I have created a script that scans running PHP scripts on cPanel servers. I have been using this for a little over a year on servers, so it has undergone very extensive testing.
Things to note:
- Tested on CentOS 6 only. It may work on CentOS 5; I can't see why not.
- Only works on cPanel servers. Use the cPanel ClamAV plugin.
- Works best with suPHP enabled.
- Supports the LiteSpeed web server, but due to differences in LiteSpeed it can't always be known which PHP script is running. To address that, if mlocate/slocate is installed so that "locate filename" works, a fallback is enabled when the script is not found on a match.
- There is limited support for PHP as a DSO, because Apache's server-status must be used and the running script is not always revealed.
- An nginx plugin will not work with the scanner. It has not been tested with CloudLinux's new LSAPI.
What does it do?
When a PHP script is run on a website while the scanner is running, that script is sent through ClamAV. If a match is found, the file is moved to ~username/.quarentine/DATE/filename. An email is sent to the email address listed in /etc/wwwacct.conf, which is the same address set under WHM -> basic server setup for notifications.
* index.php is ignored and not scanned, because a match on index.php could allow a directory listing.
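As an added illustration of the quarantine-and-notify step described above (this is not the scanner from the post), the POSIX shell below handles one PHP file: it skips index.php, scans with clamdscan, moves a match into ~user/.quarentine/DATE/ and mails the CONTACTEMAIL address from /etc/wwwacct.conf. The scanner, config path and mail client are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not the scanner from the post: the quarantine-and-notify step
# for one PHP file. Assumptions (all overridable via environment variables):
#   SCAN_CMD      - scanner; defaults to clamdscan (exit 0 clean, 1 match, 2 error)
#   WWWACCT_CONF  - cPanel config holding the "CONTACTEMAIL address" line
#   MAIL_CMD      - mail client used for the notification
SCAN_CMD="${SCAN_CMD:-clamdscan --no-summary --fdpass}"
WWWACCT_CONF="${WWWACCT_CONF:-/etc/wwwacct.conf}"
MAIL_CMD="${MAIL_CMD:-mail}"

# Notification address from wwwacct.conf (empty string if the key is absent).
contact_email() {
    sed -n 's/^CONTACTEMAIL[[:space:]]*//p' "$WWWACCT_CONF" | head -n 1
}

# index.php is never scanned: quarantining it could expose a directory listing.
should_scan() {
    case "$(basename "$1")" in
        index.php) return 1 ;;
        *)         return 0 ;;
    esac
}

# Quarantine directory for the account whose home is $1: HOME/.quarentine/DATE
quarantine_dir() {
    printf '%s/.quarentine/%s\n' "$1" "$(date +%Y-%m-%d)"
}

# Scan $1 (owned by the account with home $2). Returns 0 when the file was
# clean, skipped or the scanner errored; returns 1 after quarantining a match.
handle_file() {
    file="$1"; home="$2"
    should_scan "$file" || return 0
    rc=0; $SCAN_CMD "$file" >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 0 ] && return 0
    if [ "$rc" -ne 1 ]; then
        echo "scanner error ($rc) on $file, not quarantining" >&2
        return 0
    fi
    dest="$(quarantine_dir "$home")"
    mkdir -p "$dest" && chmod 700 "$dest"
    mv "$file" "$dest/"
    addr="$(contact_email)"
    if [ -n "$addr" ]; then
        printf 'Quarantined %s to %s\n' "$file" "$dest" |
            $MAIL_CMD -s "PHP scanner match on $(uname -n)" "$addr"
    fi
    return 1
}
```

A scanner error (clamdscan exit 2, for example clamd not running) deliberately does not quarantine, so a broken daemon cannot take a site offline.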
How to Install
Step 1) Install cPanel's ClamAV plugin. Either add it in WHM -> Addon Modules (select clamav) or run the following in SSH:
/scripts/update_local_rpm_versions --edit target_settings.clamav installed
/scripts/check_cpanel_rpms --fix --targets=clamav
Step 2) Get the /admin folder
rsync -a rsync://mirror.trouble-free.net/admin /admin
Step 3) Create the symlinks and runtime files:
/admin/scanner/create.sh
Step 4) Run the script
Either run it manually with
/admin/scanner/run.sh
or install it to run from cron every 5 minutes:
/admin/scanner/create.sh cron
Changes made to your system once installed:
/etc/cron.daily/virusscanner_freshclam.sh
This file updates the virus database.
If it was installed to run from cron,
/etc/cron.d/virusscanner_php.sh
runs the scanner every 5 minutes.
If nc (netcat) was not present, it was installed via yum. This allows ClamAV to reload the database without a full restart.