PDA

View Full Version : Script to search latest created cPanel accounts for malicious files



Fli
07-07-2015, 08:52 PM
# Works on cPanel/WHM server, searching thru 15 newest cpanel accounts for files with bad code in them & report bad files via email
# In same directry like this script, should be file "find_badware_incpanels_phrasses" which should contain all malicious phrasses that will be searched in new cpanels. All single and double quotation marks must be commented out by slash, example: /"something
one bad phrasse per line.
# To make this script working regularly, automatically, setup this script as cronjob.


# variables (usually only "adminmail" and "thispath" needs to be editted)
[email protected]
thispath=/root/badwarefinder
reportcurrent=$thispath/reportcurrent
reportarchive=$thispath/reportarchive
badphrasses=$thispath/find_badware_incpanels_phrasses
> $reportcurrent

###################################

# add 15 log entries containing 15 newest cpanels into file
tail -n 15 /var/cpanel/accounting.log > /tmp/lastcpanels

# cpanel account loop
while read logline;do
# Add cpanel username and its domains into report for reference
echo "$(echo "$logline" | tail -c-9), $(ls /usr/local/apache/domlogs/$(echo "$logline" | tail -c-9) | grep -v /)" >> $reportcurrent

# search bad phrasses in cpanel account files
while read phrasse;do
/bin/nice -n 19 grep -sRil "$phrasse" /home/$(echo "$logline" | tail -c-9)/public_html >> $reportcurrent
done < $badphrasses

done < /tmp/lastcpanels

# compare archive with current report and output only new file pathes
newfilesonly=$(/bin/nice -n 19 grep -v -x -f $reportarchive $reportcurrent | grep /)
# copy currently found file pathes into reportarchive
cat $reportcurrent | grep public_html >> $reportarchive

# report results via email
if [ "$(echo $newfilesonly | grep public_html | wc -l)" -gt "0" ];then
echo "Some suspicious files found at $(hostname):
$(cat $reportcurrent)

The file/s that was not yet reported are:
$newfilesonly" | mail -s "Suspicious files hosted on $(hostname)" $adminmail
fi