ConfigServer Exploit Scanner – Individual User Warning Email Script


Parse the CXS log file for warnings and, via a Perl script, email your customers with details of the malware found in their accounts.

  • Got ConfigServer Exploit Scanner – CXS – installed on your cPanel/WHM server?
  • Doing a full server scan every now and then, and getting swamped with the reports?
  • Want a script that will trawl the reports, and email the cpanel users with their problems automatically?

Then you came to the right place!

Requirements

You need to have CXS installed, and you need to be generating a Scan Report Log file after your periodic scan. This is the file that is in this sort of format:

Jan 21 02:34:45 apollo cxs[526881]: ['/home/username/public_html/thingybob.info/adsense/volume1.zip'] - ClamAV detected virus = [HTML.Phishing.Bank-581]

It’s important to ensure this file is truncated before each CXS run, otherwise you will be sending out an ever increasing number of warning emails each week!

This Perl script also uses a couple of Perl modules that are normally available by default – Email::Valid and MIME::Lite

That’s it!

Just pop the script somewhere safe, and cron it to run a safe time after your cxs scan is scheduled to run (to make sure it parses the completed log file). It will email (via Sendmail) a report to each cPanel user (via the cPanel account's contact email address) with their affected files, either in the message body or, for large reports, in an attached text file.
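The two caveats above (truncate the log before every scan, and only parse it once the scan has finished) are easier to meet with one cron job that runs the steps in order than with two cron entries and a guessed delay. The wrapper below is an added example, not part of the original post or of CXS: it archives the previous log under a timestamped name, leaves an empty log for the new scan, runs the scan, and only then runs the warning script. The scan command in CXS_SCAN_CMD (with its flags) and the notifier path in NOTIFY_SCRIPT are assumed placeholders for your own setup, and count_users_in_log uses sort -u so that a user whose hits are interleaved with other users' lines is still counted once.

```shell
#!/bin/sh
# Added example, not from the original post: sequential "rotate, scan, notify"
# cron wrapper for the CXS warning script.
# Assumptions (placeholders, not from the post): CXS_SCAN_CMD and NOTIFY_SCRIPT.
set -eu

CXS_LOG="${CXS_LOG:-/var/log/cxs.log}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/cxs-archive}"
# Assumed invocation: replace with the cxs command that already writes your scan log.
CXS_SCAN_CMD="${CXS_SCAN_CMD:-/usr/sbin/cxs --allusers --logfile $CXS_LOG}"
# Assumed path to the Perl warning script from the post.
NOTIFY_SCRIPT="${NOTIFY_SCRIPT:-/root/bin/cxs_warn_users.pl}"

# rotate_cxs_log LOG ARCHIVE_DIR
# Move the previous scan log into ARCHIVE_DIR under a timestamped name (kept
# for later investigation instead of being thrown away) and leave an empty LOG
# behind, so the notifier only ever sees the current scan's findings.
rotate_cxs_log() {
    log="$1"; archive="$2"
    mkdir -p "$archive"
    if [ -s "$log" ]; then
        mv "$log" "$archive/cxs.log.$(date +%Y%m%d-%H%M%S).$$"
    fi
    : > "$log"          # create or truncate the new log
    chmod 600 "$log"    # detected paths are customer data; keep it root-only
}

# count_users_in_log LOG
# Number of distinct cpanel accounts with reportable hits. sort -u (rather
# than uniq) collapses duplicates even when users' lines are interleaved.
count_users_in_log() {
    grep -E 'Fingerprint|ClamAV|decode regex|expression match' "$1" \
      | grep -Eo '/home/[^/]+/' | sort -u | wc -l | tr -d ' '
}

# run_scan_then_notify
# The actual cron job: because the notifier runs after the scan exits, no
# "safe delay" between two cron entries is needed, and a failed scan (set -e)
# stops before anyone is mailed about an incomplete log.
run_scan_then_notify() {
    rotate_cxs_log "$CXS_LOG" "$ARCHIVE_DIR"
    $CXS_SCAN_CMD
    echo "cxs scan finished: $(count_users_in_log "$CXS_LOG") account(s) with hits"
    /usr/local/bin/perl "$NOTIFY_SCRIPT"
}

# Cron usage (weekly, Sunday 03:15):  15 3 * * 0 /root/bin/cxs_weekly.sh run
if [ "${1:-}" = "run" ]; then
    run_scan_then_notify
fi
```

Only the "run" argument triggers the scan, so the file can be sourced to reuse rotate_cxs_log and count_users_in_log on their own.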

Version 2!

This version is now aware of resellers, and will email the reseller instead of the cpanel user directly.

#!/usr/local/bin/perl
# This script parses /var/log/cxs.log looking for results with "Fingerprint"
# or "ClamAV". It collects a log file for each user, and then emails the
# results to the cpanel account contact email address if one exists
# Steve Sant stephensant@gmail.com
use strict;
use warnings;
use Email::Valid;
use MIME::Lite;

my $cxslog     = '/var/log/cxs.log';
my $from_email = 'support@yourhost.co.uk';

my $host = `/bin/uname -n`;
$host =~ s/\015?\012?$//;

# Only log lines carrying one of these detection types are reported
my $detect_re = qr/(?:Fingerprint|ClamAV|decode regex|expression match)/;

# Build a hash of users mentioned in the log file, keyed on the cpanel user
# name taken from the /home/<user>/ path, holding that user's matching lines.
# A hash (rather than grep | uniq, which only collapses adjacent duplicates)
# gives exactly one entry per user even when users' lines are interleaved.
my %report;
open(my $log, '<', $cxslog) or die "Cannot open $cxslog: $!\n";
while (my $line = <$log>) {
    next unless $line =~ $detect_re;
    next unless $line =~ m{/home/([^/]+)/};
    $report{$1} .= $line;
}
close($log);

# Read a KEY=value setting from /var/cpanel/users/<user>; returns '' if absent
sub cpanel_setting {
    my ($user, $key) = @_;
    open(my $fh, '<', "/var/cpanel/users/$user") or return '';
    while (my $l = <$fh>) {
        chomp $l;
        return $1 if $l =~ /^\Q$key\E=(.*)$/;
    }
    return '';
}

# loop through all users
foreach my $cpuser (sort keys %report) {
    # determine cpanel account owner: accounts owned by root (or with no owner
    # recorded) are contacted directly, otherwise the reseller is mailed
    my $cpowner = cpanel_setting($cpuser, 'OWNER');
    my $contact = ($cpowner eq '' || $cpowner eq 'root') ? $cpuser : $cpowner;
    # check we have a contact email address for this cpanel account
    my $email = cpanel_setting($contact, 'CONTACTEMAIL');
    # Check the email address is valid
    if (length($email) > 5 && Email::Valid->address($email)) {
        my $report = $report{$cpuser};
        my $msg = MIME::Lite->new(
            From    => $from_email,
            To      => $email,
            Subject => "Malware Warning - cpanel account - $cpuser",
            Type    => 'multipart/mixed'
        );
        my $msgbody = "Dear Client, \n\n"
                    . "The following items were detected on $host in cpanel account $cpuser:\n\n";
        # If report is smaller than 50k then include in body, otherwise attach it
        if (length($report) < 51200) {
            $msgbody .= $report;
        }
        $msg->attach(
            Type => 'TEXT',
            Data => $msgbody
        );
        if (length($report) >= 51200) {
            $msg->attach(
                Type        => 'text/plain',
                Data        => $report,
                Filename    => 'report.txt',
                Disposition => 'attachment'
            );
        }
        $msg->send;
        print "Mail sent to $email for cpanel account $cpuser\n";
    } else {
        print "Email was not valid/supplied = $email \n";
    }
}

Oh, yes, and obviously, you use this entirely at your own risk – absolutely at your own risk!!!


2 Responses to “ConfigServer Exploit Scanner – Individual User Warning Email Script”

  1. Erik February 6, 2015 at 6:56 pm #

    Hello,

    I tried your script and it could be useful. The only problem I have is that if one user has more than one file in quarantine, he will get as many emails as there are files in quarantine, even though your script gathers all the files in quarantine in the report and puts them in the email message. The first email would be enough, because the user gets all the data needed, but if he has 10 quarantined files he gets 10 emails about it.

    Best regards, Erik

    • Steve February 27, 2015 at 7:06 am #

      Hi. The script only sends out one message per user, regardless of how many files are detected. You may be thinking of the actual command line switch to notify upon detection, which would, indeed, send a lot of emails. My script relies on a silent scan that builds a log file, which is then later parsed.
