after i read all your reasons, i prefer your solution.
Can you send me or post a tutorial with all steps to set your solution?
Run this script in cron every 1 minute.
I'm not a programmer but it helps me. It can be improved.
1) You need to configure your server to receive all emails from CSF
2) You need to create a second email account to receive filtred emails. This email account is checked every 1 minute to see if there are new emails. The script below will do this and suspend the account.
Create a file called hack. Put in /usr/local/hack/ ( i.e. )
and chmod 755 to this file.
Put in cron
*/1 * * * * /usr/local/hack/hack
Configure in this script
1) USER ( user account ) ( line 1 and line 6 )
2) WEBSITE ( website name ) ( line 1 and line 6 )
3) USEREMAIL ( email user ) ( line 1 and line 6 )
3) YOUREMAIL HERE ( put your email to receive notifications )
grep Account /home/USER/mail/WEBSITE/USEREMAIL/new/* > userhack
us=`cut -d ":" -f 2 userhack`
/scripts/suspendacct $us "Website hacked" 1
echo $us| mail -s "PERL HACK "$us" suspended " YOUREMAIL HERE
rm userhack -rf
rm -rf /home/USER/mail/WEBSITE/USEREMAIL/new/*
Filter email received from csf and send to email destination
This second filter should be placed in the second email to avoid false positives.
This filter is more tuned to detect perl files running on TMP. You should and can create another filters.
Edit file called filealert.txt in /etc/csf/alerts and change word Owner: to Account:
Final result ( i.e )
Subject: lfd on [hostname]: Suspicious File Alert
How it works:
1) You need to have 2 emails.
1.1) First email account that will receive all emails from CSF.
1.2) Second email account that will receive filtered email
The script will check every 1 minute and will suspend the account (user) that this email is filtered.
To finish. Another tip. I post this solution here too if you need.
I have a script that blocks ANY site to run perl files via port 80. If a site run
He will be suspended automatically.