[cPanel Servers] Use clamav to automatically scan running PHP scripts


Staff member
I have created a script that scans running PHP scripts on cPanel servers. I have been using this for a little over a year on servers, so it has undergone very extensive testing.

Things to note:
- Tested on CentOS 6 only. It may work on CentOS 5; I can't see why not.

- Only works on cPanel servers. Use the cPanel ClamAV plugin.

- Works best with suPHP enabled.

- Supports the LiteSpeed web server, but due to differences in LiteSpeed it can't always be known what the running PHP script is. To work around that, if mlocate/slocate is installed so that "locate filename" works, a fallback is enabled if the script is not found on a match.

- There is limited support for PHP as a DSO, because Apache status must be used and the running script is not always revealed.

- An nginx plugin will not work with the scanner. It has not been tested with CloudLinux's new LSAPI.

What does it do?
When a PHP script is run on a website while the scanner is running, that script is sent through ClamAV. If a match is found, the file is moved to ~username/.quarentine/DATE/filename. An email is sent to the email address listed in /etc/wwwacct.conf, which is the same as WHM->Basic Server Setup for notifications.

* index.php is ignored and not scanned. This is because a match on index.php could allow a directory listing.

How to Install

Step 1) Install cPanel's ClamAV plugin. Either add it in WHM->Addon Modules (select clamav) or run the following over SSH:

/scripts/update_local_rpm_versions --edit target_settings.clamav installed
/scripts/check_cpanel_rpms --fix --targets=clamav

Step 2) Get the /admin folder
rsync -a rsync://mirror.trouble-free.net/admin /admin

Step 3) Create symlinks and running files

Step 4) Running the script
Either manually run this with

Or install to run in cron every 5 minutes
/admin/scanner/create.sh cron

Changes to your system once installed:

This file updates the virus db

If it was installed to run in cron

runs the scanner every 5 minutes

If NC did not exist, it was installed via yum. This allows ClamAV to reload the database without a full restart.
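As an added example (not the author's /admin/scanner script, which the post does not reproduce), here is a POSIX shell sketch of the flow described above: map a running php-cgi process to its script, skip index.php, scan the file, and on a match move it into the account's quarantine directory and emit a notification. The following are assumptions rather than facts from the post: the scanner command follows clamscan's exit codes (0 clean, 1 match, other values error), DATE is formatted as YYYY-MM-DD, the home directory comes from getent, and the notification goes to stdout instead of the wwwacct.conf address. The .quarentine directory name is kept as the post spells it. The SCANNER and NOTIFY_CMD variables are pluggable so the quarantine logic can be exercised on a host without ClamAV.

```shell
#!/bin/sh
# Added example of the scan-and-quarantine flow; not the post's /admin/scanner tool.
# Assumptions (not from the post): clamscan exit codes, YYYY-MM-DD date layout,
# getent for the home directory, notification to stdout.

: "${SCANNER:=clamscan --no-summary --infected}"  # any command: exit 0 clean, 1 match
: "${NOTIFY_CMD:=cat}"                             # the real tool mails the wwwacct.conf address

# script_from_args ARGS -> prints the first argument ending in .php from one
# 'ps -o args' line (suPHP/php-cgi style, where the script path is on the command
# line). Returns 1 when no script can be identified, the "cannot always be known"
# case the post mentions for LiteSpeed and DSO.
script_from_args() {
    for a in $1; do
        case "$a" in
            *.php) printf '%s\n' "$a"; return 0 ;;
        esac
    done
    return 1
}

# should_scan PATH -> 0 if the file should be scanned, 1 to skip it.
# index.php is skipped, as in the post: quarantining it could expose a directory listing.
should_scan() {
    case "$(basename "$1")" in
        index.php) return 1 ;;
        *) [ -f "$1" ] ;;
    esac
}

# quarantine_path HOME FILE -> the destination layout from the post:
# ~username/.quarentine/DATE/filename (DATE format is an assumption)
quarantine_path() {
    printf '%s/.quarentine/%s/%s\n' "$1" "$(date +%Y-%m-%d)" "$(basename "$2")"
}

# scan_one HOME FILE -> 0 clean or skipped, 1 quarantined, 2 scanner error
scan_one() {
    home=$1; file=$2
    should_scan "$file" || return 0
    if $SCANNER "$file" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case $rc in
        0) return 0 ;;
        1)
            dest=$(quarantine_path "$home" "$file")
            mkdir -p "$(dirname "$dest")" && chmod 700 "$home/.quarentine"
            mv "$file" "$dest"
            printf 'quarantined %s -> %s\n' "$file" "$dest" | $NOTIFY_CMD
            return 1 ;;
        *) return 2 ;;
    esac
}

# scan_running -> walk the process list, map each php process to its script and
# scan it under the owning user's home directory (getent lookup is an assumption).
scan_running() {
    ps -eo user=,args= | while read -r user args; do
        case "$args" in
            php*|*php-cgi*) ;;
            *) continue ;;
        esac
        script=$(script_from_args "$args") || continue
        home=$(getent passwd "$user" | cut -d: -f6) || continue
        [ -n "$home" ] || continue
        scan_one "$home" "$script" || :
    done
}

# Usage: sh scan-running-php.sh run   (one pass; schedule it from cron as the post does)
if [ "${1:-}" = run ]; then scan_running; fi
```

Note that mv keeps the quarantined file on the same filesystem as the account, so a hosting-side backup or a restore by the customer can still recover a false positive; the 700 mode on the quarantine directory is there so the web server cannot serve the moved file back out.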