diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 966fd4a..1010292 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -1068,10 +1068,10 @@ done
 fi
 done
 done
- elif [ -n "$SYS_LOG_DIR" ] && [ -d "$SYS_LOG_DIR" ]; then
- # cPanel/Plesk: Use detected log directory
- # Search last 7 days of logs for POST requests to this path
- find "$SYS_LOG_DIR" -type f \( -name '*.com' -o -name '*.net' -o -name '*.org' \) 2>/dev/null | while read -r logfile; do
+ elif [ "$CONTROL_PANEL" = "plesk" ]; then
+ # Plesk: Search /var/www/vhosts/*/logs/access*log
+ # Plesk stores logs in /var/www/vhosts/domain.com/logs/access_log or access_ssl_log
+ find /var/www/vhosts/*/logs -type f \( -name 'access_log' -o -name 'access_ssl_log' \) 2>/dev/null | while read -r logfile; do
 # Check if this log corresponds to the domain/user
 grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20 | while read -r logline; do
 # Extract IP from Apache log line
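Review bot: `$filepath`, read from `$INFECTED_LIST` (file names the attacker chose), is interpolated unescaped into the `grep -h "POST.*${filepath}"` pattern on the context line, so regex metacharacters in the path (`.`, `+`, `[`, `(`) silently mis-match or make grep error out, and a name containing `.*` widens the match to unrelated requests and flags their client IPs. Two fixed-string greps avoid that: `grep -F -- "$filepath" "$logfile" 2>/dev/null | grep -F -- '"POST ' | tail -20 | while read -r logline; do`. If the list entries are absolute filesystem paths, the request URI in the access log will not contain the document-root prefix and nothing matches at all — worth checking against a sample entry. The comment `# Check if this log corresponds to the domain/user` describes a check that is not implemented (every vhost log is searched), so either add the check or reword it to `# All Plesk vhost logs are searched; no per-domain filtering`. Note too that this branch replaces the generic `$SYS_LOG_DIR` fallback with a hard-coded `/var/www/vhosts/*/logs`, so a Plesk install with a relocated vhosts directory silently gets no IP flagging; the enclosing `if`/`elif` chain begins above the hunk and the loop bodies continue below it.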
@@ -1086,6 +1086,26 @@ done
 fi
 done
 done
+ elif [ "$CONTROL_PANEL" = "cpanel" ]; then
+ # cPanel: Search domlogs directory
+ # cPanel stores logs as domain.com, domain.net, etc. in /var/log/apache2/domlogs/
+ if [ -n "$SYS_LOG_DIR" ] && [ -d "$SYS_LOG_DIR" ]; then
+ find "$SYS_LOG_DIR" -type f \( -name '*.com' -o -name '*.net' -o -name '*.org' -o -name '*.info' -o -name '*.biz' \) 2>/dev/null | while read -r logfile; do
+ # Check if this log corresponds to the domain/user
+ grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20 | while read -r logline; do
+ # Extract IP from Apache log line
+ ip=$(echo "$logline" | awk '{print $1}')
+ if [ -n "$ip" ] && [[ "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ # Flag this IP in reputation database
+ if type flag_ip_attack &>/dev/null; then
+ flag_ip_attack "$ip" "RCE" 25 "Malware scanner: Uploaded $filename" >/dev/null 2>&1
+ echo " → Flagged IP: $ip (uploaded to $filepath)" >> "$LOG_DIR/flagged_ips.log"
+ ((flagged_ips++))
+ fi
+ fi
+ done
+ done
+ fi
 fi
 done < <(sort -u "$INFECTED_LIST" | head -20) # Limit to first 20 files to avoid long processing
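Review bot: `((flagged_ips++))` near the end of the new cpanel branch runs inside two pipeline subshells (`find … | while` and `grep … | tail -20 | while`), so the increment never reaches the `flagged_ips` the parent shell reads unless `lastpipe` is enabled somewhere outside this hunk — the count reported for cPanel hosts stays at whatever it was before the branch. Feeding both loops from process substitution (`done < <(…)`) keeps the bodies in the current shell; and since `((…++))` returns non-zero when `flagged_ips` is 0, prefer `flagged_ips=$((flagged_ips + 1))` in case the script runs under `set -e`. The name filter on the `find` line admits only five TLDs and, as cPanel's HTTPS logs are typically named `domain-ssl_log`, will miss most POSTs on a modern host; if this server has those files add `-o -name '*-ssl_log'`, or drop the TLD allow-list in favour of excluding `*-bytes_log`. The `[[ "$ip" =~ … ]]` check is IPv4-only, so IPv6 clients are silently never flagged — say so in a comment or extend the pattern. The enclosing `if`/`elif` chain starts above the hunk.
```shell
elif [ "$CONTROL_PANEL" = "cpanel" ]; then
    # cPanel: domlogs are named after the domain; HTTPS traffic is in domain-ssl_log
    if [ -n "$SYS_LOG_DIR" ] && [ -d "$SYS_LOG_DIR" ]; then
        # Both loops read from process substitution so the counter update below
        # happens in this shell, not in a pipeline subshell.
        while IFS= read -r logfile; do
            while IFS= read -r logline; do
                # … unchanged: ip extraction, IPv4 check, flag_ip_attack call, flagged_ips.log line …
                flagged_ips=$((flagged_ips + 1))
                # … unchanged: closing fi / fi …
            done < <(grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20)
        done < <(find "$SYS_LOG_DIR" -type f \( -name '*.com' -o -name '*.net' -o -name '*.org' -o -name '*.info' -o -name '*.biz' -o -name '*-ssl_log' \) 2>/dev/null)
    fi
```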