From 94e3ca42c11fc9a2e3d6eb0a7a486d57c5ae033d Mon Sep 17 00:00:00 2001
From: cschantz
Date: Tue, 23 Dec 2025 16:40:09 -0500
Subject: [PATCH] Simplify client report to bare essentials
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changed from verbose corporate report to concise results-only format.
Before (95 lines):
- Multiple section headers with decorative borders
- Lengthy explanations about what scanners were used
- Detailed security observations and attack pattern analysis
- General security recommendations (7 bullet points)
- Multiple redundant status sections
After (15 lines):
MALWARE SCAN REPORT - [date]
RESULT: ✅ No malware found - your server is clean
OR
RESULT: ⚠️ X infected file(s) detected
INFECTED FILES:
• [file paths]
NEXT STEPS:
1. Remove infected files immediately
2. Change all passwords
3. Update WordPress/plugins to latest versions
Rationale: Customers only need results and next steps, not explanations.
Changes applied to both inline and function versions.
---
 modules/security/malware-scanner.sh | 243 ++++------------------------
 1 file changed, 27 insertions(+), 216 deletions(-)

diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index e184216..cca8ea7 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -1434,100 +1434,32 @@ else
 # Generate report
 {
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "SECURITY SCAN REPORT"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo ""
- echo "Scan Date: $scan_date"
- echo "Scan Coverage: $scan_paths"
- echo ""
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "OVERALL STATUS"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+ echo "MALWARE SCAN REPORT - $scan_date"
+ echo "═══════════════════════════════════════════════════════════"
 echo ""
 if [ "$real_threats_count" -eq 0 ]; then
- echo "✅ NO ACTIVE MALWARE DETECTED"
- echo ""
- echo "Your server is clean. No malicious files were found in"
- echo "web-accessible directories or user content areas."
+ echo "RESULT: ✅ No malware found - your server is clean"
 else
- echo "⚠️ MALWARE DETECTED - ACTION REQUIRED"
- echo ""
- echo "Found $real_threats_count infected file(s) that require immediate attention."
- fi
- echo ""
-
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "SCAN DETAILS"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo ""
- echo "We performed a comprehensive security scan using multiple"
- echo "industry-standard malware detection engines:"
- echo ""
- echo " • ImunifyAV - Advanced threat detection"
- echo " • ClamAV - Open-source antivirus engine"
- echo " • Linux Maldet - Web malware specialist"
- echo " • Rootkit Hunter - System integrity checker"
- echo ""
-
- if [ "$real_threats_count" -gt 0 ]; then
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "INFECTED FILES REQUIRING ATTENTION"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+ echo "RESULT: ⚠️ $real_threats_count infected file(s) detected"
 echo ""
+ echo "INFECTED FILES:"
 echo "$real_threats_list"
- echo "RECOMMENDED ACTIONS:"
- echo ""
- echo "1. Review each file to confirm it is malicious"
- echo "2. Remove or quarantine infected files immediately"
- echo "3. Change all passwords (hosting, FTP, database, CMS admin)"
- echo "4. Review file upload functionality in web applications"
- echo "5. Update all web applications, plugins, and themes"
- echo "6. Check access logs for unauthorized access patterns"
- echo ""
+ echo "NEXT STEPS:"
+ echo " 1. Remove infected files immediately"
+ echo " 2. Change all passwords"
+ echo " 3. Update WordPress/plugins to latest versions"
 fi
 if [ -n "$false_positives_list" ]; then
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "INFORMATIONAL DETECTIONS (No Action Required)"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo ""
- echo "The following files triggered alerts but are likely false"
- echo "positives. These are log files that contain records of"
- echo "attack attempts against your server (which were blocked):"
- echo ""
- echo "$false_positives_list"
- echo "These files are safe and contain evidence of your server"
- echo "correctly blocking malicious requests. No action needed."
 echo ""
+ echo "───────────────────────────────────────────────────────────"
+ echo "NOTE: Attack attempts were detected in your server logs."
+ echo "These were successfully blocked. No action needed."
 fi
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "ONGOING SECURITY RECOMMENDATIONS"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo ""
- echo "To maintain server security, we recommend:"
- echo ""
- echo " ✓ Run malware scans monthly (or after any security incident)"
- echo " ✓ Keep all software updated (WordPress, plugins, PHP, etc.)"
- echo " ✓ Use strong, unique passwords for all accounts"
- echo " ✓ Enable automatic security updates where possible"
- echo " ✓ Review file permissions regularly"
- echo " ✓ Monitor server logs for suspicious activity"
- echo " ✓ Maintain regular backups (stored off-server)"
- echo ""
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "TECHNICAL DETAILS"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
 echo "Scan ID: $(basename $SCAN_DIR)"
- echo "Report Generated: $(date)"
- echo ""
- echo "For technical details and full scan logs, please contact"
- echo "your system administrator."
- echo ""
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 } > "$client_report_file"
 fi
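Review bot: The `if [ -n "$false_positives_list" ]` branch now prints `NOTE: Attack attempts were detected in your server logs.` and `These were successfully blocked. No action needed.` but no longer prints `$false_positives_list`, and nothing in this block verifies that anything was blocked — the classification is made elsewhere, and the removed wording at least hedged it as "likely false positives". A detection that was misclassified as a log-file hit now disappears from the client report behind a reassuring message, with nothing in the report showing what was suppressed. Suggest keeping the list in the short format, `echo "Flagged log files (no action needed unless unexpected):"` followed by `echo "$false_positives_list"`, and softening the claim to `These appear to have been blocked.`. The same applies to the function version in the second hunk, where `${false_positives[@]}` is likewise no longer printed.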
@@ -2456,156 +2388,35 @@ generate_client_report() {
 # Generate report
 {
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "SECURITY SCAN REPORT"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo ""
- echo "Scan Date: $scan_date"
- echo "Scan Coverage: $scan_paths"
- echo ""
-
- # Overall status
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "OVERALL STATUS"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+ echo "MALWARE SCAN REPORT - $scan_date"
+ echo "═══════════════════════════════════════════════════════════"
 echo ""
 if [ ${#real_threats[@]} -eq 0 ]; then
- echo "✅ NO ACTIVE MALWARE DETECTED"
- echo ""
- echo "Your server is clean. No malicious files were found in"
- echo "web-accessible directories or user content areas."
+ echo "RESULT: ✅ No malware found - your server is clean"
 else
- echo "⚠️ MALWARE DETECTED - ACTION REQUIRED"
+ echo "RESULT: ⚠️ ${#real_threats[@]} infected file(s) detected"
 echo ""
- echo "Found ${#real_threats[@]} infected file(s) that require immediate attention."
- fi
- echo ""
-
- # Scan details
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "SCAN DETAILS"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo ""
- echo "We performed a comprehensive security scan using multiple"
- echo "industry-standard malware detection engines:"
- echo ""
- echo " • ImunifyAV - Advanced threat detection"
- echo " • ClamAV - Open-source antivirus engine"
- echo " • Linux Maldet - Web malware specialist"
- echo " • Rootkit Hunter - System integrity checker"
- echo ""
-
- # Real threats section
- if [ ${#real_threats[@]} -gt 0 ]; then
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "INFECTED FILES REQUIRING ATTENTION"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo ""
-
+ echo "INFECTED FILES:"
 for file in "${real_threats[@]}"; do
- echo "📁 $file"
-
- # Get detection details from ClamAV log
- if [ -f "$clamav_log" ]; then
- local detection=$(grep "$file" "$clamav_log" | grep "FOUND" | sed 's/.*: / /' || echo " Detection: Unknown signature")
- echo "$detection"
- fi
- echo ""
- done
-
- echo "RECOMMENDED ACTIONS:"
- echo ""
- echo "1. Review each file to confirm it is malicious"
- echo "2. Remove or quarantine infected files immediately"
- echo "3. Change all passwords (hosting, FTP, database, CMS admin)"
- echo "4. Review file upload functionality in web applications"
- echo "5. Update all web applications, plugins, and themes"
- echo "6. Check access logs for unauthorized access patterns"
- echo ""
- fi
-
- # False positives section
- if [ ${#false_positives[@]} -gt 0 ]; then
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "INFORMATIONAL DETECTIONS (No Action Required)"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo ""
- echo "The following files triggered alerts but are likely false"
- echo "positives. These are log files that contain records of"
- echo "attack attempts against your server (which were blocked):"
- echo ""
-
- for file in "${false_positives[@]}"; do
 echo " • $file"
 done
 echo ""
- echo "These files are safe and contain evidence of your server"
- echo "correctly blocking malicious requests. No action needed."
+ echo "NEXT STEPS:"
+ echo " 1. Remove infected files immediately"
+ echo " 2. Change all passwords"
+ echo " 3. Update WordPress/plugins to latest versions"
+ fi
+
+ if [ ${#false_positives[@]} -gt 0 ]; then
 echo ""
+ echo "───────────────────────────────────────────────────────────"
+ echo "NOTE: Attack attempts were detected in your server logs."
+ echo "These were successfully blocked. No action needed."
 fi
- # Security observations
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "SECURITY OBSERVATIONS"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo ""
-
- # Check for attack patterns in logs
- if [ -f "$clamav_log" ]; then
- local attack_signatures=$(grep -o "YARA\.[a-z0-9_]*" "$clamav_log" | sort -u | sed 's/YARA\.//' | head -5)
- if [ -n "$attack_signatures" ]; then
- echo "Attack Patterns Detected in Logs:"
- echo ""
- echo "$attack_signatures" | while read sig; do
- case "$sig" in
- *r57*|*c99*|*shell*)
- echo " • Web shell upload attempts (${sig})"
- ;;
- *sql*)
- echo " • SQL injection attempts (${sig})"
- ;;
- *)
- echo " • Malicious activity pattern: ${sig}"
- ;;
- esac
- done
- echo ""
- echo "These attack attempts were blocked by your server, but"
- echo "they indicate your site is being actively targeted."
- echo ""
- fi
- fi
-
- # General recommendations
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "ONGOING SECURITY RECOMMENDATIONS"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo ""
- echo "To maintain server security, we recommend:"
- echo ""
- echo " ✓ Run malware scans monthly (or after any security incident)"
- echo " ✓ Keep all software updated (WordPress, plugins, PHP, etc.)"
- echo " ✓ Use strong, unique passwords for all accounts"
- echo " ✓ Enable automatic security updates where possible"
- echo " ✓ Review file permissions regularly"
- echo " ✓ Monitor server logs for suspicious activity"
- echo " ✓ Maintain regular backups (stored off-server)"
- echo ""
-
- # Footer
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
- echo "TECHNICAL DETAILS"
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
 echo "Scan ID: $session_name"
- echo "Report Generated: $(date)"
- echo ""
- echo "For technical details and full scan logs, please contact"
- echo "your system administrator."
- echo ""
- echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-
 } > "$report_file"
 # Display the report
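Review bot: The new `NEXT STEPS` list opens with `Remove infected files immediately`, but the script's own false-positive handling shows its detections are not always right, and the removed `1. Review each file to confirm it is malicious` was the only step that stopped a customer from deleting a legitimate file, or the evidence needed to understand how the intrusion happened, on the strength of an unconfirmed hit. Suggest `echo " 1. Confirm each listed file is malicious, then quarantine or remove it"` so the shortened list keeps that check; the same list is emitted by the inline version in the first hunk. Step `3. Update WordPress/plugins to latest versions` also hard-codes WordPress although the report previously printed a general `$scan_paths`, which suggests the scan is not WordPress-specific; `Update your CMS, plugins and themes to the latest versions` fits any site. `generate_client_report()` begins before this hunk and its body continues after `# Display the report`.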