ConfigServer Exploit Scanner – Individual User Warning Email Script

Parse the CXS Log file for warnings, and email your customers with details of the Malware found in their accounts via a Perl script.

  • Got ConfigServer Exploit Scanner – CXS – installed on your cPanel/WHM server?
  • Doing a full server scan every now and then, and getting swamped with the reports?
  • Want a script that will trawl the reports, and email the cpanel users with their problems automatically?

Then you came to the right place!


You need to have CXS installed, and you need to be generating a Scan Report Log file after your periodic scan. This is the file that is in this sort of format:

Jan 21 02:34:45 apollo cxs[526881]: [‘/home/username/public_html/’] – ClamAV detected virus = [HTML.Phishing.Bank-581]

It’s important to ensure this file is truncated before each CXS run, otherwise you will be sending out an ever increasing number of warning emails each week!

This Perl script also uses a couple of Perl modules that are normally available by default – Email::Valid and MIME::Lite

That’s it!

Just pop the script somewhere safe, and cron it to run a safe time after your cxs scan is schedules to run (to make sure it parses the completed log file). It will email (via Sendmail) a report to each cPanel user (via the cPanel account’s contact email address) with their affected files in an attached text file.

Version 2!

This version is now aware of resellers, and will email the reseller instead of the cpanel user directly.

# This script parses /var/log/cxs.log looking for results with "Fingerprint"
# or "ClamAV". It collects a log file for each user, and then emails the
# results to the cpanel account contact email address if one exists
# Steve Sant
use Email::Valid;
use MIME::Lite;
$host=`/bin/uname -n`;
$host =~ s/\015?\012?$//;
# Build an array of users that are mentioned in the log file
$cmd="grep -E \"(Fingerprint|ClamAV|decode regex|expression match)\" $cxslog | grep -Eo \"/home/[^/]*/\" | uniq";
$res = qx{$cmd};
@resarray = split(/\n/, $res);
# loop through all users
foreach $row (@resarray) {
# ascertain cpanel user name
$row =~ m/(?:home\/)([^\/]*)/;
$cpuser = $1;
# determine cpanel account owner
$cmd="grep -E '^OWNER=' /var/cpanel/users/$cpuser";
$cpowner = qx{$cmd};
@cpownerarray = split(/=/, $cpowner);
$cpowner = $cpownerarray[1];
# check we have a contact email address for this cpanel account
$cmd="grep 'CONTACTEMAIL=' /var/cpanel/users/" . ($cpowner='root'?$cpuser:$cpowner);
$email = qx{$cmd};
@contactarray = split(/=/, $email);
$email = $contactarray[1];
# Check the email address is valid
if (length($email)>5 && Email::Valid->address($email)) {
# collect the data from the cxs logfile
$cmd="grep -E \"${cpuser}.*(Fingerprint|ClamAV|decode regex|expression match)\" $cxslog";
$report = qx{$cmd};
$msg = MIME::Lite->new(
From    => $from_email,
To      => $email,
Subject => "Malware Warning -  cpanel account - $cpuser",
Type    => 'multipart/mixed'
$msgbody = "Dear Client, \n\n";
# If report is smaller than 50k then include in body
if (length($report) < 51200) {
$msgbody .= $report;
Type     =>'TEXT',
Data     => $msgbody
if (length($report) >= 51200) {
Type => 'text/plain',
Data => $report,
Filename => 'report.txt',
Disposition => 'attachment'
print "Mail sent to $email for cpanel account $cpuser" . "\n";
} else {
print "Email was not valid/supplied = $email \n";

Oh, yes, and obviously, you use this entirely at your own risk – absolutely at your own risk!!!

Tags: , ,

2 Responses to “ConfigServer Exploit Scanner – Individual User Warning Email Script”