: 10").
    if tail -n 12 "$TMPFILE" | grep -qE '^Infected files: [1-9]'
    then
      sendmail -t < "$TMPFILE"
    fi

    # clean-up tmp file
    rm -f "$TMPFILE"

  done

}

run_scan
Save the file and make it executable:
Code:
chmod +x clamscan_daily
Edit the crontab (crontab -e) and add the following cronjob:
Code:
30 5 * * * /path/to/your/clamscan_daily > /dev/null 2>&1
It's advised to configure the execution time of the above script about 10 minutes after your ClamAV update run (/usr/bin/freshclam) to make sure you have the latest definitions. It is also possible to run this more than once per day, but since running ClamAV results in a higher load it's best to run it during off-peak hours.

I hope this will help you a bit in protecting your servers.
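As an added example (not from the original post, nor cPanel's or ClamAV's own code), the three pieces of logic the script above depends on, written as shell functions that can be exercised without running clamscan: parsing the "Infected files:" summary line so that a count such as 10 still raises an alert (a check that discards every line containing a 0 would miss it), choosing the recipient per account without letting one account's contact address carry over to the next, and assembling the message that is piped into sendmail -t with the blank line that separates headers from body. The function names, the sample clamscan summaries and the e-mail addresses are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: the alert decision, recipient
# choice and message assembly of a per-account clamscan report, as functions
# that run without clamscan. All names and sample text below are constructed.

# Constructed sample of what clamscan -i prints at the end of a clean run.
SAMPLE_CLEAN="$(printf '%s\n' \
  '----------- SCAN SUMMARY -----------' \
  'Known viruses: 1000000' \
  'Scanned files: 1234' \
  'Infected files: 0' \
  'Time: 4.321 sec (0 m 4 s)')"

# Constructed sample with ten hits; note that the count itself contains a 0.
SAMPLE_TEN="$(printf '%s\n' \
  '/home/demo/public_html/bad.php: Eicar-Test-Signature FOUND' \
  '----------- SCAN SUMMARY -----------' \
  'Scanned files: 1234' \
  'Infected files: 10' \
  'Time: 4.321 sec (0 m 4 s)')"

# Print the number from the last "Infected files: N" line of a report, or 0
# when no summary is present (for instance clamscan aborted before printing it).
infected_count() {
  n=$(printf '%s\n' "$1" | tail -n 12 \
      | sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p' | tail -n 1)
  printf '%s\n' "${n:-0}"
}

# Succeed (exit 0) when the report warrants an alert, i.e. the count is above 0.
should_alert() {
  [ "$(infected_count "$1")" -gt 0 ]
}

# Pick the recipient for one account: its .contactemail if readable, otherwise
# the fallback. The value is computed fresh on every call, so one account's
# address never carries over to the next account's notice.
recipient_for() {
  home="$1"; fallback="$2"; addr=""
  if [ -r "$home/.contactemail" ]; then
    addr=$(head -n 1 "$home/.contactemail" | tr -d '[:space:]')
  fi
  printf '%s\n' "${addr:-$fallback}"
}

# Assemble the message for "sendmail -t": headers, one blank separator line
# (without it the body would be read as malformed headers), then the report.
build_mail() {
  to="$1"; bcc="$2"; from="$3"; host="$4"; user="$5"; report="$6"
  printf 'To: %s\nBcc: %s\nFrom: %s\n' "$to" "$bcc" "$from"
  printf 'Subject: %s: Virus detected on account: %s\n' "$host" "$user"
  printf 'Importance: High\nX-Priority: 1\n\n'
  printf 'Attention! Your action is required. Please delete the following infected files:\n\n%s\n' "$report"
}

# Demo: decide for both samples, then show the message for the infected one
# (recipient falls back to the placeholder address unless /home/demo/.contactemail exists).
for report in "$SAMPLE_CLEAN" "$SAMPLE_TEN"; do
  if should_alert "$report"; then
    echo "alert: $(infected_count "$report") infected file(s)"
  else
    echo "no alert"
  fi
done
build_mail "$(recipient_for /home/demo admin@example.com)" root noreply@example.com host1 demo "$SAMPLE_TEN"
```

In the daily script these slot in as `should_alert "$(cat "$TMPFILE")"` in place of the tail/grep test and `recipient_for "/home/$i" "$EMAIL_TO_DEFAULT"` in place of the inline .contactemail check; the sample summaries are only there so the decision logic can be tried on a machine that has no accounts to scan.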