Integrate malware scanner with IP reputation system

- Source ip-reputation.sh library
- Correlate infected files with Apache POST logs
- Flag uploading IPs in reputation database with RCE attack type
- Add +25 reputation penalty for malware uploaders
- Log flagged IPs to flagged_ips.log for review
- Limit analysis to 20 most recent files for performance

modules/security/malware-scanner.sh

@@ -13,6 +13,7 @@ source "$SCRIPT_DIR/lib/common-functions.sh" 2>/dev/null || true
 source "$SCRIPT_DIR/lib/system-detect.sh" 2>/dev/null || true
 source "$SCRIPT_DIR/lib/user-manager.sh" 2>/dev/null || true
 source "$SCRIPT_DIR/lib/reference-db.sh" 2>/dev/null || true
+source "$SCRIPT_DIR/lib/ip-reputation.sh" 2>/dev/null || true
 
 # Arrays for docroots and scanners
 declare -a docroot_array
@@ -858,6 +859,49 @@ done
         sort -u "$INFECTED_LIST"
         echo ""
         echo "ACTION REQUIRED: Review and quarantine/remove infected files"
+        echo ""
+
+        # IP Reputation Integration: Flag IPs that uploaded malware
+        echo "----------------------------------------"
+        echo "Analyzing upload sources..."
+        echo "----------------------------------------"
+
+        # Correlate infected files with Apache logs to find uploading IPs
+        local flagged_ips=0
+        while read -r infected_file; do
+            # Extract file path components
+            local filename=$(basename "$infected_file")
+            local filepath=$(dirname "$infected_file")
+
+            # Try to find corresponding Apache access logs
+            # Look for POST requests to the directory containing the infected file
+            if [ -d "/var/log/apache2/domlogs" ]; then
+                # Search last 7 days of logs for POST requests to this path
+                find /var/log/apache2/domlogs -type f -name "*.com" -o -name "*.net" -o -name "*.org" 2>/dev/null | while read -r logfile; do
+                    # Check if this log corresponds to the domain/user
+                    grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20 | while read -r logline; do
+                        # Extract IP from Apache log line
+                        local ip=$(echo "$logline" | awk '{print $1}')
+                        if [ -n "$ip" ] && [[ "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+                            # Flag this IP in reputation database
+                            if type flag_ip_attack &>/dev/null; then
+                                flag_ip_attack "$ip" "RCE" 25 "Malware scanner: Uploaded $filename" >/dev/null 2>&1
+                                echo "  → Flagged IP: $ip (uploaded to $filepath)" >> "$LOG_DIR/flagged_ips.log"
+                                ((flagged_ips++))
+                            fi
+                        fi
+                    done
+                done
+            fi
+        done < <(sort -u "$INFECTED_LIST" | head -20)  # Limit to first 20 files to avoid long processing
+
+        if [ $flagged_ips -gt 0 ]; then
+            echo "✓ Flagged $flagged_ips IPs in reputation database"
+            echo "  (See $LOG_DIR/flagged_ips.log for details)"
+        else
+            echo "  No upload IPs identified (files may be older than log retention)"
+        fi
+        echo ""
     else
         echo "✓ No infected files detected by automated scan."
         echo ""