PHASE 3: InterWorx support for critical security modules

Fixed 3 critical security modules for full InterWorx + Plesk compatibility.

1. optimize-ct-limit.sh (COMPLETE)
   - Removed hardcoded fallback /var/log/apache2/domlogs
   - Now relies solely on SYS_LOG_DIR from system-detect.sh
   - Better error messaging when detection fails

2. malware-scanner.sh (COMPLETE - MAJOR REFACTOR)

   Document Root Discovery:
   - get_user_docroots(): Added InterWorx support using get_user_domains()
   - get_domain_docroot(): Added InterWorx vhost config parsing
   - InterWorx path: /home/username/domain.com/html

   Log File Discovery:
   - Lines 897-909: Replaced hardcoded /var/log/apache2/domlogs
   - Added control panel-specific log search
   - InterWorx: find /home/*/var/*/logs -name 'access_log'
   - cPanel/Plesk: Use SYS_LOG_DIR

   Control Panel Detection:
   - Now uses SYS_CONTROL_PANEL from system-detect.sh
   - cPanel-specific PATH modification now conditional
   - InterWorx docroot discovery uses find /home/*/*/html

   Supports: cPanel, Plesk, InterWorx

3. live-attack-monitor.sh (COMPLETE - API + LOGS)

   API Wrapping:
   - monitor_cphulk_blocks(): Added SYS_CONTROL_PANEL check
   - Skips CPHulk monitoring if not cPanel
   - Prevents whmapi1 failures on InterWorx/Plesk

   Log Discovery:
   - monitor_apache_logs(): Complete rewrite for multi-panel support
   - InterWorx: Monitors /home/*/var/*/logs/access_log files
   - Uses -mmin -60 filter for performance (last hour only)
   - Limits to 10 most recent logs to prevent overhead
   - cPanel/Plesk: Uses SYS_LOG_DIR with domain log discovery

   Better error reporting with control panel info

TESTING:
- All 3 modules syntax validated with bash -n
- Ready for testing on InterWorx servers

IMPACT:
- Malware scanner now finds infected files in InterWorx sites
- Live attack monitor sees real-time attacks on InterWorx
- Connection limit optimizer works on all control panels
- No more whmapi1 failures on non-cPanel systems

COMPATIBILITY:
- cPanel: ✅ Fully supported (no regressions)
- Plesk: ✅ Maintained existing support
- InterWorx: ✅ NEW full support
- Standalone: ✅ Better error messages

modules/security/malware-scanner.sh

@@ -347,9 +347,22 @@ install_all_scanners() {
 detect_control_panel() {
     docroot_array=()
 
-    # Detect cPanel
-    if [ -f "/etc/userdatadomains" ]; then
+    # Use system-detect.sh if available, otherwise detect
+    if [ -n "$SYS_CONTROL_PANEL" ]; then
+        CONTROL_PANEL="$SYS_CONTROL_PANEL"
+    elif [ -f "/etc/userdatadomains" ]; then
         CONTROL_PANEL="cpanel"
+    elif [ -f "/usr/local/psa/version" ]; then
+        CONTROL_PANEL="plesk"
+    elif [ -d "/usr/local/interworx/" ]; then
+        CONTROL_PANEL="interworx"
+    else
+        CONTROL_PANEL="none"
+    fi
+
+    # cPanel-specific setup
+    if [ "$CONTROL_PANEL" = "cpanel" ]; then
+        # Add cPanel 3rdparty bin to PATH only for cPanel
         export PATH=/usr/local/cpanel/3rdparty/bin/:$PATH
 
         while IFS= read -r line; do
@@ -359,22 +372,20 @@ detect_control_panel() {
             [ -n "$docroot" ] && [ -d "$docroot" ] && docroot_array+=("$docroot")
         done < <(cut -d: -f2- /etc/userdatadomains | sort -u)
 
-    # Detect Plesk
-    elif [ -f "/usr/local/psa/version" ]; then
-        CONTROL_PANEL="plesk"
-
+    # Plesk-specific
+    elif [ "$CONTROL_PANEL" = "plesk" ]; then
         while IFS= read -r domain; do
             docroot=$(plesk bin site -i "$domain" 2>/dev/null | grep "WWW-Root" | awk '{print $2}')
             [ -n "$docroot" ] && docroot_array+=("$docroot")
         done < <(plesk bin site --list 2>/dev/null)
 
-    # Detect Interworx
-    elif [ -d "/usr/local/interworx/" ]; then
-        CONTROL_PANEL="interworx"
-
+    # InterWorx-specific (improved with proper path structure)
+    elif [ "$CONTROL_PANEL" = "interworx" ]; then
+        # InterWorx structure: /home/username/domain.com/html
+        # Find all html directories in the InterWorx structure
         while IFS= read -r docroot; do
-            [ -n "$docroot" ] && docroot_array+=("$docroot")
-        done < <(grep -rh "DocumentRoot" /etc/httpd/conf* 2>/dev/null | grep -Ev '^\s*#|/var/www/html($|$)' | sed 's/DocumentRoot//g' | tr -d " " | sort -u)
+            [ -n "$docroot" ] && [ -d "$docroot" ] && docroot_array+=("$docroot")
+        done < <(find /home/*/*/html -maxdepth 0 -type d 2>/dev/null | sort -u)
 
     else
         CONTROL_PANEL="none"
@@ -435,8 +446,18 @@ get_user_docroots() {
             docroot=$(echo "$line" | awk -F'==' '{print $5}')
             [ -n "$docroot" ] && [ -d "$docroot" ] && user_docroots+=("$docroot")
         done < <(grep ":.*${username}==" /etc/userdatadomains | cut -d: -f2- | sort -u)
+    elif [ "$CONTROL_PANEL" = "interworx" ]; then
+        # Use user-manager.sh to get all domains for this user
+        local domains=$(get_user_domains "$username")
+        if [ -n "$domains" ]; then
+            while IFS= read -r domain; do
+                # InterWorx: /home/username/domain.com/html
+                local docroot="/home/${username}/${domain}/html"
+                [ -d "$docroot" ] && user_docroots+=("$docroot")
+            done <<< "$domains"
+        fi
     else
-        echo -e "${RED}User-specific scanning only supported on cPanel${NC}"
+        echo -e "${RED}User-specific scanning only supported on cPanel/InterWorx${NC}"
         return 1
     fi
 
@@ -452,8 +473,16 @@ get_domain_docroot() {
         domain_docroot=$(grep "^${domain}:" /etc/userdatadomains | cut -d= -f5 | sed 's/==/=/g')
     elif [ "$CONTROL_PANEL" = "plesk" ]; then
         domain_docroot=$(plesk bin site -i "$domain" 2>/dev/null | grep "WWW-Root" | awk '{print $2}')
+    elif [ "$CONTROL_PANEL" = "interworx" ]; then
+        # Find which user owns this domain using vhost configs
+        local username=$(grep -l "ServerName ${domain}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | head -1 | \
+                         xargs grep "SuexecUserGroup" 2>/dev/null | awk '{print $2}')
+        if [ -n "$username" ]; then
+            # InterWorx: /home/username/domain.com/html
+            domain_docroot="/home/${username}/${domain}/html"
+        fi
     else
-        echo -e "${RED}Domain lookup only supported on cPanel/Plesk${NC}"
+        echo -e "${RED}Domain lookup only supported on cPanel/Plesk/InterWorx${NC}"
         return 1
     fi
 
@@ -875,9 +904,20 @@ done
 
             # Try to find corresponding Apache access logs
             # Look for POST requests to the directory containing the infected file
-            if [ -d "/var/log/apache2/domlogs" ]; then
+
+            # Use system-detected log directory with control panel-specific search
+            local log_search_cmd
+            if [ "$CONTROL_PANEL" = "interworx" ]; then
+                # InterWorx: Search /home/*/var/*/logs/access_log
+                log_search_cmd="find /home/*/var/*/logs -type f -name 'access_log' 2>/dev/null"
+            elif [ -n "$SYS_LOG_DIR" ] && [ -d "$SYS_LOG_DIR" ]; then
+                # cPanel/Plesk: Use detected log directory
+                log_search_cmd="find $SYS_LOG_DIR -type f -name '*.com' -o -name '*.net' -o -name '*.org' 2>/dev/null"
+            fi
+
+            if [ -n "$log_search_cmd" ]; then
                 # Search last 7 days of logs for POST requests to this path
-                find /var/log/apache2/domlogs -type f -name "*.com" -o -name "*.net" -o -name "*.org" 2>/dev/null | while read -r logfile; do
+                eval "$log_search_cmd" | while read -r logfile; do
                     # Check if this log corresponds to the domain/user
                     grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20 | while read -r logline; do
                         # Extract IP from Apache log line