Log Checking

I strongly discourage use of the auto quarantine or auto clean features of maldet. They can easily remove the timestamps and other information needed to properly diagnose an infection.

Michaels question of PHP handler is important; if you are using SuPHP or fcgi you should be able to gain a username from the files ownership to determine the potentially infected account. If you are using DSO then the file would almost certainly be owned by "nobody" which makes it much harder to properly investigate.

I would advise DISABLING the auto quarantine feature, and then running a maldet scan on all users public_html directories, such as:

# maldet -a /home?/?/public_html/

 

Any outdated plugins? More often than not, those are the culprit. Also, there could be code injections hiding in some files, best to force re-install the WP files just to be sure.

What you really need to look at though is what happened at 14:37 in that users apache access log. Check the domlogs for what happened at that time; ideally 'stat' the file so you have both modify and change times to the second.

Also, they can't do anything with that in /tmp anyway, but if it made it to public_html obviously that's a problem.

Like I said before I strongly discourage use of auto quarantine with maldet, at least until you have your investigation done and are happy with the results. Otherwise it can change key times and things you need to properly investigate.

 

I will suggest you please configure LMD with the mod_Sec, So that maldetect will scan your files while uploading on your server.

You can add following code /usr/local/apache/conf/modsec2.user.conf (or similar mod_security2 rules file):

Code:

SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/modsec.sh" \
  "log,auditlog,deny,severity:2,phase:2,t:none"

Also you can install ConfigServer eXploit Scanner (http://configserver.com/cp/cxs.html) on your server

 

I tested /usr/local/maldetect/modsec.sh and it's pretty broken. You have to turn on global scanning (to let all users use maldet) and it still scans /tmp on every scan. Not impressive at all. You end up with very slow uploads (that get slower as /tmp gains files), and it dumps a bunch of stuff into the apache error log every time a file is uploaded whether it's good or not.

Sadly, the maldet script, and the maldet binary itself, would need some work for that to be OK in production.

However I was able to use modsecurity and clamdscan to quickly and effectively scan files as they were being uploaded, I'll document that at a later time.

 

To use clamscan to scan files as they are being uploaded (this is similar to the CXS setup):

Add this rule to your modsecurity rules (probably modsec2.user.conf unless your provider gives you a separate file like custom.conf):

Code:

#uncomment these if they are not already set by your rule set.  It doesn't break things if they're set twice.
#SecUploadDir /var/tmp
#SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/apache/conf/modsec2/modsec-clamscan.pl" \
"log,auditlog,deny,severity:2,id:'93847'"

I have updated modsec-clamscan.pl from it's open source version, albeit very minor updates, to use the cPanel install of clamdscan (note the "d") which is extremely fast compared with clamscan, and to correct a deprecated option. Create the file /usr/local/apache/conf/modsec2/modsec-clamscan.pl as root owned with 755 permissions, and this content:

Code:

#!/usr/bin/perl

#Use clamdscan, it's much faster than clamscan! I Don't recommend using this with 'normal' clamscan, due to super slow uploads.
$CLAMSCAN = "/usr/local/cpanel/3rdparty/bin/clamdscan";

if (@ARGV != 1) {
  print "Usage: modsec-clamscan.pl FILENAME\n";
  exit;
}

my ($FILE) = @ARGV;

$cmd = "$CLAMSCAN --stdout --no-summary $FILE";
$input = `$cmd`;
$input =~ m/^(.+)/;
$error_message = $1;

# Default behavior is to reject uploads if clamd is down.
# If you want uploads to work if clamd is down/not running, then change this "0" to a "1", however nothing will be scanned!
$output = "0 Unable to parse clamscan output or clamd is not running.";

if ($error_message =~ m/: Empty file\.$/) {
  $output = "1 empty file";
}
elsif ($error_message =~ m/: (.+) ERROR$/) {
  $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: (.+) FOUND$/) {
  $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: OK$/) {
  $output = "1 clamscan: OK";
}

print "$output\n";

This will allow modsecurity to use clamdscan to scan files while they are being uploaded through a website.

 

Just wanted to say THANK YOU quizknows for sharing this modsec/clamd integration. I have been banging my head on a wall the last few days trying to get maldet's integration to work - to no avail. I was about to call it quits and stumbled on to this thread...

Everything is working great now. Tested uploading files using multiple domains with different setups (WordPress, vBulletin, Magento), and sure enough files are now being scanned by clamd before they are accepted.

Thanks!

 

No problem, thanks for taking the time to let me know it works for you It's a good free option if you don't have ConfigServer exploit scanner (CXS.)

If you ever purchase CXS (which I do recommend if you host a lot of sites), their file upload scanning script for ModSecurity is also very good and it does have a bit better detection rate than clamav does. I think I've documented in another thread how to get that one going. Regardless, using clamdscan is free and fast so if nothing else it's an easy extra layer of protection.

 

Why not just use Maldet kernel level real time scanning and not rely on other programs to trigger the monitor of a new file?

 

Are you talking about the inotify feature? I'd rather have the file blocked before it's even in the directory, but layered security is always good

Also with modsecurity and CSF, it will block the offending IP address if they keep trying to upload a bad file or otherwise trip modsecurity rules.

 

With WHM 56.0 (build 24) and CPanel 56.0.24 I recieve the following error when attempting to troubleshoot quizknows script when running command line ./clamdscan:

ERROR: Can't parse clamd configuration file /etc/clamd.conf

In a typical WHM/CPanel install, clamdscan has no configuration file -- or at least one that I can find - so errors abound when attempting to institute this script.

 

Does /etc/clamd.conf exist at all? I may suggest you open a cpanel ticket on that one, since I've never had that issue.

Is the clamscan binary (as well as clamdscan binary) present in this directory?:

/usr/local/cpanel/3rdparty/bin/

If not you may need to (re)install the clamd stuff via WHM.

 

Opened a ticket and CPanel support says they don't support 3rd. party features. And yes, there is clamscan and clamdscan present in /urs/local/cpanel/3rdparty/bin/

The technician from CPanel asked that I "ln -s /usr/local/cpanel/3rdparty/etc/clamd.conf /etc/clamd.conf" which I did do and now my error when I run /usr/local/cpanel/3rdparty/bin/clamdscan /home/domain/public_html/? is:

Servname not supported for ai_socktype

Must the clamav service be runing for clamdscan to operate?

I'm simply trying to get the script by quizknows to work.

 

Yes, clamav needs to be running.

The whole point of using clamdscan is it can socket to the running clamav process and run nearly instantly. The old modsec hook called clamscan (not clamdscan) which resulted in a 2-5 second delay for file uploads while clamscan starts up (and shuts down).

Try these commands:
/usr/local/cpanel/3rdparty/bin/clamscan -ir /home/domain/public_html/
/usr/local/cpanel/3rdparty/bin/clamdscan -i /home/domain/public_html/

Keep in mind the 'i' flag means infected so there should only be output returned if a malicious file is found under that path. Clamdscan doesn't support recursion but it's not necessary for single file scans during uploads (obviously).