From 32b620756fcf0ebd28581f9b1685646d35f54314 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 14 Nov 2025 20:43:18 -0500
Subject: [PATCH] Integrate malware scanner with IP reputation system

- Source ip-reputation.sh library
- Correlate infected files with Apache POST logs
- Flag uploading IPs in reputation database with RCE attack type
- Add +25 reputation penalty for malware uploaders
- Log flagged IPs to flagged_ips.log for review
- Limit analysis to 20 most recent files for performance
---
 modules/security/malware-scanner.sh | 44 +++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 5a9cda5..cd23a31 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -13,6 +13,7 @@ source "$SCRIPT_DIR/lib/common-functions.sh" 2>/dev/null || true
 source "$SCRIPT_DIR/lib/system-detect.sh" 2>/dev/null || true
 source "$SCRIPT_DIR/lib/user-manager.sh" 2>/dev/null || true
 source "$SCRIPT_DIR/lib/reference-db.sh" 2>/dev/null || true
+source "$SCRIPT_DIR/lib/ip-reputation.sh" 2>/dev/null || true
 
 # Arrays for docroots and scanners
 declare -a docroot_array
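Review bot: Sourcing ip-reputation.sh with `2>/dev/null || true` mirrors the sibling libraries, but when the file is missing the later `type flag_ip_attack` guard silently skips flagging and the run ends with "No upload IPs identified (files may be older than log retention)", which attributes the empty result to the wrong cause. A stderr note on the failure path would make the degraded mode visible, e.g. `source "$SCRIPT_DIR/lib/ip-reputation.sh" 2>/dev/null || echo "warn: ip-reputation.sh not loaded; IP flagging disabled" >&2`. The surrounding `source` block is top-level script setup, not a function.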
@@ -858,6 +859,49 @@ done
 sort -u "$INFECTED_LIST"
 echo ""
 echo "ACTION REQUIRED: Review and quarantine/remove infected files"
+ echo ""
+
+ # IP Reputation Integration: Flag IPs that uploaded malware
+ echo "----------------------------------------"
+ echo "Analyzing upload sources..."
+ echo "----------------------------------------"
+
+ # Correlate infected files with Apache logs to find uploading IPs
+ local flagged_ips=0
+ while read -r infected_file; do
+ # Extract file path components
+ local filename=$(basename "$infected_file")
+ local filepath=$(dirname "$infected_file")
+
+ # Try to find corresponding Apache access logs
+ # Look for POST requests to the directory containing the infected file
+ if [ -d "/var/log/apache2/domlogs" ]; then
+ # Search last 7 days of logs for POST requests to this path
+ find /var/log/apache2/domlogs -type f -name "*.com" -o -name "*.net" -o -name "*.org" 2>/dev/null | while read -r logfile; do
+ # Check if this log corresponds to the domain/user
+ grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20 | while read -r logline; do
+ # Extract IP from Apache log line
+ local ip=$(echo "$logline" | awk '{print $1}')
+ if [ -n "$ip" ] && [[ "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ # Flag this IP in reputation database
+ if type flag_ip_attack &>/dev/null; then
+ flag_ip_attack "$ip" "RCE" 25 "Malware scanner: Uploaded $filename" >/dev/null 2>&1
+ echo " → Flagged IP: $ip (uploaded to $filepath)" >> "$LOG_DIR/flagged_ips.log"
+ ((flagged_ips++))
+ fi
+ fi
+ done
+ done
+ fi
+ done < <(sort -u "$INFECTED_LIST" | head -20) # Limit to first 20 files to avoid long processing
+
+ if [ $flagged_ips -gt 0 ]; then
+ echo "✓ Flagged $flagged_ips IPs in reputation database"
+ echo " (See $LOG_DIR/flagged_ips.log for details)"
+ else
+ echo " No upload IPs identified (files may be older than log retention)"
+ fi
+ echo ""
 else
 echo "✓ No infected files detected by automated scan."
 echo ""
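Review bot: `flagged_ips` is incremented only inside the `find … | while` and `grep … | tail | while` pipelines, so `((flagged_ips++))` runs in subshells and the `if [ $flagged_ips -gt 0 ]` check after the outer loop always sees 0, printing "No upload IPs identified" even after `flag_ip_attack` was called. Feeding both inner loops by process substitution keeps the counter in the current shell; the rewrite below also groups the `find` name tests, since as written `-o` binds looser than the implicit `-a` and `-type f` applies only to `*.com`, and uses `flagged_ips=$((flagged_ips + 1))` because `((flagged_ips++))` returns 1 on the first increment and would abort the loop if the script runs under `set -e`. `$filepath` goes unescaped into the `grep` regex and, as access logs record request URIs rather than filesystem paths, the match presumably only succeeds where the docroot maps 1:1 onto the URL space — worth confirming; the "last 7 days" comment also has no matching `-mtime -7` on the `find`. Every client that POSTed to that directory receives the +25 RCE penalty, not just the one that uploaded the flagged file, so legitimate users of an upload endpoint can be penalised; narrowing the match to `$filename` or to a time window around the file's mtime would reduce that. The enclosing function starts and ends outside the hunk.
```shell
while read -r logfile; do
  while read -r logline; do
    # … unchanged: IP extraction, validation and flag_ip_attack call …
    flagged_ips=$((flagged_ips + 1))   # replaces ((flagged_ips++))
    # … unchanged: closing fi; fi …
  done < <(grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20)
done < <(find /var/log/apache2/domlogs -type f \( -name "*.com" -o -name "*.net" -o -name "*.org" \) 2>/dev/null)
```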