cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Integrate malware scanner with IP reputation system

Browse Source 
- Source ip-reputation.sh library
- Correlate infected files with Apache POST logs
- Flag uploading IPs in reputation database with RCE attack type
- Add +25 reputation penalty for malware uploaders
- Log flagged IPs to flagged_ips.log for review
- Limit analysis to 20 most recent files for performance
This commit is contained in:
cschantz
2025-11-14 20:43:18 -05:00
parent 45ec5413ac
commit c859c6a6df
1 changed files with 44 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/malware-scanner.sh
+44
View File
@@ -13,6 +13,7 @@ source "$SCRIPT_DIR/lib/common-functions.sh" 2>/dev/null || true
source "$SCRIPT_DIR/lib/system-detect.sh" 2>/dev/null || true source "$SCRIPT_DIR/lib/system-detect.sh" 2>/dev/null || true
source "$SCRIPT_DIR/lib/user-manager.sh" 2>/dev/null || true source "$SCRIPT_DIR/lib/user-manager.sh" 2>/dev/null || true
source "$SCRIPT_DIR/lib/reference-db.sh" 2>/dev/null || true source "$SCRIPT_DIR/lib/reference-db.sh" 2>/dev/null || true
source "$SCRIPT_DIR/lib/ip-reputation.sh" 2>/dev/null || true
# Arrays for docroots and scanners # Arrays for docroots and scanners
declare -a docroot_array declare -a docroot_array
@@ -858,6 +859,49 @@ done
sort -u "$INFECTED_LIST" sort -u "$INFECTED_LIST"
echo "" echo ""
echo "ACTION REQUIRED: Review and quarantine/remove infected files" echo "ACTION REQUIRED: Review and quarantine/remove infected files"
echo ""
# IP Reputation Integration: Flag IPs that uploaded malware
echo "----------------------------------------"
echo "Analyzing upload sources..."
echo "----------------------------------------"
# Correlate infected files with Apache logs to find uploading IPs
local flagged_ips=0
while read -r infected_file; do
# Extract file path components
local filename=$(basename "$infected_file")
local filepath=$(dirname "$infected_file")
# Try to find corresponding Apache access logs
# Look for POST requests to the directory containing the infected file
if [ -d "/var/log/apache2/domlogs" ]; then
# Search last 7 days of logs for POST requests to this path
find /var/log/apache2/domlogs -type f -name "*.com" -o -name "*.net" -o -name "*.org" 2>/dev/null | while read -r logfile; do
# Check if this log corresponds to the domain/user
grep -h "POST.*${filepath}" "$logfile" 2>/dev/null | tail -20 | while read -r logline; do
# Extract IP from Apache log line
local ip=$(echo "$logline" | awk '{print $1}')
if [ -n "$ip" ] && [[ "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
# Flag this IP in reputation database
if type flag_ip_attack &>/dev/null; then
flag_ip_attack "$ip" "RCE" 25 "Malware scanner: Uploaded $filename" >/dev/null 2>&1
echo " → Flagged IP: $ip (uploaded to $filepath)" >> "$LOG_DIR/flagged_ips.log"
((flagged_ips++))
fi
fi
done
done
fi
done < <(sort -u "$INFECTED_LIST" | head -20) # Limit to first 20 files to avoid long processing
if [ $flagged_ips -gt 0 ]; then
echo "✓ Flagged $flagged_ips IPs in reputation database"
echo " (See $LOG_DIR/flagged_ips.log for details)"
else
echo " No upload IPs identified (files may be older than log retention)"
fi
echo ""
else else
echo "✓ No infected files detected by automated scan." echo "✓ No infected files detected by automated scan."
echo "" echo ""