diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index b565b2f..65d6a49 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -35,6 +35,10 @@ is_maldet_installed() {
     command -v maldet &>/dev/null || [ -f "/usr/local/sbin/maldet" ]
 }
 
+is_rkhunter_installed() {
+    command -v rkhunter &>/dev/null || [ -f "/usr/bin/rkhunter" ]
+}
+
 # Scanner detection
 detect_scanners() {
     available_scanners=()
@@ -51,6 +55,10 @@ detect_scanners() {
         available_scanners+=("maldet")
     fi
 
+    if is_rkhunter_installed; then
+        available_scanners+=("rkhunter")
+    fi
+
     if [ ${#available_scanners[@]} -eq 0 ]; then
         echo -e "${RED}No malware scanners detected!${NC}"
         echo ""
@@ -118,7 +126,23 @@ show_scanner_installation_guide() {
         echo ""
     fi
 
-    echo -e "${YELLOW}Recommendation:${NC} Install at least ClamAV (free) for basic scanning"
+    # Check Rootkit Hunter
+    if ! is_rkhunter_installed; then
+        echo -e "${CYAN}Rootkit Hunter${NC} - Rootkit/backdoor/exploit scanner"
+        echo " Status: Not installed"
+        echo " Installation:"
+        echo " yum install epel-release -y # Enable EPEL repo"
+        echo " yum install rkhunter -y"
+        echo " rkhunter --update # Update definitions"
+        echo " rkhunter --propupd # Initialize baseline"
+        echo " Docs: https://rkhunter.sourceforge.net/"
+        echo ""
+    else
+        echo -e "${GREEN}✓ Rootkit Hunter${NC} - Installed"
+        echo ""
+    fi
+
+    echo -e "${YELLOW}Recommendation:${NC} Install at least ClamAV + RKHunter (both free) for comprehensive protection"
     echo ""
 }
 
@@ -131,6 +155,7 @@ install_all_scanners() {
     echo " • ClamAV (free, open source)"
     echo " • Maldet (free, Linux-specific)"
     echo " • ImunifyAV (FREE version)"
+    echo " • Rootkit Hunter (free, rootkit detection)"
     echo ""
     echo -e "${YELLOW}Note: ImunifyAV is FREE. Imunify360 is the paid version.${NC}"
     echo ""
@@ -151,7 +176,7 @@ install_all_scanners() {
 
     # Install ClamAV
     if ! is_clamav_installed; then
-        echo -e "${CYAN}[1/3] Installing ClamAV...${NC}"
+        echo -e "${CYAN}[1/4] Installing ClamAV...${NC}"
 
         if [ -f "/usr/local/cpanel/cpanel" ]; then
             # cPanel method - check if already installed but not configured
@@ -190,7 +215,7 @@ install_all_scanners() {
 
     # Install Maldet
     if ! is_maldet_installed; then
-        echo -e "${CYAN}[2/3] Installing Maldet...${NC}"
+        echo -e "${CYAN}[2/4] Installing Maldet...${NC}"
 
         cd /tmp
         wget -q http://www.rfxn.com/downloads/maldetect-current.tar.gz
@@ -221,7 +246,7 @@ install_all_scanners() {
 
     # Install ImunifyAV (FREE version)
     if ! is_imunify_installed; then
-        echo -e "${CYAN}[3/3] Installing ImunifyAV (FREE)...${NC}"
+        echo -e "${CYAN}[3/4] Installing ImunifyAV (FREE)...${NC}"
         echo " This may take several minutes - please wait..."
 
         # Use deployment script method (most reliable)
@@ -266,6 +291,44 @@ install_all_scanners() {
         echo -e "${GREEN}✓ ImunifyAV already installed${NC}"
     fi
 
+    echo ""
+
+    # Install Rootkit Hunter
+    if ! is_rkhunter_installed; then
+        echo -e "${CYAN}[4/4] Installing Rootkit Hunter...${NC}"
+
+        # Ensure EPEL repo is enabled
+        if command -v yum &>/dev/null; then
+            if ! rpm -qa | grep -q epel-release; then
+                echo " → Installing EPEL repository..."
+                yum install -y epel-release 2>&1 | grep -E "Installing|Installed|already installed"
+            fi
+
+            # Install rkhunter
+            yum install -y rkhunter 2>&1 | grep -E "Installing|Installed|already installed"
+        elif command -v apt-get &>/dev/null; then
+            apt-get update && apt-get install -y rkhunter
+        fi
+
+        if is_rkhunter_installed; then
+            echo -e "${GREEN}✓ Rootkit Hunter installed${NC}"
+
+            # Update definitions
+            echo " → Updating rootkit definitions..."
+            rkhunter --update 2>&1 | grep -E "updated|downloaded" || rkhunter --update &>/dev/null
+            echo -e " ${GREEN}✓${NC} Definitions updated"
+
+            # Initialize baseline (propupd creates file property database)
+            echo " → Initializing baseline database..."
+            rkhunter --propupd &>/dev/null
+            echo -e " ${GREEN}✓${NC} Baseline initialized"
+        else
+            echo -e "${RED}✗ Rootkit Hunter installation failed${NC}"
+        fi
+    else
+        echo -e "${GREEN}✓ Rootkit Hunter already installed${NC}"
+    fi
+
     echo ""
     echo "=========================================="
     echo "Installation Complete"
@@ -508,6 +571,11 @@ if command -v maldet &>/dev/null; then
     log_message "Detected: Maldet"
 fi
 
+if command -v rkhunter &>/dev/null; then
+    AVAILABLE_SCANNERS+=("rkhunter")
+    log_message "Detected: Rootkit Hunter"
+fi
+
 if [ ${#AVAILABLE_SCANNERS[@]} -eq 0 ]; then
     log_message "ERROR: No scanners found!"
     echo -e "${RED}No malware scanners detected!${NC}"
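Review bot: `rkhunter --propupd` in the new install branch snapshots the file properties of the host as it is right now and makes that the trusted baseline, so on a machine this scanner module is being installed to inspect, any binary that was already tampered with gets recorded as legitimate and later `--check` runs will not report it. The script should say so where it initializes the baseline, e.g. `echo "  Note: baseline reflects the current system state; file-property checks only report changes made after this point"`, and the `--propupd` line in the guide text at `@@ -118` could carry the same caveat. Separately, `Definitions updated` and `Baseline initialized` are printed whatever the preceding rkhunter command returned, because its status is discarded (`&>/dev/null`, or replaced by grep's in the `--update` pipeline); `if rkhunter --propupd &>/dev/null; then echo -e "  ${GREEN}✓${NC} Baseline initialized"; else echo -e "  ${RED}✗${NC} Baseline initialization failed"; fi` reports the real outcome. The yum lines have the same shape — the pipeline's status is grep's, not yum's — though the `is_rkhunter_installed` recheck does catch a package install that did not happen.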
@@ -605,6 +673,26 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do
             echo "✓ Maldet scan complete" | tee -a "$SUMMARY_FILE"
             log_message "Maldet: Scan complete"
             ;;
+
+        rkhunter)
+            log_message "RKHunter: Updating definitions"
+            rkhunter --update &>> "$LOG_DIR/rkhunter.log"
+
+            log_message "RKHunter: Starting scan"
+            # --check: Run all checks
+            # --skip-keypress: Don't wait for user input
+            # --report-warnings-only: Only show warnings/issues
+            rkhunter --check --skip-keypress --report-warnings-only &>> "$LOG_DIR/rkhunter.log"
+
+            # Extract warnings
+            RKH_WARNINGS=$(grep -c "Warning:" "$LOG_DIR/rkhunter.log" 2>/dev/null || echo 0)
+
+            # Extract any rootkits found
+            grep "Rootkit" "$LOG_DIR/rkhunter.log" | grep -i "found" >> "$INFECTED_LIST" 2>/dev/null
+
+            echo "✓ RKHunter scan complete - Warnings: $RKH_WARNINGS" | tee -a "$SUMMARY_FILE"
+            log_message "RKHunter: Scan complete - $RKH_WARNINGS warnings"
+            ;;
     esac
 
     echo "" | tee -a "$SUMMARY_FILE"
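Review bot: `RKH_WARNINGS=$(grep -c "Warning:" ... || echo 0)` yields the two-line value `0` newline `0` whenever nothing matches, because `grep -c` prints `0` and still exits 1, so the summary line reads `Warnings: 0` followed by a stray `0`; use `|| true` and default afterwards with `${RKH_WARNINGS:-0}`. The count is also taken from `$LOG_DIR/rkhunter.log`, which both rkhunter invocations append to (`&>>`), so it accumulates every earlier run's warnings plus whatever the `--update` step wrote rather than this scan's result; a per-run log file fixes that and the `Rootkit`/`found` extraction that reads the same file. The exit status of `rkhunter --check` is dropped as well — it is non-zero when warnings were found or an error occurred, which is worth logging (and would abort the script here if `set -e` is in effect above the hunk, which is not visible). The enclosing `for scanner` loop and `case` start outside the hunk.
```shell
        rkhunter)
            # One log per run so the warning count below reflects only this scan
            RKH_LOG="$LOG_DIR/rkhunter-$(date +%Y%m%d-%H%M%S).log"
            log_message "RKHunter: Updating definitions"
            rkhunter --update &>> "$RKH_LOG"
            # … unchanged: "Starting scan" log_message and option comments …
            rkhunter --check --skip-keypress --report-warnings-only &>> "$RKH_LOG" \
                || log_message "RKHunter: exited with status $? (warnings or errors reported, see $RKH_LOG)"
            # grep -c prints 0 and exits 1 on no match, so '|| echo 0' produced "0\n0"
            RKH_WARNINGS=$(grep -c "Warning:" "$RKH_LOG" 2>/dev/null || true)
            RKH_WARNINGS=${RKH_WARNINGS:-0}
            grep "Rootkit" "$RKH_LOG" | grep -i "found" >> "$INFECTED_LIST" 2>/dev/null
            # … unchanged: summary echo, log_message, ;; …
```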