diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index e0208ce..967d9a4 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -220,46 +220,61 @@ install_all_scanners() { # Try control panel-specific methods first if [ -f "/usr/local/cpanel/cpanel" ]; then - # cPanel method + # cPanel method - use cPanel's package management only if rpm -qa 2>/dev/null | grep -q "cpanel-clamav"; then echo -e "${GREEN}✓ ClamAV already installed (cPanel)${NC}" else + echo " → Installing via cPanel package manager..." /scripts/update_local_rpm_versions --edit target_settings.clamav installed 2>/dev/null || true - /scripts/check_cpanel_rpms --fix --targets=clamav 2>&1 | grep -E "Installing|Updating|up to date" || true + /scripts/check_cpanel_rpms --fix --targets=clamav 2>&1 | tail -3 fi + # IMPORTANT: Don't fall through to standard yum - cPanel packages conflict! elif [ -f "/usr/local/psa/version" ]; then # Plesk method - use standard package manager echo " → Detected Plesk system, using standard package manager..." if command -v yum &>/dev/null; then - yum install -y clamav clamav-update 2>&1 | grep -E "Installing|Updating|already installed" || true + yum install -y clamav clamav-update 2>&1 | grep -E "Installing|Installed|already installed" || echo " (installation may already be complete)" elif command -v apt-get &>/dev/null; then apt-get update 2>&1 | grep -E "Reading|Building|Hit|Get" | head -3 || true - apt-get install -y clamav clamav-daemon 2>&1 | grep -E "Setting up|already|newest" || true + apt-get install -y clamav clamav-daemon 2>&1 | grep -E "Setting up|already|newest" || echo " (installation may already be complete)" fi elif command -v yum &>/dev/null; then - # RHEL/CentOS based systems - yum install -y clamav clamav-update 2>&1 | grep -E "Installing|Updating|already installed" || true + # RHEL/CentOS based systems (non-cPanel) + echo " → Installing via yum..." 
+ yum install -y clamav clamav-update 2>&1 | grep -E "Installing|Installed|already installed" || echo " (installation may already be complete)" elif command -v apt-get &>/dev/null; then # Debian/Ubuntu: Update package list first, then install ClamAV echo " → Updating package list..." apt-get update 2>&1 | grep -E "Reading|Building|Hit|Get" | head -3 || true echo " → Installing ClamAV..." - apt-get install -y clamav clamav-daemon 2>&1 | grep -E "Setting up|already|newest" || true + apt-get install -y clamav clamav-daemon 2>&1 | grep -E "Setting up|already|newest" || echo " (installation may already be complete)" fi if is_clamav_installed; then echo -e "${GREEN}✓ ClamAV installed${NC}" - # Find freshclam binary - local freshclam_bin=$(command -v freshclam || find /usr -name freshclam 2>/dev/null | head -1) + # Find freshclam binary - try standard locations first before using find + local freshclam_bin="" + for path in /usr/bin/freshclam /usr/sbin/freshclam \ + /usr/local/bin/freshclam /usr/local/sbin/freshclam \ + /usr/local/cpanel/3rdparty/bin/freshclam; do + if [ -x "$path" ]; then + freshclam_bin="$path" + break + fi + done + # Only use find as last resort if standard paths don't work + if [ -z "$freshclam_bin" ]; then + freshclam_bin=$(find /usr/local /usr -name freshclam -type f 2>/dev/null | head -1) + fi # Update virus signatures immediately if [ -n "$freshclam_bin" ]; then - echo " → Updating virus signatures (this may take a moment)..." - if "$freshclam_bin" 2>&1 | grep -qE "updated|Downloaded|up-to-date"; then + echo " → Updating virus signatures (timeout 60s)..." + if timeout 60 "$freshclam_bin" 2>&1 | grep -qE "updated|Downloaded|up-to-date"; then echo -e " ${GREEN}✓${NC} Signatures updated" else - echo -e " ${YELLOW}⚠${NC} Signature update status unclear (may still be current)" + echo -e " ${YELLOW}⚠${NC} Signature update inconclusive (may still be current)" fi fi else 
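Review bot: The signature check `timeout 60 "$freshclam_bin" 2>&1 | grep -qE "updated|Downloaded|up-to-date"` takes its result from grep alone, so a freshclam run that prints one matching line and is then killed by `timeout` (exit status 124) is still reported as "Signatures updated"; `grep -q` also closes the pipe at its first match, which can end freshclam with SIGPIPE before the remaining databases are written. Capture output and status before matching, e.g. `fc_out=$(timeout 60 "$freshclam_bin" 2>&1); fc_rc=$?` with both names declared `local`, and report success only when `fc_rc` is not 124 and the text matches. The same pipeline shape is used for `"$maldet_bin" -u` and `"$imunify_bin" update` in the later hunks. Separately, `path` in the new `for` loop is not declared `local`, so it leaks out of install_all_scanners, whose body starts and ends outside this hunk.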
@@ -331,12 +346,16 @@ install_all_scanners() { echo -e "${GREEN}✓ Maldet installed${NC}" rm -f "$install_log" - # Update malware signatures immediately + # Update malware signatures immediately with timeout echo " → Updating malware signatures..." - if maldet -u 2>&1 | grep -qE "update completed|signatures"; then - echo -e " ${GREEN}✓${NC} Signatures updated" - else - echo -e " ${YELLOW}⚠${NC} Signature update status unclear (continuing with current definitions)" + # Try to find maldet binary (might not be in PATH yet) + local maldet_bin=$(command -v maldet || find /usr/local -name maldet -type f 2>/dev/null | head -1) + if [ -n "$maldet_bin" ]; then + if timeout 120 "$maldet_bin" -u 2>&1 | grep -qE "update completed|signatures"; then + echo -e " ${GREEN}✓${NC} Signatures updated" + else + echo -e " ${YELLOW}⚠${NC} Signature update inconclusive (continuing with current definitions)" + fi fi else echo -e "${RED}✗ Maldet installation failed${NC}" 
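Review bot: The new `if [ -n "$maldet_bin" ]` has no `else`, so when neither `command -v maldet` nor the `find` fallback returns a path the script prints "Updating malware signatures..." and then nothing, leaving the scanner on its shipped definitions with no warning. Add a branch such as `else echo -e " ${YELLOW}⚠${NC} maldet binary not found, signatures not updated"`. The fallback also executes the first regular file named `maldet` found anywhere under /usr/local, presumably as root given the package installs around it, without testing that it is executable; a `[ -x "$maldet_bin" ]` guard would catch a bad hit. Splitting `local maldet_bin` from the assignment would stop `local` from masking the lookup's exit status. The surrounding `if`/`else` starts outside this hunk.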
@@ -372,20 +391,41 @@ install_all_scanners() { rm -f imav-deploy.sh fi - wget -q https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh + # Download deployment script with timeout + if timeout 30 wget -q -O imav-deploy.sh https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh 2>/dev/null; then + if [ ! -f imav-deploy.sh ] || [ ! -s imav-deploy.sh ]; then + echo -e "${RED} Failed to download installation script (empty file)${NC}" + else + # Run deployment script with timeout and capture output + echo " → Running deployment script..." + local deploy_log="/tmp/imav-deploy-$$.log" + if timeout 300 bash imav-deploy.sh > "$deploy_log" 2>&1; then + # Check if any actual installation happened + if grep -qiE "installed|complete|success" "$deploy_log"; then + echo " → Deployment script executed" + else + echo " → Deployment script ran (check for errors below)" + fi - if [ -f imav-deploy.sh ]; then - # Run deployment script with progress indicators - bash imav-deploy.sh 2>&1 | grep -E "Installing|Installed|Complete|Error|Failed" || true - rm -f imav-deploy.sh + # Show any errors from deployment + if grep -qi "error\|failed\|conflict" "$deploy_log"; then + echo -e " ${YELLOW}⚠ Warnings detected:${NC}" + grep -iE "error|failed|conflict" "$deploy_log" | sed 's/^/ /' | head -3 + fi + else + echo -e "${YELLOW} ⚠ Deployment script timed out or failed${NC}" + fi + rm -f "$deploy_log" + rm -f imav-deploy.sh - # Enable cPanel UI plugin if installed - if [ -f "/opt/alt/python35/share/imunify360/scripts/av-userside-plugin.sh" ]; then - echo " → Enabling cPanel UI plugin..." - /opt/alt/python35/share/imunify360/scripts/av-userside-plugin.sh &>/dev/null + # Try to start the service if installed + if command -v systemctl &>/dev/null && is_imunify_installed; then + echo " → Starting ImunifyAV service..." 
+ systemctl start imunify-antivirus 2>/dev/null || true + fi fi else - echo -e "${RED} Failed to download installation script${NC}" + echo -e "${RED} Failed to download installation script (network error or timeout)${NC}" fi if is_imunify_installed; then @@ -398,14 +438,15 @@ install_all_scanners() { # Update malware signatures immediately if [ -n "$imunify_bin" ]; then echo " → Updating malware signatures..." - if "$imunify_bin" update 2>&1 | grep -qE "updated|Success|completed"; then + if timeout 60 "$imunify_bin" update 2>&1 | grep -qiE "updated|Success|completed"; then echo -e " ${GREEN}✓${NC} Signatures updated" else - echo -e " ${YELLOW}⚠${NC} Signature update status unclear (continuing with current definitions)" + echo -e " ${YELLOW}⚠${NC} Signature update inconclusive (continuing with current definitions)" fi fi else echo -e "${RED}✗ ImunifyAV installation failed${NC}" + echo -e "${YELLOW} Note: ImunifyAV FREE is primarily supported on CloudLinux, cPanel, and Plesk systems${NC}" fi else echo -e "${GREEN}✓ ImunifyAV already installed${NC}" 
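Review bot: `local deploy_log="/tmp/imav-deploy-$$.log"` is a predictable name in a world-writable directory, and the redirect `> "$deploy_log"` follows a pre-existing symlink, so a local user could steer this (presumably root-run) installer into overwriting a file of their choosing; create the file with `deploy_log=$(mktemp)` instead. The deployment script is still written to a fixed name in the current directory and run with `bash` without any checksum or signature check, so its integrity rests on the TLS connection alone. Downloading into a `mktemp -d` directory and comparing against a pinned digest, if the vendor publishes one, would narrow that. The `2>/dev/null` on the `wget` call hides certificate errors from the operator, and the log is deleted on every path, including the timeout/failure branch where its contents are never shown.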
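Review bot: Adding `-i` in `grep -qiE "updated|Success|completed"` makes the `Success` alternative match strings such as "unsuccessful", so a failed `"$imunify_bin" update` could now be reported as "Signatures updated", depending on the tool's wording. Decide on the command's exit status instead, captured before any pipe and treating `timeout`'s 124 as a failure, and keep the text match only as a secondary hint. If the match is kept, anchoring it to whole words with `grep -qiwE` would avoid the substring hit. The enclosing `if [ -n "$imunify_bin" ]` block starts outside this hunk.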
@@ -418,23 +459,32 @@ install_all_scanners() { echo -e "${CYAN}[4/4] Installing Rootkit Hunter...${NC}" # Ensure repo is enabled (OS-specific) - if command -v yum &>/dev/null; then - # RHEL/CentOS - EPEL repo (only on RHEL-based systems that have rpm) + if command -v dnf &>/dev/null; then + # CentOS 8+, RHEL 8+, Fedora - use dnf as primary package manager if ! rpm -qa 2>/dev/null | grep -q epel-release; then echo " → Installing EPEL repository..." - yum install -y epel-release 2>&1 | grep -E "Installing|Installed|already installed" || true + dnf install -y epel-release 2>&1 | grep -E "Installing|Installed|already installed" || echo " (repo may already be enabled)" fi - # Install rkhunter - yum install -y rkhunter 2>&1 | grep -E "Installing|Installed|already installed" || true + dnf install -y rkhunter 2>&1 | grep -E "Installing|Installed|already installed" || echo " (installation may already be complete)" + elif command -v yum &>/dev/null; then + # CentOS 7, RHEL 7 - use yum + if ! rpm -qa 2>/dev/null | grep -q epel-release; then + echo " → Installing EPEL repository..." + yum install -y epel-release 2>&1 | grep -E "Installing|Installed|already installed" || echo " (repo may already be enabled)" + fi + # Install rkhunter + yum install -y rkhunter 2>&1 | grep -E "Installing|Installed|already installed" || echo " (installation may already be complete)" elif command -v apt-get &>/dev/null; then # Debian/Ubuntu - universe repo (rkhunter is in universe) echo " → Ensuring universe repository is enabled..." - grep -q "universe" /etc/apt/sources.list 2>/dev/null || \ - sed -i 's/^deb http/deb http universe\ndeb http/' /etc/apt/sources.list 2>/dev/null || true + if ! 
grep -q "universe" /etc/apt/sources.list 2>/dev/null; then + # Add universe to existing deb lines correctly + sed -i 's/^deb http\(.*\) \(main\|restricted\)$/deb http\1 \2 universe/' /etc/apt/sources.list 2>/dev/null || true + apt-get update 2>&1 | grep -E "Hit|Get|Reading|Building" | head -3 || true + fi - apt-get update 2>&1 | grep -E "Hit|Get|Reading|Building" | head -3 || true - apt-get install -y rkhunter 2>&1 | grep -E "Setting up|already|newest" || true + apt-get install -y rkhunter 2>&1 | grep -E "Setting up|already|newest" || echo " (installation may already be complete)" fi if is_rkhunter_installed; then
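Review bot: The `sed -i` on /etc/apt/sources.list runs on every apt-based system, Debian included, where no `universe` component exists, and it rewrites the file in place with no backup while `2>/dev/null || true` hides any failure. Restrict the edit to Ubuntu and keep a copy, e.g. add `grep -q '^ID=ubuntu' /etc/os-release` to the condition and use `sed -i.bak` for the substitution. `grep -q "universe"` also matches commented-out lines, so the check can pass when the component is not actually enabled. With `apt-get update` now inside the `if`, the `rkhunter` install depends on package lists refreshed earlier in install_all_scanners, which this hunk does not show.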