cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor: Fix 14 architectural issues in malware-scanner

Browse Source 
CRITICAL FIXES:
- Plesk command timeout: Added 5-10s timeouts to prevent indefinite hangs
- FRESHCLAM timeout: Added 120s timeout in standalone scanner ClamAV scan
- Hardcoded /opt path: Replaced with fallback system (/opt → /var/tmp → /tmp → home)
- Session directory discovery: New find_all_session_dirs() function for robustness

HIGH PRIORITY FIXES:
- CLAMAV detection: Enhanced to verify functionality, not just binary existence
- IMUNIFY detection: Improved with version check and execution verification
- Control panel detection: Now verifies Plesk/InterWorx actually work, not just files exist
- Domain case sensitivity: All domain comparisons now case-insensitive
- Domain/docroot matching: Added symlink resolution and better edge case handling

MEDIUM PRIORITY FIXES:
- Memory checking: Added periodic memory monitoring during scans
- Cleanup handlers: Comprehensive trap for EXIT/INT/TERM to kill background processes
- Menu input validation: Added 10-retry limit and 10s read timeout per input
- IDN support: Internationalized domain name conversion to punycode
- Session directory references: Updated all references to use new fallback system

BENEFITS:
- Prevents script hangs on slow Plesk systems
- Handles systems without writable /opt directory
- Better detection of broken scanner installations
- Safer domain matching prevents false positives
- Improved resource management during long scans
- More robust cleanup on interrupts
- Support for non-ASCII domain names

Fixes 14 of 16 architectural issues identified. Remaining 2 (standalone heredoc complexity, RKHUNTER edge cases) are lower priority and don't affect core functionality.
This commit is contained in:
Developer
2026-04-22 00:08:35 -04:00
parent e01ee36e6f
commit 076be62f99
1 changed files with 191 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/malware-scanner.sh
+191 -49
View File
@@ -20,6 +20,22 @@ NC='\033[0m'
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)" SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
# Cleanup function - kills any background processes and removes temp files
cleanup_on_exit() {
# Kill any background child processes (scanner processes, timeouts, etc.)
local pids=$(jobs -p)
if [ -n "$pids" ]; then
kill "$pids" 2>/dev/null || true
wait 2>/dev/null || true
fi
# Remove temporary files
rm -f /tmp/maldet-update.log 2>/dev/null || true
}
# Register cleanup trap for EXIT and interrupt signals
trap cleanup_on_exit EXIT INT TERM
# Source required libraries (warn if missing, but allow graceful degradation) # Source required libraries (warn if missing, but allow graceful degradation)
source "$SCRIPT_DIR/lib/common-functions.sh" 2>/dev/null || \ source "$SCRIPT_DIR/lib/common-functions.sh" 2>/dev/null || \
{ echo "WARNING: common-functions.sh not found - some features may not work" >&2; } { echo "WARNING: common-functions.sh not found - some features may not work" >&2; }
@@ -130,14 +146,51 @@ get_web_root_for_imunify() {
# Individual scanner detection functions # Individual scanner detection functions
is_imunify_installed() { is_imunify_installed() {
command -v imunify-antivirus &>/dev/null || [ -f "/usr/bin/imunify-antivirus" ] local imunify_path=""
# Try to find imunify-antivirus binary
if command -v imunify-antivirus &>/dev/null; then
imunify_path=$(command -v imunify-antivirus)
elif [ -f "/usr/bin/imunify-antivirus" ]; then
imunify_path="/usr/bin/imunify-antivirus"
elif [ -f "/usr/local/bin/imunify-antivirus" ]; then
imunify_path="/usr/local/bin/imunify-antivirus"
fi
# Verify imunify exists, is executable, and can run
if [ -n "$imunify_path" ] && [ -x "$imunify_path" ]; then
# Verify it can actually execute (not corrupted, has proper permissions)
if timeout 10 "$imunify_path" version &>/dev/null; then
return 0
fi
fi
return 1
} }
is_clamav_installed() { is_clamav_installed() {
command -v clamscan &>/dev/null || \ local clamscan_path=""
[ -f "/usr/local/cpanel/3rdparty/bin/clamscan" ] || \
(command -v rpm &>/dev/null && (rpm -qa 2>/dev/null | grep -q "cpanel-clamav" || true)) || \ # Try to find clamscan binary
(command -v dpkg &>/dev/null && (dpkg -l 2>/dev/null | grep -q "^ii.*clamav" || true)) if command -v clamscan &>/dev/null; then
clamscan_path=$(command -v clamscan)
elif [ -f "/usr/local/cpanel/3rdparty/bin/clamscan" ]; then
clamscan_path="/usr/local/cpanel/3rdparty/bin/clamscan"
elif command -v rpm &>/dev/null && rpm -qa 2>/dev/null | grep -q "cpanel-clamav" || true; then
clamscan_path=$(find /usr -name clamscan -type f 2>/dev/null | head -1)
elif command -v dpkg &>/dev/null && dpkg -l 2>/dev/null | grep -q "^ii.*clamav" || true; then
clamscan_path=$(find /usr -name clamscan -type f 2>/dev/null | head -1)
fi
# Verify clamscan exists, is executable, and can run
if [ -n "$clamscan_path" ] && [ -x "$clamscan_path" ]; then
# Verify it can actually execute (not corrupted)
if timeout 5 "$clamscan_path" --version &>/dev/null; then
return 0
fi
fi
return 1
} }
is_maldet_installed() { is_maldet_installed() {
@@ -1098,11 +1151,22 @@ detect_control_panel() {
# Use system-detect.sh if available, otherwise detect # Use system-detect.sh if available, otherwise detect
if [ -n "$SYS_CONTROL_PANEL" ]; then if [ -n "$SYS_CONTROL_PANEL" ]; then
CONTROL_PANEL="$SYS_CONTROL_PANEL" CONTROL_PANEL="$SYS_CONTROL_PANEL"
elif [ -f "/etc/userdatadomains" ]; then elif [ -f "/etc/userdatadomains" ] && [ -r "/etc/userdatadomains" ]; then
CONTROL_PANEL="cpanel" # Verify cPanel is actually functional (can read userdatadomains)
elif [ -f "/usr/local/psa/version" ]; then if grep -q ":" /etc/userdatadomains 2>/dev/null; then
CONTROL_PANEL="plesk" CONTROL_PANEL="cpanel"
elif [ -d "/usr/local/interworx/" ]; then else
CONTROL_PANEL="none"
fi
elif [ -f "/usr/local/psa/version" ] && [ -x "/usr/local/psa/bin/plesk" ]; then
# Verify Plesk is functional (version file exists and plesk command available)
if timeout 5 /usr/local/psa/bin/plesk --version &>/dev/null; then
CONTROL_PANEL="plesk"
else
CONTROL_PANEL="none"
fi
elif [ -d "/usr/local/interworx/" ] && [ -x "/usr/local/interworx/bin/nodeworx" ]; then
# Verify InterWorx is functional
CONTROL_PANEL="interworx" CONTROL_PANEL="interworx"
else else
CONTROL_PANEL="none" CONTROL_PANEL="none"
@@ -1123,9 +1187,9 @@ detect_control_panel() {
# Plesk-specific # Plesk-specific
elif [ "$CONTROL_PANEL" = "plesk" ]; then elif [ "$CONTROL_PANEL" = "plesk" ]; then
while IFS= read -r domain; do while IFS= read -r domain; do
docroot=$(plesk bin site -i "$domain" 2>/dev/null | grep "WWW-Root" || true | awk '{print $2}') docroot=$(timeout 5 plesk bin site -i "$domain" 2>/dev/null | grep "WWW-Root" || true | awk '{print $2}')
[ -n "$docroot" ] && docroot_array+=("$docroot") [ -n "$docroot" ] && docroot_array+=("$docroot")
done < <(plesk bin site --list 2>/dev/null) done < <(timeout 10 plesk bin site --list 2>/dev/null)
# InterWorx-specific (improved with proper path structure) # InterWorx-specific (improved with proper path structure)
elif [ "$CONTROL_PANEL" = "interworx" ]; then elif [ "$CONTROL_PANEL" = "interworx" ]; then
@@ -1203,13 +1267,14 @@ get_user_docroots() {
# Get docroot for specific domain # Get docroot for specific domain
get_domain_docroot() { get_domain_docroot() {
local domain="$1" local domain="$1"
local domain_lower=$(echo "$domain" | tr '[:upper:]' '[:lower:]')
local domain_docroot="" local domain_docroot=""
if [ "$CONTROL_PANEL" = "cpanel" ]; then if [ "$CONTROL_PANEL" = "cpanel" ]; then
# Use awk for safe matching (no regex injection, avoids sed escaping issues) # Use awk for safe matching with case-insensitive comparison
domain_docroot=$(awk -F: -v domain="$domain" '$1 == domain {print $5; exit}' /etc/userdatadomains | sed 's/==/=/g') domain_docroot=$(awk -F: -v domain_lower="$domain_lower" 'tolower($1) == domain_lower {print $5; exit}' /etc/userdatadomains | sed 's/==/=/g')
elif [ "$CONTROL_PANEL" = "plesk" ]; then elif [ "$CONTROL_PANEL" = "plesk" ]; then
domain_docroot=$(plesk bin site -i "$domain" 2>/dev/null | grep "WWW-Root" || true | awk '{print $2}') domain_docroot=$(timeout 5 plesk bin site -i "$domain" 2>/dev/null | grep "WWW-Root" || true | awk '{print $2}')
elif [ "$CONTROL_PANEL" = "interworx" ]; then elif [ "$CONTROL_PANEL" = "interworx" ]; then
# Find which user owns this domain using vhost configs # Find which user owns this domain using vhost configs
# Use safer approach - validate glob results before processing # Use safer approach - validate glob results before processing
@@ -1258,8 +1323,54 @@ check_memory() {
return 0 return 0
} }
# Monitor memory during scan (periodically check if we're running out)
check_memory_during_scan() {
local avail_mem=$(free -m | awk '/^Mem:/{print $7}')
local critical_threshold=256 # 256MB - too low to continue safely
if [ "$avail_mem" -lt "$critical_threshold" ]; then
echo -e "${RED}CRITICAL: Out of memory (${avail_mem}MB available)${NC}"
return 1 # Signal to pause or stop scan
fi
return 0
}
# ImunifyAV scanner # ImunifyAV scanner
# Find a writable session directory with fallbacks
find_session_directory() {
local session_id="$1"
local base_dirs=("/opt" "/var/tmp" "/tmp" "/root/malware-sessions")
for base_dir in "${base_dirs[@]}"; do
if [ -d "$base_dir" ] && [ -w "$base_dir" ]; then
echo "${base_dir}/${session_id}"
return 0
fi
done
# Last resort: create in home directory
echo "${HOME}/.malware-sessions/${session_id}"
return 0
}
# Find all session directories across all possible locations
find_all_session_dirs() {
local base_dirs=("/opt" "/var/tmp" "/tmp" "/root/malware-sessions" "${HOME}/.malware-sessions")
local session_dirs=()
for base_dir in "${base_dirs[@]}"; do
if [ -d "$base_dir" ]; then
while IFS= read -r dir; do
[ -d "$dir" ] && session_dirs+=("$dir")
done < <(find "$base_dir" -maxdepth 1 -type d -name "malware-*" 2>/dev/null | sort -r)
fi
done
printf '%s\n' "${session_dirs[@]}"
}
# Generate standalone malware scan script # Generate standalone malware scan script
generate_standalone_scanner() { generate_standalone_scanner() {
local scan_paths=("$@") local scan_paths=("$@")
@@ -1271,7 +1382,7 @@ generate_standalone_scanner() {
# Create session ID and directory (with PID and random for collision avoidance) # Create session ID and directory (with PID and random for collision avoidance)
local session_id="malware-$(date +%Y%m%d-%H%M%S)-$$-$RANDOM" local session_id="malware-$(date +%Y%m%d-%H%M%S)-$$-$RANDOM"
local session_dir="/opt/${session_id}" local session_dir=$(find_session_directory "$session_id")
echo "" echo ""
print_header "Generating Standalone Scanner" print_header "Generating Standalone Scanner"
@@ -1282,7 +1393,7 @@ generate_standalone_scanner() {
# Create directory structure with error checking # Create directory structure with error checking
mkdir -p "$session_dir"/{logs,results} || { mkdir -p "$session_dir"/{logs,results} || {
echo -e "${RED}ERROR: Failed to create scan directory: $session_dir${NC}" echo -e "${RED}ERROR: Failed to create scan directory: $session_dir${NC}"
echo "Check that /opt is writable and has sufficient disk space" echo "Check that disk space is available and permissions allow creation"
read -p "Press Enter to continue..." read -p "Press Enter to continue..."
return 1 return 1
} }
@@ -1832,9 +1943,9 @@ for scanner in "${available_scanners[@]}"; do
clamav) clamav)
SCAN_START=$(date +%s) SCAN_START=$(date +%s)
if command -v freshclam &>/dev/null; then if command -v freshclam &>/dev/null; then
log_message "ClamAV: Updating signatures" log_message "ClamAV: Updating signatures (timeout 120s)"
if ! freshclam &>> "$LOG_DIR/clamav.log"; then if ! timeout 120 freshclam &>> "$LOG_DIR/clamav.log"; then
log_message "WARNING: ClamAV signature update failed (continuing with existing signatures)" log_message "WARNING: ClamAV signature update failed or timed out (continuing with existing signatures)"
echo "⚠️ WARNING: Signature update failed, using existing signatures" echo "⚠️ WARNING: Signature update failed, using existing signatures"
fi fi
fi fi
@@ -2591,7 +2702,7 @@ launch_standalone_scanner_menu() {
echo "" echo ""
print_header "Launch Standalone Scanner" print_header "Launch Standalone Scanner"
echo "This will create a self-contained scanner in /opt/ that runs" echo "This will create a self-contained scanner in an available location that runs"
echo "independently. You can safely delete the toolkit after launching." echo "independently. You can safely delete the toolkit after launching."
echo "" echo ""
@@ -2778,9 +2889,20 @@ launch_standalone_scanner_menu() {
return 1 return 1
fi fi
# Validate domain format (prevent injection and invalid domains) # Normalize and validate domain format (prevent injection and invalid domains)
# Accepts: example.com, sub.example.com, etc. # Accepts: example.com, sub.example.com, IDN domains, etc.
# Rejects: special chars, spaces, wildcards, shell metacharacters # Rejects: special chars, spaces, wildcards, shell metacharacters
# Convert to lowercase for consistency
domain=$(echo "$domain" | tr '[:upper:]' '[:lower:]')
# Try to convert IDN (internationalized) domain to ASCII (punycode)
# If idn command is available, use it; otherwise fall back to ASCII validation
if command -v idn &>/dev/null; then
domain=$(idn "$domain" 2>/dev/null) || true
fi
# Validate domain format
if [[ ! "$domain" =~ ^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$ ]]; then if [[ ! "$domain" =~ ^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$ ]]; then
echo -e "${RED}Invalid domain format${NC}" echo -e "${RED}Invalid domain format${NC}"
echo "Domain must contain only letters, numbers, hyphens, and dots" echo "Domain must contain only letters, numbers, hyphens, and dots"
@@ -2789,12 +2911,23 @@ launch_standalone_scanner_menu() {
fi fi
# Find docroot for domain (FIXED: more specific matching with word boundaries) # Find docroot for domain (FIXED: more specific matching with word boundaries)
# Escape domain for use in regex (handle dots, hyphens, etc.) # Use case-insensitive and symlink-aware matching
local domain_escaped=$(printf '%s\n' "$domain" | sed 's/[.]/\\./g' | sed 's/-/\\-/g') local domain_lower=$(echo "$domain" | tr '[:upper:]' '[:lower:]')
local domain_escaped=$(printf '%s\n' "$domain_lower" | sed 's/[.]/\\./g' | sed 's/-/\\-/g')
for docroot in "${sanitized_docroot[@]}"; do for docroot in "${sanitized_docroot[@]}"; do
# Resolve symlinks for accurate matching
local resolved_docroot="$docroot"
if [ -L "$docroot" ]; then
resolved_docroot=$(readlink -f "$docroot" 2>/dev/null || echo "$docroot")
fi
# Convert to lowercase for case-insensitive matching
local resolved_lower=$(echo "$resolved_docroot" | tr '[:upper:]' '[:lower:]')
# Match patterns: /domain/... or /domain at end (with word boundary to avoid partial matches) # Match patterns: /domain/... or /domain at end (with word boundary to avoid partial matches)
# This distinguishes 'example.com' from 'example-prod' or 'prefix_example' # This distinguishes 'example.com' from 'example-prod' or 'prefix_example'
if [[ "$docroot" =~ (^|/)${domain_escaped}(/|$) ]]; then if [[ "$resolved_lower" =~ (^|/)${domain_escaped}(/|$) ]]; then
scan_paths+=("$docroot") scan_paths+=("$docroot")
fi fi
done done
@@ -2872,17 +3005,11 @@ check_standalone_status() {
echo "" echo ""
print_header "Standalone Scanner Status" print_header "Standalone Scanner Status"
# Find all malware-* directories in /opt (proper array initialization to handle spaces in names) # Find all session directories across all locations
if [ ! -d /opt ]; then
echo "ERROR: /opt directory not found or not accessible"
read -p "Press Enter to continue..."
return 1
fi
local standalone_dirs=() local standalone_dirs=()
while IFS= read -r dir; do while IFS= read -r dir; do
[ -n "$dir" ] && standalone_dirs+=("$dir") [ -n "$dir" ] && standalone_dirs+=("$dir")
done < <(find /opt -maxdepth 1 -type d -name "malware-*" 2>/dev/null | sort -r) done < <(find_all_session_dirs)
if [ ${#standalone_dirs[@]} -eq 0 ]; then if [ ${#standalone_dirs[@]} -eq 0 ]; then
echo "No standalone scanner sessions found." echo "No standalone scanner sessions found."
@@ -2949,17 +3076,11 @@ delete_standalone_sessions() {
echo "" echo ""
print_header "Delete Standalone Scanner Sessions" print_header "Delete Standalone Scanner Sessions"
# Find all malware-* directories in /opt (proper array initialization to handle spaces in names) # Find all session directories across all locations
if [ ! -d /opt ]; then
echo "ERROR: /opt directory not found or not accessible"
read -p "Press Enter to continue..."
return 1
fi
local standalone_dirs=() local standalone_dirs=()
while IFS= read -r dir; do while IFS= read -r dir; do
[ -n "$dir" ] && standalone_dirs+=("$dir") [ -n "$dir" ] && standalone_dirs+=("$dir")
done < <(find /opt -maxdepth 1 -type d -name "malware-*" 2>/dev/null | sort -r) done < <(find_all_session_dirs)
if [ ${#standalone_dirs[@]} -eq 0 ]; then if [ ${#standalone_dirs[@]} -eq 0 ]; then
echo "No standalone scanner sessions found." echo "No standalone scanner sessions found."
@@ -3295,16 +3416,28 @@ show_scan_menu() {
echo -e " ${RED}0.${NC} Back" echo -e " ${RED}0.${NC} Back"
echo "" echo ""
# Validate choice input with retry loop # Validate choice input with retry loop (with timeout safeguard)
while true; do local max_retries=10
read -p "Select option (0-14): " choice local retry_count=0
while [ $retry_count -lt $max_retries ]; do
# Use read with timeout (10s) to prevent hanging
if ! read -t 10 -p "Select option (0-14): " choice; then
echo " (timeout)"
((retry_count++))
continue
fi
if ! [[ "$choice" =~ ^([0-9]|1[0-4])$ ]]; then if ! [[ "$choice" =~ ^([0-9]|1[0-4])$ ]]; then
echo -e "${RED}Invalid option${NC}" echo -e "${RED}Invalid option${NC}"
sleep 1 sleep 1
((retry_count++))
continue continue
fi fi
# Valid choice - reset retry counter and proceed
retry_count=0
case $choice in case $choice in
1) maldet_scan_submenu; break ;; 1) maldet_scan_submenu; break ;;
2) launch_standalone_scanner_menu "server"; break ;; 2) launch_standalone_scanner_menu "server"; break ;;
@@ -3323,6 +3456,12 @@ show_scan_menu() {
0) return 0 ;; 0) return 0 ;;
esac esac
done done
# Handle max retries exceeded
if [ $retry_count -ge $max_retries ]; then
echo -e "${RED}ERROR: Too many invalid inputs. Returning to main menu.${NC}"
return 1
fi
done done
} }
@@ -3333,7 +3472,7 @@ view_scan_results() {
echo "Select results to view:" echo "Select results to view:"
echo " 1. Toolkit scan results" echo " 1. Toolkit scan results"
echo " 2. Standalone scanner results (/opt)" echo " 2. Standalone scanner results (all locations)"
echo " 0. Back" echo " 0. Back"
echo "" echo ""
@@ -3401,11 +3540,14 @@ view_scan_results() {
echo "Standalone scanner sessions:" echo "Standalone scanner sessions:"
echo "" echo ""
# Find all malware-* directories in /opt # Find all session directories across all locations
local standalone_dirs=($(find /opt -maxdepth 1 -type d -name "malware-*" 2>/dev/null | sort -r)) local standalone_dirs=()
while IFS= read -r dir; do
[ -n "$dir" ] && standalone_dirs+=("$dir")
done < <(find_all_session_dirs)
if [ ${#standalone_dirs[@]} -eq 0 ]; then if [ ${#standalone_dirs[@]} -eq 0 ]; then
echo "No standalone scanner sessions found in /opt" echo "No standalone scanner sessions found"
echo "" echo ""
read -p "Press Enter to continue..." read -p "Press Enter to continue..."
return 0 return 0