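#!/bin/bash
#
# scan -- fetch a ClamAV build from the toolbox host and scan a cPanel user's
# public_html (or all of /home with --all) plus /tmp, optionally mailing the
# results to the security ticket queue.  Must run as root: it writes under
# /root, reads every home directory and, with --clean, deletes files.
#
# Usage: scan [options] [username]
#   -u, --user USER   scan /home/USER/public_html  (--user=all is --all)
#   -a, --all         scan the whole /home partition
#   -c, --clean       pass --remove to clamscan: DELETES every detection
#   -e, --email ADDR  mail the log to ADDR instead of printing clamscan output
#   -t, --ticket ID   reprint ID when done; with no --email the log is also
#                     mailed to security@hostgator.com (the ticket queue)
#   --leavetemp       request that temp files/logs be left behind
#   -D, --debug, -v, --verbose   accepted for compatibility; no effect here
#   -h, --help        usage
# With no username, the user is taken from the current directory when it is
# under /home/<user>.  A caller may also pre-set USERNAME in the environment
# (kept from the original, which read it without initialising it).
#
# Security review notes:
# - clamav.tar.gz and the /root/bin/email helper are downloaded from
#   toolbox.hostgator.com and executed as root.  They used to be fetched over
#   plain HTTP with every error hidden (a failed download still ran
#   "./clamscan").  Downloads now use HTTPS (base overridable via TOOLBOX_URL)
#   and a failure aborts the run.  There is still NO integrity check unless
#   CLAMAV_SHA256 / EMAIL_SHA256 hold the expected digests -- until those are
#   pinned, whoever controls that host or the TLS path controls root on every
#   server this runs on.
# - --clean deletes detections from /tmp, a world-writable directory, as
#   root.  clamscan does not follow symlinks by default, which limits the
#   damage, but review hits before combining --clean with --all.
# - --leavetemp sets LEAVE_TEMP and check_cwd sets DELETE_ME, but no code in
#   this file performs any cleanup; whatever empties /root/tmp/scan lives
#   elsewhere.  The per-run log stays at /root/tmp/scan/scan.<pid>.log.
# - clamscan exits non-zero when it finds something, so this script
#   deliberately does not use "set -e".
#
# Fixed in this revision:
# - every log write used ">" (truncate) instead of ">>", so the emailed log
#   only ever held the last line; the log now receives the full output.
# - the --exclude-dir values carried literal quote characters into clamscan
#   and were written as globs although clamscan treats them as regexes
#   ("/home/*/mail" could never match /home/<user>/mail); the exclusions
#   are now an array of regexes.
# - SENDEMAIL was never set to 1, so results were never mailed.
# - -e/-t/-u did not consume their value and unknown options were ignored.
# - preflight tested the literal string "TEMPFOLDER" and read $username
#   instead of $USERNAME.
# - the never-called offline() stub was dropped.
#
# History (original header):
# Fixed a typo in the clamAV args =) David I.
# v0.6: jshanley@: IN PROGRESS:
#   - send from a verified email address so it works in the ticket system
#   - fix "do we email?" logic. Right now it's failing.
#   - include user information in the email (ui if it exists, etc.)
# v0.5: jshanley@: Scan /tmp as well
# v0.4: jshanley@: option to disable cleanup (when called via other scripts)
# v0.3: jshanley@: exclude mail directories (lots of phishing mail hits),
#       statistics folders (false positives of shells)
# v0.2: jshanley@: Read commandline args. Expand that later.
# v0.1: jshanley@: whatever.
# TODO:
#   - better "all" handling
#   - output logging to $TEMPFOLDER/scan.log if running with --all and/or
#     inside a screen (check for it) and/or we're emailing results.

TEMPCLAM="/root/tmp"
TEMPFOLDER="${TEMPCLAM}/scan"
LOGFILE="${TEMPFOLDER}/scan.$$.log"
TOOLBOX_URL="${TOOLBOX_URL:-https://toolbox.hostgator.com}"
# Expected sha256 digests of the two downloads.  Empty = not verified (a
# warning is printed).  Set them once the toolbox publishes digests.
CLAMAV_SHA256="${CLAMAV_SHA256:-}"
EMAIL_SHA256="${EMAIL_SHA256:-}"

SHORTNAME=$(uname -n)
SHORTNAME=${SHORTNAME%%.*}
SCAN_PATH=""
SCAN_SYSTEM="0"
LEAVE_TEMP=0
SENDEMAIL=0
EMAIL=""
TICKET=""
DELETE_ME=0

# clamscan options.  --exclude-dir takes an (unanchored) regex, not a glob.
CLAMAV_ARGUMENTS=(
  -i -r --max-recursion=200 --max-dir-recursion=200
  --exclude-dir='/home/backup'          # any /home/backup* tree
  --exclude-dir='/home/[^/]*/mail'      # users' mail dirs: phishing noise
  --exclude-dir='tmp/awstats'           # statistics dirs: shell false positives
  --exclude-dir='tmp/webalizer'
  --exclude-dir='tmp/analog'
  --exclude-dir='tmp/cpbandwidth'
  --exclude-dir='tmp/webalizerftp'
)

#### --- output helpers: everything goes to the terminal AND the log --- ####
log_line()     { printf '%s\n' "$*" >> "$LOGFILE" 2>/dev/null; }
print()        { local m="$SHORTNAME: $(date): $*"; printf '%s\n' "$m"; log_line "$m"; }
print_wait()   { local m="$SHORTNAME: $(date): $*"; printf '%s' "$m"; printf '%s' "$m" >> "$LOGFILE" 2>/dev/null; }
print_finish() { printf '%s\n' "$*"; log_line "$*"; }
# Log "ERROR: <message>" (if given) and exit 1.
exiterror()    { [[ -n "$1" ]] && print "ERROR: $*"; exit 1; }

# Print usage and exit 2.
use() {
  printf '%s: %s: use: %s [-c|--clean] [-a|--all] [-u|--user USER] [-e|--email ADDR] [-t|--ticket ID] [--leavetemp] [-D] [-v] [username]\n' \
    "$SHORTNAME" "$(date)" "$0" >&2
  exit 2
}

#### --- input validation --- ####
# cPanel-style account name: no slashes, no leading '-' or '.', so the
# /home/$USERNAME paths built below cannot escape /home or look like options.
valid_username() { [[ "$1" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; }

set_scan_all() {
  print "WARNING: Scanning entire /home partition."
  SCAN_PATH="/home"
  SCAN_SYSTEM="1"
}

# Record a username from the command line ("all" means --all); existence of
# the home directory is checked in preflight.
set_username() {
  if [[ "$1" == "all" ]]; then
    set_scan_all
    return
  fi
  valid_username "$1" || exiterror "Invalid username: $1"
  USERNAME="$1"
}

# With no username given, infer it from a cwd of the form /home/<user>/...;
# otherwise print usage and exit.
get_username_from_cwd() {
  [[ -z "$USERNAME" && "$SCAN_SYSTEM" == "0" ]] || return 0
  local guess=""
  case "$PWD" in
    /home/*) guess=${PWD#/home/}; guess=${guess%%/*} ;;
  esac
  if [[ -n "$guess" && -d "/home/$guess" ]]; then
    USERNAME="$guess"
    SCAN_PATH="/home/${USERNAME}/public_html"
    print "Detected username from cwd: $USERNAME"
  else
    print "Cant determine username from cwd."
    use
  fi
}

#### --- command line --- ####
parse_args() {
  while (( $# > 0 )); do
    case "$1" in
      -c | --clean | -clean | --remove | -remove | -r)
        print "WARNING: Detected risks will be removed."
        CLAMAV_ARGUMENTS+=(--remove)
        ;;
      -e | --email)
        [[ -n "${2:-}" ]] || use
        EMAIL="$2"; SENDEMAIL=1
        print "NOTICE: Sending results to: $EMAIL"
        shift
        ;;
      --email=*)
        EMAIL="${1#*=}"; SENDEMAIL=1
        [[ -n "$EMAIL" ]] || use
        print "NOTICE: Sending results to: $EMAIL"
        ;;
      -D | --debug | --d*) debug=1 ;;
      -h | --help | --h*) use ;;
      -t | --ticket | --t)
        [[ -n "${2:-}" ]] || use
        TICKET="$2"; SENDEMAIL=1
        print "NOTICE: Reference: $TICKET"
        shift
        ;;
      --ticket=*)
        TICKET="${1#*=}"; SENDEMAIL=1
        [[ -n "$TICKET" ]] || use
        print "NOTICE: Reference: $TICKET"
        ;;
      --all | -all | -a) set_scan_all ;;
      --leavetemp)
        print "WARNING: Set to leave tempfiles/logs behind."
        LEAVE_TEMP=1
        ;;
      --user | -user | -u)
        [[ -n "${2:-}" ]] || use
        set_username "$2"
        shift
        ;;
      --user=* | -user=*) set_username "${1#*=}" ;;
      -v | --verbose | --v*) verbose=1 ;;
      -*)
        # The original silently ignored unknown options, so a mistyped
        # --all or --clean ran a different scan than intended.
        print "ERROR: Unknown option: $1"
        use
        ;;
      *) set_username "$1" ;;
    esac
    shift
  done
}

#### --- setup --- ####
# Make sure the temp tree and log exist and resolve what to scan.
preflight() {
  mkdir -p "$TEMPFOLDER" 2>/dev/null
  : >> "$LOGFILE" 2>/dev/null || exiterror "Cannot write log file $LOGFILE"
  if [[ -z "$SCAN_PATH" ]]; then
    [[ -z "$USERNAME" ]] && get_username_from_cwd
    valid_username "$USERNAME" || exiterror "Invalid username: $USERNAME"
    [[ -d "/home/$USERNAME" ]] || exiterror "Home directory not found for user $USERNAME"
    SCAN_PATH="/home/${USERNAME}/public_html"
  fi
}

# Flag a start from inside a user's home (DELETE_ME is not acted on here).
check_cwd() {
  case "$PWD" in
    /home*) [[ "$PWD" == *toolbox* ]] || DELETE_ME=1 ;;
  esac
}

# Download $1 to $2 (HTTPS; fails loudly instead of &>/dev/null).
fetch() { wget -q -O "$2" "$1"; }

# Compare $1 against sha256 $2; an empty digest means "not pinned" and is
# reported rather than silently accepted, because the file runs as root.
verify_download() {
  local file="$1" want="$2" have
  if [[ -z "$want" ]]; then
    print "WARNING: no checksum pinned for $file; executing an unverified download as root"
    return 0
  fi
  have=$(sha256sum "$file" | awk '{print $1}')
  [[ "$have" == "$want" ]] || exiterror "Checksum mismatch for $file (got $have)"
}

# Fetch and unpack the ClamAV build under /root/tmp and cd into its bin/.
prepare() {
  print_wait "Preparing ... "
  mkdir -p "$TEMPFOLDER" 2>/dev/null
  # regardless of where we're started from, park this script in /root/tmp
  # so it gets cleaned up with the rest (original behaviour).
  mv -- "$0" "$TEMPFOLDER/" 2>/dev/null
  cd "$TEMPCLAM" || exiterror "Cannot cd to $TEMPCLAM"
  rm -rf -- ./clamav.tar.gz ./clamav 2>/dev/null
  fetch "$TOOLBOX_URL/archives/clamav.tar.gz" clamav.tar.gz \
    || exiterror "Download of $TOOLBOX_URL/archives/clamav.tar.gz failed"
  verify_download clamav.tar.gz "$CLAMAV_SHA256"
  tar -zxf clamav.tar.gz || exiterror "Could not extract clamav.tar.gz"
  cd clamav/bin || exiterror "clamav/bin missing from tarball"
  [[ -x ./clamscan ]] || exiterror "clamscan missing from tarball"
  print_finish "OK"
}

#### --- scanning --- ####
# Scan $SCAN_PATH and /tmp.  Full clamscan output always lands in $LOGFILE
# (so it can be mailed); it is shown on the terminal too unless --email was
# given.
scan() {
  local target rc
  [[ -n "$EMAIL" ]] && print "NOTICE: Scan results sent to logfile (emailed results)"
  [[ -n "$TICKET" ]] && print "NOTICE: Reference: $TICKET"
  for target in "$SCAN_PATH" /tmp; do
    print "Scanning: $target"
    if [[ -n "$EMAIL" ]]; then
      ./clamscan "${CLAMAV_ARGUMENTS[@]}" "$target" >> "$LOGFILE" 2>&1
      rc=$?
    else
      ./clamscan "${CLAMAV_ARGUMENTS[@]}" "$target" 2>&1 | tee -a "$LOGFILE"
      rc=${PIPESTATUS[0]}
      echo
    fi
    # clamscan's man page: 0 = clean, 1 = detections, 2 = error.
    (( rc == 0 )) || print "NOTICE: clamscan exited with status $rc for $target"
  done
  print "Scan Complete."
  [[ -n "$TICKET" ]] && print "Reference: $TICKET"
}

# Install /root/bin/email from the toolbox if it is missing.  Returns
# non-zero (without exiting -- the scan is already done) on failure.
ensure_email_helper() {
  [[ -x /root/bin/email ]] && return 0
  mkdir -p /root/bin 2>/dev/null
  if ! fetch "$TOOLBOX_URL/binaries/email" /root/bin/email; then
    print "WARNING: Download of $TOOLBOX_URL/binaries/email failed"
    rm -f /root/bin/email
    return 1
  fi
  verify_download /root/bin/email "$EMAIL_SHA256"
  chmod 100 /root/bin/email
}

# Mail the log when --email or --ticket was given.  A ticket without an
# address goes to the security queue.
send_email() {
  [[ "$SENDEMAIL" == "1" ]] || return 0
  local to="$EMAIL" subject
  [[ -z "$to" && -n "$TICKET" ]] && to="security@hostgator.com"
  [[ -n "$to" ]] || return 0
  ensure_email_helper || { print "WARNING: results not mailed; log kept at $LOGFILE"; return 1; }
  subject="$(uname -n): ${TICKET:+$TICKET: }scan results"
  /root/bin/email -f security@hgfix.com -s "$subject" -a "$LOGFILE" "$to" < "$LOGFILE" \
    || print "WARNING: Sending results to $to failed; log kept at $LOGFILE"
}

################ fire it up :) ###########################
main() {
  mkdir -p "$TEMPFOLDER" 2>/dev/null
  clear
  parse_args "$@"
  preflight
  check_cwd
  prepare
  scan
  send_email
}

main "$@"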