WordPress Developer & Linux Administrator

Bash script to scan reseller's accounts for malware

The ConfigServer eXploit Scanner (cxs) is a very powerful tool for cPanel web hosting servers. While not free, it provides active scanning of files as they are uploaded to the server, and so much more. It truly is one of the best clean-up and discovery tools out there for someone with a cPanel server. With over 3,000 known exploit script fingerprint matches (in addition to standard ClamAV detection), CXS is sure to catch most of what your clients’ sites may be hiding.

CXS lets you scan per domain, by first letter, or across your entire home directory (i.e., all cPanel accounts) for malware. But what if you want to do this on a reseller basis? This script will do just that. It takes a reseller username on the server as its argument and performs a detailed scan (with quarantine) for each of that reseller’s hosted accounts!

Example usage

./thisscript <reseller>

You may wish to chmod u+x ./thisscript in order to make it easier to work with.

The Script

Without further delay, here’s the script. Enjoy!

#!/bin/bash
#
#  Date: Feb 18th 2015
#  Author: Will Ashworth (williamashworth.com || linuxscripts.org)
#
#  Process exploit and virus scanning for all users of a given reseller 
#  account. Scripted specifically for cPanel servers on Linux.
#
#  Copyright (C) 2015 Will Ashworth
#
#  This program is free software: you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation, either version 3 of the License, or
#  (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details. http://www.gnu.org/licenses/

reseller=$1
quarantine="/home/quarantine"

if [ -z "$reseller" ]
then
    echo "Reseller is empty. Please provide one! Like this..."
    echo "./thisscript <reseller>"
    exit 1
else
    # Get the users for this reseller. /etc/trueuserowners holds "user: owner"
    # lines, so compare the owner field exactly instead of grepping the whole
    # line (a substring match also picks up accounts of other owners).
    users=$(awk -F: -v r="$reseller" '{ gsub(/[ \t]/, "", $2) } $2 == r { print $1 }' /etc/trueuserowners)

    # Loop through the list of users
    for user in $users; do
        # Setup your ideal CXS command here
        /usr/sbin/cxs --nobayes --clamdsock /usr/sbin/clamd --defapache nobody --doptions Mv --exploitscan --fallback --filemax 10000 --options mMOLfSGchexdnwZRD --qoptions Mv --quarantine "$quarantine" --sizemax 500000 --summary --sversionscan --timemax 30 --user "$user" --novirusscan --voptions uhe
    done
fi
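
The account lookup decides which home directories get scanned and quarantined, so it should select only the named reseller's accounts. The added example below (not part of the original script) runs a substring match and an exact owner-field match over a constructed file in the "user: owner" layout of /etc/trueuserowners; the account names, function names and the allowed-character check are assumptions.

```shell
#!/bin/bash
# Added example: substring vs. exact-owner selection of a reseller's accounts.
# The data below is constructed; every account name in it is made up.

sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#userowners v1
alice: bob
carol: bob
bobby: root
dave: bobsmith
bob: bob
EOF

# Substring match: what a plain grep on the reseller name selects.
naive_users() {   # usage: naive_users <reseller> <file>
    grep "$1" "$2" | cut -d : -f 1 | sort | paste -sd ' ' -
}

# Exact match on the owner field only.
exact_users() {   # usage: exact_users <reseller> <file>
    # Assumed policy: accept only plain lowercase account names, so the
    # argument can never act as a pattern.
    case "$1" in
        ''|*[!a-z0-9_-]*) echo "invalid reseller name" >&2; return 2 ;;
    esac
    awk -F: -v r="$1" '
        /^#/ { next }                  # skip the header/comment line
        { gsub(/[ \t]/, "", $2) }      # drop the space after the colon
        $2 == r { print $1 }           # owner must equal the reseller
    ' "$2" | sort | paste -sd ' ' -
}

echo "substring: $(naive_users bob "$sample")"   # also lists bobby and dave
echo "exact:     $(exact_users bob "$sample")"   # only accounts owned by bob
```

With quarantine enabled, the two extra accounts in the substring result would have files moved out of their home directories by a scan that was meant for a different reseller.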

If you run into any issues, please contact me and let me know thoughts or ideas for improvement. Thanks!
