
Control panel user alerts #409

Merged: 7 commits, Mar 27, 2023
Conversation

@colindclare colindclare commented Mar 7, 2023

Description

Adds functionality to enable alerts to control panel user contact emails. Includes the following functions:

  • Auto detects control panel, if one is installed (currently supports cPanel and Interworx)
  • Obtains contact emails through panel-native tools for a given account
  • Sends alerts with a file hit list to discovered contact emails

Changes

  • Add detect_control_panel function to files/internals/functions to determine installed control panel.
  • Add get_panel_contacts to files/internals/functions to discover contact emails
  • Add configuration options for From, Subject, Reply-To headers on alert emails
  • Add flag to enable these alerts (requires email_alert to be enabled as well)
  • Add internal configuration to set the user alert template location
  • Add a base template that will be used to create emails to control panel contacts

Testing

CentOS 6, no control panel
[root@lmd-cent6 linux-malware-detect]# maldet -a /home/
Linux Malware Detect v1.6.5
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(8544): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(8544): {scan} building file list for /home/, this might take awhile...
maldet(8544): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(8544): {scan} file list completed in 0s, found 1918 files...
maldet(8544): {scan} scan of /home/ (1918 files) in progress...
maldet(8544): {scan} 1918/1918 files scanned: 554 hits 0 cleaned

maldet(8544): {scan} scan completed on /home/: files 1918, malware hits 554, cleaned hits 0, time 138s
maldet(8544): {scan} scan report saved, to view run: maldet --report 230314-2156.8544
maldet(8544): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 230314-2156.8544
maldet(8544): {alert} sent scan report to [email protected]

[root@lmd-cent6 linux-malware-detect]# grep ^email_ /usr/local/maldetect/conf.maldet
email_alert="1"
email_addr="[email protected]"
email_ignore_clean="1"
email_panel_user_alerts="0"
email_panel_from="[email protected]"
email_panel_replyto="[email protected]"
CentOS 7, no control panel
[root@lmd-centos linux-malware-detect]# maldet -a /home/ 
Linux Malware Detect v1.6.5
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(22534): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(22534): {scan} building file list for /home/, this might take awhile...
maldet(22534): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(22534): {scan} file list completed in 0s, found 1934 files...
maldet(22534): {scan} scan of /home/ (1934 files) in progress...
maldet(22534): {scan} 1934/1934 files scanned: 554 hits 0 cleaned

maldet(22534): {scan} scan completed on /home/: files 1934, malware hits 554, cleaned hits 0, time 121s
maldet(22534): {scan} scan report saved, to view run: maldet --report 230314-2031.22534
maldet(22534): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 230314-2031.22534
maldet(22534): {alert} sent scan report to [email protected]

[root@lmd-centos linux-malware-detect]# grep ^email_ /usr/local/maldetect/conf.maldet
email_alert="1"
email_addr="[email protected]"
email_ignore_clean="1"
email_panel_user_alerts="0"
email_panel_from="[email protected]"
email_panel_replyto="[email protected]"
Ubuntu 20.04, no control panel
root@lmd-ubuntu:~/linux-malware-detect# maldet -a /home/
Linux Malware Detect v1.6.5
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(100738): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(100738): {scan} building file list for /home/, this might take awhile...
maldet(100738): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(100738): {scan} file list completed in 0s, found 1924 files...
maldet(100738): {scan} scan of /home/ (1924 files) in progress...
maldet(100738): {scan} 1924/1924 files scanned: 554 hits 0 cleaned

maldet(100738): {scan} scan completed on /home/: files 1924, malware hits 554, cleaned hits 0, time 182s
maldet(100738): {scan} scan report saved, to view run: maldet --report 230314-2054.100738
maldet(100738): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 230314-2054.100738
maldet(100738): {alert} sent scan report to [email protected]

root@lmd-ubuntu:~/linux-malware-detect# grep ^email_ /usr/local/maldetect/conf.maldet
email_alert="1"
email_addr="[email protected]"
email_ignore_clean="1"
email_panel_user_alerts="0"
email_panel_from="[email protected]"
email_panel_replyto="[email protected]"

One additional test to verify that enabling control panel alerts logs an error or otherwise does not send an alert
root@lmd-ubuntu:~/linux-malware-detect# maldet -a /home/
Linux Malware Detect v1.6.5
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(273513): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(273513): {scan} building file list for /home/, this might take awhile...
maldet(273513): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(273513): {scan} file list completed in 1s, found 1924 files...
maldet(273513): {scan} scan of /home/ (1924 files) in progress...
maldet(273513): {scan} 1924/1924 files scanned: 554 hits 0 cleaned

maldet(273513): {scan} scan completed on /home/: files 1924, malware hits 554, cleaned hits 0, time 179s
maldet(273513): {scan} scan report saved, to view run: maldet --report 230317-2008.273513
maldet(273513): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 230317-2008.273513
maldet(273513): {alert} sent scan report to [email protected]
maldet(273513): {panel} Detecting control panel and sending alerts...
maldet(273513): {panel} Failed to set control panel. Will not send alerts to control panel account contacts.
CentOS 7, cPanel 108
[root@cpanel linux-malware-detect]# maldet -a /home/
Linux Malware Detect v1.6.5
            (C) 2002-2019, R-fx Networks
            (C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(67993): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(67993): {scan} building file list for /home/, this might take awhile...
maldet(67993): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(67993): {scan} file list completed in 0s, found 1801 files...
maldet(67993): {scan} found clamav binary at /usr/local/cpanel/3rdparty/bin/clamscan, using clamav scanner engine...
maldet(67993): {scan} scan of /home/ (1801 files) in progress...
maldet(67993): {scan} processing scan results for hits: 936 hits 0 cleaned
maldet(67993): {scan} scan completed on /home/: files 1801, malware hits 936, cleaned hits 0, time 112s
maldet(67993): {scan} scan report saved, to view run: maldet --report 230317-1119.67993
maldet(67993): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 230317-1119.67993
maldet(67993): {alert} sent scan report to [email protected]
maldet(67993): {alert} Panel alerts
maldet(67993): {panel} Detecting control panel and sending alerts...
maldet(67993): {panel} Detected control panel cpanel. Will send alerts to control panel account contacts.

CentOS 7, Interworx
[root@lmd-iworx7 linux-malware-detect]# maldet -a /home/
Linux Malware Detect v1.6.5
            (C) 2002-2019, R-fx Networks
            (C) 2019, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(21699): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(21699): {scan} building file list for /home/, this might take awhile...
maldet(21699): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(21699): {scan} file list completed in 0s, found 2003 files...
maldet(21699): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(21699): {scan} scan of /home/ (2003 files) in progress...
maldet(21699): {scan} processing scan results for hits: 1037 hits 0 cleaned
maldet(21699): {scan} scan completed on /home/: files 2003, malware hits 1037, cleaned hits 0, time 119s
maldet(21699): {scan} scan report saved, to view run: maldet --report 230317-1519.21699
maldet(21699): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 230317-1519.21699
maldet(21699): {alert} sent scan report to [email protected]
maldet(21699): {alert} Panel alerts
maldet(21699): {panel} Detecting control panel and sending alerts...
maldet(21699): {panel} Detected control panel interworx. Will send alerts to control panel account contacts.

Test to verify that disabling email_alert disables control panel user alerts as well

[root@lmd-iworx7 linux-malware-detect]# grep ^email_alert /usr/local/maldetect/conf.maldet
email_alert="0"
[root@lmd-iworx7 linux-malware-detect]# maldet -a /home/
Linux Malware Detect v1.6.5
(C) 2002-2019, R-fx Networks [email protected]
(C) 2019, Ryan MacDonald [email protected]
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(27655): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(27655): {scan} building file list for /home/, this might take awhile...
maldet(27655): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(27655): {scan} file list completed in 0s, found 2003 files...
maldet(27655): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(27655): {scan} scan of /home/ (2003 files) in progress...
maldet(27655): {scan} processing scan results for hits: 1037 hits 0 cleaned
maldet(27655): {scan} scan completed on /home/: files 2003, malware hits 1037, cleaned hits 0, time 115s
maldet(27655): {scan} scan report saved, to view run: maldet --report 230317-2014.27655
maldet(27655): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 230317-2014.27655

Misc

Malware samples for testing obtained from the following repos:
https://github.com/JohnTroony/php-webshells
https://github.com/tennc/webshell
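The two decisions the PR describes, auto-detecting the control panel and only sending panel user alerts when `email_alert` is enabled as well, as an added POSIX sh example that is not the PR's or maldet's own code. It assumes a panel is recognised by its standard install directory (`/usr/local/cpanel` or `/usr/local/interworx`) and takes an optional fake root so the logic can be exercised on a host with no panel installed; looking up contact addresses through the panel's native tools is not modelled, and the function and config-key names other than `email_alert` and `email_panel_user_alerts` are hypothetical.

```shell
#!/bin/sh
# Added example (not maldet's code): model of panel detection and the
# email_alert / email_panel_user_alerts gating described in PR #409.

# detect_control_panel [ROOT]
# Prints "cpanel" or "interworx" and returns 0, or prints nothing and
# returns 1 when neither is installed. Assumption: a panel is recognised
# by its standard install directory; ROOT lets tests use a fake tree.
detect_control_panel() {
    root="${1:-}"
    if [ -d "$root/usr/local/cpanel" ]; then
        echo "cpanel"
    elif [ -d "$root/usr/local/interworx" ]; then
        echo "interworx"
    else
        return 1
    fi
}

# read_conf FILE KEY
# Prints the value of a key="value" line from a conf.maldet-style file.
# The last definition wins, as it would when the file is sourced.
read_conf() {
    sed -n "s/^$2=\"\([^\"]*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# panel_alerts_enabled FILE
# Succeeds only when both email_alert and email_panel_user_alerts are "1":
# panel alerts are a sub-feature of the main email alert and must not fire
# when the main alert is turned off.
panel_alerts_enabled() {
    [ "$(read_conf "$1" email_alert)" = "1" ] &&
    [ "$(read_conf "$1" email_panel_user_alerts)" = "1" ]
}

# panel_alert_decision FILE [ROOT]
# Prints one log-style line describing what would happen on this host and
# returns 1 when no panel alert would be sent.
panel_alert_decision() {
    conf="$1"
    root="${2:-}"
    if ! panel_alerts_enabled "$conf"; then
        echo "{panel} panel user alerts disabled (email_alert and email_panel_user_alerts must both be 1)"
        return 1
    fi
    panel="$(detect_control_panel "$root")" || {
        echo "{panel} Failed to set control panel. Will not send alerts to control panel account contacts."
        return 1
    }
    echo "{panel} Detected control panel $panel. Will send alerts to control panel account contacts."
}

# Stand-alone demonstration on a constructed layout (no real panel needed).
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/usr/local/cpanel"
printf 'email_alert="1"\nemail_panel_user_alerts="1"\n' > "$demo_root/conf.maldet"
panel_alert_decision "$demo_root/conf.maldet" "$demo_root"
rm -rf "$demo_root"
```

Keeping the detection and the gating in separate functions makes each check testable on its own, and the gating check runs first so that a host with panel alerts disabled never touches the panel's tooling at all.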

@rfxn rfxn merged commit 458c652 into rfxn:master Mar 27, 2023
rfxn added a commit that referenced this pull request Mar 27, 2023
…to determine installed control panel; pr #409

[New] add get_panel_contacts to files/internals/functions to discover contact emails; pr #409
[New] add configuration options for From, Subject, Reply-To headers on alert emails; pr #409
[New] add flag to enable these alerts (requires email_alert to be enabled as well); pr #409
[New] add internal configuration to set the user alert template location; pr #409
[New] add a base template that will be used to create emails to control panel contacts; pr #409