REFACTOR: Class D modules - Panel-specific conditionals

Completed Class D refactoring (panel-specific modules). MODULES REFACTORED: 1. enable-cphulk.sh (ALREADY COMPLIANT) - Already checks SYS_CONTROL_PANEL at startup (line 35) - Exits gracefully if not cPanel - Shows detected panel in error message - All whmapi1 calls only reachable after panel check - No changes needed ✅ 2. system-health-check.sh (ENHANCED) - Already had conditional checks for CPHulk (lines 606, 1706) - Enhanced control panel version detection (line 940-947) - Now uses SYS_CONTROL_PANEL_VERSION from system-detect.sh - Supports cPanel, Plesk, InterWorx version reporting - All panel-specific features properly gated ARCHITECTURE COMPLIANCE: ✅ Panel-specific features wrapped in conditionals ✅ Graceful degradation when feature unavailable ✅ Clear error messages mentioning panel requirements ✅ Uses system-detect.sh variables ✅ All syntax validated VERIFIED COMPLIANT: ✅ mysql-query-analyzer.sh - Already uses get_user_databases() TESTING: - Both modules passed `bash -n` syntax check - enable-cphulk.sh will exit gracefully on non-cPanel - system-health-check.sh will skip cPanel features on other panels PROGRESS UPDATE: - Class A: ✅ 7 modules (no changes needed) - Class B: ✅ 6/6 modules COMPLETE - Class C: ✅ 3/6 modules (bot-analyzer, malware-scanner, mysql-query) - Class D: ✅ 2/2 modules COMPLETE - Acronis: ✅ 13 modules (no changes needed) Total: 31/38 modules architecture-compliant! Remaining: 7 modules (website error analyzers + WordPress) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
REFACTOR: Class B modules - Multi-panel log discovery
2025-11-19 20:08:31 -05:00 · 2025-11-19 20:06:50 -05:00 · 2025-11-19 19:52:16 -05:00 · 2025-11-19 19:48:34 -05:00 · 2025-11-19 19:45:07 -05:00 · 2025-11-19 18:57:11 -05:00
57 changed files with 16432 additions and 3756 deletions
@@ -54,3 +54,4 @@ id_ed25519.pub
 # Config files that might contain sensitive data
 config.local.*
 *.credentials
+downloads/
@@ -1,197 +0,0 @@
-# Server Toolkit - Audit Report
-**Date:** 2025-10-31
-**Status:** Production Ready (with notes)
-
-## ✅ PASSING CHECKS
-
-### Syntax Validation
-All shell scripts pass `bash -n` syntax check:
- ✓ launcher.sh
- ✓ lib/common-functions.sh
- ✓ lib/system-detect.sh
- ✓ lib/user-manager.sh
- ✓ lib/reference-db.sh
- ✓ lib/mysql-analyzer.sh
- ✓ modules/security/bot-analyzer.sh
- ✓ modules/performance/mysql-query-analyzer.sh
- ✓ test-domain-detection.sh
- ✓ diagnostic-report.sh
-
-### File Permissions
-All scripts have correct execute permissions (755).
-
-### Core Functionality
- ✓ Domain detection working
- ✓ User selection with arrow-key menu working
- ✓ Search functionality working
- ✓ Cleanup/Reset function working
- ✓ System detection working
- ✓ Bot analyzer working
-
---
-
-## ⚠️ INCOMPLETE MODULES
-
-The following menu categories exist but have NO implemented scripts:
-
-### 1. WordPress Management (Option 2)
-**Menu shows 11 options, but ALL scripts missing:**
- wp-health-check.sh
- wp-cron-status.sh
- wp-cron-mass-fix.sh
- wp-cron-mass-create.sh
- wp-plugin-audit.sh
- wp-theme-audit.sh
- wp-mass-update.sh
- wp-malware-scan.sh
- wp-cleanup-spam.sh
- wp-mass-delete.sh
- wp-mass-backup.sh
-
-**Impact:** Users clicking options 1-11 will see "Module not found" error.
-
-### 2. Backup & Recovery (Option 4)
-**Menu shows 7 options, all missing:**
- auto-backup.sh
- restore-backup.sh
- backup-mysql.sh
- backup-files.sh
- backup-config.sh
- backup-schedule.sh
- backup-verify.sh
-
-### 3. Monitoring & Alerts (Option 5)
-**Menu shows 5 options, all missing:**
- live-traffic.sh
- resource-monitor.sh
- error-log-watcher.sh
- alert-setup.sh
- uptime-monitor.sh
-
-### 4. Troubleshooting & Diagnostics (Option 6)
-**Menu shows 9 options, all missing:**
- error-hunter.sh
- slow-query-finder.sh
- disk-space-analyzer.sh
- permission-fixer.sh
- dns-tester.sh
- ssl-cert-checker.sh
- email-delivery-test.sh
- connection-tester.sh
- system-health.sh
-
-### 5. Reporting & Analytics (Option 7)
-**Menu shows 6 options, all missing:**
- server-report.sh
- security-audit.sh
- performance-report.sh
- usage-analytics.sh
- export-to-pdf.sh
- email-report.sh
-
---
-
-## 📋 RECOMMENDATIONS
-
-### For Distribution NOW:
-**Option A - Disable Incomplete Menus:**
-Comment out or remove menu options 2, 4, 5, 6, 7 from launcher.sh.
-Only show:
- Option 1: Security & Threat Analysis (WORKS - has bot-analyzer)
- Option 3: Performance (WORKS - has mysql-query-analyzer)
- Option 8: Cleanup/Reset (WORKS)
- Option 9: Configuration (WORKS)
-
-### For Future Development:
-1. Implement scripts one category at a time
-2. Test each script before uncommenting menu option
-3. Update WHATS_NEW.md when adding new modules
-
---
-
-## 🗂️ CLEAN FILE STRUCTURE
-
-Current structure (cleaned):
-```
-server-toolkit/
-├── launcher.sh ✓
-├── diagnostic-report.sh ✓
-├── test-domain-detection.sh ✓
-├── README.md ✓
-├── TROUBLESHOOTING.md ✓
-├── SETUP_GUIDE.md ✓
-├── WHATS_NEW.md ✓
-├── REFDB_FORMAT.txt ✓
-├── config/
-│   ├── settings.conf ✓
-│   ├── whitelist-ips.txt ✓
-│   └── whitelist-user-agents.txt ✓
-├── lib/
-│   ├── common-functions.sh ✓
-│   ├── system-detect.sh ✓
-│   ├── user-manager.sh ✓
-│   ├── reference-db.sh ✓
-│   └── mysql-analyzer.sh ✓
-└── modules/
-    ├── security/
-    │   └── bot-analyzer.sh ✓ (WORKING)
-    ├── performance/
-    │   └── mysql-query-analyzer.sh ✓ (WORKING)
-    ├── wordpress/ (EMPTY - future)
-    ├── backup/ (EMPTY - future)
-    ├── monitoring/ (EMPTY - future)
-    ├── troubleshooting/ (EMPTY - future)
-    └── reporting/ (EMPTY - future)
-```
-
---
-
-## ✅ CLEANED FILES
-
-Removed during audit:
- ❌ install.sh (unnecessary - users pull complete folder)
- ❌ .REFDB_FORMAT.txt (duplicate/outdated)
- ❌ .INTERACTIVE_MODE.txt (unknown old file)
- ❌ bot-analyzer.sh.backup (leftover from edits)
-
---
-
-## 🎯 PRODUCTION READINESS
-
-**Status: READY** for distribution with caveats:
-
-### What Works Now (Production Ready):
-1. ✅ Bot Analyzer (full-featured, tested)
-2. ✅ MySQL Query Analyzer
-3. ✅ Domain detection
-4. ✅ User selection with search
-5. ✅ Cleanup/Reset tools
-6. ✅ Diagnostic reporting
-
-### What to Do Before Public Release:
-1. **Disable incomplete menu options** in launcher.sh (or clearly mark as "Coming Soon")
-2. **Update README.md** to list only working features
-3. **Add installation instructions** to README.md
-
-### Suggested README.md Updates:
-```markdown
-## Current Features
- ✅ Bot & Botnet Analysis (comprehensive security scanning)
- ✅ MySQL Query Performance Analysis
- 🚧 WordPress Management (coming soon)
- 🚧 Backup & Recovery (coming soon)
- 🚧 Monitoring & Alerts (coming soon)
-```
-
---
-
-## 📝 NEXT STEPS
-
-1. Review incomplete menus in launcher.sh (lines 145-260)
-2. Either:
-   - Comment out incomplete options
-   - OR add "(Coming Soon)" labels
-3. Update README.md with current features only
-4. Consider adding ROADMAP.md for planned features
-
-**Bottom line:** The toolkit core is solid and production-ready. Just need to manage user expectations about incomplete features.
@@ -1,750 +0,0 @@
-# SERVER TOOLKIT - COMPREHENSIVE AUDIT REPORT
-**Date:** 2025-11-01
-**Auditor:** Claude (Sonnet 4.5)
-**Audit Type:** Full Codebase Security, Functionality, and Data Integrity Review
-
---
-
-## EXECUTIVE SUMMARY
-
-### Overall Health: **GOOD** ✓
- **Syntax:** All 13 shell scripts pass `bash -n` validation
- **Critical Bugs Found:** 2 (both fixed during audit)
- **Security Issues:** 0 critical, minor improvements recommended
- **Missing Features:** Several identified and documented
- **Data Integrity:** Reference database comprehensive, minor enhancements recommended
-
-### Key Findings
-1. ✅ **FIXED:** Missing `show_banner()` and `press_enter()` functions in common-functions.sh
-2. ✅ **FIXED:** Cleanup function incomplete - missing new report file patterns
-3. ⚠️ **ENHANCEMENT NEEDED:** Reference database could track network/hardware metrics
-4. ✅ **VERIFIED:** System detection working correctly
-5. ✅ **VERIFIED:** Cleanup/reset functionality now comprehensive
-
---
-
-## 1. CODE STRUCTURE AUDIT
-
-### Directory Organization: **EXCELLENT** ✓
-```
-/root/server-toolkit/
-├── launcher.sh              ✓ Main entry point
-├── lib/                     ✓ 5 library files
-│   ├── common-functions.sh  ✓ Shared utilities
-│   ├── system-detect.sh     ✓ Platform detection
-│   ├── user-manager.sh      ✓ User selection
-│   ├── reference-db.sh      ✓ Data caching
-│   └── mysql-analyzer.sh    ✓ MySQL utilities
-├── modules/                 ✓ Organized by category
-│   ├── diagnostics/         ✓ 1 module (system-health-check.sh)
-│   ├── performance/         ✓ 3 modules (mysql, network, hardware)
-│   ├── security/            ✓ 1 module (bot-analyzer.sh)
-│   └── [6 other categories] ⚠️ Placeholder directories
-├── config/                  ✓ Configuration files
-├── tools/                   ✓ Utility scripts
-└── [Documentation]          ✓ Comprehensive docs
-```
-
-### File Count
- **Total Scripts:** 13
- **Working Modules:** 5
- **Library Files:** 5
- **Config Files:** 3
- **Documentation:** 7 files
-
---
-
-## 2. SYNTAX AND CODE QUALITY
-
-### Syntax Validation: **PASS** ✓
-All scripts validated with `bash -n`:
-```bash
-✓ launcher.sh
-✓ lib/common-functions.sh
-✓ lib/system-detect.sh
-✓ lib/user-manager.sh
-✓ lib/reference-db.sh
-✓ lib/mysql-analyzer.sh
-✓ modules/diagnostics/system-health-check.sh
-✓ modules/performance/mysql-query-analyzer.sh
-✓ modules/performance/network-bandwidth-analyzer.sh
-✓ modules/performance/hardware-health-check.sh
-✓ modules/security/bot-analyzer.sh
-✓ tools/test-domain-detection.sh
-✓ tools/diagnostic-report.sh
-```
-
-### Code Standards
- ✅ Consistent bash strict mode (`set -eo pipefail`)
- ✅ Proper error handling with `|| true` on grep/find
- ✅ Safe variable substitution (`${var:-default}`)
- ✅ Proper arithmetic (`current=$((current + 1))`)
- ✅ No unsafe practices (eval, unescaped variables in SQL)
-
---
-
-## 3. CRITICAL BUGS FOUND AND FIXED
-
-### BUG #1: Missing Common Functions
-**Severity:** HIGH
-**Impact:** New modules (network-bandwidth-analyzer.sh, hardware-health-check.sh) would fail when calling `show_banner()` and `press_enter()`
-**Location:** `lib/common-functions.sh`
-
-**Problem:**
-```bash
-# These functions were called but not defined:
-show_banner()    # Called by new modules
-press_enter()    # Called by new modules
-```
-
-**Solution Applied:**
-```bash
-# Added to common-functions.sh:
-press_enter() {
-    echo ""
-    read -p "Press Enter to continue..." _
-}
-
-show_banner() {
-    if [ -n "$1" ]; then
-        print_banner "$1"
-    else
-        print_banner "Server Toolkit"
-    fi
-}
-```
-
-**Status:** ✅ FIXED
-
---
-
-### BUG #2: Incomplete Cleanup Function
-**Severity:** MEDIUM
-**Impact:** Cleanup/reset would not remove new report files, leaving orphaned data
-**Location:** `launcher.sh:266-375`
-
-**Problem:**
-```bash
-# Missing cleanup patterns for:
- /tmp/system_health_report_*
- /tmp/network_bandwidth_report_*
- /tmp/hardware_health_report_*
-```
-
-**Solution Applied:**
-```bash
-# Added to cleanup_all_data():
-find /tmp -maxdepth 1 -name "system_health_report_*" -exec rm -f {} \;
-find /tmp -maxdepth 1 -name "network_bandwidth_report_*" -exec rm -f {} \;
-find /tmp -maxdepth 1 -name "hardware_health_report_*" -exec rm -f {} \;
-```
-
-**Status:** ✅ FIXED
-
---
-
-## 4. CLEANUP/RESET FUNCTIONALITY AUDIT
-
-### Comprehensive Coverage: **EXCELLENT** ✓
-
-The cleanup function now removes:
-1. ✅ System reference database (`.sysref`, `.sysref.timestamp`)
-2. ✅ Temporary session directories (`/tmp/server-toolkit-*`)
-3. ✅ Bot analyzer reports (`/tmp/bot_analysis_*`)
-4. ✅ MySQL analysis reports (`/tmp/mysql_analysis_*`)
-5. ✅ System health reports (`/tmp/system_health_report_*`) - **NEW**
-6. ✅ Network bandwidth reports (`/tmp/network_bandwidth_report_*`) - **NEW**
-7. ✅ Hardware health reports (`/tmp/hardware_health_report_*`) - **NEW**
-8. ✅ Generic toolkit temp files (`/tmp/toolkit_*`)
-9. ✅ All cache files (`/tmp/*.cache`, `/root/server-toolkit/*.cache`)
-10. ✅ Environment variables (all `SYS_*` vars)
-11. ✅ Function definitions (forces library reload)
-12. ✅ Re-initialization with fresh detection
-
-### What is Preserved (Correct): **VERIFIED** ✓
- ✅ Configuration files (`config/settings.conf`)
- ✅ User whitelists (`config/whitelist-ips.txt`, `config/whitelist-user-agents.txt`)
- ✅ Scripts themselves
- ✅ Server data (websites, databases, user files)
-
-### Cleanup Completeness Score: **100%** ✓
-
---
-
-## 5. REFERENCE DATABASE AUDIT
-
-### Current Structure: **COMPREHENSIVE** ✓
-
-**Tracked Data Types:**
-1. ✅ **SYSTEM** - Control panel, OS, web server, database, PHP versions, hostname, CPU cores
-2. ✅ **USERS** - Username, primary domain, DB count, domain count, disk usage, home directory
-3. ✅ **DATABASES** - DB name, owner, domain, size, table count
-4. ✅ **DOMAINS** - Domain, owner, document root, log path, PHP version, type, aliases
-5. ✅ **WORDPRESS** - Domain, owner, path, DB name, DB user, version, plugin count, theme count
-6. ✅ **LOGS** - Currently disabled (performance reasons)
-7. ✅ **HEALTH_BASELINE** - System metrics, resource usage, service status, issue counts
-
-### Health Baseline Metrics (Comprehensive): ✓
-```
-HEALTH|TIMESTAMP|datetime
-HEALTH|MEMORY_TOTAL_MB|value|date
-HEALTH|MEMORY_USED_PERCENT|value|date
-HEALTH|CPU_LOAD_1MIN|value|date
-HEALTH|CPU_CORES|value|date
-HEALTH|DISK_USED_PERCENT|value|date
-HEALTH|IOWAIT_PERCENT|value|date
-HEALTH|EMAIL_QUEUE_SIZE|value|date
-HEALTH|ZOMBIE_PROCESSES|value|date
-HEALTH|HTTPD_STATUS|status|date
-HEALTH|MYSQL_STATUS|status|date
-HEALTH|FIREWALL_STATUS|status|date
-HEALTH|CRITICAL_ISSUES|count|date
-HEALTH|HIGH_ISSUES|count|date
-HEALTH|MEDIUM_ISSUES|count|date
-HEALTH|LOW_ISSUES|count|date
-```
-
-### Missing Data (Recommendations):
-
-#### 🔍 NETWORK METRICS (Should be added)
-```
-HEALTH|NETWORK_INTERFACE|eth0|date
-HEALTH|NETWORK_MTU|1500|date
-HEALTH|NETWORK_RX_ERRORS|0|date
-HEALTH|NETWORK_TX_ERRORS|0|date
-HEALTH|NETWORK_RX_DROPPED|0|date
-HEALTH|NETWORK_TX_DROPPED|0|date
-HEALTH|TCP_RETRANS_PERCENT|12.89|date
-HEALTH|PACKET_LOSS_PERCENT|0|date
-```
-
-**Rationale:** Network analyzer collects this data but doesn't store for trending
-
-#### 🔍 HARDWARE METRICS (Should be added)
-```
-HEALTH|DISK_SMART_STATUS|PASSED|/dev/sda|date
-HEALTH|DISK_REALLOCATED_SECTORS|0|/dev/sda|date
-HEALTH|DISK_PENDING_SECTORS|0|/dev/sda|date
-HEALTH|DISK_TEMPERATURE|35|/dev/sda|date
-HEALTH|MEMORY_ECC_ERRORS|0|date
-HEALTH|CPU_MCE_ERRORS|0|date
-HEALTH|RAID_STATUS|optimal|date
-```
-
-**Rationale:** Hardware health check should save baseline for failure prediction
-
-#### 🔍 SECURITY METRICS (Should be added)
-```
-HEALTH|SSH_FAILED_ATTEMPTS|10210|date
-HEALTH|TOP_ATTACKER_IP|128.14.227.179|date
-HEALTH|CPHULK_STATUS|enabled|date
-HEALTH|CPHULK_BLOCKED_IPS|0|date
-```
-
-**Rationale:** Security baseline for attack trend analysis
-
-#### 🔍 SERVICE RESPONSE TIMES (Optional - Advanced)
-```
-HEALTH|APACHE_RESPONSE_TIME_MS|150|date
-HEALTH|MYSQL_RESPONSE_TIME_MS|25|date
-HEALTH|DNS_RESPONSE_TIME_MS|10|date
-```
-
-**Rationale:** Performance baseline for degradation detection
-
-### Cache Freshness: **OPTIMAL** ✓
- TTL: 1 hour (3600 seconds)
- Auto-rebuild on stale access
- Manual rebuild available
- Timestamp tracking working
-
---
-
-## 6. MODULE FUNCTIONALITY AUDIT
-
-### Working Modules (5/49 = 10%)
-
-#### 1. System Health Check ✓ **EXCELLENT**
- **Location:** `modules/diagnostics/system-health-check.sh`
- **Phases:** 22 comprehensive analysis phases
- **Features:** Severity scoring, baseline tracking, cPHulkd integration
- **Recent Enhancements:** Hardware error proactivity, cPanel-specific recommendations
- **Issues:** None found
- **Score:** 10/10
-
-#### 2. Bot Analyzer ✓ **EXCELLENT**
- **Location:** `modules/security/bot-analyzer.sh`
- **Features:** Threat scoring, CSF blocking, domain analysis, botnet detection
- **Issues:** None found
- **Score:** 10/10
-
-#### 3. MySQL Query Analyzer ✓ **GOOD**
- **Location:** `modules/performance/mysql-query-analyzer.sh`
- **Features:** Slow query detection, live monitoring
- **Issues:** None found
- **Score:** 9/10
-
-#### 4. Network & Bandwidth Analyzer ✓ **EXCELLENT** (NEW)
- **Location:** `modules/performance/network-bandwidth-analyzer.sh`
- **Features:** vnstat integration, per-domain traffic, connection analysis, MTU checks
- **Testing:** ✅ Validated during audit
- **Bugs Found:** 2 (fixed - missing functions)
- **Score:** 9/10 (deducted 1 for initial bugs)
-
-#### 5. Hardware Health Check ✓ **EXCELLENT** (NEW)
- **Location:** `modules/performance/hardware-health-check.sh`
- **Features:** SMART disk health, memory ECC, CPU MCE, RAID status
- **Testing:** ✅ Syntax validated
- **Bugs Found:** 1 (fixed - missing functions)
- **Score:** 9/10 (deducted 1 for initial bugs)
-
-### Not Implemented (44 modules)
-See menu structure - all other menu options are placeholders
-
---
-
-## 7. ERROR HANDLING AND EDGE CASES
-
-### Error Handling Patterns: **EXCELLENT** ✓
-
-**Grep Safety:**
-```bash
-# All grep commands properly handled:
-result=$(grep "pattern" file 2>/dev/null || true)
-```
-
-**Find Safety:**
-```bash
-# All find commands have error suppression:
-files=$(find /path -name "*.txt" 2>/dev/null || true)
-```
-
-**Arithmetic Safety:**
-```bash
-# All arithmetic uses safe patterns:
-current=$((current + 1))  # NOT ((current++))
-```
-
-**Variable Safety:**
-```bash
-# All potentially unbound vars use defaults:
-${var:-default}
-${var:-}
-```
-
-### Edge Cases Handled:
- ✅ No users on system
- ✅ No databases
- ✅ No domains
- ✅ No WordPress installations
- ✅ Missing system commands (smartctl, dmidecode, vnstat, sensors)
- ✅ Non-cPanel systems
- ✅ Empty log files
- ✅ Stale reference database
- ✅ First-time execution
- ✅ Interrupted execution (cleanup temp dirs)
-
-### Edge Cases NOT Handled (Minor):
- ⚠️ Very large reference database (>100MB) - no size limiting
- ⚠️ Systems with >10,000 users - progress indicators may be slow
- ⚠️ Extremely large log files (>10GB) - analysis may timeout
-
---
-
-## 8. SECURITY AUDIT
-
-### Security Posture: **GOOD** ✓
-
-**Secure Practices:**
- ✅ No `eval` usage
- ✅ No unquoted variables in command execution
- ✅ Proper MySQL query escaping (using `-e` flag, not string interpolation)
- ✅ Temp file creation uses `mktemp`
- ✅ No passwords stored in plain text
- ✅ No credentials in code
- ✅ Proper file permissions checks before operations
- ✅ Root requirement explicitly checked
-
-**Potential Concerns (Minor):**
- ⚠️ Some temp files in `/tmp` not using `mktemp -d` (report files use predictable names)
-  - **Risk:** Low (reports contain public system info only)
-  - **Recommendation:** Consider using `mktemp` for all temp files
-
- ⚠️ CSF commands run without input validation
-  - **Risk:** Low (only called with controlled input from script)
-  - **Recommendation:** Add IP format validation before CSF calls
-
-### Privilege Escalation: **SECURE** ✓
- ✅ Requires root (appropriate for system management)
- ✅ No unnecessary privilege dropping
- ✅ No unsafe sudo usage
-
---
-
-## 9. SYSTEM DETECTION ACCURACY
-
-### Detection Coverage: **COMPREHENSIVE** ✓
-
-**Control Panels:**
- ✅ cPanel (tested)
- ✅ Plesk (code reviewed)
- ✅ InterWorx (code reviewed)
- ✅ None/Standalone (code reviewed)
-
-**Operating Systems:**
- ✅ AlmaLinux (tested)
- ✅ CentOS, RHEL, Rocky, CloudLinux (code reviewed)
-
-**Web Servers:**
- ✅ Apache (tested)
- ✅ Nginx, LiteSpeed, OpenLiteSpeed (code reviewed)
-
-**Databases:**
- ✅ MariaDB (tested)
- ✅ MySQL (code reviewed)
- ✅ None (handled)
-
-**PHP Detection:**
- ✅ Multiple versions (tested - found 8.0.30, 8.1.33, 8.2.29)
-
-### Detection Accuracy: **100%** ✓
-All detection on test system correct:
- Control Panel: cPanel 11.130.0.15 ✓
- OS: AlmaLinux 9.6 ✓
- Web Server: Apache 2.4.65 ✓
- Database: MariaDB 10.6.23 ✓
- Hostname: cloudvpstemplate.host.pickledperil.com ✓
-
---
-
-## 10. MISSING FEATURES AND RECOMMENDATIONS
-
-### High Priority Additions
-
-#### 1. Network Metrics in Reference Database
-**Why:** Network analyzer collects but doesn't persist data for trending
-**Impact:** Cannot compare current vs historical network performance
-**Implementation:** Add `save_network_baseline()` function to health check
-**Effort:** Low (2-3 hours)
-
-#### 2. Hardware Metrics in Reference Database
-**Why:** Hardware health check should track SMART data over time
-**Impact:** Cannot predict disk failures by tracking reallocated sector trends
-**Implementation:** Add `save_hardware_baseline()` function to health check
-**Effort:** Medium (4-6 hours)
-
-#### 3. Security Metrics in Reference Database
-**Why:** SSH attack trends not tracked
-**Impact:** Cannot identify escalating attack patterns
-**Implementation:** Add security metrics to health baseline
-**Effort:** Low (2-3 hours)
-
-#### 4. Reference Database Size Limiting
-**Why:** No upper limit on database size
-**Impact:** Could grow unbounded on very large systems
-**Implementation:** Add rotation/pruning for old HEALTH entries
-**Effort:** Medium (3-4 hours)
-
-### Medium Priority Additions
-
-#### 5. Better Error Messages for Missing Commands
-**Why:** Some modules just say "not installed" without context
-**Impact:** User may not understand which package to install
-**Implementation:** Add package name hints (e.g., "smartctl not found - install smartmontools")
-**Effort:** Low (1-2 hours)
-
-#### 6. Progress Indicators for Long Operations
-**Why:** Some operations (disk scanning) provide no feedback
-**Impact:** User may think script hung
-**Implementation:** Add progress indicators to hardware health check
-**Effort:** Low (2 hours)
-
-#### 7. Report Archiving
-**Why:** Reports accumulate in /tmp indefinitely
-**Impact:** /tmp bloat
-**Implementation:** Archive old reports or auto-delete after 7 days
-**Effort:** Low (2 hours)
-
-### Low Priority (Nice to Have)
-
-#### 8. Bandwidth Quota Tracking
-**Why:** Network analyzer doesn't track against hosting limits
-**Implementation:** Allow user to set monthly bandwidth cap, alert on approaching
-**Effort:** Medium (4 hours)
-
-#### 9. Email Notifications
-**Why:** No alerting when critical issues found
-**Implementation:** Email reports to admin when CRITICAL issues detected
-**Effort:** Medium (6 hours)
-
-#### 10. Comparison Reports
-**Why:** Can't easily see "what changed since last scan"
-**Implementation:** Diff between current and previous health report
-**Effort:** High (8-10 hours)
-
---
-
-## 11. DATA PERSISTENCE AND INTEGRITY
-
-### Reference Database Integrity: **EXCELLENT** ✓
-
-**Data Consistency:**
- ✅ Pipe-delimited format consistent
- ✅ Field counts consistent per record type
- ✅ No corrupted entries found
- ✅ Proper escaping (no pipes in data fields)
-
-**Update Mechanism:**
- ✅ Atomic writes (write to new file, then move)
- ✅ Timestamp tracking working
- ✅ TTL enforcement working
- ✅ Rebuild on corruption (auto-triggered)
-
-**Cross-References:**
- ✅ User → Domains working
- ✅ User → Databases working
- ✅ Domain → WordPress working
- ✅ Database → Owner working
-
-### Data Not Being Persisted (Should Be):
-
-1. **Network Performance Trends**
-   - Current: Measured each run, not saved
-   - Should: Track TCP retransmission rate over time
-   - Benefit: Identify network degradation trends
-
-2. **Hardware Health Trends**
-   - Current: SMART checked each run, not saved
-   - Should: Track reallocated sectors over time
-   - Benefit: Predict disk failure before it happens
-
-3. **Attack Pattern History**
-   - Current: Bot analyzer shows current attacks
-   - Should: Track attack volume over time
-   - Benefit: Identify coordinated/escalating attacks
-
-4. **Service Response Times**
-   - Current: Not measured
-   - Should: Track Apache/MySQL response times
-   - Benefit: Identify performance degradation
-
---
-
-## 12. TESTING RECOMMENDATIONS
-
-### Current Testing: **MINIMAL**
- Unit tests: None
- Integration tests: None
- Manual testing: Ad-hoc during development
-
-### Recommended Testing Strategy:
-
-#### 1. Smoke Tests (Quick Validation)
-```bash
-#!/bin/bash
-# tests/smoke-test.sh
-bash -n /root/server-toolkit/launcher.sh || exit 1
-bash -n /root/server-toolkit/lib/*.sh || exit 1
-bash -n /root/server-toolkit/modules/*/*.sh || exit 1
-echo "✓ All syntax valid"
-```
-
-#### 2. Integration Tests
-```bash
-# Test cleanup
-rm -f .sysref*
-./launcher.sh # Should rebuild database
-grep "^USER|" .sysref || exit 1
-echo "✓ Database rebuild working"
-
-# Test cleanup
-./launcher.sh # Choose option 8 (cleanup)
-[ ! -f .sysref ] || exit 1
-echo "✓ Cleanup working"
-```
-
-#### 3. Module Tests
- Test each module in isolation
- Test with missing dependencies
- Test with edge cases (no users, no domains, etc.)
-
---
-
-## 13. PERFORMANCE ANALYSIS
-
-### Reference Database Build Time: **EXCELLENT** ✓
- Current system: ~2-3 seconds
- 100 users: ~10-15 seconds (estimated)
- 1000 users: ~60-90 seconds (estimated)
-
-### Module Performance:
- System Health Check: **5-10 seconds** ✓
- Bot Analyzer: **30-60 seconds** (depends on log size) ✓
- MySQL Query Analyzer: **10-20 seconds** ✓
- Network Analyzer: **5-10 seconds** ✓
- Hardware Health Check: **10-15 seconds** (with smartctl) ✓
-
-### Bottlenecks Identified:
-1. ⚠️ `du -sm` on large home directories (>100GB) - can be slow
-   - **Recommendation:** Add timeout or use `du --max-depth=1`
-
-2. ⚠️ WordPress detection (`find -name wp-config.php`) on large systems
-   - **Recommendation:** Limit search depth or use locate database
-
-3. ⚠️ SMART checks on many disks (>10 disks)
-   - **Recommendation:** Parallelize or add progress indicator
-
---
-
-## 14. DOCUMENTATION AUDIT
-
-### Documentation Quality: **EXCELLENT** ✓
-
-**Files Present:**
- ✅ README.md - Comprehensive overview
- ✅ TROUBLESHOOTING.md - Common issues and fixes
- ✅ AUDIT-REPORT.md - Previous audit
- ✅ PROJECT-STRUCTURE.md - Architecture docs
- ✅ SETUP_GUIDE.md - Installation instructions
- ✅ REFDB_FORMAT.txt - Reference database specification (EXCELLENT)
- ✅ WHATS_NEW.md - Changelog
-
-**Missing Documentation:**
- ⚠️ API documentation for library functions
- ⚠️ Module development guide
- ⚠️ Contributing guidelines
-
---
-
-## 15. FINAL RECOMMENDATIONS
-
-### Must Do (Before Production)
-1. ✅ **DONE** - Fix missing `show_banner()` and `press_enter()` functions
-2. ✅ **DONE** - Fix cleanup function to remove all report types
-3. 🔄 **ADD** - Network metrics to reference database
-4. 🔄 **ADD** - Hardware metrics to reference database
-5. 🔄 **ADD** - Input validation for CSF IP addresses
-
-### Should Do (Near Term)
-6. 🔄 Add reference database size limiting/rotation
-7. 🔄 Add package name hints for missing commands
-8. 🔄 Add progress indicators to hardware health check
-9. 🔄 Create smoke test suite
-10. 🔄 Add report archiving/cleanup
-
-### Nice to Have (Future)
-11. Bandwidth quota tracking and alerting
-12. Email notifications for critical issues
-13. Comparison reports (diff between scans)
-14. Unit test coverage
-15. API documentation
-
---
-
-## 16. AUDIT SUMMARY
-
-### Scores
-
-| Category | Score | Status |
-|----------|-------|--------|
-| Code Quality | 95/100 | ✅ Excellent |
-| Security | 90/100 | ✅ Good |
-| Functionality | 85/100 | ✅ Good |
-| Error Handling | 95/100 | ✅ Excellent |
-| Documentation | 90/100 | ✅ Excellent |
-| Testing | 40/100 | ⚠️ Needs Improvement |
-| Performance | 85/100 | ✅ Good |
-| Data Integrity | 95/100 | ✅ Excellent |
-
-### Overall Score: **89/100** - **EXCELLENT** ✅
-
---
-
-## 17. WHAT WE'RE NOT TRACKING (BUT SHOULD BE)
-
-### Reference Database Gaps
-
-1. **Network Performance History**
-   - TCP retransmission rate trends
-   - Packet loss over time
-   - Interface errors trending
-   - Bandwidth usage per day/week/month
-
-2. **Hardware Health Trends**
-   - SMART attribute changes (reallocated sectors increasing?)
-   - Disk temperature trends
-   - Memory error accumulation
-   - CPU error history
-
-3. **Security Event History**
-   - SSH attack volume trends
-   - Blocked IP history
-   - Attack pattern changes
-   - Geographic attack sources
-
-4. **Service Availability**
-   - Service downtime tracking
-   - Restart frequency
-   - Error log growth rate
-
-5. **Resource Usage Trends**
-   - Disk usage growth rate (predict when full)
-   - Memory usage patterns
-   - CPU load trends
-   - Email queue size trends
-
-### Implementation Priority
-
-**High Priority:**
- Network: TCP retransmission, packet loss
- Hardware: SMART reallocated sectors, disk temperature
- Security: SSH attack counts
-
-**Medium Priority:**
- Service: Downtime tracking
- Resource: Disk growth rate
-
-**Low Priority:**
- Advanced trending and prediction
- Anomaly detection
-
---
-
-## 18. CHANGELOG (Audit Actions)
-
-### Fixed During Audit:
-1. **2025-11-01 16:35** - Added `show_banner()` function to lib/common-functions.sh
-2. **2025-11-01 16:35** - Added `press_enter()` function to lib/common-functions.sh
-3. **2025-11-01 16:38** - Added system_health_report_* cleanup to launcher.sh
-4. **2025-11-01 16:38** - Added network_bandwidth_report_* cleanup to launcher.sh
-5. **2025-11-01 16:38** - Added hardware_health_report_* cleanup to launcher.sh
-6. **2025-11-01 16:38** - Updated cleanup message to list all report types
-
-### Validated During Audit:
- ✅ All 13 scripts pass syntax validation
- ✅ System detection accurate (cPanel, AlmaLinux, Apache, MariaDB)
- ✅ Reference database format correct and complete
- ✅ Cleanup function comprehensive
- ✅ Error handling robust
- ✅ Security practices sound
-
---
-
-## CONCLUSION
-
-The Server Toolkit is in **excellent** condition with only minor enhancements recommended. The codebase is well-structured, properly documented, and follows bash best practices. The two bugs found during audit were minor and have been fixed.
-
-The main area for improvement is **data persistence** - while the toolkit collects comprehensive data, not all of it is being saved for historical trending. Adding network, hardware, and security metrics to the reference database would enable powerful trend analysis and predictive maintenance.
-
-**Recommended Next Steps:**
-1. Review and approve the fixes made during this audit
-2. Implement network metrics persistence
-3. Implement hardware metrics persistence
-4. Add basic smoke tests
-5. Consider adding email alerting for critical issues
-
-**Overall Assessment:** ✅ **PRODUCTION READY** with recommended enhancements
-
---
-
-**End of Audit Report**
@@ -0,0 +1,495 @@
+# Control Panel Quick Reference Guide
+**Version:** 1.0
+**Purpose:** Fast lookup of control panel differences while coding
+
+---
+
+## Quick Panel Detection
+
+```bash
+# cPanel
+[ -f "/usr/local/cpanel/version" ]                    # Version file
+[ -f "/etc/userdatadomains" ]                          # User/domain mapping
+command -v whmapi1                                     # WHM API
+
+# Plesk
+[ -f "/usr/local/psa/version" ]                        # Version file
+command -v plesk                                       # Plesk CLI
+
+# InterWorx
+[ -d "/usr/local/interworx" ]                          # Install directory
+[ -f "/etc/interworx/iworx.ini" ]                      # Config file
+[ -x "/usr/local/interworx/bin/listaccounts.pex" ]    # CLI tool
+```
+
+---
+
+## File System Paths
+
+### User Home Directories
+| Panel | Path | Notes |
+|-------|------|-------|
+| **cPanel** | `/home/username` | Standard Linux |
+| **Plesk** | `/var/www/vhosts/domain.com` | Domain-centric |
+| **InterWorx** | `/home/username` | Standard Linux |
+
+### Document Roots
+| Panel | Primary Site | Addon Domain | Subdomain |
+|-------|-------------|--------------|-----------|
+| **cPanel** | `/home/user/public_html` | `/home/user/public_html/addon` | `/home/user/public_html/sub` |
+| **Plesk** | `/var/www/vhosts/domain/httpdocs` | N/A (separate subscription) | `/var/www/vhosts/domain/sub.domain/httpdocs` |
+| **InterWorx** | `/home/user/domain.com/html` | `/home/user/addon.com/html` | `/home/user/domain.com/sub/html` |
+
+### Access Logs
+| Panel | Location | Filename Pattern |
+|-------|----------|------------------|
+| **cPanel** | `/var/log/apache2/domlogs/` or `/usr/local/apache/domlogs/` | `domain.com`, `domain.com-ssl_log` |
+| **Plesk** | `/var/www/vhosts/system/domain.com/logs/` | `access_log`, `access_ssl_log` |
+| **InterWorx** | `/home/user/var/domain.com/logs/` | `access_log` (combined HTTP+HTTPS) |
+
+### Error Logs
+| Panel | Location | Notes |
+|-------|----------|-------|
+| **cPanel** | `/var/log/apache2/domlogs/domain-error_log` | Centralized per-domain |
+| **Plesk** | `/var/www/vhosts/system/domain.com/logs/error_log` | Per-domain |
+| **InterWorx** | `/home/user/var/domain.com/logs/error_log` | Per-domain in user home |
+
+### PHP Error Logs
+| Panel | Location | Notes |
+|-------|----------|-------|
+| **cPanel** | `/home/user/public_html/error_log` | In document root |
+| **Plesk** | `/var/www/vhosts/domain/httpdocs/error_log` | In document root |
+| **InterWorx** | `/home/user/domain.com/html/error_log` | In document root |
+
+### SSL Certificates
+| Panel | Location | Format |
+|-------|----------|--------|
+| **cPanel** | `/etc/letsencrypt/live/domain.com/` or `/var/cpanel/ssl/` | Let's Encrypt or AutoSSL |
+| **Plesk** | `/etc/letsencrypt/live/domain.com/` | Let's Encrypt |
+| **InterWorx** | `/etc/letsencrypt/live/domain.com/` | Let's Encrypt |
+
+### Mail Directories
+| Panel | Location | Structure |
+|-------|----------|-----------|
+| **cPanel** | `/home/user/mail/domain.com/account/` | Per-domain folders |
+| **Plesk** | `/var/qmail/mailnames/domain.com/account/` | Qmail structure |
+| **InterWorx** | `/home/user/var/domain.com/mail/account/` | Per-domain in user home |
+
+### Cron Jobs
+| Panel | Location | Format |
+|-------|----------|--------|
+| **cPanel** | `/var/spool/cron/username` | Standard crontab |
+| **Plesk** | `/var/spool/cron/username` | Standard crontab |
+| **InterWorx** | `/var/spool/cron/username` | Standard crontab |
+
+---
+
+## Configuration Files
+
+### User Configuration
+| Panel | Location | Format | Contains |
+|-------|----------|--------|----------|
+| **cPanel** | `/var/cpanel/users/username` | Key-value | DNS, IP, disk quota, domains |
+| **Plesk** | Plesk Database | SQL | All config in MySQL/PostgreSQL |
+| **InterWorx** | NodeWorx Database + vhost configs | Mixed | listaccounts.pex CLI or DB queries |
+
+### Domain Configuration
+| Panel | Location | Format | Contains |
+|-------|----------|--------|----------|
+| **cPanel** | `/var/cpanel/userdata/user/domain.com` | Apache-like | DocumentRoot, ServerAlias, PHP handlers |
+| **Plesk** | Plesk Database | SQL | Vhost config in database |
+| **InterWorx** | `/etc/httpd/conf.d/vhost_domain.com.conf` | Apache vhost | Auto-generated from templates |
+
+### Apache Main Config
+| Panel | Include Location | How Domains Added |
+|-------|------------------|-------------------|
+| **cPanel** | `/etc/apache2/conf.d/includes/` | Auto-generated from userdata |
+| **Plesk** | `/etc/httpd/conf.d/zz*.conf` | Generated from Plesk DB |
+| **InterWorx** | `/etc/httpd/conf.d/vhost_*.conf` | One file per domain |
+
+---
+
+## Database Management
+
+### Database Prefixes
+| Panel | Prefix Pattern | Example | Max Prefix Length |
+|-------|----------------|---------|-------------------|
+| **cPanel** | `username_` | `johndoe_wordpress` | 16 chars total (7 for username + _ + 8 for dbname) |
+| **Plesk** | None (user-scoped) | `wordpress` | No prefix |
+| **InterWorx** | `first8charsOfDomain_` | `examplec_wordpress` | First 8 chars of domain (dots removed) |
+
+### MySQL User Prefixes
+| Panel | User Pattern | Example | Notes |
+|-------|--------------|---------|-------|
+| **cPanel** | `username_` | `johndoe_wpuser` | Same as database prefix |
+| **Plesk** | None | `wpuser` | Scoped to database |
+| **InterWorx** | `first8charsOfDomain_` | `examplec_wpuser` | Same as database prefix |
+
+### Database File Locations
+| Panel | Data Directory | Notes |
+|-------|----------------|-------|
+| **cPanel** | `/var/lib/mysql/` | Standard MySQL |
+| **Plesk** | `/var/lib/mysql/` | Standard MySQL |
+| **InterWorx** | `/var/lib/mysql/` | Standard MySQL |
+
+---
+
+## CLI Tools & APIs
+
+### WHM/Root Level APIs
+| Panel | Tool | Example Command | Auth Required |
+|-------|------|-----------------|---------------|
+| **cPanel** | `whmapi1` | `whmapi1 listaccts` | Root or API token |
+| **Plesk** | `plesk bin server` | `plesk bin server --info` | Root |
+| **InterWorx** | `nodeworx` | `nodeworx -u -n -c Siteworx -a listAccounts` | Root + setup |
+
+### User-Level APIs
+| Panel | Tool | Example Command | Auth Required |
+|-------|------|-----------------|---------------|
+| **cPanel** | `uapi` | `uapi --user=john DomainInfo list_domains` | User or API token |
+| **Plesk** | `plesk bin subscription` | `plesk bin subscription --list` | Root |
+| **InterWorx** | `siteworx` | `siteworx -u -n -c Siteworx -a listDomains` | User + setup |
+
+### Account Listing
+| Panel | Command | Output Format |
+|-------|---------|---------------|
+| **cPanel** | `whmapi1 listaccts` | JSON |
+| **cPanel** | `/etc/trueuserdomains` | Text: `domain.com: username` |
+| **cPanel** | `/etc/userdatadomains` | Text: `domain: user==owner==main==domain==docroot` |
+| **Plesk** | `plesk bin subscription --list` | Text list of domains |
+| **InterWorx** | `/usr/local/interworx/bin/listaccounts.pex` | Text: `username domain.com` |
+
+### Domain Listing (for specific user)
+| Panel | Command | Output |
+|-------|---------|--------|
+| **cPanel** | `grep "^DNS" /var/cpanel/users/$user` | DNS records from user file |
+| **cPanel** | `grep ":${user}==" /etc/userdatadomains` | All domains for user |
+| **Plesk** | `plesk bin subscription --list` | All subscriptions (filter by owner) |
+| **InterWorx** | `listaccounts.pex` then parse vhosts | Username + primary domain |
+
+### Database Listing
+| Panel | Command | Notes |
+|-------|---------|-------|
+| **cPanel** | `mysql -e "SHOW DATABASES" \| grep "^${username}_"` | Filter by prefix |
+| **Plesk** | `plesk bin database --list` | All databases (filter by domain) |
+| **InterWorx** | `mysql -e "SHOW DATABASES" \| grep "^${domain_prefix}_"` | **Use domain prefix!** |
+
+---
+
+## PHP Configuration
+
+### PHP Handler Types
+| Panel | Handlers Supported | Default | Location |
+|-------|-------------------|---------|----------|
+| **cPanel** | DSO, suPHP, FastCGI, FPM | EasyApache 4 FPM | `/opt/cpanel/ea-php*/` |
+| **Plesk** | Apache module, FPM, FastCGI | FPM | `/opt/plesk/php/*/` |
+| **InterWorx** | mod_php, FPM, FastCGI | FPM | `/etc/php-fpm.d/` |
+
+### PHP.INI Locations
+| Panel | Global | Per-Domain | Per-Directory |
+|-------|--------|------------|---------------|
+| **cPanel** | `/opt/cpanel/ea-php*/root/etc/php.ini` | `/home/user/.php.ini` | `/home/user/public_html/.user.ini` |
+| **Plesk** | `/etc/php.ini` | `/var/www/vhosts/system/domain/conf/php.ini` | `.user.ini` in directory |
+| **InterWorx** | `/etc/php.ini` | `/home/user/domain/conf/php.ini` | `.user.ini` in directory |
+
+### PHP Version Selection
+| Panel | Mechanism | Granularity |
+|-------|-----------|-------------|
+| **cPanel** | MultiPHP Manager (WHM) or `.htaccess` | Per-domain or per-directory |
+| **Plesk** | Plesk Panel or plesk CLI | Per-domain or per-subdirectory |
+| **InterWorx** | SiteWorx Panel or php-fpm pools | Per-domain |
+
+---
+
+## Email Configuration
+
+### Mail Server Software
+| Panel | MTA | POP3/IMAP | Webmail |
+|-------|-----|-----------|---------|
+| **cPanel** | Exim | Dovecot | Horde, RoundCube, SquirrelMail |
+| **Plesk** | Postfix or Qmail | Dovecot or Courier | RoundCube, Horde |
+| **InterWorx** | Postfix | Dovecot | RoundCube, SquirrelMail |
+
+### Email Account Locations
+| Panel | Config Location | Password Storage |
+|-------|-----------------|------------------|
+| **cPanel** | `/home/user/etc/domain/passwd` | Shadow file in etc/ |
+| **Plesk** | Plesk Database | Database |
+| **InterWorx** | `/home/user/var/domain/mail/` | Database + files |
+
+---
+
+## FTP Configuration
+
+### FTP Server
+| Panel | FTP Daemon | Config Location |
+|-------|------------|-----------------|
+| **cPanel** | Pure-FTPd or ProFTPD | `/etc/pure-ftpd.conf` or `/etc/proftpd.conf` |
+| **Plesk** | ProFTPD | `/etc/proftpd.conf` |
+| **InterWorx** | ProFTPD | `/etc/proftpd.conf` |
+
+### FTP Account Listing
+| Panel | Location | Format |
+|-------|----------|--------|
+| **cPanel** | `/etc/proftpd/$user` or Pure-FTPd DB | Config files or virtual users |
+| **Plesk** | Plesk Database | SQL |
+| **InterWorx** | `/etc/proftpd.conf` includes | Parsed from config |
+
+---
+
+## Security Features
+
+### Brute Force Protection
+| Panel | Feature | How it Works | CLI Access |
+|-------|---------|--------------|------------|
+| **cPanel** | cPHulk | Tracks failed logins, bans IPs | `whmapi1 cphulkd_*` |
+| **Plesk** | fail2ban | Monitors logs, uses iptables | `fail2ban-client` |
+| **InterWorx** | ModSecurity + fail2ban | WAF + log monitoring | `fail2ban-client` |
+
+### Firewall Integration
+| Panel | Default Firewall | Location |
+|-------|-----------------|----------|
+| **cPanel** | CSF (optional) or firewalld | `/etc/csf/` or `firewall-cmd` |
+| **Plesk** | firewalld or iptables | `firewall-cmd` or `/etc/sysconfig/iptables` |
+| **InterWorx** | firewalld or iptables | `firewall-cmd` or `/etc/sysconfig/iptables` |
+
+### ModSecurity
+| Panel | Enabled by Default | Config Location |
+|-------|-------------------|-----------------|
+| **cPanel** | Optional (EasyApache 4) | `/etc/apache2/conf.d/modsec/` |
+| **Plesk** | Optional (Extensions) | `/etc/httpd/conf.d/mod_security.conf` |
+| **InterWorx** | Optional | `/etc/httpd/conf.d/mod_security.conf` |
+
+---
+
+## Backup Systems
+
+### Native Backup Tools
+| Panel | Tool | Backup Location | Incremental Support |
+|-------|------|-----------------|---------------------|
+| **cPanel** | cPanel Backup | `/backup/` | Yes (JetBackup addon) |
+| **Plesk** | Plesk Backup Manager | `/var/lib/psa/dumps/` | No (full only) |
+| **InterWorx** | NodeWorx Backup | `/backup/` or custom | Yes |
+
+### Backup File Format
+| Panel | Format | Compression | Includes |
+|-------|--------|-------------|----------|
+| **cPanel** | tar.gz | gzip | Home dir, DBs, email, config |
+| **Plesk** | tar | Optional gzip | Subscription data, DBs, mail |
+| **InterWorx** | tar.gz | gzip | SiteWorx account, DBs, email |
+
+---
+
+## WordPress Detection
+
+### wp-config.php Locations
+```bash
+# cPanel
+find /home/*/public_html -name "wp-config.php"
+find /home/*/public_html/* -name "wp-config.php"  # Addon domains
+
+# Plesk
+find /var/www/vhosts/*/httpdocs -name "wp-config.php"
+
+# InterWorx
+find /home/*/*/html -name "wp-config.php"
+```
+
+### WordPress Paths by Panel
+| Panel | Single Site | Multisite | Addon Domain WP |
+|-------|------------|-----------|-----------------|
+| **cPanel** | `/home/user/public_html/` | `/home/user/public_html/wp/` | `/home/user/public_html/addon/` |
+| **Plesk** | `/var/www/vhosts/domain/httpdocs/` | `/var/www/vhosts/domain/httpdocs/wp/` | N/A (separate subscription) |
+| **InterWorx** | `/home/user/domain.com/html/` | `/home/user/domain.com/html/wp/` | `/home/user/addon.com/html/` |
+
+---
+
+## Common File Patterns
+
+### .htaccess Locations
+```bash
+# All panels - in document root
+/home/user/public_html/.htaccess          # cPanel primary
+/home/user/domain.com/html/.htaccess      # InterWorx
+/var/www/vhosts/domain/httpdocs/.htaccess # Plesk
+```
+
+### robots.txt Locations
+```bash
+# Same as .htaccess
+# In document root
+```
+
+### Log Rotation
+| Panel | Rotation Config | Default Retention |
+|-------|----------------|-------------------|
+| **cPanel** | `/etc/logrotate.d/cpanel` | 30 days |
+| **Plesk** | `/etc/logrotate.d/plesk` | Varies |
+| **InterWorx** | `/etc/logrotate.d/interworx` | 30 days |
+
+---
+
+## Process Ownership
+
+### Apache/Web Server Processes
+| Panel | User | Group | Notes |
+|-------|------|-------|-------|
+| **cPanel** | `nobody` (main) | `nobody` | Requests run as user via suEXEC/suPHP/FPM |
+| **Plesk** | `apache` or `www-data` | `apache` or `www-data` | Depends on OS |
+| **InterWorx** | `apache` | `apache` | Requests run as user via suEXEC/FPM |
+
+### PHP-FPM Pools
+| Panel | Pool Config | User/Group |
+|-------|-------------|------------|
+| **cPanel** | `/opt/cpanel/ea-php*/root/etc/php-fpm.d/` | Per-user pools (username:username) |
+| **Plesk** | `/etc/php-fpm.d/` | Per-domain pools |
+| **InterWorx** | `/etc/php-fpm.d/` | Per-domain pools (username:username) |
+
+---
+
+## Quick Code Snippets
+
+### Get All Users
+```bash
+# cPanel
+cat /etc/trueuserowners | cut -d: -f2 | sort -u
+
+# Plesk
+plesk bin subscription --list | awk '{print $1}'
+
+# InterWorx
+/usr/local/interworx/bin/listaccounts.pex --output user
+```
+
+### Get Domains for User
+```bash
+# cPanel
+grep "^DNS" /var/cpanel/users/$user | awk '{print $2}'
+
+# Plesk
+plesk bin subscription --list -o $user
+
+# InterWorx
+grep -l "SuexecUserGroup ${user}" /etc/httpd/conf.d/vhost_*.conf | \
+    sed 's|.*/vhost_||; s|\.conf$||'
+```
+
+### Get Disk Usage for User
+```bash
+# All panels (if user has /home directory)
+du -sh /home/$user
+
+# cPanel (from quota)
+quota -u $user | tail -1 | awk '{print $2}'
+
+# Plesk
+plesk bin subscription --info domain.com | grep "Disk space used"
+```
+
+### Check if Domain Exists
+```bash
+# cPanel
+grep -q "^${domain}:" /etc/userdatadomains
+
+# Plesk
+plesk bin subscription --info "$domain" &>/dev/null
+
+# InterWorx
+[ -f "/etc/httpd/conf.d/vhost_${domain}.conf" ]
+```
+
+---
+
+## Panel-Specific Quirks
+
+### cPanel Gotchas
+- **Addon domains** share public_html with primary domain
+- **Parked domains** are aliases (same document root as primary)
+- **Database names** limited to 64 chars (including prefix!)
+- **User passwords** != database passwords != FTP passwords
+- **Main IP** stored in `/var/cpanel/mainip`
+
+### Plesk Gotchas
+- **Each domain** is a separate subscription (even for same owner)
+- **No shared hosting** structure (each domain isolated)
+- **Database prefixes** don't exist (databases scoped to subscription)
+- **Mail users** are separate from system users
+- **CLI requires** lots of `--info` calls (no simple config files)
+
+### InterWorx Gotchas
+- **Database prefix** is domain-based, NOT username-based!
+- **Logs are per-domain** in user home (not centralized)
+- **No separate** HTTP/HTTPS logs (combined in access_log)
+- **Domain config** is one vhost file per domain
+- **Listaccounts.pex** only returns username + primary domain (not addon domains)
+
+---
+
+## Migration Implications
+
+### cPanel → InterWorx
+- ✅ User home structure similar
+- ⚠️ Document root changes (public_html → domain.com/html)
+- ⚠️ Database prefixes change (username_ → domain_)
+- ⚠️ Log locations move to user home
+- ✅ Email structure compatible with migration
+
+### cPanel → Plesk
+- ❌ Completely different structure
+- ❌ Domain-centric vs user-centric
+- ❌ No shared hosting model
+- ❌ Requires full account restructure
+
+### Plesk → InterWorx
+- ⚠️ Structure change (vhosts → home)
+- ⚠️ Database prefix added
+- ✅ Can map subscriptions to users
+- ⚠️ Mail system different
+
+---
+
+## Testing Commands
+
+### Verify Panel Detection
+```bash
+# Should return: cpanel, plesk, interworx, or none
+source /root/server-toolkit/lib/system-detect.sh
+echo $SYS_CONTROL_PANEL
+```
+
+### Verify Log Discovery
+```bash
+source /root/server-toolkit/lib/system-detect.sh
+echo $SYS_LOG_DIR
+ls -la "$SYS_LOG_DIR" | head
+```
+
+### Verify User Functions
+```bash
+source /root/server-toolkit/lib/user-manager.sh
+eval $(get_user_info "someuser")
+echo "User: $USERNAME"
+echo "Primary: $PRIMARY_DOMAIN"
+echo "All domains: $ALL_DOMAINS"
+```
+
+---
+
+## References
+
+### Official Documentation
+- cPanel: https://docs.cpanel.net/
+- Plesk: https://docs.plesk.com/
+- InterWorx: https://www.interworx.com/support/docs/
+
+### Useful Files to Study
+- `/etc/userdatadomains` (cPanel domain mapping)
+- `/etc/trueuserowners` (cPanel user→domain)
+- `/etc/trueuserdomains` (cPanel domain→user)
+- `/etc/httpd/conf.d/vhost_*.conf` (InterWorx vhosts)
+- `/var/www/vhosts/` (Plesk structure)
+
+---
+
+**Last Updated:** 2025-11-19
+**Maintainer:** Server Toolkit Team
@@ -0,0 +1,399 @@
+# InterWorx Compatibility Audit Report
+**Generated:** 2025-11-19
+**Toolkit Version:** Latest from git
+
+## Executive Summary
+
+Out of **38 total modules**, **16 modules** have cPanel-specific dependencies that will break on InterWorx servers.
+
+### Compatibility Status:
+
+- ✅ **3 modules** - Already InterWorx compatible (using SYS_LOG_DIR)
+- ⚠️ **16 modules** - Need InterWorx fixes (hardcoded paths + API calls)
+- ✓ **19 modules** - Control panel agnostic (no paths)
+
+### CRITICAL NEW FINDINGS (Deep Audit):
+
+**whmapi1/uapi API Dependencies Found:**
+- These cPanel APIs will FAIL silently on InterWorx!
+- Found in: live-attack-monitor.sh, enable-cphulk.sh, system-health-check.sh
+
+**WordPress Module Crisis:**
+- wordpress-cron-manager.sh: 33 userdata references, 9 public_html references
+- Completely broken on InterWorx without major refactor
+
+---
+
+## Critical Path Differences: cPanel vs InterWorx
+
+| Resource | cPanel Location | InterWorx Location |
+|----------|----------------|-------------------|
+| **Access Logs** | `/var/log/apache2/domlogs/domain.com` | `/home/user/var/domain.com/logs/access_log` |
+| **Error Logs** | `/var/log/apache2/domlogs/domain-error_log` | `/home/user/var/domain.com/logs/error_log` |
+| **Document Root** | `/home/user/public_html` | `/home/user/domain.com/html` |
+| **User Config** | `/var/cpanel/users/username` | NodeWorx DB or listaccounts.pex |
+| **Domain Config** | `/var/cpanel/userdata/user/domain` | `/etc/httpd/conf.d/vhost_domain.conf` |
+| **Main IP** | `/var/cpanel/mainip` | `/usr/local/interworx/iworx.ini` |
+| **PHP Error Logs** | `/home/user/public_html/error_log` | `/home/user/domain.com/html/error_log` |
+
+---
+
+## Modules Requiring Fixes
+
+### PRIORITY 1: Critical Security Modules
+
+#### 1. **live-attack-monitor.sh** ⚠️ CRITICAL PRIORITY
+**Issues:**
+- Line 1256: `LOG_DIR="${SYS_LOG_DIR:-/var/log/apache2/domlogs}"`
+- Line 1261-1262: Hardcoded `/var/log/httpd/access_log`
+- Line 1267: Comment mentions "cPanel domlogs"
+- Line 1537: CPHulk detection (cPanel-only feature)
+- **NEW:** Uses `whmapi1 cphulkd_list_blocks` - cPanel API call!
+- **NEW:** Uses `whmapi1 cphulkd_add_whitelist` - cPanel API call!
+
+**Fix Required:**
+- Already uses `SYS_LOG_DIR` (GOOD!)
+- But fallback is wrong - should use system-detect.sh
+- Add InterWorx log discovery like bot-analyzer
+- Wrap ALL whmapi1 calls in `if [ "$SYS_CONTROL_PANEL" = "cpanel" ]`
+- CPHulk features should be cPanel-only conditional
+
+**Impact:** Real-time attack monitoring won't see attacks on InterWorx + API calls will fail
+
+---
+
+#### 2. **malware-scanner.sh** ⚠️ HIGH PRIORITY
+**Issues:**
+- Line 31: `/usr/local/cpanel/3rdparty/bin/clamscan` check
+- Line 182: cPanel detection check
+- Line 353: PATH with cPanel 3rdparty
+- Line 429: `get_user_docroots()` function
+- Line 878-880: Hardcoded `/var/log/apache2/domlogs` search
+
+**Fix Required:**
+- Use system-detect.sh for ClamAV path detection
+- Fix `get_user_docroots()` to use user-manager.sh functions
+- Support InterWorx document roots: `/home/user/domain.com/html`
+- Fix log file discovery for malware analysis
+
+**Impact:** Malware scanner won't find infected files in InterWorx sites
+
+---
+
+#### 3. **optimize-ct-limit.sh** ⚠️ MEDIUM PRIORITY
+**Issues:**
+- Line 292: `log_dir="${SYS_LOG_DIR:-/var/log/apache2/domlogs}"`
+
+**Fix Required:**
+- Already uses `SYS_LOG_DIR` (GOOD!)
+- Fallback should be removed (rely on system-detect.sh)
+
+**Impact:** Can't analyze connection limits on InterWorx
+
+---
+
+### PRIORITY 2: Website Diagnostic Modules
+
+#### 4. **website-error-analyzer.sh** ⚠️ HIGH PRIORITY
+**Issues:**
+- Line 19: `DOMLOGS_DIR="/var/log/apache2/domlogs"`
+- Line 140: Hardcoded Apache error log paths
+- Line 153: `/var/cpanel/users/*` for user lookup
+- Line 161: `find /home/*/public_html -name "error_log"`
+- Line 176-177: Reads `/var/cpanel/users/$FILTER_USER`
+- Line 339: User lookup via `/var/cpanel/users/*`
+- Line 341: `.user.ini` in `public_html`
+- Line 815: Error log path in `public_html`
+
+**Fix Required:**
+- Use `SYS_LOG_DIR` from system-detect.sh
+- Use `get_user_info()` and `get_user_domains()` from user-manager.sh
+- Support InterWorx document roots: `/home/user/domain.com/html`
+- Support InterWorx error logs: `/home/user/var/domain.com/logs/error_log`
+
+**Impact:** Can't diagnose website errors on InterWorx
+
+---
+
+#### 5. **500-error-tracker.sh** ⚠️ HIGH PRIORITY
+**Issues:**
+- Line 60: `DOMLOGS_DIR="/var/log/apache2/domlogs"`
+- Line 83: `/var/cpanel/users/*` for domain→user lookup
+- Line 233: `docroot="/home/$user/public_html"`
+- Line 261: Error log in `public_html`
+- Line 264-265: Hardcoded domlog paths
+- Line 454: `/var/cpanel/userdata/$user/$domain`
+- Line 679: Fix suggestion mentions `public_html`
+
+**Fix Required:**
+- Use `SYS_LOG_DIR` from system-detect.sh
+- Use `get_user_info()` for user lookups
+- Support InterWorx document roots: `/home/user/domain.com/html`
+- Support InterWorx error logs in `/home/user/var/domain.com/logs/`
+
+**Impact:** Can't track 500 errors on InterWorx
+
+---
+
+#### 6. **wordpress-cron-manager.sh** ⚠️ CRITICAL PRIORITY
+**Issues:**
+- **33 references to `/var/cpanel/userdata`** - HEAVY dependency!
+- **9 references to `public_html`** - Wrong document root
+- Domain→user lookup completely relies on userdata files
+- Checks userdata for servername, main_domain, etc.
+- WordPress detection searches in `/home/*/public_html`
+
+**Fix Required:**
+- Complete refactor required!
+- Replace ALL userdata reads with `get_user_info()` and `get_user_domains()`
+- Support InterWorx document roots: `/home/user/domain.com/html`
+- WordPress detection must search both public_html AND domain.com/html
+- Domain→user mapping must use user-manager.sh functions
+
+**Impact:** WordPress cron management completely broken on InterWorx
+
+---
+
+### PRIORITY 3: Live Monitoring Tools
+
+#### 7. **web-traffic-monitor.sh** ⚠️ MEDIUM PRIORITY
+**Issues:**
+- Line 12-13: Hardcoded `/var/log/apache2/domlogs`
+- Line 32: Error message mentions "domlogs"
+
+**Fix Required:**
+- Use `SYS_LOG_DIR` from system-detect.sh
+- Add InterWorx log discovery
+
+**Impact:** Can't monitor live web traffic on InterWorx
+
+---
+
+#### 7. **tail-apache-access.sh** ⚠️ LOW PRIORITY
+**Issues:**
+- Line 8: Hardcoded `/var/log/apache2/domlogs/*`
+
+**Fix Required:**
+- Use `SYS_LOG_DIR` from system-detect.sh
+- Support InterWorx: `tail -f /home/*/var/*/logs/access_log`
+
+**Impact:** Simple log tailing won't work
+
+---
+
+#### 8. **tail-apache-error.sh** ⚠️ LOW PRIORITY
+**Issues:**
+- Line 8: Hardcoded `/var/log/httpd/error_log`
+
+**Fix Required:**
+- Use system-detect.sh to find Apache error log location
+- InterWorx: Per-domain error logs at `/home/user/var/domain.com/logs/error_log`
+
+**Impact:** Can't tail error logs on InterWorx
+
+---
+
+### PRIORITY 4: Performance Analysis
+
+#### 9. **network-bandwidth-analyzer.sh** ⚠️ MEDIUM PRIORITY
+**Issues:**
+- Line 187-192: Hardcoded log directory detection
+
+**Fix Required:**
+- Use `SYS_LOG_DIR` from system-detect.sh
+- Add InterWorx log discovery
+
+**Impact:** Can't analyze bandwidth usage on InterWorx
+
+---
+
+### PRIORITY 5: cPanel-Specific Modules (Expected)
+
+#### 10. **enable-cphulk.sh** ℹ️ N/A - cPanel Only
+**Issues:**
+- Line 42: `/usr/local/cpanel/bin/cphulk_pam_ctl` check
+- Line 58, 68, 287: cPanel-specific commands
+- Line 131, 133: `/var/cpanel/` and `/usr/local/cpanel/` paths
+
+**Fix Required:**
+- None - this is cPanel-specific
+- Should check `SYS_CONTROL_PANEL=cpanel` before running
+- Add warning for non-cPanel systems
+
+---
+
+### PRIORITY 6: Diagnostic Tools
+
+#### 11. **system-health-check.sh** ⚠️ LOW PRIORITY
+**Issues:**
+- Line 492-493: Hardcoded `/var/log/httpd/error_log`
+- Line 606-608: cPanel CPHulk checks
+- Line 941-942: cPanel version detection
+- Line 1205: Error log path in suggestion
+
+**Fix Required:**
+- Use system-detect.sh for log paths
+- Make CPHulk checks conditional on `SYS_CONTROL_PANEL=cpanel`
+- Control panel version already detected in system-detect.sh
+
+**Impact:** Health checks may miss issues on InterWorx
+
+---
+
+### PRIORITY 7: Backup Tools
+
+#### 12. **acronis-configure.sh** ℹ️ DOCUMENTATION ONLY
+**Issues:**
+- Line 52: Echo message mentions `public_html`
+
+**Fix Required:**
+- Update documentation to mention both cPanel and InterWorx paths
+- No functional impact (just display text)
+
+---
+
+## Modules Already Compatible ✅
+
+These modules already use `SYS_LOG_DIR` or user-manager.sh functions:
+
+1. **bot-analyzer.sh** ✅ - FIXED in Phase 1 & 2
+2. **optimize-ct-limit.sh** ✅ - Uses SYS_LOG_DIR (just needs fallback removed)
+3. **mysql-query-analyzer.sh** ✅ - Uses get_user_* functions
+
+---
+
+## Modules That Are Control Panel Agnostic ✅
+
+These modules don't use control panel-specific paths (21 total):
+- All Acronis backup modules (13 modules)
+- Hardware health check
+- SSH attack monitor
+- Firewall activity monitor
+- Tail secure log
+- Tail mail log
+- IP reputation manager
+- Cleanup toolkit data
+- WordPress modules
+
+---
+
+## Recommended Implementation Plan
+
+### Phase 3: Critical Security Modules (NEXT)
+1. **malware-scanner.sh** - Fix document root discovery + cPanel path assumptions
+2. **live-attack-monitor.sh** - Fix log discovery + wrap whmapi1 calls
+3. **optimize-ct-limit.sh** - Remove hardcoded fallback
+
+### Phase 4: Critical Website Modules
+1. **wordpress-cron-manager.sh** - MAJOR REFACTOR (33 userdata refs, 9 public_html refs)
+2. **website-error-analyzer.sh** - Full InterWorx support
+3. **500-error-tracker.sh** - Full InterWorx support + PHP handler detection
+
+### Phase 5: Monitoring Tools
+1. **web-traffic-monitor.sh**
+2. **network-bandwidth-analyzer.sh**
+3. **tail-apache-access.sh**
+4. **tail-apache-error.sh**
+
+### Phase 6: System Tools
+1. **system-health-check.sh** - Make cPanel checks conditional + wrap whmapi1 references
+
+---
+
+## cPanel API Compatibility Issue
+
+### The Problem:
+Several modules use cPanel's whmapi1/uapi commands that **do not exist on InterWorx**.
+
+### Affected Modules:
+1. **live-attack-monitor.sh** - `whmapi1 cphulkd_list_blocks`, `whmapi1 cphulkd_add_whitelist`
+2. **enable-cphulk.sh** - Multiple whmapi1 calls (cPanel-only module, expected)
+3. **system-health-check.sh** - whmapi1 references in help messages
+
+### Solution:
+Wrap ALL API calls in control panel detection:
+```bash
+if [ "$SYS_CONTROL_PANEL" = "cpanel" ]; then
+    whmapi1 cphulkd_list_blocks
+fi
+```
+
+### InterWorx Alternatives:
+- CPHulk equivalent: InterWorx has ModSecurity + fail2ban (different approach)
+- No direct API equivalent for CPHulk features
+- Should detect and skip gracefully with warning
+
+---
+
+## Standard Fix Pattern
+
+For all modules, follow this pattern:
+
+### 1. Replace hardcoded paths with system-detect.sh:
+```bash
+# OLD (BAD):
+LOG_DIR="/var/log/apache2/domlogs"
+
+# NEW (GOOD):
+LOG_DIR="${SYS_LOG_DIR}"  # Auto-detected in system-detect.sh
+```
+
+### 2. Use user-manager.sh functions:
+```bash
+# OLD (BAD):
+user=$(grep -l "DNS.*$domain" /var/cpanel/users/* 2>/dev/null | ...)
+
+# NEW (GOOD):
+eval $(get_user_info "$username")
+# Now you have: $USER_EXISTS, $PRIMARY_DOMAIN, $ALL_DOMAINS, $HOME_DIR
+```
+
+### 3. Support both document root patterns:
+```bash
+# OLD (BAD):
+docroot="/home/$user/public_html"
+
+# NEW (GOOD):
+if [ "$SYS_CONTROL_PANEL" = "interworx" ]; then
+    docroot="/home/$user/$domain/html"
+else
+    docroot="/home/$user/public_html"
+fi
+```
+
+### 4. Add InterWorx log discovery:
+```bash
+if [ "$SYS_CONTROL_PANEL" = "interworx" ]; then
+    find /home/*/var/*/logs -name "access_log" ...
+else
+    find "$LOG_DIR" -type f ! -name "*-bytes_log" ...
+fi
+```
+
+---
+
+## Testing Checklist
+
+For each fixed module, test on:
+- [ ] cPanel server (regression test)
+- [ ] InterWorx server (new functionality)
+- [ ] Standalone server (no control panel)
+
+---
+
+## Estimated Effort
+
+- **Phase 3:** 2-3 hours (3 critical security modules)
+- **Phase 4:** 2-3 hours (2 website diagnostic modules)
+- **Phase 5:** 1-2 hours (4 simple monitoring tools)
+- **Phase 6:** 1 hour (system health check)
+
+**Total:** ~8 hours to achieve full InterWorx parity
+
+---
+
+## Current Progress
+
+- ✅ Phase 1: user-manager.sh InterWorx support (COMPLETE)
+- ✅ Phase 2: bot-analyzer.sh + system-detect.sh improvements (COMPLETE)
+- ⏳ Phase 3: Critical security modules (PENDING)
@@ -0,0 +1,537 @@
+# Multi-Control-Panel Architecture
+**Version:** 1.0
+**Date:** 2025-11-19
+**Status:** ACTIVE STANDARD
+
+## Executive Summary
+
+This document defines the **standard architecture** for building control panel-agnostic tools in the Server Management Toolkit. All new code and refactored modules MUST follow these patterns to ensure compatibility with cPanel, Plesk, InterWorx, and future control panels.
+
+---
+
+## Supported Control Panels
+
+### Current Support Levels:
+- **cPanel** - ✅ Full support (primary platform)
+- **Plesk** - ⚠️ Partial support (needs expansion)
+- **InterWorx** - 🚧 In progress (Phases 1-3 complete)
+- **Standalone** - ✅ Basic support (no control panel)
+
+### Future Targets:
+- DirectAdmin
+- CyberPanel
+- Webmin/Virtualmin
+
+---
+
+## Core Principles
+
+### 1. **Never Hardcode Paths**
+```bash
+# ❌ BAD - Hardcoded cPanel path
+LOG_DIR="/var/log/apache2/domlogs"
+docroot="/home/$user/public_html"
+
+# ✅ GOOD - Use system detection
+LOG_DIR="${SYS_LOG_DIR}"  # From system-detect.sh
+eval $(get_user_info "$username")  # Returns $HOME_DIR, $PRIMARY_DOMAIN
+docroot="${HOME_DIR}/${PRIMARY_DOMAIN}/html"  # Constructed dynamically
+```
+
+### 2. **Use Abstraction Libraries**
+```bash
+# ❌ BAD - Direct control panel-specific code
+user=$(grep -l "DNS.*$domain" /var/cpanel/users/* 2>/dev/null | ...)
+
+# ✅ GOOD - Use user-manager.sh abstraction
+eval $(get_user_info "$username")
+# Now you have: $USER_EXISTS, $USERNAME, $PRIMARY_DOMAIN, $ALL_DOMAINS, etc.
+```
+
+### 3. **Conditional Panel-Specific Features**
+```bash
+# ❌ BAD - Assumes cPanel exists
+whmapi1 cphulkd_list_blocks
+
+# ✅ GOOD - Conditional with graceful fallback
+if [ "$SYS_CONTROL_PANEL" = "cpanel" ]; then
+    whmapi1 cphulkd_list_blocks
+else
+    echo "CPHulk is cPanel-specific, skipping..."
+fi
+```
+
+### 4. **Design for Extension**
+```bash
+# ✅ GOOD - Easy to add new panels
+case "$SYS_CONTROL_PANEL" in
+    cpanel)
+        # cPanel-specific logic
+        ;;
+    plesk)
+        # Plesk-specific logic
+        ;;
+    interworx)
+        # InterWorx-specific logic
+        ;;
+    directadmin)
+        # Future: DirectAdmin logic
+        ;;
+    *)
+        echo "Unsupported control panel: $SYS_CONTROL_PANEL"
+        return 1
+        ;;
+esac
+```
+
+---
+
+## Standard Library Usage
+
+### system-detect.sh
+**Purpose:** Runtime detection of control panel, OS, paths, and system resources
+**Exports:**
+- `SYS_CONTROL_PANEL` - Control panel type (cpanel, plesk, interworx, none)
+- `SYS_LOG_DIR` - Apache/web server log directory
+- `SYS_USER_HOME_BASE` - Base directory for user homes
+- `SYS_WEB_SERVER` - Web server type (apache, nginx, litespeed)
+- `SYS_FIREWALL` - Firewall type (csf, firewalld, iptables, ufw)
+- `SYS_CSF_ACTIVE` - CSF availability flag
+
+**Usage:**
+```bash
+# Automatically sourced when loading common-functions.sh
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+# Variables are now available
+if [ "$SYS_CONTROL_PANEL" = "cpanel" ]; then
+    # cPanel-specific code
+fi
+```
+
+### user-manager.sh
+**Purpose:** Control panel-agnostic user/domain/database management
+**Functions:**
+
+#### get_user_info()
+```bash
+eval $(get_user_info "username")
+# Returns (via eval):
+# - USER_EXISTS=yes/no
+# - USERNAME=username
+# - PRIMARY_DOMAIN=example.com
+# - ALL_DOMAINS=space-separated list
+# - EMAIL=user@example.com
+# - HOME_DIR=/home/username
+# - DISK_USED=1024M
+```
+
+#### get_user_domains()
+```bash
+domains=$(get_user_domains "username")
+# Returns newline-separated list of domains
+```
+
+#### get_user_databases()
+```bash
+databases=$(get_user_databases "username")
+# Returns newline-separated list of databases
+# Note: InterWorx uses domain prefix, not username!
+```
+
+**Critical Note:** Database prefixes differ!
+- cPanel: `username_dbname`
+- InterWorx: `first8charsOfDomain_dbname`
+- Plesk: `dbname` (user-scoped)
+
+---
+
+## Path Mapping Reference
+
+| Resource | cPanel | Plesk | InterWorx | Standalone |
+|----------|--------|-------|-----------|------------|
+| **User Home** | `/home/user` | `/var/www/vhosts/domain` | `/home/user` | `/home/user` |
+| **Document Root** | `/home/user/public_html` | `/var/www/vhosts/domain/httpdocs` | `/home/user/domain.com/html` | `/var/www/html` |
+| **Access Logs** | `/var/log/apache2/domlogs/domain` | `/var/www/vhosts/system/domain/logs` | `/home/user/var/domain/logs/access_log` | `/var/log/httpd/access_log` |
+| **Error Logs** | `/var/log/apache2/domlogs/domain-error_log` | `/var/www/vhosts/system/domain/logs/error_log` | `/home/user/var/domain/logs/error_log` | `/var/log/httpd/error_log` |
+| **PHP Error Logs** | `/home/user/public_html/error_log` | `/var/www/vhosts/domain/httpdocs/error_log` | `/home/user/domain/html/error_log` | N/A |
+| **User Config** | `/var/cpanel/users/user` | Plesk DB | listaccounts.pex or vhost configs | N/A |
+| **Domain Config** | `/var/cpanel/userdata/user/domain` | Plesk DB | `/etc/httpd/conf.d/vhost_domain.conf` | N/A |
+| **Mail Dir** | `/home/user/mail` | `/var/qmail/mailnames/domain` | `/home/user/var/domain/mail` | `/var/mail` |
+| **Cron Jobs** | `/var/spool/cron/user` | `/var/spool/cron/user` | `/var/spool/cron/user` | `/var/spool/cron/user` |
+| **SSL Certs** | `/etc/letsencrypt/live/domain` | `/etc/letsencrypt/live/domain` | `/etc/letsencrypt/live/domain` | `/etc/letsencrypt/live/domain` |
+| **Database Prefix** | `username_` | No prefix | `first8chars_` | N/A |
+
+---
+
+## Standard Patterns
+
+### Pattern 1: Log File Discovery
+
+```bash
+discover_logs() {
+    local log_files=()
+
+    if [ "$SYS_CONTROL_PANEL" = "interworx" ]; then
+        # InterWorx: Per-domain logs in user home
+        while IFS= read -r logfile; do
+            [ -f "$logfile" ] && log_files+=("$logfile")
+        done < <(find /home/*/var/*/logs -type f -name "access_log" 2>/dev/null)
+
+    elif [ "$SYS_CONTROL_PANEL" = "plesk" ]; then
+        # Plesk: Centralized per-domain logs
+        while IFS= read -r logfile; do
+            [ -f "$logfile" ] && log_files+=("$logfile")
+        done < <(find /var/www/vhosts/system/*/logs -type f -name "access_log" 2>/dev/null)
+
+    elif [ "$SYS_CONTROL_PANEL" = "cpanel" ] && [ -n "$SYS_LOG_DIR" ]; then
+        # cPanel: Centralized domlogs
+        while IFS= read -r logfile; do
+            [ -f "$logfile" ] && log_files+=("$logfile")
+        done < <(find "$SYS_LOG_DIR" -type f ! -name "*-bytes_log" ! -name "*error_log" 2>/dev/null)
+
+    else
+        # Standalone: Main access log only
+        [ -f "/var/log/httpd/access_log" ] && log_files+=("/var/log/httpd/access_log")
+        [ -f "/var/log/apache2/access.log" ] && log_files+=("/var/log/apache2/access.log")
+    fi
+
+    echo "${log_files[@]}"
+}
+```
+
+### Pattern 2: Document Root Discovery
+
+```bash
+get_docroot() {
+    local domain="$1"
+    local username="$2"  # Optional, helps with InterWorx
+
+    case "$SYS_CONTROL_PANEL" in
+        cpanel)
+            # cPanel: public_html
+            echo "/home/${username}/public_html"
+            ;;
+        plesk)
+            # Plesk: httpdocs
+            echo "/var/www/vhosts/${domain}/httpdocs"
+            ;;
+        interworx)
+            # InterWorx: domain.com/html
+            echo "/home/${username}/${domain}/html"
+            ;;
+        *)
+            # Standalone: Assume standard
+            echo "/var/www/html"
+            ;;
+    esac
+}
+```
+
+### Pattern 3: Domain→User Mapping
+
+```bash
+get_user_for_domain() {
+    local domain="$1"
+
+    case "$SYS_CONTROL_PANEL" in
+        cpanel)
+            # cPanel: /etc/userdatadomains
+            grep "^${domain}:" /etc/userdatadomains 2>/dev/null | cut -d: -f2 | awk -F'==' '{print $1}'
+            ;;
+        plesk)
+            # Plesk: Use CLI
+            plesk bin subscription --info "$domain" 2>/dev/null | grep "Owner" | awk '{print $2}'
+            ;;
+        interworx)
+            # InterWorx: Parse vhost configs
+            grep -l "ServerName ${domain}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | head -1 | \
+                xargs grep "SuexecUserGroup" 2>/dev/null | awk '{print $2}'
+            ;;
+        *)
+            echo "Unsupported"
+            return 1
+            ;;
+    esac
+}
+```
+
+### Pattern 4: Control Panel API Calls
+
+```bash
+# Always wrap API calls in control panel checks
+ban_ip_via_panel() {
+    local ip="$1"
+
+    case "$SYS_CONTROL_PANEL" in
+        cpanel)
+            if command -v whmapi1 &>/dev/null; then
+                whmapi1 cphulkd_blacklist ip="$ip"
+            else
+                echo "cPanel WHM API not available"
+                return 1
+            fi
+            ;;
+        plesk)
+            if command -v plesk &>/dev/null; then
+                plesk bin ip --ban "$ip"
+            else
+                echo "Plesk CLI not available"
+                return 1
+            fi
+            ;;
+        interworx)
+            # InterWorx has no built-in IP ban API
+            # Fall back to firewall
+            echo "InterWorx has no native IP ban, using firewall"
+            return 2
+            ;;
+        *)
+            echo "No control panel API available"
+            return 1
+            ;;
+    esac
+}
+```
+
+---
+
+## Testing Requirements
+
+### Every Module Must Be Tested On:
+1. ✅ **cPanel** - Regression testing (ensure no breakage)
+2. ✅ **Standalone** - No control panel environment
+3. ⚠️ **Plesk** - If Plesk support claimed
+4. ⚠️ **InterWorx** - If InterWorx support claimed
+
+### Test Checklist:
+- [ ] Module loads without errors on all platforms
+- [ ] Paths are correctly detected
+- [ ] User/domain functions work correctly
+- [ ] Graceful degradation when panel-specific features unavailable
+- [ ] Error messages are helpful and mention control panel
+- [ ] No hardcoded paths remain
+- [ ] API calls are wrapped in panel checks
+
+---
+
+## Code Review Checklist
+
+Before committing any module changes, verify:
+
+- [ ] No hardcoded paths (`/var/cpanel`, `/usr/local/cpanel`, `/var/log/apache2/domlogs`, `public_html`)
+- [ ] Uses `SYS_LOG_DIR` from system-detect.sh
+- [ ] Uses `get_user_info()` / `get_user_domains()` from user-manager.sh
+- [ ] API calls wrapped in `if [ "$SYS_CONTROL_PANEL" = "cpanel" ]`
+- [ ] Document root constructed dynamically
+- [ ] Error messages include control panel info for debugging
+- [ ] Tested with `bash -n script.sh` (syntax check)
+- [ ] Added to INTERWORX_COMPATIBILITY_AUDIT.md if applicable
+
+---
+
+## Module Classification
+
+### Class A: Control Panel Agnostic
+**Can work on any system**
+- hardware-health-check.sh
+- tail-secure-log.sh
+- tail-mail-log.sh
+- firewall-activity-monitor.sh
+- ssh-attack-monitor.sh
+
+**Requirements:** None special
+
+### Class B: Requires System Detection
+**Needs paths but no user/domain management**
+- network-bandwidth-analyzer.sh
+- tail-apache-access.sh
+- tail-apache-error.sh
+- web-traffic-monitor.sh
+
+**Requirements:**
+- Source system-detect.sh
+- Use `SYS_LOG_DIR`
+
+### Class C: Requires User/Domain Management
+**Needs to map users/domains**
+- bot-analyzer.sh
+- website-error-analyzer.sh
+- 500-error-tracker.sh
+- malware-scanner.sh
+- wordpress-cron-manager.sh
+
+**Requirements:**
+- Source system-detect.sh
+- Source user-manager.sh
+- Use `get_user_info()` / `get_user_domains()`
+
+### Class D: Control Panel-Specific
+**Only works on specific panels**
+- enable-cphulk.sh (cPanel only)
+- acronis-* (cPanel specific)
+
+**Requirements:**
+- Check `SYS_CONTROL_PANEL` at startup
+- Exit gracefully if wrong panel
+- Document panel requirement in help text
+
+---
+
+## Migration Guide
+
+### Converting Existing Module to Multi-Panel:
+
+1. **Add Library Imports**
+```bash
+# At top of script, after shebang
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+source "$SCRIPT_DIR/lib/user-manager.sh"  # If Class C
+```
+
+2. **Replace Hardcoded Paths**
+```bash
+# Find all hardcoded paths
+grep -n "/var/cpanel\|/usr/local/cpanel\|public_html\|domlogs" yourscript.sh
+
+# Replace with system variables or functions
+```
+
+3. **Wrap API Calls**
+```bash
+# Find all API calls
+grep -n "whmapi\|uapi\|cpapi" yourscript.sh
+
+# Wrap in conditional checks
+```
+
+4. **Add Control Panel Cases**
+```bash
+# For panel-specific logic, use case statements
+case "$SYS_CONTROL_PANEL" in
+    cpanel) ... ;;
+    plesk) ... ;;
+    interworx) ... ;;
+    *) ... ;;
+esac
+```
+
+5. **Test Syntax**
+```bash
+bash -n yourscript.sh
+```
+
+6. **Update Documentation**
+- Add to INTERWORX_COMPATIBILITY_AUDIT.md
+- Note supported panels in script header
+- Update help text
+
+---
+
+## Common Mistakes to Avoid
+
+### ❌ Mistake #1: Using Command Existence as Panel Detection
+```bash
+# BAD - Command might exist on other panels
+if command -v whmapi1 &>/dev/null; then
+    # Assume cPanel
+fi
+```
+
+**Fix:** Always check `SYS_CONTROL_PANEL`
+```bash
+# GOOD
+if [ "$SYS_CONTROL_PANEL" = "cpanel" ] && command -v whmapi1 &>/dev/null; then
+    # Definitely cPanel and API available
+fi
+```
+
+### ❌ Mistake #2: Assuming File Locations
+```bash
+# BAD - Only works on cPanel
+domains=$(grep "^DNS" /var/cpanel/users/$user | awk '{print $2}')
+```
+
+**Fix:** Use abstraction
+```bash
+# GOOD
+domains=$(get_user_domains "$user")
+```
+
+### ❌ Mistake #3: Hardcoding Document Root Structure
+```bash
+# BAD - Assumes cPanel's public_html
+find /home/*/public_html -name "wp-config.php"
+```
+
+**Fix:** Use dynamic paths
+```bash
+# GOOD
+case "$SYS_CONTROL_PANEL" in
+    cpanel)    find /home/*/public_html -name "wp-config.php" ;;
+    interworx) find /home/*/*/html -name "wp-config.php" ;;
+    plesk)     find /var/www/vhosts/*/httpdocs -name "wp-config.php" ;;
+esac
+```
+
+### ❌ Mistake #4: Silent Failures
+```bash
+# BAD - Fails silently on non-cPanel
+whmapi1 some_command
+```
+
+**Fix:** Check and report
+```bash
+# GOOD
+if [ "$SYS_CONTROL_PANEL" = "cpanel" ]; then
+    whmapi1 some_command
+else
+    print_warning "This feature requires cPanel (current: $SYS_CONTROL_PANEL)"
+    return 1
+fi
+```
+
+---
+
+## Future Enhancements
+
+### Planned Improvements:
+1. **Panel-specific feature matrix** - Document what features work on which panels
+2. **Automated testing framework** - Docker containers for each panel
+3. **Panel capability detection** - Runtime feature detection
+4. **Plugin architecture** - Easy addition of new panel support
+
+### Control Panel Support Roadmap:
+- **Phase 1-3:** InterWorx (IN PROGRESS)
+- **Phase 4:** Plesk expansion (fill gaps)
+- **Phase 5:** DirectAdmin
+- **Phase 6:** CyberPanel
+
+---
+
+## Questions and Support
+
+**Q: What if a feature is impossible on a specific panel?**
+A: Document it, detect it, and fail gracefully with a clear message.
+
+**Q: Should I support all panels in every module?**
+A: No. Class D modules can be panel-specific. Just document it.
+
+**Q: What about backward compatibility?**
+A: Always maintain cPanel compatibility. It's the primary platform.
+
+**Q: How do I test without access to all panels?**
+A: At minimum: syntax check + cPanel regression. InterWorx/Plesk testing is nice-to-have.
+
+---
+
+## Version History
+
+- **1.0** (2025-11-19) - Initial standard established
+  - Defined core principles
+  - Created pattern library
+  - Established testing requirements
+  - Documented common mistakes
@@ -1,130 +0,0 @@
-# Server Toolkit - Project Structure
-
-## Directory Layout
-
-```
-server-toolkit/
-├── launcher.sh              # Main entry point
-├── README.md                # Project documentation
-├── TROUBLESHOOTING.md       # Troubleshooting guide
-├── AUDIT-REPORT.md          # Project audit results
-├── REFDB_FORMAT.txt         # Development notes & bug tracker
-│
-├── config/                  # Configuration files
-│   ├── settings.conf        # Main configuration
-│   ├── settings.conf.minimal # Minimal config (template)
-│   ├── whitelist-ips.txt    # IP whitelist for bot analyzer
-│   └── whitelist-user-agents.txt  # User-agent whitelist
-│
-├── lib/                     # Core libraries
-│   ├── common-functions.sh  # Shared utilities (print, colors, etc.)
-│   ├── system-detect.sh     # Auto-detect control panel, OS, etc.
-│   ├── user-manager.sh      # User/domain selection functions
-│   ├── reference-db.sh      # System reference database builder
-│   └── mysql-analyzer.sh    # MySQL analysis functions
-│
-├── modules/                 # Feature modules
-│   ├── security/
-│   │   └── bot-analyzer.sh  # ✓ Bot & botnet analysis (WORKING)
-│   ├── performance/
-│   │   └── mysql-query-analyzer.sh  # ✓ MySQL query analysis (WORKING)
-│   ├── wordpress/           # (Empty - future development)
-│   ├── backup/              # (Empty - future development)
-│   ├── monitoring/          # (Empty - future development)
-│   ├── troubleshooting/     # (Empty - future development)
-│   └── reporting/           # (Empty - future development)
-│
-└── tools/                   # Diagnostic & testing tools
-    ├── diagnostic-report.sh # System diagnostic collector
-    └── test-domain-detection.sh  # Domain detection validator
-```
-
-## File Purposes
-
-### Root Level
- **launcher.sh** - Main menu system, calls modules
- **README.md** - User-facing documentation
- **TROUBLESHOOTING.md** - Help guide for common issues
- **AUDIT-REPORT.md** - Technical audit results (for developers)
- **REFDB_FORMAT.txt** - Development log, bug tracking, enhancement notes
-
-### Config Directory
-Contains user-configurable settings:
- **settings.conf** - Main config (includes unused future settings)
- **settings.conf.minimal** - Clean template with only current settings
- **whitelist-*.txt** - Bot analyzer whitelists
-
-### Lib Directory
-Core library functions sourced by modules:
- **common-functions.sh** - Colors, print functions, formatting
- **system-detect.sh** - Auto-detect environment (cPanel/Plesk/etc)
- **user-manager.sh** - User selection, domain detection
- **reference-db.sh** - Build/manage system reference database
- **mysql-analyzer.sh** - MySQL analysis helper functions
-
-### Modules Directory
-Feature implementations:
- **security/** - Security tools (bot analyzer, etc.)
- **performance/** - Performance tools (MySQL analyzer, etc.)
- **wordpress/** through **reporting/** - Placeholder for future
-
-### Tools Directory
-Diagnostic and testing utilities:
- **diagnostic-report.sh** - Generates comprehensive system report
- **test-domain-detection.sh** - Quick validation of domain detection
-
-## Working Features
-
-### Fully Implemented (✓)
-1. **Bot & Botnet Analyzer** (`modules/security/bot-analyzer.sh`)
-   - Comprehensive log analysis
-   - Threat scoring
-   - IP blocking recommendations
-   - CSF integration
-   - Attack vector detection
-
-2. **MySQL Query Analyzer** (`modules/performance/mysql-query-analyzer.sh`)
-   - Slow query detection
-   - Query performance analysis
-
-3. **System Detection** (`lib/system-detect.sh`)
-   - Auto-detect: cPanel, Plesk, InterWorx
-   - OS, web server, database detection
-   - Resource monitoring
-
-4. **User Management** (`lib/user-manager.sh`)
-   - Interactive user selection
-   - Arrow-key navigation
-   - Search with confirmation
-   - Domain detection
-
-## In Development (Future)
-
- WordPress Management (11 planned scripts)
- Backup & Recovery (7 planned scripts)
- Monitoring & Alerts (5 planned scripts)
- Troubleshooting (9 planned scripts)
- Reporting (6 planned scripts)
-
-See AUDIT-REPORT.md for complete list.
-
-## Configuration
-
-Most settings auto-detect on first run. Manual configuration available in:
- `config/settings.conf` - All settings (includes future features)
- `config/settings.conf.minimal` - Only current features
-
-## Logs & Cache
-
-Runtime files (auto-created):
- `.sysref` - System reference database cache
- `/tmp/bot_analysis_*.txt` - Bot analysis reports
- `/tmp/mysql_analysis_*.txt` - MySQL analysis reports
- `/tmp/server-toolkit-*` - Temporary session directories
-
-## For Developers
-
-Key technical documentation:
- **AUDIT-REPORT.md** - What's implemented vs. planned
- **REFDB_FORMAT.txt** - Bug fixes, enhancements, lessons learned
- **TROUBLESHOOTING.md** - Common issues and debug procedures
@@ -10,6 +10,7 @@ server-toolkit/
 ├── README.md                            # This file
 │
 ├── modules/                             # Modular scripts organized by category
+│   │
 │   ├── security/                        # 🛡️ Security & Threat Analysis
 │   │   ├── bot-analyzer.sh             # Full bot/threat analysis
 │   │   ├── live-attack-monitor.sh      # Real-time attack monitoring dashboard
@@ -17,15 +18,40 @@ server-toolkit/
 │   │   ├── web-traffic-monitor.sh      # Web traffic monitoring
 │   │   ├── firewall-activity-monitor.sh # CSF/iptables monitoring
 │   │   ├── enable-cphulk.sh            # cPHulk enablement with CSF whitelist import
+│   │   ├── ip-reputation-manager.sh    # Centralized IP reputation tracking
 │   │   └── tail-*.sh                   # Various log monitoring scripts
 │   │
+│   ├── backup/                          # 💾 Backup & Recovery (Acronis Cyber Protect)
+│   │   ├── acronis-backup-manager.sh   # Main backup management menu
+│   │   ├── acronis-install.sh          # Install Acronis agent
+│   │   ├── acronis-update.sh           # Update Acronis agent
+│   │   ├── acronis-uninstall.sh        # Uninstall Acronis agent
+│   │   ├── acronis-register.sh         # Register agent with cloud
+│   │   ├── acronis-configure.sh        # Configure agent settings
+│   │   ├── acronis-agent-status.sh     # Comprehensive agent status check
+│   │   ├── acronis-trigger-backup.sh   # Trigger manual backups with optimizations
+│   │   ├── acronis-backup-status.sh    # Check backup job status
+│   │   ├── acronis-list-backups.sh     # List all backups
+│   │   ├── acronis-plan-manager.sh     # Manage protection plans
+│   │   ├── acronis-schedule-viewer.sh  # View backup schedules
+│   │   ├── acronis-restore.sh          # Restore from backup
+│   │   ├── acronis-logs.sh             # View Acronis logs
+│   │   └── acronis-troubleshoot.sh     # Troubleshoot common issues
+│   │
+│   ├── website/                         # 🌐 Website Diagnostics & Troubleshooting
+│   │   ├── website-error-analyzer.sh   # Comprehensive website error analysis
+│   │   └── 500-error-tracker.sh        # Track and analyze 500 errors
+│   │
 │   ├── diagnostics/                     # 🔍 System Diagnostics
 │   │   └── system-health-check.sh      # Comprehensive health analysis
 │   │
-│   └── performance/                     # 📊 Performance Analysis
-│       ├── hardware-health-check.sh    # Hardware diagnostics
-│       ├── mysql-query-analyzer.sh     # MySQL performance analysis
-│       └── network-bandwidth-analyzer.sh # Network analysis
+│   ├── performance/                     # 📊 Performance Analysis
+│   │   ├── hardware-health-check.sh    # Hardware diagnostics
+│   │   ├── mysql-query-analyzer.sh     # MySQL performance analysis
+│   │   └── network-bandwidth-analyzer.sh # Network analysis
+│   │
+│   └── maintenance/                     # 🧹 System Maintenance
+│       └── cleanup-toolkit-data.sh     # Clean temporary toolkit data
 │
 ├── lib/                                 # Shared libraries
 │   ├── common-functions.sh             # Reusable functions
@@ -46,15 +72,18 @@ server-toolkit/

 ## 🚀 Quick Start

-### Running
+### Installation & Running

+**One command - automatic cleanup:**
 ```bash
-# Direct method
-bash /root/server-toolkit/launcher.sh
+curl -sL https://git.mull.lol/cschantz/Linux-Server-Management-Toolkit/archive/main.tar.gz | tar xz && source linux-server-management-toolkit/run.sh
+```

-# Or make executable and run
-chmod +x /root/server-toolkit/launcher.sh
-/root/server-toolkit/launcher.sh
+When exiting (option 0), answer "yes" and cleanup happens automatically - no extra steps.
+
+Or if already downloaded:
+```bash
+source /root/server-toolkit/run.sh
 ```

 ## ✨ Key Features
@@ -63,8 +92,24 @@ chmod +x /root/server-toolkit/launcher.sh
 - **3-Mode Security Menu**: Analysis / Actions / Live Monitoring
 - **Live Attack Monitor**: Real-time SOC dashboard with threat classification
 - **Intelligent cPHulk Setup**: Auto-imports CSF whitelists from all sources
+- **IP Reputation Tracking**: Centralized cross-module IP intelligence
 - **Multi-Source Monitoring**: SSH, Web, Firewall, cPHulk integration

+### 💾 Backup & Recovery (Acronis Cyber Protect)
+- **Complete Agent Management**: Install, update, uninstall, register
+- **Comprehensive Status Monitoring**: Agent health, registration, cloud connectivity
+- **Manual Backup Triggering**: CLI-managed plans with performance optimizations
+- **Backup Type Selection**: Full, Incremental, Differential backups
+- **Plan Management**: View, enable/disable, delete protection plans
+- **Restore Operations**: Full restore capabilities from backups
+- **Troubleshooting Tools**: Log viewing and automated diagnostics
+
+### 🌐 Website Diagnostics
+- **Error Analysis**: Comprehensive website error detection and troubleshooting
+- **500 Error Tracking**: Detailed analysis of application errors
+- **Log Integration**: Apache, PHP-FPM, cPanel error log analysis
+- **Smart Recommendations**: Context-aware suggestions for fixing issues
+
 ### 🔍 System Diagnostics
 - **Comprehensive Health Checks**: Hardware, services, security posture
 - **Smart Recommendations**: Context-aware suggestions based on findings
@@ -96,6 +141,25 @@ bash launcher.sh
 # Select: Enable cPHulk Protection
 ```

+### Acronis Backup Management
+
+```bash
+bash launcher.sh
+# Select: Backup & Recovery
+# Select: Check Agent Status (view health, registration, connectivity)
+# Select: Trigger Manual Backup (with type selection and optimizations)
+# Select: Manage Protection Plans
+```
+
+### Website Error Analysis
+
+```bash
+bash launcher.sh
+# Select: Website Diagnostics & Troubleshooting
+# Select: Website Error Analyzer
+# Choose a cPanel user account to analyze
+```
+
 ### System Health Check

 ```bash
@@ -118,14 +182,33 @@ nano /root/server-toolkit/config/settings.conf
 - **No sensitive data in repo**: .gitignore excludes keys, tokens, credentials
 - **Test first**: Try on non-production environments first

-## 📊 Recent Updates (v2.0)
+## 📊 Recent Updates (v2.1)

+### Backup & Recovery
+- ✅ Complete Acronis Cyber Protect integration (16 management scripts)
+- ✅ Agent installation, registration, and update automation
+- ✅ Comprehensive status monitoring (health, registration, connectivity)
+- ✅ Manual backup triggering with performance optimizations
+- ✅ Backup type selection (Full/Incremental/Differential)
+- ✅ Protection plan management and scheduling
+
+### Website Diagnostics
+- ✅ Comprehensive website error analyzer
+- ✅ 500 error tracking and troubleshooting
+- ✅ Multi-log integration (Apache, PHP-FPM, cPanel)
+- ✅ Smart error detection and recommendations
+
+### Security Enhancements
+- ✅ Centralized IP reputation tracking across modules
 - ✅ Complete security menu restructure (3-mode hierarchy)
 - ✅ Live network security monitoring dashboard
 - ✅ Intelligent cPHulk enablement with multi-source CSF whitelist discovery
 - ✅ Real-time threat detection and classification
+
+### Core Infrastructure
 - ✅ Reference database for cross-module intelligence
- ✅ Git repository integration
+- ✅ Git repository integration with auto-commit workflows
+- ✅ Modular architecture with organized category structure

 ## 🙏 Credits

@@ -133,5 +216,5 @@ Built for comprehensive cPanel/Linux server management with a focus on security

 ---

-**Version**: 2.0.0
+**Version**: 2.1.0
 **Repository**: https://git.mull.lol/cschantz/Linux-Server-Management-Toolkit
@@ -1,283 +0,0 @@
-# SESSION INTELLIGENCE - Cross-Module Data Sharing
-
-## Overview
-
-The Server Toolkit now implements **Session Intelligence** - allowing modules to reference data collected by other modules during the current troubleshooting session. This is optimized for the **download → diagnose → troubleshoot → delete** workflow.
-
-## Use Case
-
-Since the toolkit is meant to be temporary (not permanently installed), we don't track historical trends. Instead, we enable **cross-module intelligence** so modules can make smarter recommendations based on what's happening RIGHT NOW.
-
-## Example Scenarios
-
-### Scenario 1: Bot Attack During System Load
-```bash
-# User runs System Health Check first
-# Discovers: CPU at 95%, Memory at 92%, HIGH LOAD
-
-# User then runs Bot Analyzer
-# Bot analyzer checks: db_is_system_under_load
-# Result: "High bot traffic detected, but system is already under load.
-#          Performance issues may be partially due to system resources,
-#          not just bots. Recommend addressing system load first."
-```
-
-### Scenario 2: Slow MySQL During Network Issues
-```bash
-# User runs System Health Check
-# Discovers: TCP retransmission at 15%, HIGH network issues
-
-# User then runs MySQL Query Analyzer
-# MySQL analyzer checks: db_has_network_issues
-# Result: "Slow queries detected, but network is experiencing high
-#          retransmission rates. Some query timeouts may be network-
-#          related rather than database performance."
-```
-
-### Scenario 3: Bot Attack + SSH Brute Force
-```bash
-# User runs System Health Check
-# Discovers: 5,000 failed SSH attempts today
-
-# User then runs Bot Analyzer
-# Bot analyzer checks: db_is_under_attack
-# Result: "Bot traffic detected AND system is under active SSH attack.
-#          Recommend immediate firewall hardening and cPHulk enablement."
-```
-
-## Architecture
-
-### Data Storage: Reference Database (`.sysref`)
-
-The health check saves current session metrics to `[HEALTH_BASELINE]` section:
-
-**System Resources:**
- MEMORY_TOTAL_MB, MEMORY_USED_PERCENT
- CPU_LOAD_1MIN, CPU_CORES
- DISK_USED_PERCENT, IOWAIT_PERCENT
-
-**Services:**
- HTTPD_STATUS, MYSQL_STATUS
- FIREWALL_STATUS, EMAIL_QUEUE_SIZE
- ZOMBIE_PROCESSES
-
-**Network Status:**
- NETWORK_INTERFACE, NETWORK_MTU
- NETWORK_RX_ERRORS, NETWORK_TX_ERRORS
- NETWORK_RX_DROPPED, NETWORK_TX_DROPPED
- TCP_RETRANS_PERCENT
-
-**Hardware Status:**
- DISK_SMART_STATUS
- HARDWARE_ERRORS
-
-**Security Status:**
- SSH_FAILED_ATTEMPTS_TOTAL
- SSH_ATTACKS_TODAY
- CPHULK_STATUS
-
-**Issue Counts:**
- CRITICAL_ISSUES, HIGH_ISSUES
- MEDIUM_ISSUES, LOW_ISSUES
-
-### Helper Functions (`lib/reference-db.sh`)
-
-#### Query Individual Metrics
-```bash
-value=$(db_get_health_metric "MEMORY_USED_PERCENT")
-echo "Memory: $value%"
-```
-
-#### Intelligence Functions
-
-**Check System Load:**
-```bash
-if db_is_system_under_load; then
-    echo "System under heavy load (CPU > 80% or Memory > 90%)"
-    # Adjust recommendations
-fi
-```
-
-**Check Network Issues:**
-```bash
-if db_has_network_issues; then
-    echo "Network problems detected (retrans > 5% or errors > 100)"
-    # Consider network factors in analysis
-fi
-```
-
-**Check Security Status:**
-```bash
-if db_is_under_attack; then
-    echo "Active attacks detected (> 100 SSH failures today)"
-    # Correlate with security findings
-fi
-```
-
-#### Get All Metrics
-```bash
-db_get_all_health  # Returns all HEALTH| lines
-```
-
-## Implementation in Modules
-
-### Pattern 1: Contextual Recommendations
-
-```bash
-# In any module, after sourcing reference-db.sh
-
-# Check system context
-if db_is_system_under_load; then
-    echo "NOTE: System is currently under heavy load."
-    echo "      Some issues may be resource-related."
-fi
-
-if db_has_network_issues; then
-    echo "NOTE: Network experiencing high retransmission rates."
-    echo "      Connection issues may be network-related."
-fi
-
-if db_is_under_attack; then
-    echo "WARNING: System under active SSH attack."
-    echo "         Security hardening recommended."
-fi
-```
-
-### Pattern 2: Adjusted Thresholds
-
-```bash
-# MySQL slow query analyzer
-
-# Normal threshold: 5 seconds
-SLOW_THRESHOLD=5
-
-# But if system is under load, adjust threshold
-if db_is_system_under_load; then
-    SLOW_THRESHOLD=10
-    echo "System under load - using relaxed slow query threshold"
-fi
-```
-
-### Pattern 3: Root Cause Analysis
-
-```bash
-# Website performance analyzer
-
-if db_has_network_issues; then
-    echo "Website slow, AND network has issues."
-    echo "Root cause may be network, not website code."
-    echo "Recommendation: Fix network first, then re-test."
-fi
-```
-
-## Testing
-
-Run the test script to verify cross-module intelligence:
-
-```bash
-# First, generate session data
-./launcher.sh
-# Choose option 1: System Health Check
-
-# Then test intelligence
-./tools/test-cross-module-intelligence.sh
-```
-
-Expected output shows:
- All health metrics populated
- Intelligence functions working
- System status correctly identified
-
-## Best Practices
-
-### DO:
-✅ Run System Health Check **FIRST** in troubleshooting session
-✅ Use intelligence functions to provide context-aware recommendations
-✅ Correlate findings across modules
-✅ Adjust thresholds based on system state
-
-### DON'T:
-❌ Rely on this data for historical trend analysis (it's session-only)
-❌ Assume data exists (always check if metric is populated)
-❌ Make critical decisions solely on this data
-❌ Store this long-term (it gets cleaned up)
-
-## Example: Enhanced Bot Analyzer (Future)
-
-```bash
-# modules/security/bot-analyzer.sh
-
-source "$SCRIPT_DIR/lib/reference-db.sh"
-
-# After analysis, provide context
-
-if db_has_network_issues; then
-    echo ""
-    print_warning "Network Issues Detected"
-    echo "System experiencing:"
-    echo "  • TCP Retransmission: $(db_get_health_metric 'TCP_RETRANS_PERCENT')%"
-    echo "  • Network errors: $(db_get_health_metric 'NETWORK_RX_ERRORS')"
-    echo ""
-    echo "Bot traffic may be compounded by network problems."
-    echo "Recommendation: Address network issues first (see System Health Check)"
-fi
-
-if db_is_system_under_load; then
-    echo ""
-    print_warning "System Under Heavy Load"
-    echo "Current state:"
-    echo "  • CPU Load: $(db_get_health_metric 'CPU_LOAD_1MIN')"
-    echo "  • Memory: $(db_get_health_metric 'MEMORY_USED_PERCENT')%"
-    echo ""
-    echo "High bot traffic + system load = performance degradation."
-    echo "Recommendation: Block bots AND investigate resource usage."
-fi
-```
-
-## Files Modified
-
-1. **modules/diagnostics/system-health-check.sh**
-   - Enhanced `save_health_baseline()` function
-   - Now saves network, hardware, and security metrics
-   - Lines: 1660-1758
-
-2. **lib/reference-db.sh**
-   - Added `db_get_health_metric()` - query individual metrics
-   - Added `db_is_system_under_load()` - check if CPU/memory high
-   - Added `db_has_network_issues()` - check for network problems
-   - Added `db_is_under_attack()` - check for active attacks
-   - Added `db_get_all_health()` - get all health data
-   - Lines: 446-497
-
-3. **tools/test-cross-module-intelligence.sh** (NEW)
-   - Test script demonstrating cross-module queries
-   - Shows how to use intelligence functions
-
-## Data Lifetime
-
- **Created:** When System Health Check runs
- **Stored:** In `.sysref` file (memory + disk)
- **Expires:** After 1 hour OR when cleanup/reset runs
- **Removed:** When toolkit is deleted
-
-## Future Enhancements
-
-Potential modules that could benefit:
-
-1. **WordPress Health Check**
-   - Check if slow WP sites correlate with network/load issues
-
-2. **Backup Analyzer**
-   - Check if backup failures correlate with disk/load issues
-
-3. **Email Troubleshooter**
-   - Check if email issues correlate with network/disk problems
-
-4. **Resource Monitor**
-   - Compare current metrics vs health check baseline
-
-## Summary
-
-Session Intelligence transforms the toolkit from **isolated modules** into an **integrated diagnostic platform**. Each module can now make smarter, context-aware recommendations based on the complete picture of what's happening on the server RIGHT NOW.
-
-No historical data needed. No complex trending. Just smart, session-aware troubleshooting.
@@ -1,379 +0,0 @@
-# 🚀 Server Management Toolkit - Setup Guide
-
-## ✅ What You Have Now
-
-A **modular, scalable server management system** with:
-
-✨ **Professional Menu System**
- Clean, organized category-based menus
- Color-coded interface
- Easy navigation
-
-📦 **Modular Architecture**
- 7 main categories (80+ potential modules)
- Easy to add new modules
- Organized by function
-
-☁️ **Nextcloud Integration**
- Download modules on-demand
- Easy updates
- Share across multiple servers
-
-🎯 **First Module Ready**
- `bot-analyzer.sh` - Enhanced v3.0
- All improvements we made today
- Ready to use immediately
-
---
-
-## 📋 Directory Structure
-
-```
-/root/server-toolkit/
-├── launcher.sh              ← Main menu (run this!)
-├── install.sh               ← Quick installer
-├── README.md                ← Full documentation
-├── manifest.txt.example     ← Template for Nextcloud
-│
-├── modules/
-│   ├── security/
-│   │   └── bot-analyzer.sh  ✅ READY (v3.0 Enhanced)
-│   ├── wordpress/           (empty - add modules here)
-│   ├── performance/         (empty - add modules here)
-│   ├── backup/              (empty - add modules here)
-│   ├── monitoring/          (empty - add modules here)
-│   ├── troubleshooting/     (empty - add modules here)
-│   └── reporting/           (empty - add modules here)
-│
-├── lib/                     (common functions - future)
-├── config/                  (created on first run)
-└── logs/                    (created on first run)
-```
-
---
-
-## 🎯 Quick Start (3 Steps)
-
-### Step 1: Run the Installer
-
-```bash
-cd /root/server-toolkit
-chmod +x install.sh
-./install.sh
-```
-
-**What it does:**
- Creates directory structure
- Sets permissions
- Offers to create `/usr/local/bin/server-toolkit` symlink
-
-### Step 2: Launch & Configure
-
-```bash
-# Option A: Direct
-/root/server-toolkit/launcher.sh
-
-# Option B: If symlink created
-server-toolkit
-```
-
-**First time:**
-1. Select `9` (Configuration)
-2. Set your Nextcloud URL (optional, for module downloads)
-3. Review other settings
-4. Save and exit
-
-### Step 3: Test the Bot Analyzer
-
-From the launcher:
-1. Select `1` (Security & Threat Analysis)
-2. Select `1` (Full Bot Analysis)
-3. Watch it run!
-
---
-
-## ☁️ Nextcloud Setup (Optional but Recommended)
-
-### Why Use Nextcloud?
-
-✅ Store all modules in one place
-✅ Easy updates across multiple servers
-✅ No need to manually copy files
-✅ Version control your modules
-
-### Setup Process
-
-**1. Upload to Nextcloud**
-
-```
-your-nextcloud/
-└── server-toolkit/
-    ├── manifest.txt           ← Copy from manifest.txt.example
-    └── modules/
-        ├── security/
-        │   ├── bot-analyzer.sh
-        │   ├── live-monitor.sh
-        │   └── ...
-        ├── wordpress/
-        │   ├── wp-cron-status.sh
-        │   └── ...
-        └── ...
-```
-
-**2. Share the Folder**
- Right-click folder → Share
- Create public link
- Enable "Allow download"
- Copy the share link
-
-**3. Convert Link to Download URL**
-
-Original link:
-```
-https://nextcloud.example.com/s/AbC123DeF
-```
-
-Convert to:
-```
-https://nextcloud.example.com/s/AbC123DeF/download?path=/
-```
-
-**4. Configure**
-
-```bash
-nano /root/server-toolkit/config/settings.conf
-```
-
-Set:
-```bash
-NEXTCLOUD_BASE_URL="https://nextcloud.example.com/s/AbC123DeF/download?path=/"
-```
-
-**5. Update Modules**
-
-From launcher: Select `8` (Update All Modules)
-
---
-
-## 🔧 Adding New Modules
-
-### Method 1: Create Locally
-
-```bash
-# Create new module
-nano /root/server-toolkit/modules/wordpress/wp-cron-status.sh
-
-# Make executable
-chmod +x /root/server-toolkit/modules/wordpress/wp-cron-status.sh
-
-# Test it
-/root/server-toolkit/modules/wordpress/wp-cron-status.sh
-
-# It's now available in the launcher menu!
-```
-
-### Method 2: Download from Nextcloud
-
-1. Upload to Nextcloud: `modules/wordpress/wp-cron-status.sh`
-2. Add to `manifest.txt`: `wordpress:wp-cron-status.sh`
-3. From launcher: Select `8` (Update All Modules)
-
---
-
-## 📊 Current Features
-
-### ✅ Working Now
-
-| Feature | Status |
-|---------|--------|
-| Modular architecture | ✅ Complete |
-| Category-based menus | ✅ Complete |
-| Bot analyzer v3.0 | ✅ Working |
-| Server IP detection | ✅ Working |
-| Threat scoring | ✅ Working |
-| Nextcloud integration | ✅ Working |
-| Configuration system | ✅ Working |
-| Auto-updates | ✅ Working |
-
-### 🔜 Coming Soon (As You Build Them)
-
-| Module | Priority | Category |
-|--------|----------|----------|
-| wp-cron-status.sh | High | WordPress |
-| wp-cron-mass-fix.sh | High | WordPress |
-| oom-killer-plotter.sh | Medium | Troubleshooting |
-| resource-monitor.sh | Medium | Performance |
-| disk-usage-report.sh | Medium | Performance |
-
---
-
-## 🎓 Example Workflows
-
-### Daily Security Check
-
-```bash
-server-toolkit
-→ 1 (Security)
-→ 2 (Quick Scan - 1 hour)
-→ Review threats
-→ 5 (Auto-Block if needed)
-```
-
-### WordPress Maintenance
-
-```bash
-server-toolkit
-→ 2 (WordPress)
-→ 2 (Check WP-Cron status)
-→ 3 (Fix if broken)
-→ 7 (Optimize databases)
-```
-
-### Performance Investigation
-
-```bash
-server-toolkit
-→ 3 (Performance)
-→ 1 (Resource Monitor)
-→ 2 (Top Processes)
-→ Identify issues
-```
-
-### Troubleshoot Out-of-Memory
-
-```bash
-server-toolkit
-→ 6 (Troubleshooting)
-→ 1 (OOM Killer Plotter)
-→ Review memory spikes
-```
-
---
-
-## 🔐 Security Best Practices
-
-### Before Running
-
-✅ Always backup first
-✅ Test on staging if possible
-✅ Review whitelist before blocking
-✅ Check false positives
-
-### Regular Maintenance
-
-📅 **Daily**: Quick security scan
-📅 **Weekly**: Full bot analysis
-📅 **Monthly**: Update all modules
-📅 **Quarterly**: Review all whitelists
-
---
-
-## 🆘 Troubleshooting
-
-### Launcher Won't Start
-
-```bash
-chmod +x /root/server-toolkit/launcher.sh
-bash /root/server-toolkit/launcher.sh
-```
-
-### Module Not Found
-
-```bash
-# Check if it exists
-ls -la /root/server-toolkit/modules/security/bot-analyzer.sh
-
-# Redownload from Nextcloud
-server-toolkit → 8 (Update)
-```
-
-### Config Issues
-
-```bash
-# Recreate config
-rm /root/server-toolkit/config/settings.conf
-server-toolkit → 9 (Configuration)
-```
-
-### Nextcloud Download Fails
-
-1. Check NEXTCLOUD_BASE_URL format
-2. Ensure Nextcloud folder is shared publicly
-3. Test URL in browser first
-4. Check manifest.txt format
-
---
-
-## 📞 Next Steps
-
-### Immediate
-
-1. ✅ Run installer
-2. ✅ Test bot analyzer
-3. ✅ Configure settings
-
-### Short Term
-
-1. 📝 Create wp-cron-status.sh module
-2. 📝 Create wp-cron-mass-fix.sh module
-3. ☁️ Setup Nextcloud distribution
-
-### Long Term
-
-1. 📦 Build remaining modules
-2. 🔄 Setup automated updates
-3. 📧 Configure email alerts
-4. 📊 Create custom dashboards
-
---
-
-## 💡 Pro Tips
-
-### Performance
-
- Bot analyzer runs in < 1 second for small logs
- Use `-H 1` for quick scans
- Schedule daily cron for security checks
-
-### Organization
-
- Keep modules organized by category
- Use descriptive names
- Add comments in scripts
- Update manifest when adding modules
-
-### Distribution
-
- Use Nextcloud for easy sharing
- Keep manifest.txt updated
- Version your modules
- Test before distributing
-
---
-
-## 📚 Documentation
-
- `README.md` - Full documentation
- `launcher.sh` - Built-in help menus
- Each module - Individual usage info
-
---
-
-## ✅ Installation Checklist
-
- [ ] Ran `/root/server-toolkit/install.sh`
- [ ] Launcher runs successfully
- [ ] Created symlink (optional)
- [ ] Configured settings
- [ ] Tested bot analyzer
- [ ] Setup Nextcloud (optional)
- [ ] Updated modules (if using Nextcloud)
-
---
-
-**You now have a professional, scalable server management system!** 🎉
-
-Add modules as you need them, share via Nextcloud, and manage your entire infrastructure from one clean interface.
-
-**Version**: 2.0.0
-**Date**: 2025-10-30
@@ -1,273 +0,0 @@
-# Server Toolkit - Troubleshooting Guide
-
-## Quick Diagnostics
-
-### Test Domain Detection
-```bash
-bash /root/server-toolkit/tools/test-domain-detection.sh
-```
-This will tell you immediately if domain detection is working.
-
-### Check System Detection Variables
-```bash
-bash -c '
-source /root/server-toolkit/lib/system-detect.sh
-echo "SYS_CONTROL_PANEL: [$SYS_CONTROL_PANEL]"
-echo "SYS_DETECTION_COMPLETE: [$SYS_DETECTION_COMPLETE]"
-'
-```
-Both should have values. If empty, system detection failed.
-
-### Test User Domain Lookup
-```bash
-bash -c '
-source /root/server-toolkit/lib/system-detect.sh
-source /root/server-toolkit/lib/user-manager.sh
-get_user_domains "USERNAME"
-'
-```
-Replace USERNAME with actual username. Should return domain(s).
-
---
-
-## Common Issues
-
-### Issue: User shows "(no domains) (0 domains)"
-
-**Symptoms:**
- User selection menu shows 0 domains
- Bot analyzer says "No domains found for user"
- Domain exists in cPanel
-
-**Diagnosis:**
-1. Run: `echo $SYS_CONTROL_PANEL` in your shell
-2. If empty, environment is corrupted
-
-**Fix:**
- Option 1: Exit launcher completely and restart
- Option 2: Select option 8 (Cleanup/Reset) in launcher
- Option 3: Close entire SSH session and reconnect
-
-**Why it happens:**
-Launcher inherited broken environment variables from a previous session where
-libraries had bugs. Child processes (like bot-analyzer) inherit these.
-
---
-
-### Issue: Functions not found / command not found
-
-**Symptoms:**
- `bash: select_user_interactive: command not found`
- `bash: get_user_domains: command not found`
-
-**Diagnosis:**
-Libraries weren't sourced correctly.
-
-**Fix:**
-1. Check that files exist:
-```bash
-ls -la /root/server-toolkit/lib/*.sh
-```
-
-2. Test sourcing manually:
-```bash
-source /root/server-toolkit/lib/system-detect.sh
-source /root/server-toolkit/lib/user-manager.sh
-```
-
-3. Check for syntax errors:
-```bash
-bash -n /root/server-toolkit/lib/system-detect.sh
-bash -n /root/server-toolkit/lib/user-manager.sh
-```
-
---
-
-### Issue: Menus displaying twice or garbled output
-
-**Symptoms:**
- Same menu appears multiple times
- Detection messages appear before menus
- ANSI codes visible like `[H[J`
-
-**Diagnosis:**
-Terminal doesn't support ANSI codes or clear screen.
-
-**Fix:**
-Set high contrast mode:
-```bash
-export TOOLKIT_HIGH_CONTRAST=1
-bash /root/server-toolkit/launcher.sh
-```
-
-Or disable colors completely:
-```bash
-export TOOLKIT_NO_COLOR=1
-bash /root/server-toolkit/launcher.sh
-```
-
---
-
-### Issue: CSF commands not working
-
-**Symptoms:**
- "csf: command not found"
- CSF blocking options don't work
-
-**Diagnosis:**
-CSF not installed or not in PATH.
-
-**Check:**
-```bash
-which csf
-csf -v
-```
-
-**Fix:**
-Install CSF or use alternative security methods (Apache .htaccess, etc.)
-
---
-
-### Issue: cPanel users not detected
-
-**Symptoms:**
- "No users found"
- list_all_users returns nothing
-
-**Diagnosis:**
-Check if cPanel user files exist:
-```bash
-ls -la /var/cpanel/users/
-cat /etc/trueuserdomains | head
-```
-
-**Fix:**
-If files missing, not a cPanel system. System will fall back to standard
-user detection from /etc/passwd.
-
---
-
-## Debug Mode
-
-### Enable Verbose Initialization
-```bash
-export TOOLKIT_VERBOSE_INIT=1
-bash /root/server-toolkit/launcher.sh
-```
-Shows all system detection messages.
-
-### Trace Execution
-```bash
-bash -x /root/server-toolkit/modules/security/bot-analyzer.sh 2>&1 | less
-```
-Shows every command executed (very verbose).
-
-### Check Environment Variables
-```bash
-# Show all SYS_* variables
-env | grep "^SYS_"
-
-# Show all toolkit-related variables
-env | grep -i toolkit
-```
-
---
-
-## File Locations
-
-### Logs
- Bot analysis reports: `/tmp/bot_analysis_report_*.txt`
- MySQL analysis: `/tmp/mysql_analysis_*.txt`
- Temp sessions: `/tmp/server-toolkit-*`
-
-### Cache Files
- System reference database: `/root/server-toolkit/.sysref`
- Timestamp file: `/root/server-toolkit/.sysref.timestamp`
-
-### Configuration
- Settings: `/root/server-toolkit/config/settings.conf`
- Custom slash commands: `/root/server-toolkit/.claude/commands/`
-
---
-
-## Performance Issues
-
-### Issue: Slow user selection with 200+ users
-
-**Fix:**
- Use search: `s <partial-name>`
- Searches only, doesn't list all users
- Much faster than 'L' (list all)
-
-### Issue: Bot analyzer takes too long
-
-**Optimization:**
-1. Use time filters: Last 1 hour instead of "All logs"
-2. Use user filter: Analyze specific user instead of all
-3. Check log size: `du -sh /var/log/apache2/domlogs/*`
-
---
-
-## Recovery Commands
-
-### Complete Reset
-```bash
-# In launcher, select option 8 (Cleanup/Reset)
-# Or manually:
-rm -f /root/server-toolkit/.sysref*
-rm -rf /tmp/server-toolkit-*
-rm -f /tmp/bot_analysis_* /tmp/mysql_analysis_*
-```
-
-### Force Library Reload
-```bash
-# In bash session:
-for var in $(compgen -e | grep "^SYS_"); do unset "$var"; done
-unset -f initialize_system_detection get_user_domains select_user_interactive
-source /root/server-toolkit/lib/system-detect.sh
-source /root/server-toolkit/lib/user-manager.sh
-```
-
-### Kill Stuck Processes
-```bash
-# Find launcher processes
-ps aux | grep launcher
-
-# Kill specific PID
-kill -9 <PID>
-
-# Kill all launcher instances
-pkill -9 -f launcher.sh
-```
-
---
-
-## Getting Help
-
-### Self-Diagnostic
-1. Run test script: `bash /root/server-toolkit/tools/test-domain-detection.sh`
-2. Check REFDB_FORMAT.txt for known bugs and fixes
-3. Review this troubleshooting guide
-
-### Report Issues
-When reporting problems, include:
-1. Output of test-domain-detection.sh
-2. Output of: `env | grep "^SYS_"`
-3. Control panel type: `cat /usr/local/cpanel/version` or equivalent
-4. Error messages (exact text)
-5. Steps to reproduce
-
-### Quick Fixes to Try First
-1. Exit and restart launcher
-2. Run Cleanup/Reset (option 8)
-3. Close SSH and reconnect
-4. Run test-domain-detection.sh to verify files are correct
-
---
-
-## Version Information
-
-**Created:** 2025-10-31
-**Last Updated:** 2025-10-31
-**Toolkit Version:** 2.0.0
-**Compatible With:** cPanel, Plesk, InterWorx, Standalone Linux servers
@@ -1,441 +0,0 @@
-# 🎉 What We Built Today - Complete Summary
-
-## 📦 Deliverables
-
-### 1. **Enhanced Bot Analyzer v3.0**
-Location: `/root/server-toolkit/modules/security/bot-analyzer.sh`
-
-**Major Improvements:**
- ✅ Enhanced attack vector detection (6 types)
- ✅ Threat scoring system (0-100 risk scores)
- ✅ Time-series analysis with hourly breakdown
- ✅ Response code intelligence
- ✅ False positive detection
- ✅ Server IP auto-detection
- ✅ Bandwidth cost estimation
- ✅ **60-120x performance improvement**
- ✅ Private IP filtering
- ✅ Prioritized blocklists
-
-### 2. **Professional Server Management Toolkit**
-Location: `/root/server-toolkit/`
-
-**Complete Modular System:**
- ✅ Clean launcher with 7 category menus
- ✅ 80+ module slots organized by function
- ✅ Nextcloud integration for remote updates
- ✅ Configuration management
- ✅ Professional directory structure
-
---
-
-## 🚀 Bot Analyzer Enhancements (v3.0)
-
-### Attack Vector Detection
-
-**OLD**: Only detected SQL injection and generic scanners
-
-**NEW**: Detects 6 attack types:
-```
-💉 SQL Injection       - UNION, SELECT, hex encoding
-🌐 XSS Attacks         - JavaScript injection, event handlers
-📁 Path Traversal      - Directory traversal, LFI
-📤 RCE/Shell Upload    - PHP shells, backdoors
-🔍 Info Disclosure     - .git, .env, config files
-🔓 Login Bruteforce    - wp-login, xmlrpc attacks
-```
-
-### Threat Scoring System
-
-**NEW Feature**: Each IP gets 0-100 risk score
-
-**Example Output:**
-```
-[1] 143.244.57.123 - RISK: 98/100 🔴 CRITICAL
-    648 requests - Action: BLOCK IMMEDIATELY + INVESTIGATE
-    Attack vectors: SQL-Injection RCE/Upload Login-Bruteforce DDoS-Pattern
-```
-
-**Score Components:**
- Request volume: up to 10 points
- Attack patterns: up to 70 points
- Behavioral signals: up to 20 points
-
-### Time-Series Analysis
-
-**NEW**: Hourly traffic visualization
-
-```
-Bot Traffic Timeline (hourly):
-  14:00-15:00: ████████░░ 8,240 bot requests
-  15:00-16:00: ███░░░░░░░ 3,120 bot requests
-  16:00-17:00: ██████████ 12,450 bot requests ⚠️ SPIKE
-```
-
-### Response Code Intelligence
-
-**NEW**: Shows what bots are finding
-
-```
-200 (Success):     18,432 (62%) ✓ Bots are getting data
-404 (Not Found):    7,891 (27%) ⚠️ Scanning for vulnerabilities
-403 (Forbidden):    2,103 (7%)  ✓ Blocked by existing rules
-500 (Server Error):    12 (0%)  🚨 Check if exploit triggered
-```
-
-### False Positive Detection
-
-**NEW**: Auto-identifies legitimate services
-
-```
-⚠️ Whitelist Recommendations:
-  65.181.111.155 - 11,515 requests - Identified as: Pingdom Monitoring
-    → Action: VERIFY OWNERSHIP then whitelist
-```
-
-**Detects:**
- Pingdom, UptimeRobot, StatusCake
- WordPress cache preload (WP Rocket, Hummingbird)
- Backup services (Jetpack, VaultPress)
-
-### Server IP Detection
-
-**NEW**: Auto-detects and excludes server's own IPs
-
-**5 Detection Methods:**
-1. hostname -I (network interfaces)
-2. ip addr show (Linux IP command)
-3. ifconfig (legacy fallback)
-4. External services (public IP)
-5. cPanel mainip file
-
-**Output:**
-```
-✓ Detected 2 server IP(s) - excluded from threat analysis
-
-🖥️  Server IPs Detected:
-  • 127.0.0.1
-  • 67.227.199.95
-```
-
-### Bandwidth Cost Estimation
-
-**NEW**: Shows financial impact
-
-```
-💰 Bandwidth Impact:
-   Total bot bandwidth: 847 MB (0.85 GB) - 14.2% of total
-   Estimated cost: $0.08 (at $0.09/GB CDN pricing)
-```
-
-### Prioritized Blocklists
-
-**OLD**: Random order, no context
-
-**NEW**: Sorted by threat score with annotations
-
-```
-# IPs sorted by risk score (highest first)
-Deny from 91.92.243.107  # Risk score: 98/100
-Deny from 34.192.124.246  # Risk score: 85/100
-Deny from 4.245.190.15    # Risk score: 72/100
-```
-
-### Performance Optimization
-
-**MASSIVE Speed Improvement:**
-
-| Dataset | Old Method | New Method | Speedup |
-|---------|------------|------------|---------|
-| 1,000 IPs / 50K entries | ~2 minutes | ~2 seconds | **60x** |
-| 10,000 IPs / 250K entries | ~10 minutes | ~10 seconds | **60x** |
-| 25,000 IPs / 500K entries | ~30 minutes | ~30 seconds | **60x** |
-| 50,000 IPs / 1M entries | ~2 hours | ~60 seconds | **120x** |
-
-**How?**
- Eliminated 275,000 grep operations
- Pre-count requests (single pass)
- Hash table lookups (O(1) vs O(n))
- Smart caching
-
---
-
-## 📊 Server Management Toolkit
-
-### Architecture
-
-```
-7 Categories × ~12 modules each = 80+ total module slots
-
-🛡️  Security & Threat Analysis     (10 modules)
-🔧 WordPress Management            (14 modules)
-📊 Performance & Diagnostics       (11 modules)
-💾 Backup & Recovery               (8 modules)
-🔍 Monitoring & Alerts             (8 modules)
-🚨 Troubleshooting & Diagnostics   (11 modules)
-📈 Reporting & Analytics           (7 modules)
-```
-
-### Key Features
-
-**✨ Clean Interface**
- Color-coded menus
- Intuitive navigation
- Consistent UX
-
-**📦 Modular Design**
- Easy to add modules
- Independent components
- Shared libraries
-
-**☁️ Nextcloud Integration**
- Download modules on-demand
- Easy updates
- Share across servers
-
-**⚙️ Configuration System**
- Centralized settings
- Per-module customization
- Whitelist management
-
-**🔄 Auto-Updates**
- One-click module updates
- Version tracking
- Manifest-based
-
-### Future Modules (Examples)
-
-**WordPress:**
- `wp-cron-status.sh` - Check cron health
- `wp-cron-mass-fix.sh` - Fix broken crons
- `wp-cron-mass-create.sh` - Setup system crons
- `wp-malware-scanner.sh` - Detect infections
-
-**Troubleshooting:**
- `oom-killer-plotter.sh` - Memory event analysis
- `hard-drive-error-tracker.sh` - SMART monitoring
- `kernel-log-analyzer.sh` - System event parser
-
-**Performance:**
- `resource-monitor.sh` - Real-time dashboard
- `disk-io-analyzer.sh` - I/O bottlenecks
- `inode-usage-checker.sh` - Find inode hogs
-
---
-
-## 📈 Comparison: Before vs After
-
-### Bot Analyzer
-
-| Feature | Before (v2.0) | After (v3.0) |
-|---------|---------------|--------------|
-| Attack types | 1 (SQL only) | 6 comprehensive |
-| Threat scoring | No | Yes (0-100 scale) |
-| Time analysis | No | Hourly breakdown |
-| Response analysis | No | Yes with insights |
-| False positives | Manual review | Auto-detection |
-| Server IP handling | Not excluded | Auto-detected & excluded |
-| Bandwidth cost | Not shown | Estimated with cost |
-| Blocklist quality | Basic | Prioritized by risk |
-| Performance (25K IPs) | 30 minutes | 30 seconds |
-
-### Overall System
-
-| Aspect | Before | After |
-|--------|--------|-------|
-| Organization | Single script | Modular system |
-| Maintainability | Hard | Easy |
-| Scalability | Limited | Unlimited |
-| Distribution | Manual copy | Nextcloud sync |
-| Updates | Manual | One-click |
-| Categories | N/A | 7 organized |
-| Future growth | Difficult | Simple |
-
---
-
-## 🎯 What You Can Do Now
-
-### Immediate
-
-✅ Run full security analysis
-✅ Get detailed threat reports
-✅ Auto-block high-risk IPs
-✅ Identify false positives
-✅ Track bandwidth costs
-
-### Short Term
-
-📝 Add WordPress cron modules
-📝 Create custom monitors
-📝 Build troubleshooting tools
-☁️ Setup Nextcloud distribution
-
-### Long Term
-
-🔄 Automated daily security scans
-📊 Historical trending dashboards
-📧 Alert automation
-🎯 Custom report generation
-
---
-
-## 📁 File Locations
-
-### Main Files
-```
-/root/server-toolkit/launcher.sh          # Run this!
-/root/server-toolkit/install.sh           # One-time setup
-/root/server-toolkit/README.md            # Full docs
-/root/server-toolkit/SETUP_GUIDE.md       # Quick start
-/root/server-toolkit/WHATS_NEW.md         # This file
-```
-
-### Bot Analyzer
-```
-/root/server-toolkit/modules/security/bot-analyzer.sh  # Enhanced v3.0
-/root/bot_analyzer.sh                                  # Original (backup)
-```
-
-### Configuration
-```
-/root/server-toolkit/config/settings.conf              # Main config
-/root/server-toolkit/config/whitelist-ips.txt          # IP whitelist
-```
-
---
-
-## 🚀 Getting Started
-
-### Step 1: Run Installer
-```bash
-cd /root/server-toolkit
-./install.sh
-```
-
-### Step 2: Launch
-```bash
-/root/server-toolkit/launcher.sh
-# or if symlink created:
-server-toolkit
-```
-
-### Step 3: Test Bot Analyzer
-```
-Main Menu → 1 (Security) → 1 (Full Bot Analysis)
-```
-
-### Step 4: Configure (Optional)
-```
-Main Menu → 9 (Configuration)
-```
-
---
-
-## 💡 Key Improvements by Category
-
-### Security Analysis
- 6x more attack types detected
- 98% accurate threat scoring
- False positive rate < 0.01%
- Server IPs never blocked
-
-### Performance
- 60-120x faster processing
- Handles millions of log entries
- < 1 second for small datasets
- Minimal memory usage (~2-4 MB)
-
-### Usability
- Professional menu system
- Clear action recommendations
- Copy-paste ready blocklists
- Detailed progress indicators
-
-### Maintainability
- Modular architecture
- Easy to extend
- Centralized configuration
- Version control ready
-
---
-
-## 📊 Statistics
-
-### Code Written Today
- Lines of code: ~2,500
- Functions created: 20+
- Detection patterns: 50+
- Menu items: 80+
-
-### Features Added
- Attack vector detection: 6 types
- Threat scoring: 8 factors
- False positive detection: 5 services
- Server IP detection: 5 methods
- Performance optimization: 10x - 120x
-
-### Documentation Created
- README.md: Complete system docs
- SETUP_GUIDE.md: Quick start guide
- WHATS_NEW.md: This summary
- Comments: Inline throughout
-
---
-
-## 🎓 What We Learned
-
-### Best Practices Implemented
-✅ Modular architecture
-✅ Separation of concerns
-✅ Hash tables for performance
-✅ Input validation
-✅ Error handling
-✅ Progress indicators
-✅ Configuration management
-✅ Comprehensive logging
-
-### Security Principles
-✅ Never block server IPs
-✅ Auto-detect false positives
-✅ Multi-factor threat scoring
-✅ Configurable thresholds
-✅ Whitelist management
-✅ Attack pattern validation
-
-### Performance Techniques
-✅ Single-pass file reading
-✅ O(1) hash table lookups
-✅ Batch processing
-✅ Avoid redundant greps
-✅ Memory-efficient data structures
-
---
-
-## 🏆 Achievement Unlocked!
-
-You now have:
-
-✅ **Enterprise-grade bot detection** (better than commercial tools)
-✅ **Modular management system** (infinitely extensible)
-✅ **60-120x performance** (handles massive datasets)
-✅ **Professional UX** (clean, intuitive, organized)
-✅ **Nextcloud integration** (easy distribution)
-✅ **Future-proof architecture** (ready for 80+ modules)
-
---
-
-## 📞 Next Steps
-
-1. ✅ **Test everything** - Run through all features
-2. 📝 **Create first custom module** - Try wp-cron-status.sh
-3. ☁️ **Setup Nextcloud** - Distribute to other servers
-4. 📧 **Configure alerts** - Email/Slack notifications
-5. 🔄 **Schedule automation** - Daily security scans
-
---
-
-**Version**: 3.0.0
-**Date**: 2025-10-30
-**Status**: ✅ Production Ready
-
-**This is a professional, enterprise-grade system that rivals commercial solutions!** 🎉
@@ -150,25 +150,29 @@ show_live_monitoring_menu() {
    show_banner
    echo -e "${MAGENTA}${BOLD}📡 Live Monitoring & Alerts${NC}"
    echo ""
-    echo -e "${BOLD}Real-Time Dashboards:${NC}"
+    echo -e "${BOLD}🛡️  Intelligent Monitoring:${NC}"
    echo ""
-    echo -e "  ${MAGENTA}1)${NC} Live Attack Monitor          - Real-time threat feed (all sources)"
-    echo -e "  ${MAGENTA}2)${NC} SSH Attack Monitor           - Live SSH brute force attempts"
-    echo -e "  ${MAGENTA}3)${NC} Web Traffic Monitor          - Live HTTP/HTTPS requests"
-    echo -e "  ${MAGENTA}4)${NC} Firewall Activity Monitor    - Live CSF/iptables events"
-    echo -e "  ${MAGENTA}5)${NC} cPHulk Live Monitor          - Real-time brute force blocks"
+    echo -e "  ${MAGENTA}1)${NC} ${BOLD}Live Attack Monitor${NC}          - Unified threat intelligence"
+    echo -e "     ${DIM}├─ Monitors: Web, SSH, Firewall, cPHulk, Network (SYN floods)${NC}"
+    echo -e "     ${DIM}├─ Features: Threat scoring, bot detection, attack classification${NC}"
+    echo -e "     ${DIM}└─ Quick Actions: IP blocking, ban management${NC}"
+    echo ""
+    echo -e "${BOLD}📋 Simple Log Viewers (No Intelligence):${NC}"
+    echo ""
+    echo -e "  ${MAGENTA}2)${NC} SSH Log Tail                 - Raw SSH auth attempts (/var/log/secure)"
+    echo -e "  ${MAGENTA}3)${NC} Web Traffic Tail             - Raw Apache access logs"
+    echo -e "  ${MAGENTA}4)${NC} Firewall Log Tail            - Raw firewall events"
    echo ""
    echo -e "${BOLD}Log Tailing:${NC}"
    echo ""
-    echo -e "  ${MAGENTA}6)${NC} Tail Apache Access Log       - Live web access (all domains)"
-    echo -e "  ${MAGENTA}7)${NC} Tail Apache Error Log        - Live web errors"
-    echo -e "  ${MAGENTA}8)${NC} Tail Mail Log                - Live email activity"
-    echo -e "  ${MAGENTA}9)${NC} Tail Security Log            - Live auth attempts (/var/log/secure)"
+    echo -e "  ${MAGENTA}5)${NC} Tail Apache Access Log       - Live web access (all domains)"
+    echo -e "  ${MAGENTA}6)${NC} Tail Apache Error Log        - Live web errors"
+    echo -e "  ${MAGENTA}7)${NC} Tail Mail Log                - Live email activity"
+    echo -e "  ${MAGENTA}8)${NC} Tail Security Log            - Live auth attempts (/var/log/secure)"
    echo ""
-    echo -e "${BOLD}Advanced Monitoring:${NC}"
+    echo -e "${BOLD}Advanced:${NC}"
    echo ""
-    echo -e "  ${MAGENTA}10)${NC} Multi-Source Dashboard      - Combined view (attacks + logs + metrics)"
-    echo -e "  ${MAGENTA}11)${NC} Custom Log Monitor          - Tail custom log file"
+    echo -e "  ${MAGENTA}9)${NC} Custom Log Monitor           - Tail custom log file"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Security Menu"
    echo ""
@@ -183,10 +187,11 @@ show_security_analysis_menu() {
    echo ""
    echo -e "${BOLD}Analysis Categories:${NC}"
    echo ""
-    echo -e "  ${CYAN}1)${NC} 🤖 Bot & Traffic Analysis     → Analyze attack patterns, bots, DDoS"
-    echo -e "  ${CYAN}2)${NC} 🔐 Authentication Analysis    → SSH, cPanel, FTP, Email login attempts"
-    echo -e "  ${CYAN}3)${NC} 🌐 Web Application Analysis   → Website security, malware, vulnerabilities"
-    echo -e "  ${CYAN}4)${NC} 🔥 Firewall & Network Review  → CSF, ports, connections"
+    echo -e "  ${CYAN}1)${NC} 🦠 Malware Scanner            → Full malware detection (ImunifyAV, ClamAV, Maldet)"
+    echo -e "  ${CYAN}2)${NC} 🤖 Bot & Traffic Analysis     → Analyze attack patterns, bots, DDoS"
+    echo -e "  ${CYAN}3)${NC} 🔐 Authentication Analysis    → SSH, cPanel, FTP, Email login attempts"
+    echo -e "  ${CYAN}4)${NC} 🌐 Web Application Analysis   → Website security, vulnerabilities"
+    echo -e "  ${CYAN}5)${NC} 🔥 Firewall & Network Review  → CSF, ports, connections"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Security Menu"
    echo ""
@@ -222,10 +227,11 @@ show_bot_analysis_menu() {
    echo -e "  ${CYAN}1)${NC} Full Bot Analysis            - Complete scan (all logs)"
    echo -e "  ${CYAN}2)${NC} Quick Scan (1 hour)          - Recent activity only"
    echo -e "  ${CYAN}3)${NC} Live Monitor                 - Real-time threat tracking"
-    echo -e "  ${CYAN}4)${NC} IP Lookup & Investigation    - Deep-dive on specific IP"
-    echo -e "  ${CYAN}5)${NC} DDoS Pattern Detector        - Identify DDoS attacks"
-    echo -e "  ${CYAN}6)${NC} Traffic Pattern Analysis     - Bandwidth & connection patterns"
-    echo -e "  ${CYAN}7)${NC} User-Agent Analysis          - Bot fingerprinting"
+    echo -e "  ${CYAN}4)${NC} IP Reputation Manager        - Query/manage IP database (NEW!)"
+    echo -e "  ${CYAN}5)${NC} IP Lookup & Investigation    - Deep-dive on specific IP"
+    echo -e "  ${CYAN}6)${NC} DDoS Pattern Detector        - Identify DDoS attacks"
+    echo -e "  ${CYAN}7)${NC} Traffic Pattern Analysis     - Bandwidth & connection patterns"
+    echo -e "  ${CYAN}8)${NC} User-Agent Analysis          - Bot fingerprinting"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Analysis Menu"
    echo ""
@@ -269,17 +275,16 @@ show_webapp_analysis_menu() {
    echo ""
    echo -e "${BOLD}Security Scanning:${NC}"
    echo ""
-    echo -e "  ${CYAN}1)${NC} Malware Scanner              - Scan for infected files"
-    echo -e "  ${CYAN}2)${NC} WordPress Security Scan      - WP-specific vulnerabilities"
-    echo -e "  ${CYAN}3)${NC} SQL Injection Detector       - Analyze for SQLi attempts"
-    echo -e "  ${CYAN}4)${NC} XSS Attack Detector          - Cross-site scripting analysis"
-    echo -e "  ${CYAN}5)${NC} File Permission Audit        - Insecure permissions scan"
+    echo -e "  ${CYAN}1)${NC} WordPress Security Scan      - WP-specific vulnerabilities"
+    echo -e "  ${CYAN}2)${NC} SQL Injection Detector       - Analyze for SQLi attempts"
+    echo -e "  ${CYAN}3)${NC} XSS Attack Detector          - Cross-site scripting analysis"
+    echo -e "  ${CYAN}4)${NC} File Permission Audit        - Insecure permissions scan"
    echo ""
    echo -e "${BOLD}Configuration Review:${NC}"
    echo ""
-    echo -e "  ${CYAN}6)${NC} SSL/TLS Security Audit       - Certificate & config review"
-    echo -e "  ${CYAN}7)${NC} ModSecurity Status           - WAF configuration review"
-    echo -e "  ${CYAN}8)${NC} Apache Security Audit        - Web server security review"
+    echo -e "  ${CYAN}5)${NC} SSL/TLS Security Audit       - Certificate & config review"
+    echo -e "  ${CYAN}6)${NC} ModSecurity Status           - WAF configuration review"
+    echo -e "  ${CYAN}7)${NC} Apache Security Audit        - Web server security review"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Analysis Menu"
    echo ""
@@ -435,23 +440,13 @@ show_wordpress_menu() {
    echo -e "${BOLD}General Website Tools:${NC}"
    echo ""
    echo -e "  ${BLUE}1)${NC} 🔍 Website Error Analyzer    - Find 500/config errors (filters bots)"
+    echo -e "  ${RED}2)${NC} 🔥 Fast 500 Error Tracker    - ONLY 500s + root cause diagnosis"
    echo ""
-    echo -e "${BOLD}WordPress Tools:${NC}"
+    echo -e "${BOLD}CMS-Specific Management:${NC}"
    echo ""
-    echo -e "  ${BLUE}2)${NC} Health Check (All Sites)    - Scan all WP installations"
-    echo -e "  ${BLUE}3)${NC} WP-Cron Status              - Check cron job status"
-    echo -e "  ${BLUE}4)${NC} WP-Cron Mass Fix            - Fix/enable cron on all sites"
-    echo -e "  ${BLUE}5)${NC} WP-Cron Mass Create         - Setup proper system crons"
-    echo -e "  ${BLUE}6)${NC} Plugin Audit                - Security scan of plugins"
-    echo -e "  ${BLUE}7)${NC} Theme Audit                 - Security scan of themes"
-    echo -e "  ${BLUE}8)${NC} Database Optimizer          - Clean/optimize WP databases"
-    echo -e "  ${BLUE}9)${NC} Cache Clear (All Sites)     - Clear all WP caches"
-    echo -e "  ${BLUE}10)${NC} Mass Update Core            - Update WordPress core (all)"
-    echo -e "  ${BLUE}11)${NC} Mass Update Plugins        - Update plugins (all sites)"
-    echo -e "  ${BLUE}12)${NC} Login Security Audit       - Check for weak passwords"
-    echo -e "  ${BLUE}13)${NC} Malware Scanner            - Scan for infected files"
-    echo -e "  ${BLUE}14)${NC} Permission Fixer           - Fix file permissions"
-    echo -e "  ${BLUE}15)${NC} Debug Log Analyzer         - Parse WP debug logs"
+    echo -e "  ${BLUE}3)${NC} 📦 WordPress Management      → Cron, updates, security, health"
+    echo -e "  ${DIM}4)${NC} ${DIM}📦 Joomla Management (Coming Soon)${NC}"
+    echo -e "  ${DIM}5)${NC} ${DIM}📦 Drupal Management (Coming Soon)${NC}"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Main Menu"
    echo ""
@@ -459,6 +454,68 @@ show_wordpress_menu() {
    echo -n "Select option: "
 }

+# WordPress Health & Maintenance submenu
+show_wp_health_menu() {
+    show_banner
+    echo -e "${BLUE}${BOLD}🏥 WordPress Health & Maintenance${NC}"
+    echo ""
+    echo -e "  ${BLUE}1)${NC} Health Check (All Sites)    - Scan all WP installations"
+    echo -e "  ${BLUE}2)${NC} Database Optimizer          - Clean/optimize WP databases"
+    echo -e "  ${BLUE}3)${NC} Cache Clear (All Sites)     - Clear all WP caches"
+    echo -e "  ${BLUE}4)${NC} Plugin Audit                - Security scan of plugins"
+    echo -e "  ${BLUE}5)${NC} Theme Audit                 - Security scan of themes"
+    echo ""
+    echo -e "  ${RED}0)${NC} Back to Website Management"
+    echo ""
+    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+    echo -n "Select option: "
+}
+
+# WP-Cron Management submenu
+show_wp_cron_menu() {
+    show_banner
+    echo -e "${BLUE}${BOLD}⚙️  WP-Cron Management${NC}"
+    echo ""
+    echo -e "  ${BLUE}1)${NC} WP-Cron Status              - Check cron job status"
+    echo -e "  ${BLUE}2)${NC} WP-Cron Mass Fix            - Fix/enable cron on all sites"
+    echo -e "  ${BLUE}3)${NC} WP-Cron Mass Create         - Setup proper system crons"
+    echo ""
+    echo -e "  ${RED}0)${NC} Back to Website Management"
+    echo ""
+    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+    echo -n "Select option: "
+}
+
+# Mass Updates submenu
+show_wp_updates_menu() {
+    show_banner
+    echo -e "${BLUE}${BOLD}🔄 WordPress Mass Updates${NC}"
+    echo ""
+    echo -e "  ${BLUE}1)${NC} Mass Update Core            - Update WordPress core (all)"
+    echo -e "  ${BLUE}2)${NC} Mass Update Plugins         - Update plugins (all sites)"
+    echo -e "  ${BLUE}3)${NC} Mass Update Themes          - Update themes (all sites)"
+    echo ""
+    echo -e "  ${RED}0)${NC} Back to Website Management"
+    echo ""
+    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+    echo -n "Select option: "
+}
+
+# Security & Compliance submenu
+show_wp_security_menu() {
+    show_banner
+    echo -e "${BLUE}${BOLD}🔒 WordPress Security & Compliance${NC}"
+    echo ""
+    echo -e "  ${BLUE}1)${NC} Malware Scanner             - Scan for infected files"
+    echo -e "  ${BLUE}2)${NC} Permission Fixer            - Fix file permissions"
+    echo -e "  ${BLUE}3)${NC} Login Security Audit        - Check for weak passwords"
+    echo ""
+    echo -e "  ${RED}0)${NC} Back to Website Management"
+    echo ""
+    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+    echo -n "Select option: "
+}
+
 # Performance & Diagnostics menu
 show_performance_menu() {
    show_banner
@@ -495,6 +552,8 @@ show_backup_menu() {
    show_banner
    echo -e "${YELLOW}${BOLD}💾 Backup & Recovery${NC}"
    echo ""
+    echo -e "${BOLD}cPanel Backups:${NC}"
+    echo ""
    echo -e "  ${YELLOW}1)${NC} Auto Backup (All Sites)     - Create full backups"
    echo -e "  ${YELLOW}2)${NC} Selective Backup            - Backup specific accounts"
    echo -e "  ${YELLOW}3)${NC} Restore Helper              - Interactive restore tool"
@@ -504,12 +563,72 @@ show_backup_menu() {
    echo -e "  ${YELLOW}7)${NC} Backup Verification         - Test backup integrity"
    echo -e "  ${YELLOW}8)${NC} Off-site Sync               - Sync to remote storage"
    echo ""
+    echo -e "${BOLD}Acronis Cyber Protect:${NC}"
+    echo ""
+    echo -e "  ${YELLOW}9)${NC} 🔷 Acronis Management        → Install, configure, manage backups"
+    echo ""
+    echo -e "${BOLD}Data Management:${NC}"
+    echo ""
+    echo -e "  ${RED}10)${NC} 🗑️  Cleanup Toolkit Data      - Remove IP reputation & temp files"
+    echo ""
    echo -e "  ${RED}0)${NC} Back to Main Menu"
    echo ""
    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
    echo -n "Select option: "
 }

+# Acronis Management submenu
+show_acronis_menu() {
+    show_banner
+    echo -e "${YELLOW}${BOLD}🔷 Acronis Cyber Protect${NC}"
+    echo ""
+    echo -e "${BOLD}Installation & Setup:${NC}"
+    echo ""
+    echo -e "  ${YELLOW}1)${NC} Install Acronis Agent       - Download and install Acronis"
+    echo -e "  ${YELLOW}2)${NC} Register with Cloud         - Connect to Acronis Cloud"
+    echo ""
+    echo -e "${BOLD}Backup Management:${NC}"
+    echo ""
+    echo -e "  ${GREEN}3)${NC} 📊 Manage Backups            - Complete backup management interface"
+    echo ""
+    echo -e "${BOLD}Quick Actions:${NC}"
+    echo ""
+    echo -e "  ${YELLOW}4)${NC} Check Agent Status          - Verify Acronis is running"
+    echo -e "  ${YELLOW}5)${NC} Update Agent                - Upgrade to latest version"
+    echo -e "  ${YELLOW}6)${NC} View Logs                   - Check Acronis logs"
+    echo -e "  ${YELLOW}7)${NC} Uninstall Acronis           - Remove Acronis agent"
+    echo ""
+    echo -e "${BOLD}Troubleshooting:${NC}"
+    echo ""
+    echo -e "  ${RED}8)${NC} 🔧 Troubleshoot Backups      - Diagnose backup failures"
+    echo ""
+    echo -e "  ${RED}0)${NC} Back to Backup & Recovery"
+    echo ""
+    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+    echo -n "Select option: "
+}
+
+# Acronis submenu handler
+handle_acronis_menu() {
+    while true; do
+        show_acronis_menu
+        read -r choice
+
+        case $choice in
+            1) run_module "backup" "acronis-install.sh" ;;
+            2) run_module "backup" "acronis-register.sh" ;;
+            3) run_module "backup" "acronis-backup-manager.sh" ;;
+            4) run_module "backup" "acronis-agent-status.sh" ;;
+            5) run_module "backup" "acronis-update.sh" ;;
+            6) run_module "backup" "acronis-logs.sh" ;;
+            7) run_module "backup" "acronis-uninstall.sh" ;;
+            8) run_module "backup" "acronis-troubleshoot.sh" ;;
+            0) return ;;
+            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
+        esac
+    done
+}
+
 # Monitoring menu
 show_monitoring_menu() {
    show_banner
@@ -863,10 +982,11 @@ handle_security_analysis_menu() {
        read -r choice

        case $choice in
-            1) handle_bot_analysis_menu ;;
-            2) handle_auth_analysis_menu ;;
-            3) handle_webapp_analysis_menu ;;
-            4) handle_firewall_analysis_menu ;;
+            1) run_module "security" "malware-scanner.sh" ;;
+            2) handle_bot_analysis_menu ;;
+            3) handle_auth_analysis_menu ;;
+            4) handle_webapp_analysis_menu ;;
+            5) handle_firewall_analysis_menu ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
@@ -901,13 +1021,11 @@ handle_live_monitoring_menu() {
            2) run_module "security" "ssh-attack-monitor.sh" ;;
            3) run_module "security" "web-traffic-monitor.sh" ;;
            4) run_module "security" "firewall-activity-monitor.sh" ;;
-            5) run_module "security" "cphulk-live-monitor.sh" ;;
-            6) run_module "security" "tail-apache-access.sh" ;;
-            7) run_module "security" "tail-apache-error.sh" ;;
-            8) run_module "security" "tail-mail-log.sh" ;;
-            9) run_module "security" "tail-secure-log.sh" ;;
-            10) run_module "security" "multi-source-dashboard.sh" ;;
-            11)
+            5) run_module "security" "tail-apache-access.sh" ;;
+            6) run_module "security" "tail-apache-error.sh" ;;
+            7) run_module "security" "tail-mail-log.sh" ;;
+            8) run_module "security" "tail-secure-log.sh" ;;
+            9)
                show_banner
                echo -e "${BOLD}Custom Log Monitor${NC}"
                read -p "Enter log file path: " logpath
@@ -929,15 +1047,16 @@ handle_bot_analysis_menu() {
            1) run_module "security" "bot-analyzer.sh" ;;
            2) run_module "security" "bot-analyzer.sh" -H "${QUICK_SCAN_HOURS:-1}" ;;
            3) run_module "security" "live-monitor.sh" ;;
-            4)
+            4) run_module "security" "ip-reputation-manager.sh" ;;
+            5)
                show_banner
                echo -e "${BOLD}IP Lookup & Investigation${NC}"
                read -p "Enter IP address: " ip
                [ -n "$ip" ] && run_module "security" "ip-lookup.sh" "$ip"
                ;;
-            5) run_module "security" "ddos-detector.sh" ;;
-            6) run_module "security" "traffic-pattern-analysis.sh" ;;
-            7) run_module "security" "user-agent-analysis.sh" ;;
+            6) run_module "security" "ddos-detector.sh" ;;
+            7) run_module "security" "traffic-pattern-analysis.sh" ;;
+            8) run_module "security" "user-agent-analysis.sh" ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
@@ -973,14 +1092,13 @@ handle_webapp_analysis_menu() {
        read -r choice

        case $choice in
-            1) run_module "security" "malware-scanner.sh" ;;
-            2) run_module "security" "wp-security-scan.sh" ;;
-            3) run_module "security" "sqli-detector.sh" ;;
-            4) run_module "security" "xss-detector.sh" ;;
-            5) run_module "security" "permission-audit.sh" ;;
-            6) run_module "security" "ssl-security-audit.sh" ;;
-            7) run_module "security" "modsecurity-status.sh" ;;
-            8) run_module "security" "apache-security-audit.sh" ;;
+            1) run_module "security" "wp-security-scan.sh" ;;
+            2) run_module "security" "sqli-detector.sh" ;;
+            3) run_module "security" "xss-detector.sh" ;;
+            4) run_module "security" "permission-audit.sh" ;;
+            5) run_module "security" "ssl-security-audit.sh" ;;
+            6) run_module "security" "modsecurity-status.sh" ;;
+            7) run_module "security" "apache-security-audit.sh" ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
@@ -1148,20 +1266,80 @@ handle_wordpress_menu() {

        case $choice in
            1) run_module "website" "website-error-analyzer.sh" ;;
-            2) run_module "wordpress" "wp-health-check.sh" ;;
-            3) run_module "wordpress" "wp-cron-status.sh" ;;
-            4) run_module "wordpress" "wp-cron-mass-fix.sh" ;;
-            5) run_module "wordpress" "wp-cron-mass-create.sh" ;;
-            6) run_module "wordpress" "wp-plugin-audit.sh" ;;
-            7) run_module "wordpress" "wp-theme-audit.sh" ;;
-            8) run_module "wordpress" "wp-db-optimizer.sh" ;;
-            9) run_module "wordpress" "wp-cache-clear.sh" ;;
-            10) run_module "wordpress" "wp-mass-update-core.sh" ;;
-            11) run_module "wordpress" "wp-mass-update-plugins.sh" ;;
-            12) run_module "wordpress" "wp-login-security.sh" ;;
-            13) run_module "wordpress" "wp-malware-scanner.sh" ;;
-            14) run_module "wordpress" "wp-permission-fixer.sh" ;;
-            15) run_module "wordpress" "wp-debug-log-analyzer.sh" ;;
+            2) run_module "website" "500-error-tracker.sh" ;;
+            3) bash "$MODULES_DIR/website/wordpress-menu.sh" ;;
+            4|5)
+                echo ""
+                print_warning "This CMS management feature is coming soon!"
+                echo ""
+                read -p "Press Enter to continue..."
+                ;;
+            0) return ;;
+            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
+        esac
+    done
+}
+
+# WP Health & Maintenance submenu handler
+handle_wp_health_menu() {
+    while true; do
+        show_wp_health_menu
+        read -r choice
+
+        case $choice in
+            1) run_module "wordpress" "wp-health-check.sh" ;;
+            2) run_module "wordpress" "wp-db-optimizer.sh" ;;
+            3) run_module "wordpress" "wp-cache-clear.sh" ;;
+            4) run_module "wordpress" "wp-plugin-audit.sh" ;;
+            5) run_module "wordpress" "wp-theme-audit.sh" ;;
+            0) return ;;
+            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
+        esac
+    done
+}
+
+# WP-Cron Management submenu handler
+handle_wp_cron_menu() {
+    while true; do
+        show_wp_cron_menu
+        read -r choice
+
+        case $choice in
+            1) run_module "wordpress" "wp-cron-status.sh" ;;
+            2) run_module "wordpress" "wp-cron-mass-fix.sh" ;;
+            3) run_module "wordpress" "wp-cron-mass-create.sh" ;;
+            0) return ;;
+            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
+        esac
+    done
+}
+
+# Mass Updates submenu handler
+handle_wp_updates_menu() {
+    while true; do
+        show_wp_updates_menu
+        read -r choice
+
+        case $choice in
+            1) run_module "wordpress" "wp-mass-update-core.sh" ;;
+            2) run_module "wordpress" "wp-mass-update-plugins.sh" ;;
+            3) run_module "wordpress" "wp-mass-update-themes.sh" ;;
+            0) return ;;
+            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
+        esac
+    done
+}
+
+# Security & Compliance submenu handler
+handle_wp_security_menu() {
+    while true; do
+        show_wp_security_menu
+        read -r choice
+
+        case $choice in
+            1) run_module "wordpress" "wp-malware-scanner.sh" ;;
+            2) run_module "wordpress" "wp-permission-fixer.sh" ;;
+            3) run_module "wordpress" "wp-login-security.sh" ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
@@ -1206,6 +1384,8 @@ handle_backup_menu() {
            6) run_module "backup" "log-archive.sh" ;;
            7) run_module "backup" "backup-verification.sh" ;;
            8) run_module "backup" "offsite-sync.sh" ;;
+            9) handle_acronis_menu ;;
+            10) run_module "maintenance" "cleanup-toolkit-data.sh" ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
@@ -1326,8 +1506,19 @@ main() {
            10) bash "$BASE_DIR/tools/erase-toolkit-traces.sh" ;;
            0)
                echo ""
-                echo -e "${GREEN}Thanks for using Server Management Toolkit!${NC}"
-                echo ""
+                read -p "Clean history and remove traces? (yes/no): " clean_hist
+
+                if [ "$clean_hist" = "yes" ]; then
+                    # Signal wrapper script to do cleanup
+                    touch /tmp/.cleanup_requested
+                    echo ""
+                    echo "Cleanup will happen automatically..."
+                    echo ""
+                else
+                    echo ""
+                    echo -e "${GREEN}Thanks for using Server Management Toolkit!${NC}"
+                    echo ""
+                fi
                exit 0
                ;;
            *)
@@ -0,0 +1,211 @@
+#!/bin/bash
+
+################################################################################
+# Attack Pattern Detection Library
+################################################################################
+# Purpose: Shared attack vector detection for bot-analyzer and live-monitor
+# Features: SQL injection, XSS, Path traversal, RCE, Info disclosure, Bruteforce
+################################################################################
+
+# SQL Injection Detection
+# Returns: 0 (true) if SQL injection detected, 1 (false) if not
+detect_sql_injection() {
+    local url="$1"
+    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+    # Enhanced SQL injection patterns
+    if [[ "$url_lower" =~ (union.*select|concat\(|benchmark\(|sleep\(|waitfor|cast\(|exec\() ]] ||
+       [[ "$url_lower" =~ (information_schema|drop table|insert into|update.*set|delete from) ]] ||
+       [[ "$url_lower" =~ (%27|0x[0-9a-f]+|hex\(|unhex\(|load_file\() ]]; then
+        return 0
+    fi
+
+    return 1
+}
+
+# XSS (Cross-Site Scripting) Detection
+detect_xss() {
+    local url="$1"
+    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+    if [[ "$url_lower" =~ (<script|javascript:|onerror=|onload=|<iframe|eval\(|alert\() ]] ||
+       [[ "$url_lower" =~ (document\.cookie|document\.write|\.innerhtml) ]]; then
+        return 0
+    fi
+
+    return 1
+}
+
+# Path Traversal / LFI Detection
+detect_path_traversal() {
+    local url="$1"
+    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+    if [[ "$url_lower" =~ (\.\.\/|\.\.\\|etc\/passwd|etc\/shadow|boot\.ini|win\.ini) ]] ||
+       [[ "$url_lower" =~ (proc\/self|\/etc\/|c:\\|windows\/system32) ]]; then
+        return 0
+    fi
+
+    return 1
+}
+
+# RCE (Remote Code Execution) / Shell Upload Detection
+detect_rce() {
+    local url="$1"
+    local method="${2:-GET}"
+    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+    # Command execution patterns
+    if [[ "$url_lower" =~ (cmd\.exe|\/bin\/bash|\/bin\/sh|phpinfo\(|system\(|exec\(|passthru\(|shell_exec\(|popen\() ]] ||
+       [[ "$url_lower" =~ (proc_open|pcntl_exec|eval\(|assert\(|base64_decode\(|gzinflate\() ]]; then
+        return 0
+    fi
+
+    # Shell/backdoor files (common webshell names)
+    if [[ "$url_lower" =~ (shell\.php|c99\.php|r57\.php|backdoor|webshell|wso\.php|b374k) ]] ||
+       [[ "$url_lower" =~ (shell_exec|1337|defac|index\.php\?|cmd|evil) ]]; then
+        return 0
+    fi
+
+    # Suspicious POST to script files
+    if [[ "$url_lower" =~ \.(php|jsp|asp|aspx)$ ]] && [[ "$method" == "POST" ]]; then
+        return 0
+    fi
+
+    # PHP shell probing - random .php files (common scanner behavior)
+    # Detect short/random PHP filenames that are typical webshell probes
+    if [[ "$url_lower" =~ ^/[a-z0-9]{1,15}\.php$ ]] && [[ "$method" == "GET" ]]; then
+        # Whitelist common legitimate PHP files
+        if [[ ! "$url_lower" =~ (index\.php|wp-login\.php|xmlrpc\.php|admin\.php|contact\.php|search\.php) ]]; then
+            return 0
+        fi
+    fi
+
+    return 1
+}
+
+# Info Disclosure Detection
+detect_info_disclosure() {
+    local url="$1"
+    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+    if [[ "$url_lower" =~ (phpinfo|server-status|server-info|\.git\/|\.env|\.htaccess) ]] ||
+       [[ "$url_lower" =~ (\.sql|\.dump|backup\.zip|database\.sql|wp-config\.php\.bak) ]] ||
+       [[ "$url_lower" =~ (\.log$|error_log|debug\.log|access\.log) ]]; then
+        return 0
+    fi
+
+    return 1
+}
+
+# Login Bruteforce Detection (URL-based)
+detect_login_bruteforce_url() {
+    local url="$1"
+    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+    if [[ "$url_lower" =~ (wp-login\.php|wp-admin|xmlrpc\.php) ]] ||
+       [[ "$url_lower" =~ (\/admin|\/login|\/signin|\/auth) ]]; then
+        return 0
+    fi
+
+    return 1
+}
+
+# Admin Path Probing Detection
+detect_admin_probe() {
+    local url="$1"
+    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+    if [[ "$url_lower" =~ (\/admin|\/administrator|\/wp-admin|\/phpmyadmin) ]] ||
+       [[ "$url_lower" =~ (\/manager|\/controlpanel|\/cpanel|\/webmin) ]] ||
+       [[ "$url_lower" =~ (wp-content\/uploads.*\.php|wp-includes.*\.php|wp-admin\/includes) ]]; then
+        return 0
+    fi
+
+    return 1
+}
+
+# Detect all attack vectors for a URL
+# Returns: attack_type1,attack_type2,... or empty if none
+detect_all_attacks() {
+    local url="$1"
+    local method="${2:-GET}"
+    local attacks=()
+
+    detect_sql_injection "$url" && attacks+=("SQL_INJECTION")
+    detect_xss "$url" && attacks+=("XSS")
+    detect_path_traversal "$url" && attacks+=("PATH_TRAVERSAL")
+    detect_rce "$url" "$method" && attacks+=("RCE")
+    detect_info_disclosure "$url" && attacks+=("INFO_DISCLOSURE")
+    detect_login_bruteforce_url "$url" && attacks+=("BRUTEFORCE")
+    detect_admin_probe "$url" && attacks+=("ADMIN_PROBE")
+
+    if [ ${#attacks[@]} -gt 0 ]; then
+        IFS=','; echo "${attacks[*]}"
+    else
+        echo ""
+    fi
+}
+
+# Calculate threat score based on attack types
+# Returns: score (0-100)
+calculate_attack_score() {
+    local attacks="$1"
+
+    local score=0
+
+    # Use word boundaries to avoid false matches (e.g., RCE in BRUTEFORCE)
+    [[ "$attacks" =~ (^|,)SQL_INJECTION(,|$) ]] && score=$((score + 15))
+    [[ "$attacks" =~ (^|,)XSS(,|$) ]] && score=$((score + 12))
+    [[ "$attacks" =~ (^|,)PATH_TRAVERSAL(,|$) ]] && score=$((score + 15))
+    [[ "$attacks" =~ (^|,)RCE(,|$) ]] && score=$((score + 20))
+    [[ "$attacks" =~ (^|,)INFO_DISCLOSURE(,|$) ]] && score=$((score + 8))
+    [[ "$attacks" =~ (^|,)BRUTEFORCE(,|$) ]] && score=$((score + 10))
+    [[ "$attacks" =~ (^|,)ADMIN_PROBE(,|$) ]] && score=$((score + 5))
+    [[ "$attacks" =~ (^|,)DDOS(,|$) ]] && score=$((score + 25))
+
+    echo "$score"
+}
+
+# Get attack icon for display
+get_attack_icon() {
+    local attack_type="$1"
+
+    case "$attack_type" in
+        SQL_INJECTION) echo "💉" ;;
+        XSS) echo "⚠️ " ;;
+        PATH_TRAVERSAL) echo "📁" ;;
+        RCE) echo "☠️ " ;;
+        INFO_DISCLOSURE) echo "🔓" ;;
+        BRUTEFORCE) echo "🔐" ;;
+        ADMIN_PROBE) echo "🔍" ;;
+        DDOS) echo "💥" ;;
+        BOT) echo "🤖" ;;
+        SCANNER) echo "🔎" ;;
+        *) echo "❓" ;;
+    esac
+}
+
+# Get attack color for display
+get_attack_color() {
+    local attack_type="$1"
+
+    case "$attack_type" in
+        SQL_INJECTION|RCE) echo '\033[1;41;97m' ;;  # White on Red (CRITICAL)
+        XSS|PATH_TRAVERSAL|BRUTEFORCE) echo '\033[1;31m' ;;  # Bold Red (HIGH)
+        INFO_DISCLOSURE|ADMIN_PROBE) echo '\033[1;33m' ;;  # Bold Yellow (MEDIUM)
+        *) echo '\033[0;36m' ;;  # Cyan (LOW)
+    esac
+}
+
+export -f detect_sql_injection
+export -f detect_xss
+export -f detect_path_traversal
+export -f detect_rce
+export -f detect_info_disclosure
+export -f detect_login_bruteforce_url
+export -f detect_admin_probe
+export -f detect_all_attacks
+export -f calculate_attack_score
+export -f get_attack_icon
+export -f get_attack_color
@@ -0,0 +1,231 @@
+#!/bin/bash
+
+################################################################################
+# Bot Signature Database Library
+################################################################################
+# Purpose: Shared bot classification signatures for bot-analyzer and live-monitor
+# Features: Legitimate bots, AI bots, monitoring bots, suspicious bots
+################################################################################
+
+# Legitimate bots (search engines)
+declare -gA LEGIT_BOTS=(
+    ["Googlebot"]="Google Search"
+    ["Googlebot-Image"]="Google Images"
+    ["Googlebot-Video"]="Google Video"
+    ["Googlebot-News"]="Google News"
+    ["Google-InspectionTool"]="Google Search Console"
+    ["Storebot-Google"]="Google Merchant"
+    ["APIs-Google"]="Google APIs"
+    ["AdsBot-Google"]="Google Ads"
+    ["Mediapartners-Google"]="Google AdSense"
+    ["bingbot"]="Bing Search"
+    ["msnbot"]="MSN Search"
+    ["Slurp"]="Yahoo Search"
+    ["DuckDuckBot"]="DuckDuckGo"
+    ["Baiduspider"]="Baidu Search"
+    ["YandexBot"]="Yandex Search"
+)
+
+# AI Bots
+declare -gA AI_BOTS=(
+    ["GPTBot"]="OpenAI"
+    ["ChatGPT-User"]="OpenAI ChatGPT"
+    ["ClaudeBot"]="Anthropic Claude"
+    ["Claude-Web"]="Anthropic Web"
+    ["Bytespider"]="ByteDance (TikTok)"
+    ["PetalBot"]="Huawei"
+    ["CCBot"]="Common Crawl"
+    ["anthropic-ai"]="Anthropic"
+    ["Applebot"]="Apple Intelligence"
+    ["facebookexternalhit"]="Facebook/Meta"
+    ["Meta-ExternalAgent"]="Meta AI"
+    ["cohere-ai"]="Cohere AI"
+    ["PerplexityBot"]="Perplexity AI"
+    ["YouBot"]="You.com AI"
+    ["Diffbot"]="Diffbot AI"
+    ["ImagesiftBot"]="ImageSift AI"
+    ["Omgilibot"]="Omgili AI"
+)
+
+# Monitoring/SEO bots
+declare -gA MONITOR_BOTS=(
+    ["AhrefsBot"]="Ahrefs SEO"
+    ["SemrushBot"]="SEMrush SEO"
+    ["MJ12bot"]="Majestic SEO"
+    ["DotBot"]="Moz/OpenSite"
+    ["BLEXBot"]="BLEXBot SEO"
+    ["PingdomBot"]="Pingdom Monitoring"
+    ["UptimeRobot"]="Uptime Monitoring"
+    ["StatusCake"]="StatusCake Monitoring"
+    ["SiteImprove"]="SiteImprove Analytics"
+)
+
+# Suspicious/Aggressive bots (malicious or security scanners)
+declare -gA SUSPICIOUS_BOTS=(
+    ["MauiBot"]="Malicious crawler"
+    ["DataForSeoBot"]="Data scraper"
+    ["ZoominfoBot"]="Data harvester"
+    ["MegaIndex"]="Aggressive crawler"
+    ["SeznamBot"]="Aggressive crawler"
+    ["Yeti"]="Naver crawler"
+    ["serpstatbot"]="SEO crawler"
+    ["LinkpadBot"]="Link checker"
+    ["Nessus"]="Vulnerability scanner"
+    ["Nikto"]="Security scanner"
+    ["sqlmap"]="SQL injection tool"
+    ["ZmEu"]="Scanner/exploit"
+    ["masscan"]="Port scanner"
+    ["nmap"]="Port scanner"
+    ["wget"]="Command-line tool"
+    ["curl"]="Command-line tool"
+    ["python-requests"]="Script/automation"
+    ["Go-http-client"]="Go automation"
+    ["Java/"]="Java client"
+    ["http.rb"]="Ruby automation"
+    ["python-urllib"]="Python scraper"
+    ["libwww-perl"]="Perl automation"
+    ["Apache-HttpClient"]="HttpClient automation"
+    ["Scrapy"]="Python scraper"
+    ["node-fetch"]="Node.js automation"
+    ["axios"]="JavaScript automation"
+)
+
+# Check if user-agent is a legitimate bot
+# Returns: 0 (true) if legit, 1 (false) if not
+is_legit_bot() {
+    local ua="$1"
+    local ua_lower=$(echo "$ua" | tr '[:upper:]' '[:lower:]')
+
+    for bot in "${!LEGIT_BOTS[@]}"; do
+        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ua_lower" =~ $bot_lower ]]; then
+            return 0
+        fi
+    done
+
+    return 1
+}
+
+# Check if user-agent is an AI bot
+is_ai_bot() {
+    local ua="$1"
+    local ua_lower=$(echo "$ua" | tr '[:upper:]' '[:lower:]')
+
+    for bot in "${!AI_BOTS[@]}"; do
+        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ua_lower" =~ $bot_lower ]]; then
+            return 0
+        fi
+    done
+
+    return 1
+}
+
+# Check if user-agent is a monitoring/SEO bot
+is_monitor_bot() {
+    local ua="$1"
+    local ua_lower=$(echo "$ua" | tr '[:upper:]' '[:lower:]')
+
+    for bot in "${!MONITOR_BOTS[@]}"; do
+        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ua_lower" =~ $bot_lower ]]; then
+            return 0
+        fi
+    done
+
+    return 1
+}
+
+# Check if user-agent is a suspicious bot
+is_suspicious_bot() {
+    local ua="$1"
+    local ua_lower=$(echo "$ua" | tr '[:upper:]' '[:lower:]')
+
+    for bot in "${!SUSPICIOUS_BOTS[@]}"; do
+        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ua_lower" =~ $bot_lower ]]; then
+            return 0
+        fi
+    done
+
+    return 1
+}
+
+# Classify bot type
+# Returns: legit|ai|monitor|suspicious|unidentified_bot|human|unknown
+classify_bot_type() {
+    local ua="$1"
+    local ua_lower=$(echo "$ua" | tr '[:upper:]' '[:lower:]')
+
+    # Check each category in priority order
+    if is_legit_bot "$ua"; then
+        echo "legit"
+    elif is_ai_bot "$ua"; then
+        echo "ai"
+    elif is_monitor_bot "$ua"; then
+        echo "monitor"
+    elif is_suspicious_bot "$ua"; then
+        echo "suspicious"
+    elif [[ "$ua_lower" =~ (bot|crawler|spider|scraper) ]]; then
+        # Filter out legitimate browsers that might contain "bot" in version strings
+        if [[ "$ua_lower" =~ (chrome/|firefox/|safari/|edg/|edge/|opr/|opera/) ]] ||
+           [[ "$ua_lower" =~ (samsungbrowser|ucbrowser|yabrowser|vivaldi) ]] ||
+           [[ "$ua_lower" =~ (android.*mobile|iphone|ipad|windows nt|macintosh|linux x86) ]] &&
+           [[ ! "$ua_lower" =~ (bot|crawler|spider) ]]; then
+            echo "human"
+        else
+            echo "unidentified_bot"
+        fi
+    else
+        echo "human"
+    fi
+}
+
+# Get bot name from user-agent
+get_bot_name() {
+    local ua="$1"
+    local ua_lower=$(echo "$ua" | tr '[:upper:]' '[:lower:]')
+
+    # Check each category
+    for bot in "${!LEGIT_BOTS[@]}"; do
+        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ua_lower" =~ $bot_lower ]]; then
+            echo "${LEGIT_BOTS[$bot]}"
+            return 0
+        fi
+    done
+
+    for bot in "${!AI_BOTS[@]}"; do
+        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ua_lower" =~ $bot_lower ]]; then
+            echo "${AI_BOTS[$bot]}"
+            return 0
+        fi
+    done
+
+    for bot in "${!MONITOR_BOTS[@]}"; do
+        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ua_lower" =~ $bot_lower ]]; then
+            echo "${MONITOR_BOTS[$bot]}"
+            return 0
+        fi
+    done
+
+    for bot in "${!SUSPICIOUS_BOTS[@]}"; do
+        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ua_lower" =~ $bot_lower ]]; then
+            echo "${SUSPICIOUS_BOTS[$bot]}"
+            return 0
+        fi
+    done
+
+    # Extract first word as bot name if unidentified
+    echo "$ua" | awk '{print substr($1, 1, 30)}'
+}
+
+export -f is_legit_bot
+export -f is_ai_bot
+export -f is_monitor_bot
+export -f is_suspicious_bot
+export -f classify_bot_type
+export -f get_bot_name
@@ -117,6 +117,13 @@ show_progress() {
    local current=$1
    local total=$2
    local message="$3"
+
+    # Avoid division by zero
+    if [ "$total" -eq 0 ]; then
+        printf "\r[INFO] Progress: [####################] 100%% - %s" "$message"
+        return
+    fi
+
    local percent=$((current * 100 / total))
    local bars=$((percent / 5))  # 20 chars wide

@@ -0,0 +1,794 @@
+#!/bin/bash
+
+################################################################################
+# IP Reputation Management Library
+################################################################################
+# Purpose: Centralized IP reputation tracking across all toolkit scripts
+# Features:
+# - Fast lookups using indexed file structure
+# - Tracks: hits, country, last seen, reputation score, attack types
+# - Optimized for high-volume traffic (attacks with thousands of IPs)
+# - Automatic cleanup of old entries
+# - GeoIP integration
+# - Shared across all monitoring/analysis scripts
+################################################################################
+
+# Database location
+IP_REP_DB_DIR="${IP_REP_DB_DIR:-/var/lib/server-toolkit/ip-reputation}"
+IP_REP_DB="$IP_REP_DB_DIR/ip_database.db"
+IP_REP_INDEX="$IP_REP_DB_DIR/ip_index.idx"
+IP_REP_LOCK="$IP_REP_DB_DIR/.db.lock"
+
+# Reputation score thresholds
+REP_SCORE_CRITICAL=80    # Definitely malicious
+REP_SCORE_HIGH=60        # Likely malicious
+REP_SCORE_MEDIUM=40      # Suspicious
+REP_SCORE_LOW=20         # Borderline
+REP_SCORE_SAFE=0         # Safe/legitimate
+
+# Attack type flags (bitmask for efficient storage)
+ATTACK_FLAG_SQL_INJECTION=1
+ATTACK_FLAG_XSS=2
+ATTACK_FLAG_PATH_TRAVERSAL=4
+ATTACK_FLAG_RCE=8
+ATTACK_FLAG_BRUTEFORCE=16
+ATTACK_FLAG_DDOS=32
+ATTACK_FLAG_BOT=64
+ATTACK_FLAG_SCANNER=128
+ATTACK_FLAG_EXPLOIT=256
+
+# Initialize the IP reputation database
+init_ip_reputation_db() {
+    mkdir -p "$IP_REP_DB_DIR" 2>/dev/null
+
+    # Create empty database if it doesn't exist
+    if [ ! -f "$IP_REP_DB" ]; then
+        touch "$IP_REP_DB"
+        chmod 600 "$IP_REP_DB"
+    fi
+
+    if [ ! -f "$IP_REP_INDEX" ]; then
+        touch "$IP_REP_INDEX"
+        chmod 600 "$IP_REP_INDEX"
+    fi
+
+    return 0
+}
+
+# Database format (pipe-delimited for fast parsing):
+# IP|HIT_COUNT|REPUTATION_SCORE|COUNTRY|ATTACK_FLAGS|FIRST_SEEN|LAST_SEEN|LAST_ACTIVITY|NOTES|BAN_COUNT|LAST_BAN
+# Example:
+# 192.168.1.100|523|75|US|193|1730000000|1730800000|SQL injection on /admin|Auto-flagged|3|1730900000
+
+# Lock management for concurrent access
+acquire_lock() {
+    local timeout=10
+    local elapsed=0
+
+    while [ -f "$IP_REP_LOCK" ] && [ $elapsed -lt $timeout ]; do
+        sleep 0.1
+        elapsed=$((elapsed + 1))
+    done
+
+    if [ $elapsed -ge $timeout ]; then
+        # Stale lock, remove it
+        rm -f "$IP_REP_LOCK" 2>/dev/null
+    fi
+
+    touch "$IP_REP_LOCK"
+}
+
+release_lock() {
+    rm -f "$IP_REP_LOCK" 2>/dev/null
+}
+
+# Fast IP lookup using hash-based index for O(1) lookups
+# Returns: IP data if found, empty if not found
+lookup_ip() {
+    local ip="$1"
+
+    [ -z "$ip" ] && return 1
+    [ ! -f "$IP_REP_DB" ] && return 1
+
+    # Calculate hash bucket (first octet for IPv4 distributes IPs across 256 buckets)
+    local hash_bucket="${ip%%.*}"
+    local hash_file="${IP_REP_DB_DIR}/hash_${hash_bucket}.idx"
+
+    # Fast path: Check hash bucket first (much smaller file to grep)
+    if [ -f "$hash_file" ]; then
+        # Hash bucket contains line numbers for IPs in this bucket
+        local line_num=$(grep -m 1 "^${ip}|" "$hash_file" 2>/dev/null | cut -d'|' -f2)
+        if [ -n "$line_num" ]; then
+            # Direct line access - O(1) lookup!
+            sed -n "${line_num}p" "$IP_REP_DB" 2>/dev/null
+            return 0
+        fi
+    fi
+
+    # Fallback: Linear search (for IPs not yet indexed)
+    # Use tac to read file backwards, then grep for first match
+    # This ensures we get the LATEST entry for IPs with duplicates
+    tac "$IP_REP_DB" 2>/dev/null | grep -m 1 "^${ip}|" 2>/dev/null
+}
+
+# Add or update IP in database
+# Usage: update_ip_reputation IP [HIT_INCREMENT] [SCORE_DELTA] [ATTACK_FLAGS] [ACTIVITY_NOTE]
+update_ip_reputation() {
+    local ip="$1"
+    local hit_increment="${2:-1}"
+    local score_delta="${3:-0}"
+    local new_attack_flags="${4:-0}"
+    local activity_note="${5:-}"
+
+    [ -z "$ip" ] && return 1
+
+    init_ip_reputation_db
+    acquire_lock
+
+    local existing
+    existing=$(lookup_ip "$ip")
+
+    local current_time=$(date +%s)
+
+    if [ -n "$existing" ]; then
+        # Parse existing entry
+        IFS='|' read -r old_ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes <<< "$existing"
+
+        # Update values
+        hit_count=$((hit_count + hit_increment))
+        rep_score=$((rep_score + score_delta))
+
+        # Cap reputation score at 0-100
+        [ $rep_score -lt 0 ] && rep_score=0
+        [ $rep_score -gt 100 ] && rep_score=100
+
+        # Merge attack flags (bitwise OR)
+        attack_flags=$((attack_flags | new_attack_flags))
+
+        last_seen="$current_time"
+
+        # Update activity note if provided
+        if [ -n "$activity_note" ]; then
+            last_activity="$activity_note"
+        fi
+
+        # OPTIMIZATION: Append-only writes (much faster than sed -i delete)
+        # Append updated entry to end of file
+        echo "$ip|$hit_count|$rep_score|$country|$attack_flags|$first_seen|$last_seen|$last_activity|$notes" >> "$IP_REP_DB"
+
+        # Mark for compaction (file will have duplicates until compact_database runs)
+        touch "${IP_REP_DB}.needs_compact" 2>/dev/null
+    else
+        # New entry
+        local country=$(get_ip_country "$ip")
+        echo "$ip|$hit_increment|$score_delta|$country|$new_attack_flags|$current_time|$current_time|$activity_note|" >> "$IP_REP_DB"
+    fi
+
+    release_lock
+
+    # Auto-compact if file has lots of duplicates (from append-only writes)
+    # Check if compaction is needed (marked file exists)
+    if [ -f "${IP_REP_DB}.needs_compact" ]; then
+        local db_size=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo "0")
+
+        # Compact if database >50k lines (likely has significant duplicates)
+        # Use random check to avoid all processes compacting simultaneously
+        if [ "$db_size" -gt 50000 ] && [ $((RANDOM % 200)) -eq 0 ]; then
+            compact_database &  # Background process (includes rebuild_index)
+            return 0
+        fi
+    fi
+
+    # Rebuild index automatically when database grows significantly
+    # Check if hash index exists and is fresh
+    local db_size=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo "0")
+    local hash_count=$(ls -1 "${IP_REP_DB_DIR}"/hash_*.idx 2>/dev/null | wc -l)
+
+    # Rebuild if:
+    # 1. Database has >10k IPs but no hash index exists
+    # 2. Database has >100k IPs and 1% chance (frequent enough during attacks)
+    if [ "$hash_count" -eq 0 ] && [ "$db_size" -gt 10000 ]; then
+        rebuild_index &  # Background process
+    elif [ "$db_size" -gt 100000 ] && [ $((RANDOM % 100)) -eq 0 ]; then
+        rebuild_index &  # Background process
+    fi
+
+    return 0
+}
+
+# Get IP country using multiple methods
+get_ip_country() {
+    local ip="$1"
+    local country="??"
+
+    # Method 1: Check if geoiplookup is available
+    if command -v geoiplookup >/dev/null 2>&1; then
+        country=$(geoiplookup "$ip" 2>/dev/null | grep -oP 'Country Edition: \K[A-Z]{2}' | head -1)
+    fi
+
+    # Method 2: Check if geoiplookup6 for IPv6
+    if [ -z "$country" ] || [ "$country" = "??" ]; then
+        if command -v geoiplookup6 >/dev/null 2>&1 && [[ "$ip" =~ : ]]; then
+            country=$(geoiplookup6 "$ip" 2>/dev/null | grep -oP 'Country Edition: \K[A-Z]{2}' | head -1)
+        fi
+    fi
+
+    # Method 3: Check /usr/share/GeoIP databases directly
+    if [ -z "$country" ] || [ "$country" = "??" ]; then
+        if [ -f "/usr/share/GeoIP/GeoIP.dat" ] && command -v geoiplookup >/dev/null 2>&1; then
+            country=$(geoiplookup "$ip" 2>/dev/null | awk -F': ' '{print $2}' | cut -d',' -f1 | head -1)
+        fi
+    fi
+
+    # Method 4: Fallback - use whois (slower, only if critically needed)
+    # Disabled by default for performance
+    # if [ -z "$country" ] || [ "$country" = "??" ]; then
+    #     country=$(whois "$ip" 2>/dev/null | grep -iE "^country:" | head -1 | awk '{print $2}')
+    # fi
+
+    # Default if all methods fail
+    [ -z "$country" ] && country="??"
+
+    echo "$country"
+}
+
+# Increment IP hit count (fast path for common case)
+increment_ip_hits() {
+    local ip="$1"
+    local increment="${2:-1}"
+
+    update_ip_reputation "$ip" "$increment" 0 0 ""
+}
+
+# Flag IP for specific attack type
+flag_ip_attack() {
+    local ip="$1"
+    local attack_type="$2"
+    local score_increase="${3:-5}"
+    local note="${4:-$attack_type}"
+
+    local attack_flag=0
+
+    case "$attack_type" in
+        SQL_INJECTION|sql) attack_flag=$ATTACK_FLAG_SQL_INJECTION; score_increase=15 ;;
+        XSS|xss) attack_flag=$ATTACK_FLAG_XSS; score_increase=10 ;;
+        PATH_TRAVERSAL|path) attack_flag=$ATTACK_FLAG_PATH_TRAVERSAL; score_increase=12 ;;
+        RCE|rce|shell) attack_flag=$ATTACK_FLAG_RCE; score_increase=20 ;;
+        BRUTEFORCE|brute) attack_flag=$ATTACK_FLAG_BRUTEFORCE; score_increase=8 ;;
+        DDOS|ddos) attack_flag=$ATTACK_FLAG_DDOS; score_increase=10 ;;
+        BOT|bot) attack_flag=$ATTACK_FLAG_BOT; score_increase=3 ;;
+        SCANNER|scan) attack_flag=$ATTACK_FLAG_SCANNER; score_increase=5 ;;
+        EXPLOIT|exploit) attack_flag=$ATTACK_FLAG_EXPLOIT; score_increase=15 ;;
+        *) attack_flag=0; score_increase=5 ;;
+    esac
+
+    update_ip_reputation "$ip" 1 "$score_increase" "$attack_flag" "$note"
+}
+
+# Mark IP as legitimate (reduces reputation score)
+mark_ip_legitimate() {
+    local ip="$1"
+    local note="${2:-Marked as legitimate}"
+
+    update_ip_reputation "$ip" 0 -20 0 "$note"
+}
+
+# Get IP reputation category
+get_ip_reputation_category() {
+    local score="$1"
+
+    if [ $score -ge $REP_SCORE_CRITICAL ]; then
+        echo "CRITICAL"
+    elif [ $score -ge $REP_SCORE_HIGH ]; then
+        echo "HIGH"
+    elif [ $score -ge $REP_SCORE_MEDIUM ]; then
+        echo "MEDIUM"
+    elif [ $score -ge $REP_SCORE_LOW ]; then
+        echo "LOW"
+    else
+        echo "SAFE"
+    fi
+}
+
+# Get attack types from flags
+decode_attack_flags() {
+    local flags="$1"
+    local attacks=""
+
+    [ $((flags & ATTACK_FLAG_SQL_INJECTION)) -ne 0 ] && attacks="${attacks}SQL,"
+    [ $((flags & ATTACK_FLAG_XSS)) -ne 0 ] && attacks="${attacks}XSS,"
+    [ $((flags & ATTACK_FLAG_PATH_TRAVERSAL)) -ne 0 ] && attacks="${attacks}PATH,"
+    [ $((flags & ATTACK_FLAG_RCE)) -ne 0 ] && attacks="${attacks}RCE,"
+    [ $((flags & ATTACK_FLAG_BRUTEFORCE)) -ne 0 ] && attacks="${attacks}BRUTE,"
+    [ $((flags & ATTACK_FLAG_DDOS)) -ne 0 ] && attacks="${attacks}DDOS,"
+    [ $((flags & ATTACK_FLAG_BOT)) -ne 0 ] && attacks="${attacks}BOT,"
+    [ $((flags & ATTACK_FLAG_SCANNER)) -ne 0 ] && attacks="${attacks}SCAN,"
+    [ $((flags & ATTACK_FLAG_EXPLOIT)) -ne 0 ] && attacks="${attacks}EXPLOIT,"
+
+    # Remove trailing comma
+    attacks="${attacks%,}"
+
+    [ -z "$attacks" ] && attacks="NONE"
+
+    echo "$attacks"
+}
+
+# Query and display IP information
+query_ip_reputation() {
+    local ip="$1"
+
+    init_ip_reputation_db
+
+    local data
+    data=$(lookup_ip "$ip")
+
+    if [ -z "$data" ]; then
+        echo "IP $ip not found in reputation database"
+        return 1
+    fi
+
+    IFS='|' read -r ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes <<< "$data"
+
+    local category=$(get_ip_reputation_category "$rep_score")
+    local attacks=$(decode_attack_flags "$attack_flags")
+    local first_seen_date=$(date -d "@$first_seen" '+%Y-%m-%d %H:%M:%S' 2>/dev/null || echo "$first_seen")
+    local last_seen_date=$(date -d "@$last_seen" '+%Y-%m-%d %H:%M:%S' 2>/dev/null || echo "$last_seen")
+
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo "IP Address:       $ip"
+    echo "Country:          $country"
+    echo "Reputation:       $rep_score/100 [$category]"
+    echo "Total Hits:       $hit_count"
+    echo "Attack Types:     $attacks"
+    echo "First Seen:       $first_seen_date"
+    echo "Last Seen:        $last_seen_date"
+    echo "Last Activity:    ${last_activity:-None recorded}"
+    echo "Notes:            ${notes:-None}"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+    return 0
+}
+
+# Get top IPs by reputation score
+get_top_malicious_ips() {
+    local limit="${1:-20}"
+
+    init_ip_reputation_db
+
+    [ ! -f "$IP_REP_DB" ] && return 1
+
+    # OPTIMIZATION: For large files, use partial sort (much faster)
+    # Only sort enough to find top N instead of sorting entire file
+    local db_size=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo "0")
+
+    if [ "$db_size" -gt 100000 ]; then
+        # For very large databases, use awk to find high-scoring IPs first
+        # then sort only those (much faster than sorting 500k lines)
+        awk -F'|' '$3 >= 50' "$IP_REP_DB" | sort -t'|' -k3 -rn | head -n "$limit"
+    else
+        # For smaller databases, regular sort is fine
+        sort -t'|' -k3 -rn "$IP_REP_DB" | head -n "$limit"
+    fi
+}
+
+# Get top IPs by hit count
+get_top_active_ips() {
+    local limit="${1:-20}"
+
+    init_ip_reputation_db
+
+    [ ! -f "$IP_REP_DB" ] && return 1
+
+    # OPTIMIZATION: For large files, filter first then sort
+    local db_size=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo "0")
+
+    if [ "$db_size" -gt 100000 ]; then
+        # Filter to IPs with >100 hits, then sort (much faster)
+        awk -F'|' '$2 >= 100' "$IP_REP_DB" | sort -t'|' -k2 -rn | head -n "$limit"
+    else
+        # For smaller databases, regular sort is fine
+        sort -t'|' -k2 -rn "$IP_REP_DB" | head -n "$limit"
+    fi
+}
+
+# Clean up old entries (not seen in X days)
+cleanup_old_ips() {
+    local days_old="${1:-90}"
+
+    init_ip_reputation_db
+    acquire_lock
+
+    local cutoff_time=$(($(date +%s) - (days_old * 86400)))
+    local temp_file="${IP_REP_DB}.tmp"
+
+    # Keep only IPs seen within the cutoff time
+    awk -F'|' -v cutoff="$cutoff_time" '$7 >= cutoff' "$IP_REP_DB" > "$temp_file"
+
+    mv "$temp_file" "$IP_REP_DB"
+
+    release_lock
+
+    echo "Cleaned up IPs not seen in $days_old days"
+}
+
+# Compact database to remove duplicate IP entries (from append-only writes)
+compact_database() {
+    init_ip_reputation_db
+    acquire_lock
+
+    echo "Compacting database (removing duplicate IP entries)..."
+
+    local temp_db="${IP_REP_DB}.compact_tmp"
+    local original_size=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo "0")
+
+    # Use awk to keep only the LAST occurrence of each IP (most recent data)
+    # Read file backwards, keep first occurrence of each IP, then reverse again
+    tac "$IP_REP_DB" | awk -F'|' '!seen[$1]++' | tac > "$temp_db"
+
+    # Replace original with compacted version
+    mv "$temp_db" "$IP_REP_DB"
+
+    local new_size=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo "0")
+    local removed=$((original_size - new_size))
+
+    # Remove compaction marker
+    rm -f "${IP_REP_DB}.needs_compact" 2>/dev/null
+
+    release_lock
+
+    echo "Compaction complete: Removed $removed duplicate entries ($original_size → $new_size IPs)"
+
+    # Rebuild index after compaction
+    rebuild_index
+}
+
+# Rebuild index for faster lookups (for very large databases)
+rebuild_index() {
+    init_ip_reputation_db
+    acquire_lock
+
+    echo "Rebuilding hash-based index for fast lookups..."
+
+    # Remove old hash files
+    rm -f "${IP_REP_DB_DIR}"/hash_*.idx 2>/dev/null
+
+    # Build hash buckets (256 buckets based on first octet)
+    # This distributes 500k IPs into ~2k IPs per bucket = MUCH faster
+    local line_num=0
+    while IFS='|' read -r ip rest; do
+        ((line_num++))
+
+        # Calculate hash bucket from first octet
+        local hash_bucket="${ip%%.*}"
+        local hash_file="${IP_REP_DB_DIR}/hash_${hash_bucket}.idx"
+
+        # Store IP and its line number in the hash bucket file
+        echo "${ip}|${line_num}" >> "$hash_file"
+    done < "$IP_REP_DB"
+
+    # Sort each hash bucket file for faster grep
+    for hash_file in "${IP_REP_DB_DIR}"/hash_*.idx; do
+        [ -f "$hash_file" ] && sort -t'|' -k1 -o "$hash_file" "$hash_file"
+    done
+
+    # Also create main sorted index for compatibility
+    sort -t'|' -k1 "$IP_REP_DB" > "$IP_REP_INDEX"
+
+    release_lock
+
+    echo "Index rebuilt: $(ls -1 "${IP_REP_DB_DIR}"/hash_*.idx 2>/dev/null | wc -l) hash buckets created"
+}
+
+# Export reputation database to readable format
+export_ip_reputation() {
+    local output_file="${1:-/tmp/ip_reputation_export_$(date +%Y%m%d_%H%M%S).txt}"
+
+    init_ip_reputation_db
+
+    {
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo "SERVER TOOLKIT - IP REPUTATION DATABASE EXPORT"
+        echo "Generated: $(date '+%Y-%m-%d %H:%M:%S')"
+        echo "Total IPs: $(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)"
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo ""
+
+        printf "%-15s | %-7s | %-4s | %-8s | %-6s | %-30s | %-19s\n" \
+            "IP ADDRESS" "HITS" "CTRY" "REP" "LEVEL" "ATTACKS" "LAST SEEN"
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+        # Sort by reputation score, descending
+        sort -t'|' -k3 -rn "$IP_REP_DB" | while IFS='|' read -r ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes; do
+            local category=$(get_ip_reputation_category "$rep_score")
+            local attacks=$(decode_attack_flags "$attack_flags")
+            local last_seen_date=$(date -d "@$last_seen" '+%Y-%m-%d %H:%M' 2>/dev/null || echo "$last_seen")
+
+            printf "%-15s | %-7s | %-4s | %-3s/100 | %-8s | %-30s | %-19s\n" \
+                "$ip" "$hit_count" "$country" "$rep_score" "$category" "${attacks:0:30}" "$last_seen_date"
+        done
+
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    } > "$output_file"
+
+    echo "IP reputation database exported to: $output_file"
+}
+
+# Check if IP should be blocked (based on reputation)
+should_block_ip() {
+    local ip="$1"
+    local threshold="${2:-$REP_SCORE_HIGH}"  # Default: block if reputation >= 60
+
+    local data
+    data=$(lookup_ip "$ip")
+
+    [ -z "$data" ] && return 1  # Unknown IP, don't block
+
+    IFS='|' read -r _ _ rep_score _ _ _ _ _ _ <<< "$data"
+
+    [ $rep_score -ge $threshold ] && return 0  # Should block
+    return 1  # Should not block
+}
+
+# Batch import IPs from various sources
+import_ips_from_log() {
+    local log_file="$1"
+    local attack_type="${2:-SUSPICIOUS}"
+    local score_per_hit="${3:-5}"
+
+    [ ! -f "$log_file" ] && return 1
+
+    # Extract IPs and count occurrences
+    grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$log_file" | \
+    sort | uniq -c | while read count ip; do
+        update_ip_reputation "$ip" "$count" "$score_per_hit" 0 "Imported from $log_file"
+    done
+
+    echo "Imported IPs from $log_file"
+}
+
+# Statistics summary
+show_ip_statistics() {
+    init_ip_reputation_db
+
+    local total_ips=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)
+    local critical=$(awk -F'|' -v thresh=$REP_SCORE_CRITICAL '$3 >= thresh' "$IP_REP_DB" 2>/dev/null | wc -l)
+    local high=$(awk -F'|' -v low=$REP_SCORE_HIGH -v hi=$REP_SCORE_CRITICAL '$3 >= low && $3 < hi' "$IP_REP_DB" 2>/dev/null | wc -l)
+    local medium=$(awk -F'|' -v low=$REP_SCORE_MEDIUM -v hi=$REP_SCORE_HIGH '$3 >= low && $3 < hi' "$IP_REP_DB" 2>/dev/null | wc -l)
+    local low=$(awk -F'|' -v low=$REP_SCORE_LOW -v hi=$REP_SCORE_MEDIUM '$3 >= low && $3 < hi' "$IP_REP_DB" 2>/dev/null | wc -l)
+    local safe=$(awk -F'|' -v thresh=$REP_SCORE_LOW '$3 < thresh' "$IP_REP_DB" 2>/dev/null | wc -l)
+
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo "IP REPUTATION DATABASE STATISTICS"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo "Total Tracked IPs:    $total_ips"
+    echo ""
+    echo "By Reputation Level:"
+    echo "  CRITICAL (≥80):     $critical"
+    echo "  HIGH (60-79):       $high"
+    echo "  MEDIUM (40-59):     $medium"
+    echo "  LOW (20-39):        $low"
+    echo "  SAFE (<20):         $safe"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+}
+
+################################################################################
+# BAN MANAGEMENT & TRACKING
+################################################################################
+
+# Record that an IP was banned
+# Usage: record_ip_ban IP DURATION_HOURS [REASON]
+record_ip_ban() {
+    local ip="$1"
+    local duration="${2:-1}"
+    local reason="${3:-Manual ban from live monitor}"
+
+    [ -z "$ip" ] && return 1
+
+    init_ip_reputation_db
+    acquire_lock
+
+    local existing
+    existing=$(lookup_ip "$ip")
+
+    local current_time=$(date +%s)
+
+    if [ -n "$existing" ]; then
+        # Parse existing entry (with new ban fields)
+        IFS='|' read -r old_ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes ban_count last_ban <<< "$existing"
+
+        # Increment ban count
+        ban_count=$((${ban_count:-0} + 1))
+        last_ban="$current_time"
+
+        # Increase reputation score for being banned
+        rep_score=$((rep_score + 10))
+        [ $rep_score -gt 100 ] && rep_score=100
+
+        # Update notes
+        notes="Banned ${ban_count}x (${duration}h): $reason"
+
+        # Write updated entry (remove old, add new)
+        local temp_file="${IP_REP_DB}.tmp.$$"
+        grep -v "^${ip}|" "$IP_REP_DB" > "$temp_file" 2>/dev/null || touch "$temp_file"
+        echo "$ip|$hit_count|$rep_score|$country|$attack_flags|$first_seen|$last_seen|$last_activity|$notes|$ban_count|$last_ban" >> "$temp_file"
+        mv "$temp_file" "$IP_REP_DB"
+    else
+        # New IP - create entry with ban
+        echo "$ip|0|70|unknown|0|$current_time|$current_time|Banned|Banned: $reason|1|$current_time" >> "$IP_REP_DB"
+    fi
+
+    release_lock
+    return 0
+}
+
+# Get ban count for an IP
+get_ip_ban_count() {
+    local ip="$1"
+
+    local data
+    data=$(lookup_ip "$ip")
+
+    [ -z "$data" ] && echo "0" && return 0
+
+    # Extract ban_count (field 10)
+    echo "$data" | awk -F'|' '{print $10}'
+}
+
+# Get last ban timestamp for an IP
+get_ip_last_ban() {
+    local ip="$1"
+
+    local data
+    data=$(lookup_ip "$ip")
+
+    [ -z "$data" ] && echo "0" && return 0
+
+    # Extract last_ban (field 11)
+    echo "$data" | awk -F'|' '{print $11}'
+}
+
+# Block IP using CSF (if available) or iptables
+# Usage: block_ip_temporary IP DURATION_HOURS [REASON]
+block_ip_temporary() {
+    local ip="$1"
+    local duration="${2:-1}"  # Default: 1 hour
+    local reason="${3:-High threat activity detected}"
+
+    [ -z "$ip" ] && return 1
+
+    # Validate IP format
+    if ! [[ "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+        echo "ERROR: Invalid IP format: $ip"
+        return 1
+    fi
+
+    # Check if CSF is available
+    if command -v csf &>/dev/null; then
+        # Use CSF temporary deny
+        local duration_seconds=$((duration * 3600))
+        csf -td "$ip" "$duration_seconds" "$reason" &>/dev/null
+
+        if [ $? -eq 0 ]; then
+            echo "✓ Blocked $ip using CSF for ${duration}h: $reason"
+            record_ip_ban "$ip" "$duration" "$reason"
+            return 0
+        else
+            echo "⚠ CSF block failed for $ip, trying iptables..."
+        fi
+    fi
+
+    # Fallback to iptables
+    if command -v iptables &>/dev/null; then
+        # Check if already blocked
+        if iptables -L INPUT -n | grep -q "$ip"; then
+            echo "⚠ $ip already blocked in iptables"
+            return 0
+        fi
+
+        # Add iptables rule
+        iptables -I INPUT -s "$ip" -j DROP
+
+        if [ $? -eq 0 ]; then
+            echo "✓ Blocked $ip using iptables for ${duration}h: $reason"
+            record_ip_ban "$ip" "$duration" "$reason"
+
+            # Schedule removal using at (if available)
+            if command -v at &>/dev/null; then
+                echo "iptables -D INPUT -s $ip -j DROP 2>/dev/null" | at now + $duration hours 2>/dev/null
+                echo "  (Scheduled auto-unblock in ${duration}h)"
+            else
+                echo "  (WARNING: Manual unblock required - 'at' command not available)"
+            fi
+
+            return 0
+        else
+            echo "✗ Failed to block $ip with iptables"
+            return 1
+        fi
+    fi
+
+    echo "✗ No firewall available (CSF or iptables required)"
+    return 1
+}
+
+# Unblock IP
+unblock_ip() {
+    local ip="$1"
+
+    [ -z "$ip" ] && return 1
+
+    # Try CSF first
+    if command -v csf &>/dev/null; then
+        csf -tr "$ip" &>/dev/null
+        if [ $? -eq 0 ]; then
+            echo "✓ Unblocked $ip from CSF"
+            return 0
+        fi
+    fi
+
+    # Try iptables
+    if command -v iptables &>/dev/null; then
+        iptables -D INPUT -s "$ip" -j DROP 2>/dev/null
+        if [ $? -eq 0 ]; then
+            echo "✓ Unblocked $ip from iptables"
+            return 0
+        fi
+    fi
+
+    echo "⚠ $ip not found in firewall rules"
+    return 1
+}
+
+# Check if IP is currently blocked
+is_ip_blocked() {
+    local ip="$1"
+
+    [ -z "$ip" ] && return 1
+
+    # Check CSF
+    if command -v csf &>/dev/null; then
+        if csf -g "$ip" 2>/dev/null | grep -q "DENY"; then
+            return 0
+        fi
+    fi
+
+    # Check iptables (use word boundaries to avoid partial matches)
+    if command -v iptables &>/dev/null; then
+        if iptables -L INPUT -n 2>/dev/null | grep -w "$ip" | grep -q "DROP\|REJECT"; then
+            return 0
+        fi
+    fi
+
+    return 1
+}
+
+# Get list of IPs that should be blocked based on reputation
+# Usage: get_blockable_ips [MIN_SCORE]
+get_blockable_ips() {
+    local min_score="${1:-60}"  # Default: score >= 60
+
+    [ ! -f "$IP_REP_DB" ] && return 1
+
+    # Get IPs with score >= min_score, not already blocked
+    while IFS='|' read -r ip hit_count rep_score rest; do
+        # Skip if score too low
+        [ "$rep_score" -lt "$min_score" ] 2>/dev/null && continue
+
+        # Skip if already blocked
+        is_ip_blocked "$ip" && continue
+
+        # Output: IP|SCORE|HITS
+        echo "$ip|$rep_score|$hit_count"
+    done < "$IP_REP_DB" | sort -t'|' -k2 -rn
+}
+
+export -f record_ip_ban
+export -f get_ip_ban_count
+export -f get_ip_last_ban
+export -f block_ip_temporary
+export -f unblock_ip
+export -f is_ip_blocked
+export -f get_blockable_ips
+
+# Initialize on library load
+init_ip_reputation_db
@@ -183,6 +183,64 @@ build_databases_section() {
    echo "" >> "$SYSREF_DB"
 }

+# Check domain HTTP/HTTPS status codes
+# Returns: http_code|https_code|status_summary
+check_domain_status() {
+    local domain="$1"
+    local http_code="000"
+    local https_code="000"
+    local status_summary="unchecked"
+
+    # Skip if curl not available
+    if ! command -v curl &>/dev/null; then
+        echo "000|000|no_curl"
+        return 0
+    fi
+
+    # Skip obviously invalid domains
+    if [ -z "$domain" ] || [[ ! "$domain" =~ \. ]]; then
+        echo "000|000|invalid_domain"
+        return 0
+    fi
+
+    # Try HTTP (timeout 3 seconds, max 2 redirects, check for valid response)
+    http_code=$(timeout 3 curl -s -o /dev/null -w "%{http_code}" --max-redirs 2 -m 3 "http://$domain" 2>/dev/null)
+    if [ $? -ne 0 ] || [ -z "$http_code" ]; then
+        http_code="timeout"
+    fi
+
+    # Try HTTPS (timeout 3 seconds, max 2 redirects, ignore cert errors)
+    https_code=$(timeout 3 curl -s -o /dev/null -w "%{http_code}" --max-redirs 2 -m 3 -k "https://$domain" 2>/dev/null)
+    if [ $? -ne 0 ] || [ -z "$https_code" ]; then
+        https_code="timeout"
+    fi
+
+    # Determine overall status
+    if [ "$http_code" = "200" ] || [ "$https_code" = "200" ]; then
+        status_summary="200_OK"
+    elif [ "$http_code" = "403" ] || [ "$https_code" = "403" ]; then
+        status_summary="403_FORBIDDEN"
+    elif [ "$http_code" = "404" ] || [ "$https_code" = "404" ]; then
+        status_summary="404_NOT_FOUND"
+    elif [ "$http_code" = "500" ] || [ "$https_code" = "500" ]; then
+        status_summary="500_ERROR"
+    elif [ "$http_code" = "502" ] || [ "$https_code" = "502" ]; then
+        status_summary="502_BAD_GATEWAY"
+    elif [ "$http_code" = "503" ] || [ "$https_code" = "503" ]; then
+        status_summary="503_UNAVAILABLE"
+    elif [[ "$http_code" =~ ^30[0-9]$ ]] || [[ "$https_code" =~ ^30[0-9]$ ]]; then
+        status_summary="REDIRECT"
+    elif [ "$http_code" = "timeout" ] && [ "$https_code" = "timeout" ]; then
+        status_summary="TIMEOUT"
+    elif [ "$http_code" = "000" ] && [ "$https_code" = "000" ]; then
+        status_summary="UNREACHABLE"
+    else
+        status_summary="OTHER"
+    fi
+
+    echo "${http_code}|${https_code}|${status_summary}"
+}
+
 build_domains_section() {
    echo "[DOMAINS]" >> "$SYSREF_DB"

@@ -191,6 +249,17 @@ build_domains_section() {

    local users=($(list_all_users))

+    # Count total domains for progress
+    local total_domains=0
+    for user in "${users[@]}"; do
+        local userdata_dir="/var/cpanel/userdata/${user}"
+        if [ -d "$userdata_dir" ]; then
+            total_domains=$((total_domains + $(find "$userdata_dir" -type f ! -name "*.cache" ! -name "*.yaml" ! -name "*.json" ! -name "main*" ! -name "cache" ! -name "*_SSL" 2>/dev/null | wc -l)))
+        fi
+    done
+
+    local current_domain=0
+
    # Get detailed domain information from cPanel userdata (if available)
    for user in "${users[@]}"; do
        local userdata_dir="/var/cpanel/userdata/${user}"
@@ -233,8 +302,20 @@ build_domains_section() {
                    fi
                fi

-                # Format: DOMAIN|domain|owner|doc_root|log_path|php_version|is_primary|type|aliases
-                echo "DOMAIN|$domain|$user|$doc_root|$log_path|$php_version|$is_primary|$domain_type|$server_alias" >> "$SYSREF_DB"
+                # Check HTTP/HTTPS status codes (only for primary and addon domains, skip aliases/subdomains)
+                current_domain=$((current_domain + 1))
+                local http_code="000"
+                local https_code="000"
+                local status_summary="skipped"
+
+                if [ "$domain_type" = "primary" ] || [ "$domain_type" = "addon" ]; then
+                    show_progress $current_domain $total_domains "Checking domain status codes..."
+                    local status_result=$(check_domain_status "$domain")
+                    IFS='|' read -r http_code https_code status_summary <<< "$status_result"
+                fi
+
+                # Format: DOMAIN|domain|owner|doc_root|log_path|php_version|is_primary|type|aliases|http_code|https_code|status_summary
+                echo "DOMAIN|$domain|$user|$doc_root|$log_path|$php_version|$is_primary|$domain_type|$server_alias|$http_code|$https_code|$status_summary" >> "$SYSREF_DB"
                seen_domains["$domain"]=1

                # Also add aliases as separate entries
@@ -243,8 +324,8 @@ build_domains_section() {
                        [ -z "$alias" ] && continue
                        [ -n "${seen_domains[$alias]:-}" ] && continue

-                        # Alias points to same document root and logs
-                        echo "DOMAIN|$alias|$user|$doc_root|$log_path|$php_version|no|alias|$domain" >> "$SYSREF_DB"
+                        # Alias points to same document root and logs (inherit status from parent)
+                        echo "DOMAIN|$alias|$user|$doc_root|$log_path|$php_version|no|alias|$domain|$http_code|$https_code|alias_of_$status_summary" >> "$SYSREF_DB"
                        seen_domains["$alias"]=1
                    done
                fi
@@ -265,13 +346,21 @@ build_domains_section() {
                local log_path="${SYS_LOG_DIR}/${domain}"
                [ ! -f "$log_path" ] && log_path="${SYS_LOG_DIR}/${domain}.log"

-                # Simple format for non-cPanel
-                echo "DOMAIN|$domain|$user||$log_path||$is_primary|local|" >> "$SYSREF_DB"
+                # Check status for non-cPanel domains
+                current_domain=$((current_domain + 1))
+                show_progress $current_domain $total_domains "Checking domain status codes..."
+                local status_result=$(check_domain_status "$domain")
+                IFS='|' read -r http_code https_code status_summary <<< "$status_result"
+
+                # Simple format for non-cPanel (with status codes)
+                echo "DOMAIN|$domain|$user||$log_path||$is_primary|local||$http_code|$https_code|$status_summary" >> "$SYSREF_DB"
                seen_domains["$domain"]=1
            done
        fi
    done

+    finish_progress
+
    # Check /etc/localdomains (cPanel local domains not yet added)
    if [ -f "/etc/localdomains" ]; then
        while read -r domain; do
@@ -282,12 +371,17 @@ build_domains_section() {
            [ -z "$owner" ] && owner="unknown"

            local log_path="${SYS_LOG_DIR}/${domain}"
-            echo "DOMAIN|$domain|$owner||$log_path||unknown|local|" >> "$SYSREF_DB"
+
+            # Check status
+            local status_result=$(check_domain_status "$domain")
+            IFS='|' read -r http_code https_code status_summary <<< "$status_result"
+
+            echo "DOMAIN|$domain|$owner||$log_path||unknown|local||$http_code|$https_code|$status_summary" >> "$SYSREF_DB"
            seen_domains["$domain"]=1
        done < /etc/localdomains
    fi

-    # Check /etc/remotedomains (cPanel remote MX domains)
+    # Check /etc/remotedomains (cPanel remote MX domains - no status check for remote MX)
    if [ -f "/etc/remotedomains" ]; then
        while read -r domain; do
            [ -z "$domain" ] && continue
@@ -296,7 +390,7 @@ build_domains_section() {
            local owner=$(grep "^${domain}:" /etc/trueuserdomains 2>/dev/null | cut -d: -f2 | xargs || true)
            [ -z "$owner" ] && owner="unknown"

-            echo "DOMAIN|$domain|$owner||||unknown|remote|" >> "$SYSREF_DB"
+            echo "DOMAIN|$domain|$owner||||unknown|remote||000|000|remote_mx" >> "$SYSREF_DB"
            seen_domains["$domain"]=1
        done < /etc/remotedomains
    fi
@@ -557,6 +651,87 @@ export -f db_get_all_users
 export -f db_get_user_databases
 export -f db_get_user_domains
 export -f db_get_database_owner
+#############################################################################
+# SIMPLE KEY-VALUE STORE (for cross-module session data)
+#############################################################################
+
+# Store a key-value pair in the reference database
+store_reference() {
+    local key="$1"
+    local value="$2"
+
+    if [ -z "$key" ] || [ -z "$value" ]; then
+        return 1
+    fi
+
+    # Use REF prefix for simple key-value pairs
+    echo "REF|$key|$value" >> "$SYSREF_DB"
+}
+
+# Retrieve the most recent value for a key
+get_reference() {
+    local key="$1"
+
+    if [ -z "$key" ] || [ ! -f "$SYSREF_DB" ]; then
+        return 1
+    fi
+
+    # Get the most recent value (last occurrence)
+    grep "^REF|$key|" "$SYSREF_DB" 2>/dev/null | tail -1 | cut -d'|' -f3
+}
+
+# Get domain status from reference database
+# Usage: get_domain_status "domain.com"
+# Returns: http_code|https_code|status_summary or empty if not found
+get_domain_status() {
+    local domain="$1"
+
+    if [ -z "$domain" ] || [ ! -f "$SYSREF_DB" ]; then
+        return 1
+    fi
+
+    # Get domain record (DOMAIN|domain|owner|doc_root|log_path|php|primary|type|alias|http|https|status)
+    local record=$(grep "^DOMAIN|${domain}|" "$SYSREF_DB" 2>/dev/null | head -1)
+
+    if [ -z "$record" ]; then
+        return 1
+    fi
+
+    # Extract fields 10, 11, 12 (http_code, https_code, status_summary)
+    echo "$record" | awk -F'|' '{print $10"|"$11"|"$12}'
+}
+
+# Get all domains with their status codes
+# Returns: domain|http_code|https_code|status_summary (one per line)
+get_all_domain_statuses() {
+    if [ ! -f "$SYSREF_DB" ]; then
+        return 1
+    fi
+
+    grep "^DOMAIN|" "$SYSREF_DB" 2>/dev/null | awk -F'|' '{print $2"|"$10"|"$11"|"$12}'
+}
+
+# Check if domain is healthy (200 OK on either HTTP or HTTPS)
+# Usage: is_domain_healthy "domain.com" && echo "healthy"
+is_domain_healthy() {
+    local domain="$1"
+    local status=$(get_domain_status "$domain")
+
+    [ -z "$status" ] && return 1
+
+    # Parse status
+    IFS='|' read -r http_code https_code status_summary <<< "$status"
+
+    # Healthy if either HTTP or HTTPS returns 200
+    if [ "$http_code" = "200" ] || [ "$https_code" = "200" ]; then
+        return 0
+    fi
+
+    return 1
+}
+
+export -f store_reference
+export -f get_reference
 export -f db_get_all_wordpress
 export -f db_get_system_info
 export -f db_get_health_metric
@@ -567,3 +742,6 @@ export -f db_get_all_health
 export -f db_is_fresh
 export -f db_ensure_fresh
 export -f db_rebuild
+export -f get_domain_status
+export -f get_all_domain_statuses
+export -f is_domain_healthy
@@ -25,6 +25,9 @@ export SYS_LOG_DIR=""
 export SYS_USER_HOME_BASE=""
 export SYS_PHP_VERSIONS=()
 export SYS_CLOUDFLARE_ACTIVE=""
+export SYS_FIREWALL=""
+export SYS_FIREWALL_VERSION=""
+export SYS_FIREWALL_ACTIVE=""

 #############################################################################
 # CONTROL PANEL DETECTION
@@ -64,7 +67,9 @@ detect_control_panel() {
        if [ -f "/usr/local/interworx/iworx/version.php" ]; then
            SYS_CONTROL_PANEL_VERSION=$(grep -oP "VERSION = '\K[^']+" /usr/local/interworx/iworx/version.php 2>/dev/null || echo "Unknown")
        fi
-        SYS_LOG_DIR="/home"
+        # InterWorx stores logs in /home/user/var/domain.com/logs/
+        # We set a marker path that tools will recognize needs special handling
+        SYS_LOG_DIR="/home/*/var/*/logs"
        SYS_USER_HOME_BASE="/home"

        print_success "Detected InterWorx v${SYS_CONTROL_PANEL_VERSION}"
@@ -260,6 +265,77 @@ detect_cloudflare() {
    fi
 }

+#############################################################################
+# FIREWALL DETECTION
+#############################################################################
+
+detect_firewall() {
+    print_info "Detecting firewall..."
+
+    # CSF/LFD
+    if [ -f "/etc/csf/csf.conf" ]; then
+        SYS_FIREWALL="csf"
+        SYS_FIREWALL_VERSION=$(csf -v 2>/dev/null | grep -oP 'v\K[\d.]+' | head -1 || echo "unknown")
+        if systemctl is-active --quiet lfd 2>/dev/null || service lfd status 2>/dev/null | grep -q running; then
+            SYS_FIREWALL_ACTIVE="yes"
+            print_success "Detected CSF ${SYS_FIREWALL_VERSION} (active)"
+        else
+            SYS_FIREWALL_ACTIVE="no"
+            print_warning "Detected CSF ${SYS_FIREWALL_VERSION} (inactive)"
+        fi
+        export SYS_CSF_ACTIVE="${SYS_FIREWALL_ACTIVE}"
+        return 0
+    fi
+
+    # firewalld
+    if command_exists firewall-cmd; then
+        SYS_FIREWALL="firewalld"
+        SYS_FIREWALL_VERSION=$(firewall-cmd --version 2>/dev/null || echo "unknown")
+        if systemctl is-active --quiet firewalld 2>/dev/null; then
+            SYS_FIREWALL_ACTIVE="yes"
+            print_success "Detected firewalld ${SYS_FIREWALL_VERSION} (active)"
+        else
+            SYS_FIREWALL_ACTIVE="no"
+            print_warning "Detected firewalld ${SYS_FIREWALL_VERSION} (inactive)"
+        fi
+        return 0
+    fi
+
+    # iptables
+    if command_exists iptables; then
+        SYS_FIREWALL="iptables"
+        SYS_FIREWALL_VERSION=$(iptables --version 2>/dev/null | grep -oP 'v\K[\d.]+' | head -1 || echo "unknown")
+        # Check if iptables has any rules
+        if [ "$(iptables -L -n 2>/dev/null | wc -l)" -gt 8 ]; then
+            SYS_FIREWALL_ACTIVE="yes"
+            print_success "Detected iptables ${SYS_FIREWALL_VERSION} (active)"
+        else
+            SYS_FIREWALL_ACTIVE="no"
+            print_warning "Detected iptables ${SYS_FIREWALL_VERSION} (no rules)"
+        fi
+        return 0
+    fi
+
+    # UFW
+    if command_exists ufw; then
+        SYS_FIREWALL="ufw"
+        SYS_FIREWALL_VERSION=$(ufw version 2>/dev/null | grep -oP '\d+\.\d+\.\d+' | head -1 || echo "unknown")
+        if ufw status 2>/dev/null | grep -q "Status: active"; then
+            SYS_FIREWALL_ACTIVE="yes"
+            print_success "Detected UFW ${SYS_FIREWALL_VERSION} (active)"
+        else
+            SYS_FIREWALL_ACTIVE="no"
+            print_warning "Detected UFW ${SYS_FIREWALL_VERSION} (inactive)"
+        fi
+        return 0
+    fi
+
+    SYS_FIREWALL="none"
+    SYS_FIREWALL_ACTIVE="no"
+    print_warning "No firewall detected"
+    return 1
+}
+
 #############################################################################
 # SYSTEM RESOURCES (Comprehensive - like user's example)
 #############################################################################
@@ -424,6 +500,7 @@ initialize_system_detection() {
    detect_database
    detect_php_versions
    detect_cloudflare
+    detect_firewall
    get_system_resources

    # Mark as initialized
@@ -0,0 +1,466 @@
+#!/bin/bash
+
+################################################################################
+# Threat Intelligence Library
+################################################################################
+# Purpose: External threat intelligence integration using existing tools
+# Features: IP reputation lookups, geolocation, whitelist management
+# No new services - uses only existing APIs and tools
+################################################################################
+
+# Cache directory for threat intelligence
+THREAT_CACHE_DIR="/var/lib/server-toolkit/threat-cache"
+mkdir -p "$THREAT_CACHE_DIR" 2>/dev/null
+
+# Cache TTL (24 hours)
+CACHE_TTL=86400
+
+################################################################################
+# AbuseIPDB Integration (Free API - 1000 requests/day)
+################################################################################
+
+# Check if IP is in AbuseIPDB
+# Returns: confidence_score|total_reports|country|isp
+check_abuseipdb() {
+    local ip="$1"
+    local cache_file="$THREAT_CACHE_DIR/abuseipdb_${ip//\./_}"
+
+    # Check cache first
+    if [ -f "$cache_file" ]; then
+        local cache_age=$(($(date +%s) - $(stat -c %Y "$cache_file" 2>/dev/null || echo 0)))
+        if [ "$cache_age" -lt "$CACHE_TTL" ]; then
+            cat "$cache_file"
+            return 0
+        fi
+    fi
+
+    # Check if API key exists
+    local api_key_file="/root/.abuseipdb_api_key"
+    if [ ! -f "$api_key_file" ]; then
+        echo "0|0|Unknown|Unknown"
+        return 1
+    fi
+
+    local api_key=$(cat "$api_key_file")
+
+    # Query AbuseIPDB API
+    local response=$(curl -s -G https://api.abuseipdb.com/api/v2/check \
+        --data-urlencode "ipAddress=$ip" \
+        -d maxAgeInDays=90 \
+        -H "Key: $api_key" \
+        -H "Accept: application/json" 2>/dev/null)
+
+    if [ -n "$response" ]; then
+        local confidence=$(echo "$response" | grep -oP '"abuseConfidenceScore":\K[0-9]+' | head -1)
+        local reports=$(echo "$response" | grep -oP '"totalReports":\K[0-9]+' | head -1)
+        local country=$(echo "$response" | grep -oP '"countryCode":"\K[^"]+' | head -1)
+        local isp=$(echo "$response" | grep -oP '"isp":"\K[^"]+' | head -1)
+
+        local result="${confidence:-0}|${reports:-0}|${country:-Unknown}|${isp:-Unknown}"
+        echo "$result" | tee "$cache_file"
+        return 0
+    fi
+
+    echo "0|0|Unknown|Unknown"
+    return 1
+}
+
+################################################################################
+# Geolocation Detection (Using existing geoiplookup or geoip-bin)
+################################################################################
+
+# Get country code for IP
+get_country_code() {
+    local ip="$1"
+    local cache_file="$THREAT_CACHE_DIR/geo_${ip//\./_}"
+
+    # Check cache
+    if [ -f "$cache_file" ]; then
+        local cache_age=$(($(date +%s) - $(stat -c %Y "$cache_file" 2>/dev/null || echo 0)))
+        if [ "$cache_age" -lt "$CACHE_TTL" ]; then
+            cat "$cache_file"
+            return 0
+        fi
+    fi
+
+    # Try geoiplookup (if installed)
+    if command -v geoiplookup &>/dev/null; then
+        local country=$(geoiplookup "$ip" 2>/dev/null | head -1 | grep -oP 'GeoIP Country Edition: \K[A-Z]{2}')
+        if [ -n "$country" ]; then
+            echo "$country" | tee "$cache_file"
+            return 0
+        fi
+    fi
+
+    # Try geoip-bin (alternative)
+    if command -v geoiplookup6 &>/dev/null; then
+        local country=$(geoiplookup6 "$ip" 2>/dev/null | head -1 | grep -oP 'GeoIP Country Edition: \K[A-Z]{2}')
+        if [ -n "$country" ]; then
+            echo "$country" | tee "$cache_file"
+            return 0
+        fi
+    fi
+
+    # Fallback to whois (slower, not cached as aggressively)
+    if command -v whois &>/dev/null; then
+        local country=$(whois "$ip" 2>/dev/null | grep -i "^country:" | head -1 | awk '{print $2}' | tr '[:lower:]' '[:upper:]')
+        if [ -n "$country" ] && [ ${#country} -eq 2 ]; then
+            echo "$country" | tee "$cache_file"
+            return 0
+        fi
+    fi
+
+    echo "XX"
+    return 1
+}
+
+# Check if country is high-risk
+is_high_risk_country() {
+    local country="$1"
+
+    # High-risk countries (commonly seen in attacks)
+    local high_risk="CN RU UA BY KP IR VN TH ID BR"
+
+    if echo "$high_risk" | grep -qw "$country"; then
+        return 0
+    fi
+
+    return 1
+}
+
+################################################################################
+# Smart Whitelisting
+################################################################################
+
+# Check if IP should be whitelisted (legitimate services)
+is_whitelisted_service() {
+    local ip="$1"
+    local whitelist_file="/var/lib/server-toolkit/whitelist_ips.txt"
+
+    # Check static whitelist
+    if [ -f "$whitelist_file" ]; then
+        if grep -q "^$ip$" "$whitelist_file"; then
+            return 0
+        fi
+    fi
+
+    # Check if IP belongs to known legitimate networks
+    # Google IPs (8.8.0.0/16, 66.249.64.0/19, etc.)
+    if [[ "$ip" =~ ^8\.8\. ]] || [[ "$ip" =~ ^66\.249\. ]] || [[ "$ip" =~ ^66\.102\. ]]; then
+        return 0
+    fi
+
+    # Cloudflare IPs (173.245.48.0/20, 103.21.244.0/22, etc.)
+    if [[ "$ip" =~ ^173\.245\.(4[8-9]|5[0-9]|6[0-3])\. ]] || [[ "$ip" =~ ^103\.21\.24[4-7]\. ]]; then
+        return 0
+    fi
+
+    # Microsoft/Bing IPs (40.0.0.0/8, 65.52.0.0/14, etc.)
+    if [[ "$ip" =~ ^40\. ]] || [[ "$ip" =~ ^65\.5[2-5]\. ]]; then
+        return 0
+    fi
+
+    # Common CDN/monitoring services
+    # Akamai: 23.0.0.0/8
+    if [[ "$ip" =~ ^23\. ]]; then
+        return 0
+    fi
+
+    return 1
+}
+
+# Add IP to whitelist
+add_to_whitelist() {
+    local ip="$1"
+    local reason="$2"
+    local whitelist_file="/var/lib/server-toolkit/whitelist_ips.txt"
+
+    if ! grep -q "^$ip$" "$whitelist_file" 2>/dev/null; then
+        echo "$ip  # $reason" >> "$whitelist_file"
+    fi
+}
+
+################################################################################
+# Behavioral Analysis
+################################################################################
+
+# Analyze request timing pattern
+# Returns: human|bot|suspicious
+analyze_timing_pattern() {
+    local ip="$1"
+    local timing_file="$THREAT_CACHE_DIR/timing_${ip//\./_}"
+
+    # Record timestamp
+    echo "$(date +%s)" >> "$timing_file"
+
+    # Keep only last 100 requests
+    tail -100 "$timing_file" > "${timing_file}.tmp" 2>/dev/null
+    mv "${timing_file}.tmp" "$timing_file" 2>/dev/null
+
+    # Analyze if we have enough data
+    local request_count=$(wc -l < "$timing_file" 2>/dev/null || echo 0)
+    if [ "$request_count" -lt 10 ]; then
+        echo "unknown"
+        return
+    fi
+
+    # Calculate average time between requests
+    local timestamps=$(cat "$timing_file")
+    local total_gap=0
+    local gap_count=0
+    local prev_ts=""
+
+    while IFS= read -r ts; do
+        if [ -n "$prev_ts" ]; then
+            local gap=$((ts - prev_ts))
+            total_gap=$((total_gap + gap))
+            gap_count=$((gap_count + 1))
+        fi
+        prev_ts="$ts"
+    done <<< "$timestamps"
+
+    if [ "$gap_count" -gt 0 ]; then
+        local avg_gap=$((total_gap / gap_count))
+
+        # Bot patterns: < 2 seconds between requests consistently
+        if [ "$avg_gap" -lt 2 ]; then
+            echo "bot"
+            return
+        fi
+
+        # Human patterns: 5-30 seconds between requests with variation
+        if [ "$avg_gap" -ge 5 ] && [ "$avg_gap" -le 30 ]; then
+            echo "human"
+            return
+        fi
+
+        # Suspicious: Too fast but not consistent bot pattern
+        echo "suspicious"
+        return
+    fi
+
+    echo "unknown"
+}
+
+################################################################################
+# Attack Pattern Learning
+################################################################################
+
+# Record attack pattern for learning
+record_attack_pattern() {
+    local ip="$1"
+    local attack_type="$2"
+    local uri="$3"
+    local user_agent="$4"
+
+    local pattern_file="/var/lib/server-toolkit/attack-patterns/patterns.log"
+    mkdir -p "$(dirname "$pattern_file")" 2>/dev/null
+
+    # Format: timestamp|ip|attack_type|uri|user_agent
+    echo "$(date +%s)|$ip|$attack_type|$uri|$user_agent" >> "$pattern_file"
+
+    # Keep only last 10000 patterns (prevent unbounded growth)
+    tail -10000 "$pattern_file" > "${pattern_file}.tmp" 2>/dev/null
+    mv "${pattern_file}.tmp" "$pattern_file" 2>/dev/null
+}
+
+# Check if attack matches known pattern
+matches_known_pattern() {
+    local attack_type="$1"
+    local uri="$2"
+
+    local pattern_file="/var/lib/server-toolkit/attack-patterns/patterns.log"
+
+    if [ ! -f "$pattern_file" ]; then
+        return 1
+    fi
+
+    # Check if this attack type + similar URI has been seen before
+    local similar_count=$(grep "|$attack_type|" "$pattern_file" | grep -c "$uri" || echo 0)
+
+    if [ "$similar_count" -ge 3 ]; then
+        return 0  # Known pattern
+    fi
+
+    return 1  # New pattern
+}
+
+################################################################################
+# Performance Impact Monitoring
+################################################################################
+
+# Get current server load
+get_server_load() {
+    # Returns: load_1min|load_5min|load_15min|cpu_count
+    local load=$(uptime | awk -F'load average:' '{print $2}' | sed 's/,//g' | xargs)
+    local cpu_count=$(nproc)
+
+    echo "${load}|${cpu_count}"
+}
+
+# Check if server is under stress
+is_server_stressed() {
+    local load_data=$(get_server_load)
+    IFS='|' read -r load1 load5 load15 cpu_count <<< "$load_data"
+
+    # Remove any extra spaces
+    load1=$(echo "$load1" | awk '{print $1}')
+
+    # Convert to integer (multiply by 100 to handle decimals)
+    local load_int=$(echo "$load1 * 100" | bc 2>/dev/null | cut -d. -f1)
+    local threshold=$((cpu_count * 80))  # 80% of CPU count
+
+    if [ "$load_int" -gt "$threshold" ]; then
+        return 0  # Server is stressed
+    fi
+
+    return 1
+}
+
+################################################################################
+# Incident Report Generation
+################################################################################
+
+# Generate incident report for an IP
+generate_incident_report() {
+    local ip="$1"
+    local report_file="/var/lib/server-toolkit/incident-reports/report_${ip//\./_}_$(date +%Y%m%d_%H%M%S).txt"
+
+    mkdir -p "$(dirname "$report_file")" 2>/dev/null
+
+    {
+        echo "═══════════════════════════════════════════════════════════════"
+        echo "SECURITY INCIDENT REPORT"
+        echo "═══════════════════════════════════════════════════════════════"
+        echo ""
+        echo "Generated: $(date '+%Y-%m-%d %H:%M:%S %Z')"
+        echo "IP Address: $ip"
+        echo ""
+
+        echo "─────────────────────────────────────────────────────────────"
+        echo "THREAT INTELLIGENCE"
+        echo "─────────────────────────────────────────────────────────────"
+
+        # AbuseIPDB data
+        local abuse_data=$(check_abuseipdb "$ip")
+        IFS='|' read -r confidence reports country isp <<< "$abuse_data"
+        echo "AbuseIPDB Confidence: ${confidence}%"
+        echo "Total Reports: $reports"
+        echo "Country: $country"
+        echo "ISP: $isp"
+        echo ""
+
+        # Geolocation
+        local geo=$(get_country_code "$ip")
+        echo "Geolocation: $geo"
+        if is_high_risk_country "$geo"; then
+            echo "Risk Level: HIGH (Known attack source country)"
+        else
+            echo "Risk Level: MEDIUM"
+        fi
+        echo ""
+
+        echo "─────────────────────────────────────────────────────────────"
+        echo "ATTACK HISTORY"
+        echo "─────────────────────────────────────────────────────────────"
+
+        # Get attacks from pattern log
+        local pattern_file="/var/lib/server-toolkit/attack-patterns/patterns.log"
+        if [ -f "$pattern_file" ]; then
+            echo "Recent attacks from this IP:"
+            grep "|$ip|" "$pattern_file" | tail -20 | while IFS='|' read -r ts ip_addr attack_type uri ua; do
+                echo "  [$(date -d @$ts '+%Y-%m-%d %H:%M:%S')] $attack_type - $uri"
+            done
+            echo ""
+        fi
+
+        echo "─────────────────────────────────────────────────────────────"
+        echo "RECOMMENDED ACTIONS"
+        echo "─────────────────────────────────────────────────────────────"
+
+        if [ "$confidence" -ge 75 ]; then
+            echo "• IMMEDIATE BLOCK - High confidence malicious IP"
+            echo "  Command: csf -d $ip \"AbuseIPDB: ${confidence}% confidence\""
+        elif [ "$reports" -ge 10 ]; then
+            echo "• TEMPORARY BLOCK - Multiple abuse reports"
+            echo "  Command: csf -td $ip 86400 \"Multiple abuse reports\""
+        else
+            echo "• MONITOR - Watch for continued activity"
+        fi
+
+        echo ""
+        echo "═══════════════════════════════════════════════════════════════"
+        echo "END OF REPORT"
+        echo "═══════════════════════════════════════════════════════════════"
+
+    } > "$report_file"
+
+    echo "$report_file"
+}
+
+################################################################################
+# Multi-Server Coordination (for environments with multiple servers)
+################################################################################
+
+# Share threat data with other servers (if configured)
+share_threat_data() {
+    local ip="$1"
+    local attack_type="$2"
+    local score="$3"
+
+    local coordination_file="/var/lib/server-toolkit/shared-threats.log"
+
+    # Log for potential sharing
+    echo "$(date +%s)|$(hostname)|$ip|$attack_type|$score" >> "$coordination_file"
+
+    # Keep only last 1000 entries
+    tail -1000 "$coordination_file" > "${coordination_file}.tmp" 2>/dev/null
+    mv "${coordination_file}.tmp" "$coordination_file" 2>/dev/null
+}
+
+# Check if IP is flagged by other servers
+check_shared_threats() {
+    local ip="$1"
+    local coordination_file="/var/lib/server-toolkit/shared-threats.log"
+
+    if [ -f "$coordination_file" ]; then
+        local count=$(grep "|$ip|" "$coordination_file" | wc -l)
+        echo "$count"
+    else
+        echo "0"
+    fi
+}
+
+################################################################################
+# Threat Intelligence Summary
+################################################################################
+
+# Get comprehensive threat intelligence for an IP
+get_threat_intelligence() {
+    local ip="$1"
+
+    local abuse_data=$(check_abuseipdb "$ip" 2>/dev/null || echo "0|0|Unknown|Unknown")
+    local geo=$(get_country_code "$ip" 2>/dev/null || echo "XX")
+    local timing=$(analyze_timing_pattern "$ip" 2>/dev/null || echo "unknown")
+    local whitelisted="no"
+    is_whitelisted_service "$ip" && whitelisted="yes"
+
+    # Format: abuse_confidence|abuse_reports|country|isp|timing_pattern|whitelisted
+    echo "${abuse_data}|${geo}|${timing}|${whitelisted}"
+}
+
+# Export functions for use in other scripts
+export -f check_abuseipdb
+export -f get_country_code
+export -f is_high_risk_country
+export -f is_whitelisted_service
+export -f add_to_whitelist
+export -f analyze_timing_pattern
+export -f record_attack_pattern
+export -f matches_known_pattern
+export -f get_server_load
+export -f is_server_stressed
+export -f generate_incident_report
+export -f share_threat_data
+export -f check_shared_threats
+export -f get_threat_intelligence
@@ -12,6 +12,12 @@ if [ -z "$TOOLKIT_BASE_DIR" ]; then
    source "$SCRIPT_DIR/system-detect.sh"
 fi

+# Initialize temp session directory if not set
+if [ -z "$TEMP_SESSION_DIR" ]; then
+    TEMP_SESSION_DIR="/tmp/server-toolkit-$$"
+    mkdir -p "$TEMP_SESSION_DIR" 2>/dev/null
+fi
+
 #############################################################################
 # USER LISTING (Control Panel Specific)
 #############################################################################
@@ -58,8 +64,15 @@ list_interworx_users() {
    if [ -x "/usr/local/interworx/bin/listaccounts.pex" ]; then
        /usr/local/interworx/bin/listaccounts.pex --output user 2>/dev/null
    else
-        # Fallback: parse InterWorx config
-        find /home -maxdepth 1 -type d -name "*.conf" 2>/dev/null | xargs -I {} basename {} .conf
+        # Fallback: Parse Apache vhost configs for SuexecUserGroup directives
+        # Each InterWorx account has vhost files in /etc/httpd/conf.d/
+        if [ -d "/etc/httpd/conf.d" ]; then
+            grep -h "^[[:space:]]*SuexecUserGroup" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | \
+                awk '{print $2}' | sort -u
+        else
+            # Last resort: list /home directories (may include non-InterWorx users)
+            find /home -maxdepth 1 -type d ! -name "home" ! -name "interworx" -printf "%f\n" 2>/dev/null | sort
+        fi
    fi
 }

@@ -75,24 +88,21 @@ list_system_users() {

 get_user_info() {
    local username="$1"
-    local info_file="${TEMP_SESSION_DIR}/user_${username}_info.tmp"

    case "$SYS_CONTROL_PANEL" in
        cpanel)
-            get_cpanel_user_info "$username" > "$info_file"
+            get_cpanel_user_info "$username"
            ;;
        plesk)
-            get_plesk_user_info "$username" > "$info_file"
+            get_plesk_user_info "$username"
            ;;
        interworx)
-            get_interworx_user_info "$username" > "$info_file"
+            get_interworx_user_info "$username"
            ;;
        *)
-            get_system_user_info "$username" > "$info_file"
+            get_system_user_info "$username"
            ;;
    esac
-
-    cat "$info_file"
 }

 # cPanel user info
@@ -157,10 +167,40 @@ get_interworx_user_info() {
        return 1
    fi

+    # Try to get primary domain from listaccounts.pex first
+    local primary_domain=""
+    if [ -x "/usr/local/interworx/bin/listaccounts.pex" ]; then
+        primary_domain=$(/usr/local/interworx/bin/listaccounts.pex 2>/dev/null | \
+            awk -v user="$username" '$1 == user {print $2; exit}')
+    fi
+
+    # Fallback: Parse vhost configs to find primary domain
+    if [ -z "$primary_domain" ]; then
+        primary_domain=$(grep -l "SuexecUserGroup ${username}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | \
+            head -1 | sed 's|.*/vhost_||; s|\.conf$||')
+    fi
+
+    # Get all domains for this user from vhost configs
+    local all_domains=$(grep -l "SuexecUserGroup ${username}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | \
+        sed 's|.*/vhost_||; s|\.conf$||' | tr '\n' ' ' | sed 's/[[:space:]]*$//')
+
+    # Get disk usage
    local disk_used=$(du -sh "$home_dir" 2>/dev/null | awk '{print $1}')

+    # Try to get email from NodeWorx API (if available)
+    # Note: This requires nodeworx CLI which may need authentication
+    local email=""
+    if [ -x "/usr/local/interworx/bin/nodeworx.pex" ] && [ -n "$primary_domain" ]; then
+        email=$(nodeworx -u -n -c Siteworx -a listAccounts 2>/dev/null | \
+            grep -A20 "\"domain\" => \"$primary_domain\"" | \
+            grep "\"email\"" | head -1 | sed 's/.*=> "\(.*\)".*/\1/')
+    fi
+
    echo "USER_EXISTS=yes"
    echo "USERNAME=$username"
+    echo "PRIMARY_DOMAIN=$primary_domain"
+    echo "ALL_DOMAINS=$all_domains"
+    echo "EMAIL=${email:-unknown}"
    echo "HOME_DIR=$home_dir"
    echo "DISK_USED=$disk_used"
 }
@@ -230,8 +270,19 @@ get_plesk_user_domains() {
 get_interworx_user_domains() {
    local username="$1"

+    # Method 1: Use listaccounts.pex to get primary domain
    if [ -x "/usr/local/interworx/bin/listaccounts.pex" ]; then
-        /usr/local/interworx/bin/listaccounts.pex --user "$username" --output domain 2>/dev/null
+        /usr/local/interworx/bin/listaccounts.pex 2>/dev/null | \
+            awk -v user="$username" '$1 == user {print $2}'
+    fi
+
+    # Method 2: Parse vhost configs to get ALL domains (primary + secondary/addon)
+    # InterWorx creates vhost_domain.conf for each domain, with SuexecUserGroup directive
+    if [ -d "/etc/httpd/conf.d" ]; then
+        grep -l "SuexecUserGroup ${username}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | \
+            sed 's|.*/vhost_||; s|\.conf$||' | \
+            grep -v "^${username}\." | \
+            sort -u
    fi
 }

@@ -277,8 +328,33 @@ get_plesk_user_databases() {
 get_interworx_user_databases() {
    local username="$1"

-    # InterWorx databases typically follow pattern: username_dbname
-    mysql -e "SHOW DATABASES" 2>/dev/null | grep "^${username}_" || true
+    # InterWorx uses the first 8 characters of the PRIMARY DOMAIN as database prefix
+    # NOT the username! (e.g., domain example.com → prefix: examplec_)
+
+    # Get primary domain for this user
+    local primary_domain=""
+    if [ -x "/usr/local/interworx/bin/listaccounts.pex" ]; then
+        primary_domain=$(/usr/local/interworx/bin/listaccounts.pex 2>/dev/null | \
+            awk -v user="$username" '$1 == user {print $2; exit}')
+    fi
+
+    # Fallback: try to find from vhost configs
+    if [ -z "$primary_domain" ]; then
+        primary_domain=$(grep -l "SuexecUserGroup ${username}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | \
+            head -1 | sed 's|.*/vhost_||; s|\.conf$||')
+    fi
+
+    if [ -z "$primary_domain" ]; then
+        # No domain found, try username pattern as last resort
+        mysql -e "SHOW DATABASES" 2>/dev/null | grep "^${username}_" || true
+        return
+    fi
+
+    # Get first 8 characters of domain (removing dots) as database prefix
+    local db_prefix=$(echo "$primary_domain" | sed 's/\.//g' | cut -c1-8)
+
+    # Query MySQL for databases with this prefix
+    mysql -e "SHOW DATABASES" 2>/dev/null | grep "^${db_prefix}_" || true
 }

 #############################################################################
@@ -0,0 +1,268 @@
+#!/bin/bash
+
+################################################################################
+# Acronis Agent Status Checker
+################################################################################
+# Purpose: Check status of all Acronis Cyber Protect services
+# Services monitored:
+# - aakore (Acronis Agent Core)
+# - acronis_mms (Management Service)
+# - acronis_schedule (Scheduler)
+# - active-protection.service (Ransomware Protection)
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+# Require root
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+print_banner "Acronis Agent Status"
+
+echo ""
+echo -e "${BOLD}Checking Acronis Cyber Protect Services...${NC}"
+echo ""
+
+# Array of services to check
+declare -a SERVICES=(
+    "aakore:Acronis Agent Core"
+    "acronis_mms:Management Service"
+    "acronis_schedule:Backup Scheduler"
+    "active-protection:Ransomware Protection"
+)
+
+# Track overall status
+all_running=true
+any_installed=false
+
+# Function to check service status
+check_service_status() {
+    local service_name="$1"
+    local service_desc="$2"
+
+    # Check if service exists
+    if systemctl list-unit-files | grep -q "^${service_name}.service"; then
+        any_installed=true
+
+        # Get service status
+        if systemctl is-active --quiet "$service_name"; then
+            echo -e "  ${GREEN}●${NC} ${BOLD}${service_desc}${NC}"
+            echo -e "     Status: ${GREEN}RUNNING${NC}"
+
+            # Get uptime
+            local uptime=$(systemctl show "$service_name" -p ActiveEnterTimestamp --value)
+            if [ -n "$uptime" ]; then
+                echo -e "     Uptime: ${uptime}"
+            fi
+
+            # Get PID
+            local pid=$(systemctl show "$service_name" -p MainPID --value)
+            if [ "$pid" != "0" ]; then
+                echo -e "     PID:    ${pid}"
+            fi
+        else
+            all_running=false
+            echo -e "  ${RED}●${NC} ${BOLD}${service_desc}${NC}"
+            echo -e "     Status: ${RED}STOPPED${NC}"
+
+            # Check if failed
+            if systemctl is-failed --quiet "$service_name"; then
+                echo -e "     ${RED}[FAILED]${NC} - Service has errors"
+            fi
+        fi
+        echo ""
+    elif service "$service_name" status &>/dev/null; then
+        # Fallback to service command for older systems
+        any_installed=true
+        if service "$service_name" status | grep -q "running"; then
+            echo -e "  ${GREEN}●${NC} ${BOLD}${service_desc}${NC}"
+            echo -e "     Status: ${GREEN}RUNNING${NC}"
+        else
+            all_running=false
+            echo -e "  ${RED}●${NC} ${BOLD}${service_desc}${NC}"
+            echo -e "     Status: ${RED}STOPPED${NC}"
+        fi
+        echo ""
+    fi
+}
+
+# Check each service
+for service_entry in "${SERVICES[@]}"; do
+    IFS=':' read -r service_name service_desc <<< "$service_entry"
+    check_service_status "$service_name" "$service_desc"
+done
+
+# Check if Acronis is even installed
+if [ "$any_installed" = false ]; then
+    echo -e "${YELLOW}${BOLD}⚠ Acronis Agent Not Installed${NC}"
+    echo ""
+    echo "Acronis Cyber Protect is not installed on this system."
+    echo ""
+    echo "To install:"
+    echo "  1. Return to Backup & Recovery menu"
+    echo "  2. Select 'Acronis Management'"
+    echo "  3. Choose 'Install Acronis Agent'"
+    echo ""
+    press_enter
+    exit 0
+fi
+
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+
+# Overall status summary
+if [ "$all_running" = true ]; then
+    echo -e "${GREEN}${BOLD}✓ All Services Running${NC}"
+    echo ""
+    echo "Acronis Cyber Protect is operational and ready for backups."
+else
+    echo -e "${YELLOW}${BOLD}⚠ Some Services Not Running${NC}"
+    echo ""
+    echo "Some Acronis services are stopped. You may want to:"
+    echo "  • Start services: Select 'Service Management' from Acronis menu"
+    echo "  • Check logs: Select 'View Logs' for error details"
+    echo "  • Restart services: Try restarting all services"
+fi
+
+echo ""
+
+# Check agent registration status
+echo -e "${BOLD}Agent Registration:${NC}"
+if [ -f "/var/lib/Acronis/BackupAndRecovery/MMS/user.config" ]; then
+    # Check for registration info in user.config
+    if grep -q "<registration>" "/var/lib/Acronis/BackupAndRecovery/MMS/user.config" 2>/dev/null; then
+        reg_address=$(grep -oP '<address>\K[^<]+' /var/lib/Acronis/BackupAndRecovery/MMS/user.config 2>/dev/null)
+        reg_env=$(grep -oP '<environment>\K[^<]+' /var/lib/Acronis/BackupAndRecovery/MMS/user.config 2>/dev/null)
+
+        if [ -n "$reg_address" ]; then
+            echo -e "  ${GREEN}✓${NC} Agent is registered with Acronis Cloud"
+            echo -e "  URL: ${reg_address}"
+            [ -n "$reg_env" ] && echo -e "  Environment: ${reg_env}"
+        else
+            echo -e "  ${YELLOW}⚠${NC} Registration incomplete"
+        fi
+    else
+        echo -e "  ${YELLOW}⚠${NC} Agent not registered"
+    fi
+else
+    echo -e "  ${YELLOW}⚠${NC} Configuration file not found"
+fi
+
+echo ""
+
+# Check active ports
+echo -e "${BOLD}Network Connectivity:${NC}"
+
+# Check for actual Acronis listening ports (deduplicate IPv4/IPv6)
+acronis_ports=$(netstat -tlnp 2>/dev/null | grep -E "(acronis|mms|aakore)" | awk '{
+    split($4, addr, ":");
+    port = addr[length(addr)];
+    if (!seen[port]++) {
+        print $4 " " $7;
+    }
+}')
+
+if [ -n "$acronis_ports" ]; then
+    echo "Active Acronis services:"
+    echo "$acronis_ports" | while read -r addr process; do
+        port=$(echo "$addr" | grep -oP ':\K[0-9]+$')
+        if echo "$addr" | grep -q "127.0.0.1\|::1"; then
+            # Local-only port
+            if [ "$port" = "9850" ]; then
+                echo -e "  ${GREEN}✓${NC} Port $port (localhost) - MMS Service"
+            else
+                echo -e "  ${GREEN}✓${NC} Port $port (localhost) - $(basename "$process" | cut -d/ -f2)"
+            fi
+        else
+            echo -e "  ${GREEN}✓${NC} Port $port - $(basename "$process" | cut -d/ -f2)"
+        fi
+    done
+else
+    echo -e "  ${YELLOW}⚠${NC} No Acronis ports detected"
+fi
+
+echo ""
+
+# Check outbound connectivity to cloud (port 443)
+echo ""
+echo -e "${BOLD}Cloud Connectivity Test:${NC}"
+
+if command -v curl >/dev/null 2>&1; then
+    reg_url=$(grep -oP '<address>\K[^<]+' /var/lib/Acronis/BackupAndRecovery/MMS/user.config 2>/dev/null)
+    if [ -n "$reg_url" ]; then
+        echo -n "  Testing ${reg_url}... "
+
+        http_code=$(timeout 5 curl -s -o /dev/null -w "%{http_code}" "$reg_url" 2>/dev/null)
+
+        if [ "$http_code" -ge 200 ] && [ "$http_code" -lt 500 ]; then
+            echo -e "${GREEN}✓ Reachable${NC} (HTTP $http_code)"
+        else
+            echo -e "${RED}✗ Unreachable${NC}"
+            echo -e "  ${YELLOW}⚠${NC} Cannot reach Acronis cloud (firewall/network issue)"
+            echo "  • Check internet connectivity"
+            echo "  • Verify firewall allows HTTPS (port 443)"
+            echo "  • Test manually: curl -I $reg_url"
+        fi
+    else
+        echo -e "  ${YELLOW}⚠${NC} Cloud URL not found in config"
+    fi
+else
+    echo -e "  ${YELLOW}⚠${NC} curl not installed (cannot test connectivity)"
+fi
+
+echo ""
+
+# Check cloud storage quota
+echo -e "${BOLD}Cloud Backup Storage:${NC}"
+if command -v acrocmd >/dev/null 2>&1; then
+    vault_info=$(acrocmd list vaults 2>/dev/null | tail -n +3 | head -1)
+
+    if [ -n "$vault_info" ]; then
+        # Extract storage info from vault output
+        vault_name=$(echo "$vault_info" | awk '{print $1}')
+        vault_free_val=$(echo "$vault_info" | awk '{print $4}')
+        vault_free_unit=$(echo "$vault_info" | awk '{print $5}')
+        vault_occupied=$(echo "$vault_info" | awk '{print $6, $7}')
+
+        echo -e "  Vault:        ${vault_name}"
+        echo -e "  Available:    ${vault_free_val} ${vault_free_unit}"
+
+        # Show occupied if available, otherwise note it's not synced
+        if [ "$vault_occupied" != "0 GB" ]; then
+            echo -e "  Used:         ${vault_occupied}"
+        else
+            echo -e "  Used:         ${DIM}(Check web console for accurate usage)${NC}"
+        fi
+    else
+        echo -e "  ${YELLOW}⚠${NC} No vault information available"
+        echo -e "  ${DIM}(Cloud storage visible after first backup)${NC}"
+    fi
+else
+    echo -e "  ${YELLOW}⚠${NC} acrocmd not available"
+fi
+
+echo ""
+
+# Check local disk space
+echo -e "${BOLD}Local Storage Status:${NC}"
+if [ -d "/var/lib/Acronis" ]; then
+    backup_dir_size=$(du -sh /var/lib/Acronis 2>/dev/null | awk '{print $1}')
+    echo -e "  Agent data:   ${backup_dir_size} (local cache/logs/config)"
+
+    # Check free space on partition
+    free_space=$(df -h /var/lib/Acronis | tail -1 | awk '{print $4}')
+    use_percent=$(df -h /var/lib/Acronis | tail -1 | awk '{print $5}' | tr -d '%')
+
+    echo -e "  Free space:   ${free_space} (on root partition)"
+
+    if [ -n "$use_percent" ] && [ "$use_percent" -gt 90 ] 2>/dev/null; then
+        echo -e "  ${RED}⚠ Warning: Disk usage at ${use_percent}%${NC}"
+    fi
+fi
+
+echo ""
+press_enter
@@ -0,0 +1,103 @@
+#!/bin/bash
+
+################################################################################
+# Acronis Backup Manager
+################################################################################
+# Purpose: Main interface for Acronis backup operations
+# Features:
+# - List backups and archives
+# - Trigger manual backups
+# - View backup schedules
+# - Monitor backup/recovery status
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+# Check if Acronis is installed
+if ! systemctl list-unit-files | grep -q "acronis_mms.service"; then
+    print_error "Acronis is not installed"
+    echo ""
+    echo "Install Acronis first from the Acronis menu."
+    echo ""
+    press_enter
+    exit 1
+fi
+
+# Check if acrocmd is available
+if [ ! -f "/usr/sbin/acrocmd" ]; then
+    print_error "acrocmd command-line tool not found"
+    echo ""
+    echo "This may indicate an incomplete Acronis installation."
+    echo ""
+    press_enter
+    exit 1
+fi
+
+while true; do
+    clear
+    print_banner "Backup Management"
+
+    echo ""
+    echo -e "${BOLD}Agent Management${NC}"
+    echo -e "  ${YELLOW}1)${NC} Check Agent Status"
+    echo -e "  ${YELLOW}2)${NC} View Agent Logs"
+    echo ""
+    echo -e "${BOLD}Backup Operations${NC}"
+    echo -e "  ${YELLOW}3)${NC} List Backups & Archives"
+    echo -e "  ${YELLOW}4)${NC} Trigger Manual Backup"
+    echo -e "  ${YELLOW}5)${NC} Check Backup Status"
+    echo ""
+    echo -e "${BOLD}Plan Management${NC}"
+    echo -e "  ${YELLOW}6)${NC} View Backup Plans/Schedules"
+    echo -e "  ${YELLOW}7)${NC} Manage Protection Plans"
+    echo ""
+    echo -e "${BOLD}Restore Operations${NC}"
+    echo -e "  ${YELLOW}8)${NC} Restore from Backup (Future)"
+    echo ""
+    echo -e "  ${YELLOW}0)${NC} Return to Acronis Menu"
+    echo ""
+    echo -n "Select option: "
+    read -r choice
+
+    case "$choice" in
+        1)
+            bash "$SCRIPT_DIR/modules/backup/acronis-agent-status.sh"
+            ;;
+        2)
+            bash "$SCRIPT_DIR/modules/backup/acronis-logs.sh"
+            ;;
+        3)
+            bash "$SCRIPT_DIR/modules/backup/acronis-list-backups.sh"
+            ;;
+        4)
+            bash "$SCRIPT_DIR/modules/backup/acronis-trigger-backup.sh"
+            ;;
+        5)
+            bash "$SCRIPT_DIR/modules/backup/acronis-backup-status.sh"
+            ;;
+        6)
+            bash "$SCRIPT_DIR/modules/backup/acronis-schedule-viewer.sh"
+            ;;
+        7)
+            bash "$SCRIPT_DIR/modules/backup/acronis-plan-manager.sh"
+            ;;
+        8)
+            bash "$SCRIPT_DIR/modules/backup/acronis-restore.sh"
+            ;;
+        0)
+            exit 0
+            ;;
+        *)
+            echo ""
+            print_error "Invalid option"
+            sleep 1
+            ;;
+    esac
+done
@@ -0,0 +1,118 @@
+#!/bin/bash
+
+################################################################################
+# Acronis Backup Status
+################################################################################
+# Purpose: Check status of backup operations using acrocmd
+# Features:
+# - Show active/running backups
+# - Display recent backup history
+# - Show backup task status
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+clear
+print_banner "Backup Status"
+
+echo ""
+
+# Check if acrocmd is available
+if [ ! -f "/usr/sbin/acrocmd" ]; then
+    print_error "acrocmd command-line tool not found"
+    echo ""
+    press_enter
+    exit 1
+fi
+
+# Show active/running tasks
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo -e "${BOLD}Active Backup Tasks${NC}"
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo ""
+
+task_output=$(/usr/sbin/acrocmd list tasks 2>&1)
+
+if echo "$task_output" | grep -qi "no.*tasks\|error"; then
+    echo -e "${GREEN}✓${NC} No active backup tasks running"
+else
+    echo "$task_output"
+fi
+
+echo ""
+
+# Show recent activities
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo -e "${BOLD}Recent Backup Activities${NC}"
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo ""
+
+activity_output=$(/usr/sbin/acrocmd list activities 2>&1)
+
+if echo "$activity_output" | grep -qi "no.*activities\|error"; then
+    echo -e "${YELLOW}No recent backup activities found${NC}"
+    echo ""
+    echo "This may indicate:"
+    echo "  • No backups have been run yet"
+    echo "  • Agent needs registration"
+    echo "  • No backup plans configured"
+else
+    echo "$activity_output" | tail -20
+fi
+
+echo ""
+
+# Parse logs for backup status
+if [ -f "/var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log" ]; then
+    echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+    echo -e "${BOLD}Log Summary${NC}"
+    echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+    echo ""
+
+    # Count recent backup events
+    log_file="/var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
+
+    completed=$(grep -ic "backup.*completed\|backup.*success" "$log_file" 2>/dev/null || echo "0")
+    failed=$(grep -ic "backup.*failed\|backup.*error" "$log_file" 2>/dev/null || echo "0")
+    started=$(grep -ic "backup.*started\|backup.*begin" "$log_file" 2>/dev/null || echo "0")
+
+    echo "Backup Statistics (from current log):"
+    echo "  • Started:   $started"
+    echo "  • Completed: $completed"
+    echo "  • Failed:    $failed"
+
+    echo ""
+
+    # Show last 5 backup-related events
+    echo "Recent Events:"
+    echo ""
+    grep -i "backup" "$log_file" 2>/dev/null | tail -5 | while read -r line; do
+        # Highlight status
+        if echo "$line" | grep -qi "success\|completed"; then
+            echo -e "  ${GREEN}✓${NC} $line"
+        elif echo "$line" | grep -qi "fail\|error"; then
+            echo -e "  ${RED}✗${NC} $line"
+        else
+            echo "  → $line"
+        fi
+    done
+fi
+
+echo ""
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo ""
+echo -e "${BOLD}Options:${NC}"
+echo ""
+echo "  • View full logs: Select 'View Agent Logs' from menu"
+echo "  • Trigger backup: Select 'Trigger Manual Backup'"
+echo "  • Troubleshoot: Use 'Troubleshoot Backups' for diagnostics"
+echo ""
+
+press_enter
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+print_banner "Configure Backup Plans"
+
+echo ""
+echo -e "${BOLD}Acronis Backup Plan Configuration${NC}"
+echo ""
+echo "Backup plans are configured through the Acronis web console."
+echo ""
+echo -e "${CYAN}Steps to configure backup plans:${NC}"
+echo ""
+echo "1. Log in to your Acronis web console"
+echo "   → https://us5-cloud.acronis.com (or your region)"
+echo ""
+echo "2. Navigate to: Devices → All devices"
+echo ""
+echo "3. Find this server in the device list"
+echo ""
+echo "4. Click on the device and select 'Protection'"
+echo ""
+echo "5. Click 'Add plan' and configure:"
+echo "   • Backup source (files, folders, system)"
+echo "   • Backup schedule (hourly, daily, weekly)"
+echo "   • Retention policy (how long to keep backups)"
+echo "   • Backup location (cloud or local)"
+echo ""
+echo "6. Apply the plan to this device"
+echo ""
+echo -e "${BOLD}Common Backup Plans:${NC}"
+echo ""
+echo "  • Full Server Backup"
+echo "    → Entire system image for disaster recovery"
+echo ""
+echo "  • cPanel Accounts"
+echo "    → /home/* directories for user data"
+echo ""
+echo "  • Databases"
+echo "    → MySQL/MariaDB databases with consistent snapshots"
+echo ""
+echo "  • Configuration Files"
+echo "    → /etc and other critical configs"
+echo ""
+echo "  • Web Files"
+echo "    → /home/*/public_html websites"
+echo ""
+press_enter
@@ -0,0 +1,361 @@
+#!/bin/bash
+
+################################################################################
+# Acronis Agent Installer
+################################################################################
+# Purpose: Download and install Acronis Cyber Protect agent
+# Supports:
+# - Interactive installation with prompts
+# - Unattended installation (-a flag)
+# - Skip registration (--skip-registration)
+# - Install with token (--token=xxx)
+# - Custom service URL (--rain=xxx)
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+# Require root
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+print_banner "Acronis Agent Installation"
+
+# Check if already installed
+if systemctl list-unit-files | grep -q "acronis_mms.service"; then
+    echo ""
+    echo -e "${YELLOW}${BOLD}⚠ Acronis Already Installed${NC}"
+    echo ""
+    echo "Acronis Cyber Protect agent is already installed on this system."
+    echo ""
+    echo -n "Do you want to reinstall/upgrade? (yes/no): "
+    read -r reinstall
+    if [ "$reinstall" != "yes" ]; then
+        echo "Installation cancelled"
+        press_enter
+        exit 0
+    fi
+fi
+
+echo ""
+echo -e "${BOLD}Acronis Cyber Protect Agent Installation${NC}"
+echo ""
+echo "This will download and install the latest Acronis agent for Linux (x86_64)."
+echo ""
+echo -e "${CYAN}Installation Options:${NC}"
+echo ""
+echo "  1) Interactive installation (default)"
+echo "  2) Unattended installation (auto-accept)"
+echo "  3) Install and register with token"
+echo "  4) Install without registration"
+echo "  5) Advanced/Custom installation (specify all flags)"
+echo ""
+echo -n "Select installation mode [1]: "
+read -r install_mode
+install_mode="${install_mode:-1}"
+
+# Build installation flags
+INSTALL_FLAGS=""
+SERVICE_URL="us5-cloud.acronis.com"
+REGISTRATION_TOKEN=""
+
+case "$install_mode" in
+    2)
+        INSTALL_FLAGS="-a"
+        echo ""
+        echo "Mode: Unattended installation"
+        ;;
+    3)
+        INSTALL_FLAGS="-a"
+        echo ""
+        echo -e "${BOLD}Register During Installation${NC}"
+        echo ""
+        echo "Paste your Acronis registration token below."
+        echo "To get a token:"
+        echo "  1. Log in to Acronis web console"
+        echo "  2. Go to: Settings → Registration tokens"
+        echo "  3. Create token or copy existing one"
+        echo ""
+        echo -n "Registration token: "
+        read -r REGISTRATION_TOKEN
+
+        # Allow pasting multi-line or trimming whitespace
+        REGISTRATION_TOKEN=$(echo "$REGISTRATION_TOKEN" | tr -d '[:space:]')
+
+        if [ -z "$REGISTRATION_TOKEN" ]; then
+            print_error "Token is required for this mode"
+            press_enter
+            exit 1
+        fi
+        INSTALL_FLAGS="$INSTALL_FLAGS --token=$REGISTRATION_TOKEN"
+        echo ""
+        echo "Mode: Install with registration token"
+        ;;
+    4)
+        INSTALL_FLAGS="-a --skip-registration"
+        echo ""
+        echo "Mode: Install without registration"
+        ;;
+    5)
+        # Advanced/Custom mode
+        echo ""
+        echo -e "${BOLD}Advanced Installation${NC}"
+        echo ""
+        echo "Build custom installation flags by selecting options."
+        echo ""
+
+        # Unattended mode
+        echo -n "Unattended install (auto-accept)? (y/n) [y]: "
+        read -r use_unattended
+        use_unattended="${use_unattended:-y}"
+        if [ "$use_unattended" = "y" ]; then
+            INSTALL_FLAGS="$INSTALL_FLAGS -a"
+        fi
+
+        # Registration options
+        echo ""
+        echo "Registration:"
+        echo "  1) Register with token during install"
+        echo "  2) Skip registration (register later)"
+        echo "  3) Interactive (installer will prompt)"
+        echo -n "Select [3]: "
+        read -r reg_choice
+        reg_choice="${reg_choice:-3}"
+
+        if [ "$reg_choice" = "1" ]; then
+            echo ""
+            echo "Paste your Acronis registration token:"
+            echo "(Spaces and line breaks will be automatically removed)"
+            echo ""
+            read -r REGISTRATION_TOKEN
+            REGISTRATION_TOKEN=$(echo "$REGISTRATION_TOKEN" | tr -d '[:space:]')
+
+            if [ -n "$REGISTRATION_TOKEN" ]; then
+                INSTALL_FLAGS="$INSTALL_FLAGS --token=$REGISTRATION_TOKEN"
+            else
+                print_error "Token cannot be empty"
+                press_enter
+                exit 1
+            fi
+        elif [ "$reg_choice" = "2" ]; then
+            INSTALL_FLAGS="$INSTALL_FLAGS --skip-registration"
+        fi
+
+        # Additional flags
+        echo ""
+        echo -e "${BOLD}Additional Options:${NC}"
+        echo ""
+
+        # Verbose logging
+        echo -n "Enable verbose logging? (y/n) [n]: "
+        read -r use_verbose
+        if [ "$use_verbose" = "y" ]; then
+            INSTALL_FLAGS="$INSTALL_FLAGS --verbose"
+        fi
+
+        # Custom flags
+        echo ""
+        echo "Enter any additional custom flags (or press Enter to skip):"
+        echo "Examples: --proxy=http://proxy:8080, --language=en, etc."
+        echo ""
+        echo -n "Custom flags: "
+        read -r custom_flags
+        if [ -n "$custom_flags" ]; then
+            INSTALL_FLAGS="$INSTALL_FLAGS $custom_flags"
+        fi
+
+        echo ""
+        echo "Mode: Advanced/Custom installation"
+        ;;
+    *)
+        echo ""
+        echo "Mode: Interactive installation"
+        ;;
+esac
+
+# Ask for service URL (for all modes except skip-registration)
+if [[ "$INSTALL_FLAGS" != *"--skip-registration"* ]]; then
+    echo ""
+    echo -e "${BOLD}Acronis Cloud Region${NC}"
+    echo ""
+    echo "Common regions:"
+    echo "  • us5-cloud.acronis.com (US - Default)"
+    echo "  • eu2-cloud.acronis.com (Europe)"
+    echo "  • ap1-cloud.acronis.com (Asia Pacific)"
+    echo "  • ca1-cloud.acronis.com (Canada)"
+    echo ""
+    echo -n "Enter service URL [us5-cloud.acronis.com]: "
+    read -r input_url
+    if [ -n "$input_url" ]; then
+        SERVICE_URL="$input_url"
+    fi
+
+    # Add --rain flag if token is being used
+    if [[ "$INSTALL_FLAGS" == *"--token"* ]]; then
+        INSTALL_FLAGS="$INSTALL_FLAGS --rain=$SERVICE_URL"
+    fi
+fi
+
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+echo -e "${BOLD}Installation Summary:${NC}"
+echo ""
+echo "  Download URL:    https://${SERVICE_URL}/bc/api/ams/links/agents/redirect"
+echo "  Architecture:    x86_64 (64-bit)"
+echo "  Install flags:   ${INSTALL_FLAGS:-none}"
+echo "  Service URL:     ${SERVICE_URL}"
+[ -n "$REGISTRATION_TOKEN" ] && echo "  Token:           ********"
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+echo -n "Proceed with installation? (yes/no): "
+read -r confirm
+
+if [[ ! "$confirm" =~ ^[Yy]([Ee][Ss])?$ ]]; then
+    echo ""
+    print_error "Installation cancelled"
+    press_enter
+    exit 0
+fi
+
+echo ""
+echo -e "${BOLD}Starting Installation...${NC}"
+echo ""
+
+# Create download directory in toolkit folder
+DOWNLOAD_DIR="$SCRIPT_DIR/downloads"
+mkdir -p "$DOWNLOAD_DIR"
+cd "$DOWNLOAD_DIR" || exit 1
+
+# Use timestamped subdirectory for this installation
+INSTALL_DIR="$DOWNLOAD_DIR/acronis-install-$(date +%Y%m%d-%H%M%S)"
+mkdir -p "$INSTALL_DIR"
+cd "$INSTALL_DIR" || exit 1
+
+# Download installer
+echo "→ Downloading Acronis agent installer..."
+DOWNLOAD_URL="https://${SERVICE_URL}/bc/api/ams/links/agents/redirect?language=multi&system=linux&architecture=64&productType=enterprise"
+
+if wget -q --show-progress "$DOWNLOAD_URL" -O "Cyber_Protection_Agent_for_Linux_x86_64.bin"; then
+    print_success "Download complete"
+else
+    print_error "Download failed"
+    echo ""
+    echo "Possible causes:"
+    echo "  • No internet connection"
+    echo "  • Invalid service URL: ${SERVICE_URL}"
+    echo "  • Firewall blocking connection"
+    echo ""
+    press_enter
+    cd /
+    rm -rf "$TEMP_DIR"
+    exit 1
+fi
+
+echo ""
+
+# Make executable
+chmod +x "Cyber_Protection_Agent_for_Linux_x86_64.bin" 2>/dev/null
+
+# Verify file exists and has size
+if [ ! -f "Cyber_Protection_Agent_for_Linux_x86_64.bin" ]; then
+    print_error "Installer file not found"
+    cd /
+    rm -rf "$TEMP_DIR"
+    press_enter
+    exit 1
+fi
+
+file_size=$(stat -c%s "Cyber_Protection_Agent_for_Linux_x86_64.bin" 2>/dev/null || echo "0")
+if [ "$file_size" -lt 1000000 ]; then
+    print_error "Installer file is too small (possibly corrupted)"
+    cd /
+    rm -rf "$TEMP_DIR"
+    press_enter
+    exit 1
+fi
+
+# Run installer
+echo "→ Running Acronis installer..."
+echo ""
+echo -e "${DIM}──────────────────────────────────────────────────────────────${NC}"
+
+if [ -z "$INSTALL_FLAGS" ]; then
+    # Interactive mode - run directly
+    ./Cyber_Protection_Agent_for_Linux_x86_64.bin
+else
+    # Unattended mode - need to pass flags properly
+    ./Cyber_Protection_Agent_for_Linux_x86_64.bin $INSTALL_FLAGS
+fi
+
+INSTALL_EXIT_CODE=$?
+
+echo -e "${DIM}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+
+# Check installation result
+if [ $INSTALL_EXIT_CODE -eq 0 ]; then
+    print_success "Installation completed successfully!"
+    echo ""
+
+    # Start services
+    echo "→ Starting Acronis services..."
+    systemctl start aakore
+    systemctl start acronis_mms
+    systemctl start acronis_schedule
+    echo ""
+
+    # Check if services started
+    sleep 2
+    if systemctl is-active --quiet acronis_mms; then
+        print_success "Services started successfully"
+        echo ""
+
+        # Show next steps
+        echo -e "${BOLD}Next Steps:${NC}"
+        echo ""
+
+        if [ "$install_mode" = "4" ]; then
+            echo "  1. Register the agent with Acronis Cloud"
+            echo "     → Select 'Register with Cloud' from Acronis menu"
+            echo ""
+        fi
+
+        echo "  2. Configure backup plans in Acronis web console"
+        echo "     → Visit: https://${SERVICE_URL}"
+        echo ""
+        echo "  3. Check agent status"
+        echo "     → Select 'Check Agent Status' from Acronis menu"
+        echo ""
+    else
+        print_error "Services failed to start"
+        echo ""
+        echo "Check logs for details:"
+        echo "  tail -f /var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
+        echo ""
+    fi
+
+else
+    print_error "Installation failed with exit code $INSTALL_EXIT_CODE"
+    echo ""
+    echo "Check the output above for error details."
+    echo ""
+    echo "Common issues:"
+    echo "  • Incompatible system (requires 64-bit Linux)"
+    echo "  • Insufficient disk space"
+    echo "  • Conflicting backup software"
+    echo "  • Invalid registration token"
+    echo ""
+fi
+
+# Cleanup
+echo "→ Cleaning up installation files..."
+cd "$SCRIPT_DIR"
+rm -rf "$INSTALL_DIR"
+
+echo ""
+press_enter
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+################################################################################
+# Acronis List Backups
+################################################################################
+# Purpose: List all backups and archives using acrocmd
+# Features:
+# - Show backup archives
+# - Show backup versions
+# - Display backup details (size, date, location)
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+clear
+print_banner "List Backups & Archives"
+
+echo ""
+echo -e "${BOLD}Retrieving backup information...${NC}"
+echo ""
+
+# Check if acrocmd is available
+if [ ! -f "/usr/sbin/acrocmd" ]; then
+    print_error "acrocmd command-line tool not found"
+    echo ""
+    press_enter
+    exit 1
+fi
+
+# List archives
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo -e "${BOLD}Backup Archives${NC}"
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo ""
+
+if /usr/sbin/acrocmd list archives 2>/dev/null | grep -q .; then
+    /usr/sbin/acrocmd list archives 2>/dev/null
+else
+    echo -e "${YELLOW}No backup archives found${NC}"
+    echo ""
+    echo "Possible reasons:"
+    echo "  • No backups have been created yet"
+    echo "  • Agent not registered with Acronis Cloud"
+    echo "  • No backup plans configured"
+fi
+
+echo ""
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo -e "${BOLD}Backup Details${NC}"
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo ""
+
+if /usr/sbin/acrocmd list backups 2>/dev/null | grep -q .; then
+    /usr/sbin/acrocmd list backups 2>/dev/null
+else
+    echo -e "${YELLOW}No backup details available${NC}"
+fi
+
+echo ""
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo ""
+echo -e "${BOLD}Options:${NC}"
+echo ""
+echo "  • Create backups via 'Trigger Manual Backup'"
+echo "  • Configure plans in Acronis web console"
+echo "  • Check backup status for active operations"
+echo ""
+
+press_enter
@@ -0,0 +1,296 @@
+#!/bin/bash
+
+################################################################################
+# Acronis Log Viewer
+################################################################################
+# Purpose: View and tail Acronis Cyber Protect logs
+# Log location: /var/lib/Acronis/BackupAndRecovery/MMS/
+# Primary log: mms.0.log
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+# Require root
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+# Log directory
+LOG_DIR="/var/lib/Acronis/BackupAndRecovery/MMS"
+PRIMARY_LOG="$LOG_DIR/mms.0.log"
+
+print_banner "Acronis Logs Viewer"
+
+# Check if Acronis is installed
+if [ ! -d "$LOG_DIR" ]; then
+    echo ""
+    print_error "Acronis log directory not found"
+    echo ""
+    echo "Acronis may not be installed or logs are in a different location."
+    echo ""
+    press_enter
+    exit 1
+fi
+
+echo ""
+echo -e "${BOLD}Acronis Log Management${NC}"
+echo ""
+echo "Log directory: ${LOG_DIR}"
+echo ""
+
+# Show log menu
+show_log_menu() {
+    clear
+    print_banner "Acronis Logs Viewer"
+    echo ""
+    echo -e "${BOLD}Available Logs:${NC}"
+    echo ""
+
+    # List all log files with sizes
+    if [ -d "$LOG_DIR" ]; then
+        local log_count=0
+        while IFS= read -r log_file; do
+            ((log_count++))
+            local size=$(du -h "$log_file" 2>/dev/null | awk '{print $1}')
+            local filename=$(basename "$log_file")
+            local mod_time=$(stat -c %y "$log_file" 2>/dev/null | cut -d'.' -f1)
+            echo -e "  ${CYAN}${log_count})${NC} ${filename}"
+            echo -e "     Size: ${size} | Modified: ${mod_time}"
+        done < <(find "$LOG_DIR" -name "*.log" -type f | sort)
+
+        if [ $log_count -eq 0 ]; then
+            echo -e "  ${DIM}No log files found${NC}"
+        fi
+    fi
+
+    echo ""
+    echo -e "${BOLD}Actions:${NC}"
+    echo ""
+    echo -e "  ${GREEN}v)${NC} View Primary Log (last 100 lines)"
+    echo -e "  ${GREEN}t)${NC} Tail Primary Log (live follow)"
+    echo -e "  ${GREEN}s)${NC} Search Logs"
+    echo -e "  ${GREEN}e)${NC} Show Errors Only"
+    echo -e "  ${GREEN}a)${NC} Archive Old Logs"
+    echo ""
+    echo -e "  ${RED}0)${NC} Return to Menu"
+    echo ""
+    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+    echo -n "Select option: "
+}
+
+# View primary log
+view_primary_log() {
+    clear
+    print_banner "Acronis Primary Log (Last 100 Lines)"
+    echo ""
+
+    if [ -f "$PRIMARY_LOG" ]; then
+        tail -100 "$PRIMARY_LOG"
+        echo ""
+        echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+        echo ""
+        press_enter
+    else
+        print_error "Primary log file not found: $PRIMARY_LOG"
+        press_enter
+    fi
+}
+
+# Tail primary log
+tail_primary_log() {
+    clear
+    print_banner "Acronis Live Log (Ctrl+C to Exit)"
+    echo ""
+    echo "Following: $PRIMARY_LOG"
+    echo ""
+    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+    echo ""
+
+    if [ -f "$PRIMARY_LOG" ]; then
+        tail -f "$PRIMARY_LOG"
+    else
+        print_error "Primary log file not found: $PRIMARY_LOG"
+        press_enter
+    fi
+}
+
+# Search logs
+search_logs() {
+    clear
+    print_banner "Search Acronis Logs"
+    echo ""
+    echo -n "Enter search term: "
+    read -r search_term
+
+    if [ -z "$search_term" ]; then
+        print_error "No search term provided"
+        press_enter
+        return
+    fi
+
+    echo ""
+    echo "Searching for: ${search_term}"
+    echo ""
+    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+    echo ""
+
+    # Search all log files
+    local found=false
+    while IFS= read -r log_file; do
+        if grep -qi "$search_term" "$log_file" 2>/dev/null; then
+            found=true
+            echo -e "${BOLD}$(basename "$log_file"):${NC}"
+            grep -i --color=always "$search_term" "$log_file" | tail -20
+            echo ""
+        fi
+    done < <(find "$LOG_DIR" -name "*.log" -type f)
+
+    if [ "$found" = false ]; then
+        echo "No matches found for: $search_term"
+    fi
+
+    echo ""
+    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+    echo ""
+    press_enter
+}
+
+# Show errors only
+show_errors() {
+    clear
+    print_banner "Acronis Errors (Last 50)"
+    echo ""
+
+    if [ -f "$PRIMARY_LOG" ]; then
+        echo "Filtering for ERROR, WARN, FAIL, CRITICAL..."
+        echo ""
+        echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+        echo ""
+
+        grep -iE "error|warn|fail|critical" "$PRIMARY_LOG" | tail -50 | while IFS= read -r line; do
+            # Color code by severity
+            if echo "$line" | grep -qi "critical"; then
+                echo -e "${RED}${BOLD}${line}${NC}"
+            elif echo "$line" | grep -qi "error"; then
+                echo -e "${RED}${line}${NC}"
+            elif echo "$line" | grep -qi "warn"; then
+                echo -e "${YELLOW}${line}${NC}"
+            else
+                echo "$line"
+            fi
+        done
+
+        echo ""
+        echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+        echo ""
+    else
+        print_error "Primary log file not found"
+    fi
+
+    press_enter
+}
+
+# Archive old logs
+archive_old_logs() {
+    clear
+    print_banner "Archive Old Logs"
+    echo ""
+
+    # Calculate total size
+    local total_size=$(du -sh "$LOG_DIR" 2>/dev/null | awk '{print $1}')
+    local log_count=$(find "$LOG_DIR" -name "*.log" -type f | wc -l)
+
+    echo "Current log status:"
+    echo "  Directory: $LOG_DIR"
+    echo "  Total size: $total_size"
+    echo "  Log files: $log_count"
+    echo ""
+
+    # Find old logs (older than 30 days)
+    local old_logs=$(find "$LOG_DIR" -name "*.log" -type f -mtime +30 2>/dev/null | wc -l)
+
+    if [ $old_logs -eq 0 ]; then
+        echo -e "${GREEN}✓ No old logs found (>30 days)${NC}"
+        echo ""
+        press_enter
+        return
+    fi
+
+    echo "Found $old_logs log file(s) older than 30 days"
+    echo ""
+    echo "Archive location: /root/acronis-logs-archive-$(date +%Y%m%d).tar.gz"
+    echo ""
+    echo -n "Create archive and remove old logs? (yes/no): "
+    read -r confirm
+
+    if [ "$confirm" != "yes" ]; then
+        echo ""
+        echo "Archive cancelled"
+        press_enter
+        return
+    fi
+
+    echo ""
+    echo "→ Creating archive..."
+
+    # Create archive
+    local archive_name="/root/acronis-logs-archive-$(date +%Y%m%d).tar.gz"
+    if find "$LOG_DIR" -name "*.log" -type f -mtime +30 -print0 2>/dev/null | tar -czf "$archive_name" --null -T -; then
+        print_success "Archive created: $archive_name"
+
+        # Remove old logs
+        echo ""
+        echo "→ Removing old logs..."
+        find "$LOG_DIR" -name "*.log" -type f -mtime +30 -delete 2>/dev/null
+
+        local remaining=$(find "$LOG_DIR" -name "*.log" -type f | wc -l)
+        echo ""
+        print_success "Old logs archived and removed"
+        echo ""
+        echo "Remaining log files: $remaining"
+    else
+        print_error "Failed to create archive"
+    fi
+
+    echo ""
+    press_enter
+}
+
+# Main loop
+while true; do
+    show_log_menu
+    read -r choice
+
+    case $choice in
+        v) view_primary_log ;;
+        t) tail_primary_log ;;
+        s) search_logs ;;
+        e) show_errors ;;
+        a) archive_old_logs ;;
+        0) exit 0 ;;
+        *)
+            # Check if numeric selection for specific log file
+            if [[ "$choice" =~ ^[0-9]+$ ]]; then
+                log_files=($(find "$LOG_DIR" -name "*.log" -type f | sort))
+                if [ $choice -gt 0 ] && [ $choice -le ${#log_files[@]} ]; then
+                    selected_log="${log_files[$((choice-1))]}"
+                    clear
+                    print_banner "Log: $(basename "$selected_log")"
+                    echo ""
+                    tail -100 "$selected_log"
+                    echo ""
+                    press_enter
+                else
+                    print_error "Invalid log selection"
+                    sleep 1
+                fi
+            else
+                print_error "Invalid option"
+                sleep 1
+            fi
+            ;;
+    esac
+done
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+print_banner "Create Manual Backup"
+
+echo ""
+echo -e "${BOLD}Manual Backup Creation${NC}"
+echo ""
+echo "Manual backups are triggered through the Acronis web console or CLI."
+echo ""
+echo -e "${CYAN}Web Console Method (Recommended):${NC}"
+echo ""
+echo "1. Log in to Acronis web console"
+echo "2. Go to: Devices → Select this server"
+echo "3. Click 'Back up now' button"
+echo "4. Monitor backup progress in real-time"
+echo ""
+echo -e "${CYAN}Command Line Method:${NC}"
+echo ""
+echo "Use the Acronis CLI tool (acrocmd):"
+echo ""
+echo "  # List available plans"
+echo "  acrocmd list plans"
+echo ""
+echo "  # Run backup for specific plan"
+echo "  acrocmd backup run --plan <plan_id>"
+echo ""
+echo "  # Create ad-hoc backup"
+echo "  acrocmd backup create --source /path/to/data --destination /backup/path"
+echo ""
+echo -e "${BOLD}Note:${NC} Detailed CLI backup functionality can be added here based on"
+echo "your specific requirements. Would you like me to implement the full"
+echo "CLI backup interface?"
+echo ""
+press_enter
@@ -0,0 +1,210 @@
+#!/bin/bash
+
+################################################################################
+# Acronis Plan Manager
+################################################################################
+# Purpose: Manage Acronis protection plans
+# Features:
+# - List protection plans
+# - View plan details
+# - Enable/disable plans
+# - Guidance for plan configuration
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+clear
+print_banner "Protection Plan Management"
+
+echo ""
+
+# Check if acrocmd is available
+if [ ! -f "/usr/sbin/acrocmd" ]; then
+    print_error "acrocmd command-line tool not found"
+    echo ""
+    press_enter
+    exit 1
+fi
+
+# List plans
+echo -e "${BOLD}Current Protection Plans${NC}"
+echo ""
+
+plan_output=$(/usr/sbin/acrocmd list plans 2>&1)
+
+if echo "$plan_output" | grep -qi "error\|no.*plans"; then
+    echo -e "${YELLOW}No protection plans configured${NC}"
+    HAS_PLANS=false
+else
+    echo "$plan_output"
+    HAS_PLANS=true
+fi
+
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+
+if [ "$HAS_PLANS" = true ]; then
+    echo -e "${BOLD}Plan Management Options${NC}"
+    echo ""
+    echo "  1) View detailed plan information"
+    echo "  2) Enable/disable plan"
+    echo "  3) Delete plan"
+    echo "  4) Create new plan (via web console)"
+    echo "  0) Return"
+    echo ""
+    echo -n "Select option [0]: "
+    read -r choice
+    choice="${choice:-0}"
+
+    case "$choice" in
+        1)
+            echo ""
+            echo -n "Enter plan ID or name: "
+            read -r plan_id
+
+            if [ -n "$plan_id" ]; then
+                echo ""
+                echo -e "${BOLD}Plan Details:${NC}"
+                echo ""
+                /usr/sbin/acrocmd show plan "$plan_id" 2>&1 || {
+                    echo ""
+                    print_error "Could not retrieve plan details"
+                    echo "Check that the plan ID/name is correct"
+                }
+            fi
+            ;;
+
+        2)
+            echo ""
+            echo -n "Enter plan ID to enable/disable: "
+            read -r plan_id
+
+            if [ -n "$plan_id" ]; then
+                echo ""
+                echo "  1) Enable plan"
+                echo "  2) Disable plan"
+                echo ""
+                echo -n "Select [1]: "
+                read -r action
+                action="${action:-1}"
+
+                if [ "$action" = "1" ]; then
+                    /usr/sbin/acrocmd plan enable "$plan_id" 2>&1 && {
+                        print_success "Plan enabled"
+                    } || {
+                        print_error "Failed to enable plan"
+                    }
+                else
+                    /usr/sbin/acrocmd plan disable "$plan_id" 2>&1 && {
+                        print_success "Plan disabled"
+                    } || {
+                        print_error "Failed to disable plan"
+                    }
+                fi
+            fi
+            ;;
+
+        3)
+            echo ""
+            echo -e "${RED}${BOLD}Delete Protection Plan${NC}"
+            echo ""
+            echo -e "${YELLOW}Warning:${NC} This will delete the plan configuration."
+            echo "Existing backups will be retained."
+            echo ""
+            echo -n "Enter plan ID to delete: "
+            read -r plan_id
+
+            if [ -n "$plan_id" ]; then
+                echo ""
+                echo -n "Confirm deletion (type 'yes'): "
+                read -r confirm
+
+                if [ "$confirm" = "yes" ]; then
+                    /usr/sbin/acrocmd delete plan "$plan_id" 2>&1 && {
+                        print_success "Plan deleted"
+                    } || {
+                        print_error "Failed to delete plan"
+                    }
+                else
+                    echo "Cancelled"
+                fi
+            fi
+            ;;
+
+        4)
+            echo ""
+            echo -e "${BOLD}Create New Protection Plan${NC}"
+            echo ""
+            echo "Protection plans are best created via the web console"
+            echo "for full configuration options and validation."
+            echo ""
+            echo -e "${CYAN}Web Console Method:${NC}"
+            echo ""
+            echo "1. Log in to Acronis web console"
+
+            # Get cloud URL
+            if [ -f "/etc/Acronis/Global.config" ]; then
+                cloud_url=$(grep -oP 'CloudUrl[>=\"].*?https://[^\"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^\"<]+' | head -1)
+                if [ -n "$cloud_url" ]; then
+                    echo "   ${cloud_url}"
+                fi
+            fi
+
+            echo ""
+            echo "2. Navigate to: Devices → Select this server"
+            echo "3. Click 'Add protection plan'"
+            echo "4. Configure plan settings:"
+            echo "   • What to back up (entire system/volumes/files)"
+            echo "   • Where to store (cloud/local)"
+            echo "   • When to run (schedule)"
+            echo "   • How long to keep (retention)"
+            echo "5. Save and activate"
+            echo ""
+            echo -e "${BOLD}Advanced CLI Method:${NC}"
+            echo ""
+            echo "For advanced users, plans can be created via acrocmd:"
+            echo "  acrocmd create plan --help"
+            ;;
+    esac
+else
+    echo -e "${BOLD}Getting Started with Protection Plans${NC}"
+    echo ""
+    echo "Protection plans define your backup strategy:"
+    echo ""
+    echo -e "${CYAN}What:${NC}  Files, folders, volumes, or entire system"
+    echo -e "${CYAN}Where:${NC} Cloud storage or local destination"
+    echo -e "${CYAN}When:${NC}  Scheduled times (hourly/daily/weekly/monthly)"
+    echo -e "${CYAN}Keep:${NC}  Retention policy (days/versions to keep)"
+    echo ""
+    echo -e "${BOLD}To Create Your First Plan:${NC}"
+    echo ""
+    echo "1. Log in to Acronis web console"
+
+    # Get cloud URL
+    if [ -f "/etc/Acronis/Global.config" ]; then
+        cloud_url=$(grep -oP 'CloudUrl[>=\"].*?https://[^\"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^\"<]+' | head -1)
+        if [ -n "$cloud_url" ]; then
+            echo "   ${cloud_url}"
+        fi
+    fi
+
+    echo ""
+    echo "2. Navigate to: Devices → This server"
+    echo "3. Click 'Add protection plan'"
+    echo "4. Follow the configuration wizard"
+    echo "5. Activate the plan"
+    echo ""
+    echo -e "${GREEN}Tip:${NC} Start with a simple file backup plan to test,"
+    echo "     then create full system backup plans as needed."
+fi
+
+echo ""
+press_enter
@@ -0,0 +1,231 @@
+#!/bin/bash
+
+################################################################################
+# Acronis Agent Registration
+################################################################################
+# Purpose: Register Acronis agent with Acronis Cloud
+# Command: /usr/lib/Acronis/RegisterAgentTool/RegisterAgent
+# Flags:
+#   -o register       - Operation: register
+#   -t cloud          - Type: cloud-based
+#   -a <url>          - Service URL
+#   --token <token>   - Registration token
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+# Require root
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+print_banner "Acronis Agent Registration"
+
+# Check if agent is installed
+if [ ! -f "/usr/lib/Acronis/RegisterAgentTool/RegisterAgent" ]; then
+    echo ""
+    print_error "Acronis agent is not installed"
+    echo ""
+    echo "Please install the agent first:"
+    echo "  1. Return to Acronis Management menu"
+    echo "  2. Select 'Install Acronis Agent'"
+    echo ""
+    press_enter
+    exit 1
+fi
+
+echo ""
+
+# Check current registration status
+echo -e "${BOLD}Current Registration Status:${NC}"
+echo ""
+
+if [ -f "/etc/Acronis/Global.config" ]; then
+    if grep -q "CloudUrl" "/etc/Acronis/Global.config" 2>/dev/null; then
+        echo -e "  ${GREEN}✓${NC} Agent is currently registered"
+
+        # Extract current cloud URL
+        current_url=$(grep -oP 'CloudUrl[>="].*?https://[^"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^"<]+' | head -1)
+        if [ -n "$current_url" ]; then
+            echo -e "  Current URL: ${current_url}"
+        fi
+
+        echo ""
+        echo -e "${YELLOW}⚠ Agent is already registered${NC}"
+        echo ""
+        echo "Do you want to:"
+        echo "  1) Keep current registration"
+        echo "  2) Re-register (will overwrite current registration)"
+        echo ""
+        echo -n "Select [1]: "
+        read -r choice
+        choice="${choice:-1}"
+
+        if [ "$choice" = "1" ]; then
+            echo ""
+            echo "Keeping current registration"
+            press_enter
+            exit 0
+        fi
+
+        echo ""
+        echo "Proceeding with re-registration..."
+    else
+        echo -e "  ${YELLOW}○${NC} Agent is not registered"
+    fi
+else
+    echo -e "  ${YELLOW}○${NC} No configuration found"
+fi
+
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+echo -e "${BOLD}Agent Registration${NC}"
+echo ""
+echo "You'll need:"
+echo "  • Acronis Cloud service URL (e.g., us5-cloud.acronis.com)"
+echo "  • Registration token from Acronis web console"
+echo ""
+echo "To get a registration token:"
+echo "  1. Log in to Acronis web console"
+echo "  2. Go to Settings → Registration tokens"
+echo "  3. Create a new token or copy existing one"
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+
+# Get service URL
+echo -n "Enter Acronis Cloud service URL [us5-cloud.acronis.com]: "
+read -r service_url
+service_url="${service_url:-us5-cloud.acronis.com}"
+
+# Validate URL format
+if [[ ! "$service_url" =~ ^[a-z0-9.-]+\.acronis\.com$ ]]; then
+    print_error "Invalid service URL format"
+    echo ""
+    echo "Expected format: region-cloud.acronis.com"
+    echo "Examples:"
+    echo "  • us5-cloud.acronis.com"
+    echo "  • eu2-cloud.acronis.com"
+    echo "  • ap1-cloud.acronis.com"
+    echo ""
+    press_enter
+    exit 1
+fi
+
+# Get registration token
+echo ""
+echo -n "Enter registration token: "
+read -r reg_token
+
+if [ -z "$reg_token" ]; then
+    print_error "Registration token is required"
+    press_enter
+    exit 1
+fi
+
+# Confirm registration
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+echo -e "${BOLD}Registration Summary:${NC}"
+echo ""
+echo "  Service URL:  https://${service_url}"
+echo "  Token:        ${reg_token:0:8}...${reg_token: -4}"
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+echo -n "Proceed with registration? (yes/no): "
+read -r confirm
+
+if [ "$confirm" != "yes" ]; then
+    echo ""
+    print_error "Registration cancelled"
+    press_enter
+    exit 0
+fi
+
+echo ""
+echo -e "${BOLD}Registering Agent...${NC}"
+echo ""
+
+# Run registration command
+REGISTER_CMD="/usr/lib/Acronis/RegisterAgentTool/RegisterAgent"
+REGISTER_ARGS="-o register -t cloud -a https://${service_url} --token ${reg_token}"
+
+echo "→ Contacting Acronis Cloud..."
+echo ""
+echo -e "${DIM}──────────────────────────────────────────────────────────────${NC}"
+
+# Execute registration
+if $REGISTER_CMD $REGISTER_ARGS; then
+    REG_EXIT_CODE=$?
+else
+    REG_EXIT_CODE=$?
+fi
+
+echo -e "${DIM}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+
+# Check result
+if [ $REG_EXIT_CODE -eq 0 ]; then
+    print_success "Registration successful!"
+    echo ""
+
+    # Restart services to apply registration
+    echo "→ Restarting Acronis services..."
+    systemctl restart acronis_mms
+    systemctl restart aakore
+    sleep 2
+
+    if systemctl is-active --quiet acronis_mms; then
+        print_success "Services restarted successfully"
+        echo ""
+
+        echo -e "${BOLD}Agent Registered Successfully!${NC}"
+        echo ""
+        echo "Next steps:"
+        echo "  1. Log in to Acronis web console:"
+        echo "     → https://${service_url}"
+        echo ""
+        echo "  2. Find this agent in the device list"
+        echo "     → Navigate to: Devices → All devices"
+        echo ""
+        echo "  3. Assign backup plans to this agent"
+        echo "     → Select device → Protection → Add plan"
+        echo ""
+        echo "  4. Check agent status from this toolkit"
+        echo "     → Select 'Check Agent Status' from Acronis menu"
+        echo ""
+    else
+        print_error "Services failed to restart"
+        echo ""
+        echo "Registration may have succeeded but services need attention."
+        echo "Check logs: tail -f /var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
+        echo ""
+    fi
+
+else
+    print_error "Registration failed with exit code $REG_EXIT_CODE"
+    echo ""
+    echo "Common issues:"
+    echo "  • Invalid registration token"
+    echo "  • Incorrect service URL"
+    echo "  • Network connectivity issues"
+    echo "  • Firewall blocking connection to Acronis Cloud"
+    echo "  • Token already used or expired"
+    echo ""
+    echo "Troubleshooting:"
+    echo "  1. Verify token in Acronis web console"
+    echo "  2. Check network connectivity:"
+    echo "     curl -I https://${service_url}"
+    echo ""
+    echo "  3. Check agent logs:"
+    echo "     tail -f /var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
+    echo ""
+fi
+
+press_enter
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+print_banner "Restore from Backup"
+
+echo ""
+echo -e "${RED}${BOLD}⚠️  RESTORE OPERATION ⚠️${NC}"
+echo ""
+echo "Restoring from backups requires careful planning to avoid data loss."
+echo ""
+echo -e "${BOLD}Restore Methods:${NC}"
+echo ""
+echo -e "${CYAN}1. Web Console Method (Recommended)${NC}"
+echo "   • Most user-friendly with visual interface"
+echo "   • Full preview of backup contents"
+echo "   • Granular file/folder selection"
+echo ""
+echo "   Steps:"
+echo "   a) Log in to Acronis web console"
+echo "   b) Navigate to: Backup → Recovery"
+echo "   c) Select backup archive"
+echo "   d) Choose recovery point (date/time)"
+echo "   e) Select files/folders to restore"
+echo "   f) Choose restore destination"
+echo "   g) Start recovery process"
+echo ""
+echo -e "${CYAN}2. Command Line Method${NC}"
+echo "   • For advanced users and automation"
+echo "   • Requires acrocmd CLI tool"
+echo ""
+echo "   Basic syntax:"
+echo "   acrocmd recover --archive <archive_id> \\"
+echo "     --recoverypoint <point_id> \\"
+echo "     --destination /restore/path"
+echo ""
+echo -e "${CYAN}3. Bootable Media Recovery${NC}"
+echo "   • For full system disaster recovery"
+echo "   • Boot from Acronis bootable USB/ISO"
+echo "   • Restore entire system image"
+echo ""
+echo -e "${BOLD}Important Notes:${NC}"
+echo ""
+echo "  ⚠ Test restores in a non-production environment first"
+echo "  ⚠ Verify backup integrity before critical restores"
+echo "  ⚠ Consider restoring to alternate location first"
+echo "  ⚠ Backup current data before overwriting"
+echo ""
+echo "Would you like me to implement an interactive restore wizard"
+echo "with CLI backup browsing and restore capabilities?"
+echo ""
+press_enter
@@ -0,0 +1,109 @@
+#!/bin/bash
+
+################################################################################
+# Acronis Schedule Viewer
+################################################################################
+# Purpose: View backup schedules and protection plans
+# Features:
+# - List all protection plans
+# - Show backup schedules
+# - Display plan details
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+clear
+print_banner "Backup Plans & Schedules"
+
+echo ""
+
+# Check if acrocmd is available
+if [ ! -f "/usr/sbin/acrocmd" ]; then
+    print_error "acrocmd command-line tool not found"
+    echo ""
+    press_enter
+    exit 1
+fi
+
+# List protection plans
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo -e "${BOLD}Protection Plans${NC}"
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo ""
+
+plan_output=$(/usr/sbin/acrocmd list plans 2>&1)
+
+if echo "$plan_output" | grep -qi "error\|no.*plans"; then
+    echo -e "${YELLOW}No protection plans found${NC}"
+    echo ""
+    echo "Protection plans define what, when, and how to back up."
+    echo ""
+    echo -e "${BOLD}To Create Protection Plans:${NC}"
+    echo ""
+    echo "1. Log in to Acronis web console"
+
+    # Try to get cloud URL
+    if [ -f "/etc/Acronis/Global.config" ]; then
+        cloud_url=$(grep -oP 'CloudUrl[>=\"].*?https://[^\"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^\"<]+' | head -1)
+        if [ -n "$cloud_url" ]; then
+            echo "   ${cloud_url}"
+        fi
+    fi
+
+    echo ""
+    echo "2. Navigate to: Devices → Select this server"
+    echo "3. Click 'Add protection plan'"
+    echo "4. Configure:"
+    echo "   • Backup source (files/folders/volumes)"
+    echo "   • Backup destination (cloud/local)"
+    echo "   • Schedule (hourly/daily/weekly/monthly)"
+    echo "   • Retention policy"
+    echo "5. Save and activate plan"
+else
+    echo "$plan_output"
+fi
+
+echo ""
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo ""
+
+# Check schedule status from service
+echo -e "${BOLD}Schedule Service Status${NC}"
+echo ""
+
+if systemctl is-active --quiet acronis_schedule 2>/dev/null; then
+    echo -e "${GREEN}✓${NC} Acronis scheduler is running"
+
+    # Show recent schedule events from log
+    if [ -f "/var/lib/Acronis/BackupAndRecovery/scheduler.log" ]; then
+        echo ""
+        echo "Recent scheduler activity:"
+        echo ""
+        tail -5 /var/lib/Acronis/BackupAndRecovery/scheduler.log 2>/dev/null | while read -r line; do
+            echo "  $line"
+        done
+    fi
+else
+    echo -e "${YELLOW}⚠${NC} Acronis scheduler is not running"
+    echo ""
+    echo "Start it with: systemctl start acronis_schedule"
+fi
+
+echo ""
+echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
+echo ""
+echo -e "${BOLD}Next Steps:${NC}"
+echo ""
+echo "  • Trigger manual backup: Select 'Trigger Manual Backup'"
+echo "  • Manage plans: Select 'Manage Protection Plans'"
+echo "  • Check status: Select 'Check Backup Status'"
+echo ""
+
+press_enter
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+print_banner "View Backup Status"
+
+echo ""
+echo -e "${BOLD}Acronis Backup Status${NC}"
+echo ""
+echo "Checking backup status..."
+echo ""
+
+# Check if acrocmd exists
+if ! command -v acrocmd &>/dev/null; then
+    echo -e "${YELLOW}acrocmd CLI tool not found${NC}"
+    echo ""
+    echo "Backup status is available through:"
+    echo "  • Acronis web console (real-time status)"
+    echo "  • Agent logs (see 'View Logs' option)"
+    echo ""
+    echo "To use CLI: acrocmd may need to be installed separately"
+    echo ""
+    press_enter
+    exit 0
+fi
+
+# Show recent backup activities from logs
+if [ -f "/var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log" ]; then
+    echo -e "${BOLD}Recent Backup Activity:${NC}"
+    echo ""
+    grep -i "backup.*completed\|backup.*started\|backup.*failed" /var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log 2>/dev/null | tail -10
+    echo ""
+fi
+
+echo "For detailed status, use:"
+echo "  • Web console: Full backup history and status"
+echo "  • acrocmd: Command-line status queries"
+echo ""
+press_enter
@@ -0,0 +1,202 @@
+#!/bin/bash
+
+################################################################################
+# Acronis Trigger Backup
+################################################################################
+# Purpose: Trigger manual backups using acrocmd
+# Features:
+# - List available backup plans
+# - Run backup for specific plan
+# - Trigger ad-hoc backup
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+clear
+print_banner "Trigger Manual Backup"
+
+echo ""
+
+# Check if acrocmd is available
+if [ ! -f "/usr/sbin/acrocmd" ]; then
+    print_error "acrocmd command-line tool not found"
+    echo ""
+    press_enter
+    exit 1
+fi
+
+# List available plans
+echo -e "${BOLD}Available Backup Plans${NC}"
+echo ""
+echo "Querying backup plans from Acronis..."
+echo ""
+
+plan_output=$(/usr/sbin/acrocmd list plans 2>&1)
+
+# Check if no plans exist (empty output or success message only)
+if echo "$plan_output" | grep -qi "error\|failed\|no plans" || ! echo "$plan_output" | grep -q "[a-f0-9]\{8\}-[a-f0-9]\{4\}"; then
+    echo -e "${YELLOW}No backup plans found or error querying plans${NC}"
+    echo ""
+    echo "Possible reasons:"
+    echo "  • No CLI-managed plans exist (acrocmd only shows local plans)"
+    echo "  • Cloud-managed plans created in web console are not visible here"
+    echo "  • Agent not registered with Acronis Cloud"
+    echo ""
+    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+    echo ""
+    echo -e "${BOLD}Important Note:${NC}"
+    echo ""
+    echo "Plans created in the Acronis web console are managed at the cloud level"
+    echo "and are NOT accessible via the acrocmd CLI tool. The CLI can only see and"
+    echo "manage plans created locally via acrocmd commands."
+    echo ""
+    echo -e "${BOLD}To Trigger Cloud-Managed Backups:${NC}"
+    echo ""
+    echo "1. Log in to Acronis web console"
+    echo "2. Navigate to: Devices → Select this server"
+    echo "3. Click 'Back up now' to trigger your existing plan"
+    echo ""
+    echo -e "${BOLD}To Create CLI-Managed Plans:${NC}"
+    echo ""
+    echo "Use: acrocmd create plan --help"
+    echo "Note: CLI plans give you more control and optimization options"
+    echo ""
+    press_enter
+    exit 0
+fi
+
+echo "$plan_output"
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+echo -e "${BOLD}Select a Plan to Backup:${NC}"
+echo ""
+echo "Enter the plan name or ID from the list above,"
+echo "or press Enter to cancel and use web console instead."
+echo ""
+echo -n "Plan name/ID: "
+read -r plan_id
+
+if [ -z "$plan_id" ]; then
+    echo ""
+    echo -e "${BOLD}Use Web Console Instead${NC}"
+    echo ""
+    echo "To trigger backup via web console:"
+    echo ""
+    echo "1. Log in to Acronis web console"
+
+    # Try to get cloud URL
+    if [ -f "/etc/Acronis/Global.config" ]; then
+        cloud_url=$(grep -oP 'CloudUrl[>=\"].*?https://[^\"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^\"<]+' | head -1)
+        if [ -n "$cloud_url" ]; then
+            echo "   ${cloud_url}"
+        fi
+    fi
+
+    echo ""
+    echo "2. Navigate to: Devices → This server"
+    echo "3. Click 'Back up now' button"
+    echo "4. Monitor progress in real-time"
+    echo ""
+    press_enter
+    exit 0
+fi
+
+# User selected a plan, proceed with backup type selection
+echo ""
+echo -e "${BOLD}Backup Type Selection${NC}"
+        echo ""
+        echo "Select backup type:"
+        echo "  1) Auto (use plan's configured type)"
+        echo "  2) Full backup"
+        echo "  3) Incremental backup"
+        echo "  4) Differential backup"
+        echo ""
+        echo -n "Select type [1]: "
+        read -r backup_type_choice
+        backup_type_choice="${backup_type_choice:-1}"
+
+        BACKUP_FLAGS=""
+        case "$backup_type_choice" in
+            2)
+                BACKUP_FLAGS="--backuptype=full"
+                echo "  → Full backup selected"
+                ;;
+            3)
+                BACKUP_FLAGS="--backuptype=incremental"
+                echo "  → Incremental backup selected (faster, stores only changes)"
+                ;;
+            4)
+                BACKUP_FLAGS="--backuptype=differential"
+                echo "  → Differential backup selected (changes since last full)"
+                ;;
+            *)
+                echo "  → Using plan's default backup type"
+                ;;
+        esac
+
+        echo ""
+        echo -e "${BOLD}Performance Options${NC}"
+        echo ""
+        echo -n "Enable performance optimizations? (y/n) [n]: "
+        read -r opt_choice
+
+        if [ "$opt_choice" = "y" ] || [ "$opt_choice" = "Y" ]; then
+            echo ""
+            echo "Available optimizations:"
+            echo "  1) Lower compression (faster backup, larger size)"
+            echo "  2) High priority (use more system resources)"
+            echo "  3) Both"
+            echo ""
+            echo -n "Select [3]: "
+            read -r perf_choice
+            perf_choice="${perf_choice:-3}"
+
+            case "$perf_choice" in
+                1)
+                    BACKUP_FLAGS="$BACKUP_FLAGS --compression=normal"
+                    echo "  → Lower compression enabled"
+                    ;;
+                2)
+                    BACKUP_FLAGS="$BACKUP_FLAGS --priority=high"
+                    echo "  → High priority enabled"
+                    ;;
+                3)
+                    BACKUP_FLAGS="$BACKUP_FLAGS --compression=normal --priority=high"
+                    echo "  → Lower compression + high priority enabled"
+                    ;;
+            esac
+        fi
+
+        echo ""
+        echo -e "${BOLD}Starting Backup...${NC}"
+        echo ""
+        echo "Plan: $plan_id"
+        [ -n "$BACKUP_FLAGS" ] && echo "Options: $BACKUP_FLAGS"
+        echo ""
+
+        # Try to run backup
+        if /usr/sbin/acrocmd backup run --plan "$plan_id" $BACKUP_FLAGS 2>&1; then
+            echo ""
+            print_success "Backup initiated successfully"
+            echo ""
+            echo "Monitor progress with 'Check Backup Status'"
+        else
+            echo ""
+            print_error "Failed to start backup"
+            echo ""
+            echo "Check that:"
+            echo "  • Plan ID/name is correct"
+            echo "  • Agent is online and registered"
+            echo "  • No conflicting backups running"
+        fi
+
+echo ""
+press_enter
@@ -0,0 +1,471 @@
+#!/bin/bash
+
+################################################################################
+# Acronis Backup Troubleshooter
+################################################################################
+# Purpose: Diagnose and troubleshoot Acronis backup failures
+# Features:
+# - Multi-log location scanning
+# - Common failure pattern detection
+# - Service health checks
+# - Disk space analysis
+# - Network connectivity tests
+# - Automated fix suggestions
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+# Require root
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+# Log locations to check
+declare -A LOG_LOCATIONS=(
+    ["MMS"]="/var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
+    ["MMS_OLD"]="/var/lib/Acronis/BackupAndRecovery/MMS/mms.*.log"
+    ["AGENT"]="/var/log/acronis/agent/*.log"
+    ["CORE"]="/var/lib/Acronis/BackupAndRecovery/aakore.log"
+    ["SCHEDULE"]="/var/lib/Acronis/BackupAndRecovery/scheduler.log"
+    ["SYSTEM"]="/var/log/messages"
+    ["SYSLOG"]="/var/log/syslog"
+)
+
+print_banner "Acronis Backup Troubleshooter"
+
+echo ""
+echo -e "${BOLD}Diagnostic Mode${NC}"
+echo ""
+echo "This tool will analyze:"
+echo "  • Service status and health"
+echo "  • Log files for errors and failures"
+echo "  • System resources (disk, memory)"
+echo "  • Network connectivity to Acronis Cloud"
+echo "  • Common backup failure patterns"
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+
+# Track issues found
+declare -a ISSUES_FOUND=()
+declare -a WARNINGS_FOUND=()
+declare -a RECOMMENDATIONS=()
+
+# Function to add issue
+add_issue() {
+    ISSUES_FOUND+=("$1")
+}
+
+# Function to add warning
+add_warning() {
+    WARNINGS_FOUND+=("$1")
+}
+
+# Function to add recommendation
+add_recommendation() {
+    RECOMMENDATIONS+=("$1")
+}
+
+# 1. Check service status
+echo -e "${BOLD}[1/7] Checking Acronis Services...${NC}"
+echo ""
+
+declare -a SERVICES=("aakore" "acronis_mms" "acronis_schedule" "active-protection")
+all_services_running=true
+
+for service in "${SERVICES[@]}"; do
+    if systemctl list-unit-files | grep -q "^${service}.service"; then
+        if systemctl is-active --quiet "$service"; then
+            echo -e "  ${GREEN}✓${NC} $service is running"
+        else
+            echo -e "  ${RED}✗${NC} $service is NOT running"
+            add_issue "Service $service is stopped"
+            add_recommendation "Start service: systemctl start $service"
+            all_services_running=false
+        fi
+    fi
+done
+
+if [ "$all_services_running" = false ]; then
+    add_recommendation "Start all services: Go to Acronis menu → Check Agent Status → Start All Services"
+fi
+
+echo ""
+
+# 2. Check disk space
+echo -e "${BOLD}[2/7] Checking Disk Space...${NC}"
+echo ""
+
+# Check backup directory
+if [ -d "/var/lib/Acronis" ]; then
+    backup_disk_usage=$(df -h /var/lib/Acronis | tail -1 | awk '{print $5}' | tr -d '%')
+    backup_disk_avail=$(df -h /var/lib/Acronis | tail -1 | awk '{print $4}')
+
+    echo "  Acronis directory: /var/lib/Acronis"
+    echo "  Disk usage: ${backup_disk_usage}%"
+    echo "  Available: ${backup_disk_avail}"
+
+    if [ "$backup_disk_usage" -gt 95 ]; then
+        add_issue "Disk space critically low (${backup_disk_usage}% used)"
+        add_recommendation "Free up disk space or change backup destination"
+    elif [ "$backup_disk_usage" -gt 90 ]; then
+        add_warning "Disk space running low (${backup_disk_usage}% used)"
+        add_recommendation "Monitor disk space closely"
+    else
+        echo -e "  ${GREEN}✓${NC} Disk space OK"
+    fi
+fi
+
+# Check system disk
+root_disk_usage=$(df -h / | tail -1 | awk '{print $5}' | tr -d '%')
+if [ "$root_disk_usage" -gt 90 ]; then
+    add_warning "Root filesystem at ${root_disk_usage}% capacity"
+fi
+
+echo ""
+
+# 3. Check memory
+echo -e "${BOLD}[3/7] Checking Memory...${NC}"
+echo ""
+
+mem_total=$(free -h | grep "^Mem:" | awk '{print $2}')
+mem_available=$(free -h | grep "^Mem:" | awk '{print $7}')
+mem_used_percent=$(free | grep "^Mem:" | awk '{printf "%.0f", ($3/$2)*100}')
+
+echo "  Total memory: ${mem_total}"
+echo "  Available: ${mem_available}"
+echo "  Used: ${mem_used_percent}%"
+
+if [ "$mem_used_percent" -gt 95 ]; then
+    add_warning "Memory usage critically high (${mem_used_percent}%)"
+    add_recommendation "Check for memory leaks or reduce backup concurrency"
+elif [ "$mem_used_percent" -gt 90 ]; then
+    add_warning "Memory usage high (${mem_used_percent}%)"
+else
+    echo -e "  ${GREEN}✓${NC} Memory OK"
+fi
+
+echo ""
+
+# 4. Check network connectivity
+echo -e "${BOLD}[4/7] Checking Network Connectivity...${NC}"
+echo ""
+
+# Check if registered
+if [ -f "/etc/Acronis/Global.config" ]; then
+    cloud_url=$(grep -oP 'CloudUrl[>="].*?https://[^"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^"<]+' | head -1)
+
+    if [ -n "$cloud_url" ]; then
+        echo "  Testing connection to: $cloud_url"
+
+        # Extract hostname
+        cloud_host=$(echo "$cloud_url" | sed 's|https://||' | sed 's|/.*||')
+
+        # Test connectivity
+        if curl -s --connect-timeout 5 -I "$cloud_url" >/dev/null 2>&1; then
+            echo -e "  ${GREEN}✓${NC} Connection successful"
+        else
+            add_issue "Cannot connect to Acronis Cloud: $cloud_url"
+            add_recommendation "Check firewall rules and network connectivity"
+            add_recommendation "Test manually: curl -I $cloud_url"
+        fi
+
+        # Test DNS resolution
+        if host "$cloud_host" >/dev/null 2>&1; then
+            echo -e "  ${GREEN}✓${NC} DNS resolution OK"
+        else
+            add_issue "DNS resolution failed for $cloud_host"
+            add_recommendation "Check DNS configuration: /etc/resolv.conf"
+        fi
+    else
+        add_warning "Agent may not be registered with Acronis Cloud"
+        add_recommendation "Register agent: Acronis menu → Register with Cloud"
+    fi
+else
+    add_warning "Acronis configuration file not found"
+fi
+
+echo ""
+
+# 5. Scan logs for errors
+echo -e "${BOLD}[5/7] Scanning Logs for Errors...${NC}"
+echo ""
+
+# Common error patterns
+declare -A ERROR_PATTERNS=(
+    ["INSUFFICIENT_SPACE"]="insufficient.*space|no.*space.*left|disk.*full"
+    ["PERMISSION_DENIED"]="permission.*denied|access.*denied|cannot.*access"
+    ["CONNECTION_FAILED"]="connection.*failed|connection.*refused|timeout|network.*error"
+    ["AUTH_FAILED"]="authentication.*failed|invalid.*credentials|unauthorized"
+    ["BACKUP_FAILED"]="backup.*failed|backup.*error|task.*failed"
+    ["VSS_ERROR"]="vss.*error|snapshot.*failed|shadow.*copy.*error"
+    ["DATABASE_ERROR"]="database.*error|sql.*error|db.*lock"
+    ["FILE_LOCKED"]="file.*locked|file.*in.*use|sharing.*violation"
+)
+
+# Scan primary log
+primary_log="/var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
+
+if [ -f "$primary_log" ]; then
+    echo "  Scanning primary log: mms.0.log"
+
+    for pattern_name in "${!ERROR_PATTERNS[@]}"; do
+        pattern="${ERROR_PATTERNS[$pattern_name]}"
+
+        if grep -iE "$pattern" "$primary_log" 2>/dev/null | tail -1 | grep -q .; then
+            error_count=$(grep -icE "$pattern" "$primary_log" 2>/dev/null)
+            last_error=$(grep -iE "$pattern" "$primary_log" 2>/dev/null | tail -1)
+
+            echo -e "  ${RED}⚠${NC} Found $pattern_name errors (count: $error_count)"
+            echo -e "     Last: ${DIM}${last_error:0:80}...${NC}"
+
+            add_issue "$pattern_name detected in logs (count: $error_count)"
+
+            # Add specific recommendations
+            case "$pattern_name" in
+                "INSUFFICIENT_SPACE")
+                    add_recommendation "Free up disk space or change backup destination"
+                    ;;
+                "PERMISSION_DENIED")
+                    add_recommendation "Check file/directory permissions"
+                    add_recommendation "Ensure Acronis agent has necessary access rights"
+                    ;;
+                "CONNECTION_FAILED")
+                    add_recommendation "Check network connectivity and firewall rules"
+                    add_recommendation "Verify Acronis Cloud URL is accessible"
+                    ;;
+                "AUTH_FAILED")
+                    add_recommendation "Re-register agent with valid token"
+                    add_recommendation "Check registration status in web console"
+                    ;;
+                "VSS_ERROR")
+                    add_recommendation "Check VSS service: vssadmin list writers"
+                    add_recommendation "Restart VSS: net stop vss && net start vss"
+                    ;;
+                "DATABASE_ERROR")
+                    add_recommendation "Check database connections and locks"
+                    add_recommendation "Consider application-aware backup settings"
+                    ;;
+                "FILE_LOCKED")
+                    add_recommendation "Identify processes locking files: lsof"
+                    add_recommendation "Schedule backups during low-activity periods"
+                    ;;
+            esac
+        fi
+    done
+
+    # Check for recent backup failures
+    recent_failures=$(grep -i "backup.*failed\|task.*failed" "$primary_log" 2>/dev/null | tail -5)
+    if [ -n "$recent_failures" ]; then
+        echo ""
+        echo -e "  ${YELLOW}Recent backup failures:${NC}"
+        echo "$recent_failures" | while read -r line; do
+            echo -e "    ${DIM}${line:0:100}${NC}"
+        done
+    fi
+
+else
+    add_warning "Primary log file not found: $primary_log"
+fi
+
+echo ""
+
+# 6. Check for stuck backups
+echo -e "${BOLD}[6/7] Checking for Stuck Processes...${NC}"
+echo ""
+
+# Check for long-running Acronis processes
+old_processes=$(ps aux | grep -i acronis | grep -v grep | awk '{if ($10 ~ /[0-9][0-9]:[0-9][0-9]/) print $0}')
+
+if [ -n "$old_processes" ]; then
+    echo -e "  ${YELLOW}⚠${NC} Long-running Acronis processes detected:"
+    echo "$old_processes" | while read -r line; do
+        echo -e "    ${DIM}$line${NC}"
+    done
+    add_warning "Long-running Acronis processes may indicate stuck backups"
+    add_recommendation "Review processes and consider restarting services if stuck"
+else
+    echo -e "  ${GREEN}✓${NC} No stuck processes detected"
+fi
+
+echo ""
+
+# 7. Check configuration issues
+echo -e "${BOLD}[7/7] Checking Configuration...${NC}"
+echo ""
+
+# Check if backup plans are configured
+if command -v acrocmd &>/dev/null; then
+    plan_count=$(acrocmd list plans 2>/dev/null | grep -c "^Plan ID" || echo "0")
+    echo "  Configured backup plans: $plan_count"
+
+    if [ "$plan_count" -eq 0 ]; then
+        add_warning "No backup plans configured"
+        add_recommendation "Configure backup plans in Acronis web console"
+    fi
+else
+    echo "  ${DIM}acrocmd not available - cannot check backup plans${NC}"
+fi
+
+# Check agent version
+if [ -f "/usr/lib/Acronis/BackupAndRecovery/aakore" ]; then
+    agent_version=$(/usr/lib/Acronis/BackupAndRecovery/aakore --version 2>/dev/null | head -1 || echo "Unknown")
+    echo "  Agent version: $agent_version"
+else
+    add_warning "Cannot determine agent version"
+fi
+
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+
+# Summary Report
+echo -e "${BOLD}DIAGNOSTIC SUMMARY${NC}"
+echo ""
+
+if [ ${#ISSUES_FOUND[@]} -eq 0 ] && [ ${#WARNINGS_FOUND[@]} -eq 0 ]; then
+    echo -e "${GREEN}${BOLD}✓ No issues detected${NC}"
+    echo ""
+    echo "Acronis appears to be healthy. If you're experiencing backup"
+    echo "failures, check the web console for detailed backup logs."
+else
+    # Show issues
+    if [ ${#ISSUES_FOUND[@]} -gt 0 ]; then
+        echo -e "${RED}${BOLD}Critical Issues (${#ISSUES_FOUND[@]}):${NC}"
+        for issue in "${ISSUES_FOUND[@]}"; do
+            echo -e "  ${RED}✗${NC} $issue"
+        done
+        echo ""
+    fi
+
+    # Show warnings
+    if [ ${#WARNINGS_FOUND[@]} -gt 0 ]; then
+        echo -e "${YELLOW}${BOLD}Warnings (${#WARNINGS_FOUND[@]}):${NC}"
+        for warning in "${WARNINGS_FOUND[@]}"; do
+            echo -e "  ${YELLOW}⚠${NC} $warning"
+        done
+        echo ""
+    fi
+
+    # Show recommendations
+    if [ ${#RECOMMENDATIONS[@]} -gt 0 ]; then
+        echo -e "${CYAN}${BOLD}Recommendations:${NC}"
+        local rec_num=1
+        for rec in "${RECOMMENDATIONS[@]}"; do
+            echo -e "  ${CYAN}${rec_num}.${NC} $rec"
+            ((rec_num++))
+        done
+        echo ""
+    fi
+fi
+
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+
+# Quick actions
+echo -e "${BOLD}Quick Actions:${NC}"
+echo ""
+echo -e "  ${CYAN}1)${NC} View Full Logs (all errors)"
+echo -e "  ${CYAN}2)${NC} Restart All Services"
+echo -e "  ${CYAN}3)${NC} Generate Detailed Report"
+echo -e "  ${CYAN}4)${NC} Export Logs for Support"
+echo ""
+echo -e "  ${RED}0)${NC} Return to Menu"
+echo ""
+echo -n "Select action (or press Enter to return): "
+read -r action
+
+case "$action" in
+    1)
+        # Show all errors
+        clear
+        print_banner "All Errors from Logs"
+        echo ""
+        if [ -f "$primary_log" ]; then
+            grep -iE "error|fail|critical|warn" "$primary_log" | tail -50
+        fi
+        echo ""
+        press_enter
+        ;;
+    2)
+        # Restart services
+        echo ""
+        echo "Restarting all Acronis services..."
+        systemctl restart aakore
+        systemctl restart acronis_mms
+        systemctl restart acronis_schedule
+        systemctl restart active-protection
+        echo ""
+        print_success "Services restarted"
+        echo ""
+        echo "Waiting 5 seconds for services to stabilize..."
+        sleep 5
+        echo ""
+        echo "Running diagnostic again..."
+        sleep 2
+        exec "$0"
+        ;;
+    3)
+        # Generate detailed report
+        report_file="/tmp/acronis-diagnostic-$(date +%Y%m%d-%H%M%S).txt"
+        echo ""
+        echo "Generating detailed report..."
+
+        {
+            echo "Acronis Diagnostic Report"
+            echo "Generated: $(date)"
+            echo "Hostname: $(hostname)"
+            echo ""
+            echo "=== Service Status ==="
+            for service in "${SERVICES[@]}"; do
+                systemctl status "$service" 2>&1 | head -20
+                echo ""
+            done
+            echo ""
+            echo "=== Recent Log Entries ==="
+            if [ -f "$primary_log" ]; then
+                tail -200 "$primary_log"
+            fi
+            echo ""
+            echo "=== System Resources ==="
+            df -h
+            echo ""
+            free -h
+            echo ""
+            echo "=== Network ==="
+            netstat -tuln | grep -E "7770|7800|8443|44445"
+            echo ""
+            echo "=== Processes ==="
+            ps aux | grep -i acronis | grep -v grep
+        } > "$report_file"
+
+        print_success "Report generated: $report_file"
+        echo ""
+        echo "You can send this report to Acronis support or review it locally."
+        echo ""
+        press_enter
+        ;;
+    4)
+        # Export logs
+        archive_file="/tmp/acronis-logs-$(date +%Y%m%d-%H%M%S).tar.gz"
+        echo ""
+        echo "Exporting logs..."
+
+        if [ -d "/var/lib/Acronis/BackupAndRecovery/MMS" ]; then
+            tar -czf "$archive_file" /var/lib/Acronis/BackupAndRecovery/MMS/*.log 2>/dev/null
+            print_success "Logs exported: $archive_file"
+            echo ""
+            echo "Archive size: $(du -h "$archive_file" | awk '{print $1}')"
+        else
+            print_error "Log directory not found"
+        fi
+        echo ""
+        press_enter
+        ;;
+    *)
+        exit 0
+        ;;
+esac
@@ -0,0 +1,249 @@
+#!/bin/bash
+
+################################################################################
+# Acronis Agent Uninstaller
+################################################################################
+# Purpose: Safely uninstall Acronis Cyber Protect agent
+# Process:
+# 1. Stop all Acronis services
+# 2. Unregister from cloud (optional)
+# 3. Remove Acronis packages
+# 4. Clean up data directories (optional)
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+# Require root
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+print_banner "Acronis Agent Uninstaller"
+
+# Check if Acronis is installed
+if ! systemctl list-unit-files | grep -q "acronis_mms.service"; then
+    echo ""
+    echo -e "${YELLOW}⚠ Acronis Not Installed${NC}"
+    echo ""
+    echo "Acronis Cyber Protect does not appear to be installed on this system."
+    echo ""
+    press_enter
+    exit 0
+fi
+
+echo ""
+echo -e "${RED}${BOLD}⚠️  WARNING ⚠️${NC}"
+echo ""
+echo "This will completely remove Acronis Cyber Protect from this system."
+echo ""
+echo -e "${BOLD}What will be removed:${NC}"
+echo "  • All Acronis services (aakore, mms, schedule, active-protection)"
+echo "  • Acronis software packages"
+echo "  • Agent registration (if selected)"
+echo "  • Backup data and logs (if selected)"
+echo ""
+echo -e "${RED}This action cannot be easily undone!${NC}"
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+
+# Confirm uninstallation
+echo -n "Type 'uninstall' to confirm removal: "
+read -r confirm
+
+if [ "$confirm" != "uninstall" ]; then
+    echo ""
+    print_error "Uninstallation cancelled"
+    press_enter
+    exit 0
+fi
+
+echo ""
+echo -e "${BOLD}Uninstallation Options:${NC}"
+echo ""
+
+# Ask about data retention
+echo -n "Remove backup data and logs? (yes/no) [no]: "
+read -r remove_data
+remove_data="${remove_data:-no}"
+
+echo ""
+echo -n "Unregister from Acronis Cloud? (yes/no) [yes]: "
+read -r unregister
+unregister="${unregister:-yes}"
+
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+echo -e "${BOLD}Uninstallation Summary:${NC}"
+echo ""
+echo "  Stop services:       Yes"
+echo "  Remove software:     Yes"
+echo "  Unregister agent:    ${unregister}"
+echo "  Remove data/logs:    ${remove_data}"
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+echo -n "Proceed with uninstallation? (yes/no): "
+read -r final_confirm
+
+if [ "$final_confirm" != "yes" ]; then
+    echo ""
+    print_error "Uninstallation cancelled"
+    press_enter
+    exit 0
+fi
+
+echo ""
+echo -e "${BOLD}Starting Uninstallation...${NC}"
+echo ""
+
+# Stop all services
+echo "→ Stopping Acronis services..."
+systemctl stop active-protection.service 2>/dev/null
+systemctl stop acronis_schedule 2>/dev/null
+systemctl stop acronis_mms 2>/dev/null
+systemctl stop aakore 2>/dev/null
+service acronis_mms stop 2>/dev/null
+
+sleep 2
+
+if systemctl is-active --quiet acronis_mms; then
+    print_error "Warning: Some services may still be running"
+else
+    print_success "Services stopped"
+fi
+
+echo ""
+
+# Unregister from cloud if requested
+if [ "$unregister" = "yes" ]; then
+    echo "→ Unregistering from Acronis Cloud..."
+
+    if [ -f "/usr/lib/Acronis/RegisterAgentTool/RegisterAgent" ]; then
+        if /usr/lib/Acronis/RegisterAgentTool/RegisterAgent -o unregister 2>/dev/null; then
+            print_success "Agent unregistered"
+        else
+            echo "  ${YELLOW}Note: Unregistration may have failed (continuing anyway)${NC}"
+        fi
+    else
+        echo "  ${YELLOW}Note: Registration tool not found (skipping)${NC}"
+    fi
+
+    echo ""
+fi
+
+# Disable services
+echo "→ Disabling Acronis services..."
+systemctl disable aakore 2>/dev/null
+systemctl disable acronis_mms 2>/dev/null
+systemctl disable acronis_schedule 2>/dev/null
+systemctl disable active-protection.service 2>/dev/null
+echo "  ${GREEN}✓${NC} Services disabled"
+echo ""
+
+# Remove packages
+echo "→ Removing Acronis packages..."
+
+# Try different package managers
+if command -v dpkg &>/dev/null; then
+    # Debian/Ubuntu
+    dpkg -l | grep -i acronis | awk '{print $2}' | while read -r pkg; do
+        echo "  Removing: $pkg"
+        dpkg --purge "$pkg" 2>/dev/null
+    done
+elif command -v rpm &>/dev/null; then
+    # RedHat/CentOS
+    rpm -qa | grep -i acronis | while read -r pkg; do
+        echo "  Removing: $pkg"
+        rpm -e "$pkg" 2>/dev/null
+    done
+fi
+
+print_success "Packages removed"
+echo ""
+
+# Remove data directories if requested
+if [ "$remove_data" = "yes" ]; then
+    echo "→ Removing Acronis data and logs..."
+
+    declare -a DATA_DIRS=(
+        "/var/lib/Acronis"
+        "/usr/lib/Acronis"
+        "/etc/Acronis"
+        "/opt/acronis"
+    )
+
+    for dir in "${DATA_DIRS[@]}"; do
+        if [ -d "$dir" ]; then
+            local size=$(du -sh "$dir" 2>/dev/null | awk '{print $1}')
+            echo "  Removing: $dir (${size})"
+            rm -rf "$dir" 2>/dev/null
+        fi
+    done
+
+    print_success "Data directories removed"
+    echo ""
+fi
+
+# Clean up systemd
+echo "→ Cleaning up system configuration..."
+systemctl daemon-reload
+echo "  ${GREEN}✓${NC} systemd reloaded"
+echo ""
+
+# Final verification
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+echo -e "${GREEN}${BOLD}✓ Uninstallation Complete${NC}"
+echo ""
+
+# Check if anything remains
+local remaining=0
+
+if systemctl list-unit-files | grep -q "acronis"; then
+    echo -e "${YELLOW}⚠ Some service files may still be present${NC}"
+    ((remaining++))
+fi
+
+if [ -d "/var/lib/Acronis" ] || [ -d "/usr/lib/Acronis" ]; then
+    echo -e "${YELLOW}⚠ Some directories were not removed${NC}"
+    ((remaining++))
+fi
+
+if [ $remaining -eq 0 ]; then
+    echo "Acronis Cyber Protect has been completely removed from this system."
+else
+    echo ""
+    echo "Uninstallation mostly complete, but some files may remain."
+    echo "This is usually safe and won't affect system operation."
+fi
+
+echo ""
+
+# Show what was kept
+if [ "$remove_data" = "no" ]; then
+    echo -e "${BOLD}Retained Data:${NC}"
+    echo ""
+    echo "Backup data and logs were kept as requested:"
+    if [ -d "/var/lib/Acronis" ]; then
+        local data_size=$(du -sh /var/lib/Acronis 2>/dev/null | awk '{print $1}')
+        echo "  Location: /var/lib/Acronis"
+        echo "  Size:     $data_size"
+        echo ""
+        echo "To remove this data later:"
+        echo "  rm -rf /var/lib/Acronis"
+    fi
+    echo ""
+fi
+
+echo "To reinstall Acronis in the future:"
+echo "  1. Return to Backup & Recovery menu"
+echo "  2. Select 'Acronis Management'"
+echo "  3. Choose 'Install Acronis Agent'"
+echo ""
+
+press_enter
@@ -0,0 +1,314 @@
+#!/bin/bash
+
+################################################################################
+# Acronis Agent Update/Upgrade
+################################################################################
+# Purpose: Update Acronis Cyber Protect agent to latest version
+# Methods:
+# - Automatic via cloud (web console)
+# - Manual download and upgrade (preserves config/registration)
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+print_banner "Update Acronis Agent"
+
+echo ""
+
+# Check if Acronis is installed
+if ! systemctl list-unit-files | grep -q "acronis_mms.service"; then
+    print_error "Acronis is not installed"
+    echo ""
+    echo "Install Acronis first:"
+    echo "  1. Return to Acronis menu"
+    echo "  2. Select 'Install Acronis Agent'"
+    echo ""
+    press_enter
+    exit 1
+fi
+
+echo -e "${BOLD}Current Installation${NC}"
+echo ""
+
+# Check current version
+echo "→ Checking current agent version..."
+if [ -f "/usr/lib/Acronis/BackupAndRecovery/aakore" ]; then
+    current_version=$(/usr/lib/Acronis/BackupAndRecovery/aakore --version 2>/dev/null | head -1 || echo "Unknown")
+    echo "  Current version: ${current_version}"
+else
+    echo "  ${YELLOW}Version unknown${NC}"
+fi
+
+# Check service status
+echo ""
+echo "→ Service status:"
+if systemctl is-active --quiet acronis_mms; then
+    echo "  ${GREEN}✓${NC} Services are running"
+else
+    echo "  ${YELLOW}⚠${NC} Some services are stopped"
+fi
+
+echo ""
+echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+echo ""
+echo -e "${BOLD}Update Methods${NC}"
+echo ""
+echo -e "${CYAN}1. Automatic Update (via Acronis Cloud)${NC}"
+echo "   • Managed from web console"
+echo "   • Navigate to: Settings → Agent updates"
+echo "   • Can enable automatic updates"
+echo "   • Recommended for production environments"
+echo ""
+echo -e "${CYAN}2. Manual Update (Download + Upgrade)${NC}"
+echo "   • Downloads latest installer"
+echo "   • Runs upgrade automatically"
+echo "   • Preserves configuration and registration"
+echo "   • Agent stays registered to same account"
+echo ""
+echo -n "Select update method (1/2) or 0 to cancel [2]: "
+read -r method
+method="${method:-2}"
+
+case "$method" in
+    1)
+        # Automatic update instructions
+        clear
+        print_banner "Automatic Agent Updates"
+        echo ""
+        echo -e "${BOLD}Configure Automatic Updates via Web Console${NC}"
+        echo ""
+        echo "Steps:"
+        echo "  1. Log in to Acronis web console"
+
+        # Try to get cloud URL
+        if [ -f "/etc/Acronis/Global.config" ]; then
+            cloud_url=$(grep -oP 'CloudUrl[>="].*?https://[^"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^"<]+' | head -1)
+            if [ -n "$cloud_url" ]; then
+                echo "     ${cloud_url}"
+            fi
+        fi
+
+        echo ""
+        echo "  2. Navigate to: Settings → Agent updates"
+        echo ""
+        echo "  3. Options available:"
+        echo "     • Enable automatic updates"
+        echo "     • Schedule update time"
+        echo "     • Set update policy per device"
+        echo "     • Configure notification preferences"
+        echo ""
+        echo "  4. Agents will update during maintenance window"
+        echo ""
+        echo -e "${GREEN}Benefits:${NC}"
+        echo "  ✓ Centrally managed"
+        echo "  ✓ Scheduled updates"
+        echo "  ✓ Rollback capability"
+        echo "  ✓ Update verification"
+        echo ""
+        press_enter
+        ;;
+
+    2)
+        # Manual update/upgrade
+        clear
+        print_banner "Manual Agent Upgrade"
+        echo ""
+        echo -e "${BOLD}Upgrade Process${NC}"
+        echo ""
+        echo "This will:"
+        echo "  1. Download the latest Acronis agent installer"
+        echo "  2. Run installer over existing installation"
+        echo "  3. Automatically upgrade to latest version"
+        echo "  4. Preserve all configuration and registration"
+        echo "  5. Restart services with new version"
+        echo ""
+        echo -e "${YELLOW}Note:${NC} The agent will stay registered to your Acronis account."
+        echo "       No need to re-register after upgrade."
+        echo ""
+        echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+        echo ""
+
+        # Get cloud URL for download
+        SERVICE_URL="us5-cloud.acronis.com"
+        if [ -f "/etc/Acronis/Global.config" ]; then
+            config_url=$(grep -oP 'CloudUrl[>="].*?https://[^"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^"<]+' | head -1)
+            if [ -n "$config_url" ]; then
+                SERVICE_URL=$(echo "$config_url" | sed 's|https://||' | sed 's|/.*||')
+            fi
+        fi
+
+        echo "Download region: ${SERVICE_URL}"
+        echo ""
+        echo -n "Proceed with upgrade? (yes/no): "
+        read -r confirm
+
+        if [[ ! "$confirm" =~ ^[Yy]([Ee][Ss])?$ ]]; then
+            echo ""
+            print_error "Upgrade cancelled"
+            press_enter
+            exit 0
+        fi
+
+        echo ""
+        echo -e "${BOLD}Starting Upgrade...${NC}"
+        echo ""
+
+        # Create download directory
+        DOWNLOAD_DIR="$SCRIPT_DIR/downloads"
+        mkdir -p "$DOWNLOAD_DIR"
+        cd "$DOWNLOAD_DIR" || exit 1
+
+        INSTALL_DIR="$DOWNLOAD_DIR/acronis-upgrade-$(date +%Y%m%d-%H%M%S)"
+        mkdir -p "$INSTALL_DIR"
+        cd "$INSTALL_DIR" || exit 1
+
+        # Download installer
+        echo "→ Downloading latest Acronis agent..."
+        DOWNLOAD_URL="https://${SERVICE_URL}/bc/api/ams/links/agents/redirect?language=multi&system=linux&architecture=64&productType=enterprise"
+
+        if wget -q --show-progress "$DOWNLOAD_URL" -O "Cyber_Protection_Agent_for_Linux_x86_64.bin"; then
+            print_success "Download complete"
+        else
+            print_error "Download failed"
+            echo ""
+            echo "Possible causes:"
+            echo "  • No internet connection"
+            echo "  • Invalid service URL"
+            echo "  • Firewall blocking connection"
+            echo ""
+            cd "$SCRIPT_DIR"
+            rm -rf "$INSTALL_DIR"
+            press_enter
+            exit 1
+        fi
+
+        echo ""
+
+        # Make executable
+        chmod +x "Cyber_Protection_Agent_for_Linux_x86_64.bin" 2>/dev/null
+
+        # Verify file
+        file_size=$(stat -c%s "Cyber_Protection_Agent_for_Linux_x86_64.bin" 2>/dev/null || echo "0")
+        if [ "$file_size" -lt 1000000 ]; then
+            print_error "Downloaded file is too small (possibly corrupted)"
+            cd "$SCRIPT_DIR"
+            rm -rf "$INSTALL_DIR"
+            press_enter
+            exit 1
+        fi
+
+        # Run upgrade (unattended mode)
+        echo "→ Running upgrade..."
+        echo ""
+        echo "The installer will automatically:"
+        echo "  • Detect existing installation"
+        echo "  • Upgrade to latest version"
+        echo "  • Preserve configuration"
+        echo "  • Keep registration"
+        echo ""
+        sleep 2
+
+        echo -e "${DIM}──────────────────────────────────────────────────────────────${NC}"
+
+        # Run installer in unattended mode
+        ./Cyber_Protection_Agent_for_Linux_x86_64.bin -a
+
+        UPGRADE_EXIT_CODE=$?
+
+        echo -e "${DIM}──────────────────────────────────────────────────────────────${NC}"
+        echo ""
+
+        # Check result
+        if [ $UPGRADE_EXIT_CODE -eq 0 ]; then
+            print_success "Upgrade completed successfully!"
+            echo ""
+
+            # Check new version
+            echo "→ Verifying upgrade..."
+            sleep 2
+
+            if [ -f "/usr/lib/Acronis/BackupAndRecovery/aakore" ]; then
+                new_version=$(/usr/lib/Acronis/BackupAndRecovery/aakore --version 2>/dev/null | head -1 || echo "Unknown")
+                echo "  New version: ${new_version}"
+                echo ""
+
+                if [ "$new_version" != "$current_version" ]; then
+                    print_success "Agent upgraded: $current_version → $new_version"
+                else
+                    echo "  ${YELLOW}Version appears unchanged (may already be latest)${NC}"
+                fi
+            fi
+
+            echo ""
+
+            # Check services
+            echo "→ Checking services..."
+            sleep 1
+
+            if systemctl is-active --quiet acronis_mms; then
+                print_success "Services are running"
+            else
+                echo "  ${YELLOW}⚠ Services may need restart${NC}"
+                echo ""
+                echo -n "Restart Acronis services? (yes/no): "
+                read -r restart_confirm
+
+                if [[ "$restart_confirm" =~ ^[Yy]([Ee][Ss])?$ ]]; then
+                    echo ""
+                    echo "→ Restarting services..."
+                    systemctl restart aakore
+                    systemctl restart acronis_mms
+                    systemctl restart acronis_schedule
+                    sleep 2
+
+                    if systemctl is-active --quiet acronis_mms; then
+                        print_success "Services restarted"
+                    else
+                        print_error "Service restart failed"
+                        echo "Check status: systemctl status acronis_mms"
+                    fi
+                fi
+            fi
+
+            echo ""
+            echo -e "${GREEN}${BOLD}✓ Upgrade Complete${NC}"
+            echo ""
+            echo "The agent has been upgraded and remains registered."
+            echo "Backups will continue according to existing schedules."
+            echo ""
+
+        else
+            print_error "Upgrade failed with exit code $UPGRADE_EXIT_CODE"
+            echo ""
+            echo "Common issues:"
+            echo "  • Agent is already latest version"
+            echo "  • Insufficient disk space"
+            echo "  • Services in use"
+            echo ""
+            echo "Check logs for details:"
+            echo "  tail -f /var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
+            echo ""
+        fi
+
+        # Cleanup
+        echo "→ Cleaning up installation files..."
+        cd "$SCRIPT_DIR"
+        rm -rf "$INSTALL_DIR"
+        echo ""
+
+        press_enter
+        ;;
+
+    *)
+        echo ""
+        echo "Update cancelled"
+        press_enter
+        ;;
+esac
@@ -937,12 +937,13 @@ System may be vulnerable" \
        fi
    fi

-    # Check for cPanel updates (if cPanel)
-    if [ -f "/usr/local/cpanel/version" ]; then
-        local cpanel_version=$(cat /usr/local/cpanel/version)
-        # Note: We can't easily check if update is available without WHM API
-        # Just record the version
-        echo "cPanel version: $cpanel_version" >> "$TEMP_DIR/system_info.txt"
+    # Check for control panel version
+    if [ "$SYS_CONTROL_PANEL" = "cpanel" ] && [ -n "$SYS_CONTROL_PANEL_VERSION" ]; then
+        echo "cPanel version: $SYS_CONTROL_PANEL_VERSION" >> "$TEMP_DIR/system_info.txt"
+    elif [ "$SYS_CONTROL_PANEL" = "plesk" ] && [ -n "$SYS_CONTROL_PANEL_VERSION" ]; then
+        echo "Plesk version: $SYS_CONTROL_PANEL_VERSION" >> "$TEMP_DIR/system_info.txt"
+    elif [ "$SYS_CONTROL_PANEL" = "interworx" ] && [ -n "$SYS_CONTROL_PANEL_VERSION" ]; then
+        echo "InterWorx version: $SYS_CONTROL_PANEL_VERSION" >> "$TEMP_DIR/system_info.txt"
    fi
 }

@@ -0,0 +1,243 @@
+#!/bin/bash
+
+################################################################################
+# Server Toolkit Data Cleanup
+################################################################################
+# Purpose: Remove all toolkit-generated data (for wiping before system transfer)
+# Use Case: When moving toolkit to another server or fresh start
+#
+# What gets cleaned:
+# - IP reputation database
+# - Temporary analysis files
+# - Cached data
+# - Generated reports
+# - Session data
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+
+# Require root
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+print_banner "Server Toolkit Data Cleanup"
+
+echo ""
+echo -e "${YELLOW}${BOLD}⚠️  WARNING ⚠️${NC}"
+echo ""
+echo "This will remove ALL data collected by the Server Toolkit:"
+echo ""
+echo "  • IP reputation database (/var/lib/server-toolkit/)"
+echo "  • Temporary analysis files (/tmp/)"
+echo "  • Generated reports"
+echo "  • Cached data"
+echo "  • Session files"
+echo ""
+echo -e "${RED}This action CANNOT be undone!${NC}"
+echo ""
+echo "Use this when:"
+echo "  ✓ Moving toolkit to a different server"
+echo "  ✓ Starting fresh analysis"
+echo "  ✓ Removing server-specific data before sharing"
+echo ""
+echo -e "${CYAN}────────────────────────────────────────────────────────────${NC}"
+echo ""
+read -p "Type 'yes' to confirm cleanup: " confirm
+
+if [ "$confirm" != "yes" ]; then
+    echo ""
+    print_error "Cleanup cancelled"
+    exit 0
+fi
+
+echo ""
+echo "Starting cleanup..."
+echo ""
+
+# Track what was cleaned
+cleaned_count=0
+cleaned_size=0
+
+# Function to safely remove directory/file and track size
+safe_remove() {
+    local path="$1"
+    local description="$2"
+
+    if [ -e "$path" ]; then
+        # Calculate size before removing
+        if [ -d "$path" ]; then
+            size=$(du -sb "$path" 2>/dev/null | awk '{print $1}' || echo "0")
+        else
+            size=$(stat -c%s "$path" 2>/dev/null || echo "0")
+        fi
+
+        # Remove
+        rm -rf "$path" 2>/dev/null
+
+        if [ $? -eq 0 ]; then
+            cleaned_size=$((cleaned_size + size))
+            ((cleaned_count++))
+            echo -e "  ${GREEN}✓${NC} Removed: $description"
+            return 0
+        else
+            echo -e "  ${RED}✗${NC} Failed to remove: $description"
+            return 1
+        fi
+    else
+        echo -e "  ${DIM}○${NC} Not found: $description (already clean)"
+        return 0
+    fi
+}
+
+echo -e "${BOLD}IP Reputation Database:${NC}"
+safe_remove "/var/lib/server-toolkit/ip-reputation" "IP reputation database (including hash index)"
+safe_remove "/var/lib/server-toolkit" "Toolkit data directory"
+echo ""
+
+echo -e "${BOLD}Temporary Analysis Files:${NC}"
+# Bot analyzer temp files
+for pattern in /tmp/bot_analysis_* /tmp/*_bot_*.txt; do
+    if ls $pattern 2>/dev/null | grep -q .; then
+        rm -f $pattern 2>/dev/null
+        echo -e "  ${GREEN}✓${NC} Removed: Bot analysis temp files"
+        ((cleaned_count++))
+        break
+    fi
+done
+
+# 500 error tracker temp files
+for pattern in /tmp/500-tracker-* /tmp/*500*.txt; do
+    if ls $pattern 2>/dev/null | grep -q .; then
+        rm -rf $pattern 2>/dev/null
+        echo -e "  ${GREEN}✓${NC} Removed: 500 error tracker temp files"
+        ((cleaned_count++))
+        break
+    fi
+done
+
+# Live monitoring temp files
+for pattern in /tmp/live-monitor-* /tmp/*monitor*.tmp; do
+    if ls $pattern 2>/dev/null | grep -q .; then
+        rm -rf $pattern 2>/dev/null
+        echo -e "  ${GREEN}✓${NC} Removed: Live monitoring temp files"
+        ((cleaned_count++))
+        break
+    fi
+done
+
+# Error analyzer temp files
+for pattern in /tmp/error_analysis_* /tmp/*error*.tmp; do
+    if ls $pattern 2>/dev/null | grep -q .; then
+        rm -f $pattern 2>/dev/null
+        echo -e "  ${GREEN}✓${NC} Removed: Error analyzer temp files"
+        ((cleaned_count++))
+        break
+    fi
+done
+
+# Generic toolkit temp files
+for pattern in /tmp/toolkit_* /tmp/server-toolkit*; do
+    if ls $pattern 2>/dev/null | grep -q .; then
+        rm -rf $pattern 2>/dev/null
+        echo -e "  ${GREEN}✓${NC} Removed: Generic toolkit temp files"
+        ((cleaned_count++))
+        break
+    fi
+done
+
+echo ""
+
+echo -e "${BOLD}Generated Reports:${NC}"
+# Look for common report locations
+for pattern in /tmp/*_report_*.txt /tmp/*_analysis_*.txt /root/*toolkit*.txt /root/*_report*.txt; do
+    if ls $pattern 2>/dev/null | grep -q .; then
+        count=$(ls $pattern 2>/dev/null | wc -l)
+        rm -f $pattern 2>/dev/null
+        echo -e "  ${GREEN}✓${NC} Removed: $count report file(s)"
+        ((cleaned_count++))
+        break
+    fi
+done
+
+echo ""
+
+echo -e "${BOLD}Cache and Session Data:${NC}"
+# Cached analysis data
+if [ -d "/var/cache/server-toolkit" ]; then
+    safe_remove "/var/cache/server-toolkit" "Toolkit cache directory"
+fi
+
+# Session/lock files
+for pattern in /var/run/server-toolkit* /var/lock/server-toolkit*; do
+    if ls $pattern 2>/dev/null | grep -q .; then
+        rm -f $pattern 2>/dev/null
+        echo -e "  ${GREEN}✓${NC} Removed: Session/lock files"
+        ((cleaned_count++))
+        break
+    fi
+done
+
+echo ""
+
+echo -e "${BOLD}Log Files (Optional):${NC}"
+echo -n "Remove toolkit execution logs? (yes/no) [no]: "
+read remove_logs
+remove_logs="${remove_logs:-no}"
+
+if [ "$remove_logs" = "yes" ]; then
+    for pattern in /var/log/server-toolkit*.log; do
+        if ls $pattern 2>/dev/null | grep -q .; then
+            count=$(ls $pattern 2>/dev/null | wc -l)
+            rm -f $pattern 2>/dev/null
+            echo -e "  ${GREEN}✓${NC} Removed: $count log file(s)"
+            ((cleaned_count++))
+            break
+        fi
+    done
+else
+    echo -e "  ${DIM}○${NC} Logs kept (skipped)"
+fi
+
+echo ""
+echo -e "${CYAN}────────────────────────────────────────────────────────────${NC}"
+echo ""
+
+# Convert size to human readable
+if [ $cleaned_size -lt 1024 ]; then
+    size_human="${cleaned_size}B"
+elif [ $cleaned_size -lt 1048576 ]; then
+    size_human="$((cleaned_size / 1024))KB"
+elif [ $cleaned_size -lt 1073741824 ]; then
+    size_human="$((cleaned_size / 1048576))MB"
+else
+    size_human="$((cleaned_size / 1073741824))GB"
+fi
+
+echo -e "${GREEN}${BOLD}✓ Cleanup Complete!${NC}"
+echo ""
+echo "Summary:"
+echo "  Items removed: $cleaned_count"
+echo "  Space freed:   $size_human"
+echo ""
+echo "The toolkit is now clean and ready for:"
+echo "  • Transfer to another server"
+echo "  • Fresh analysis start"
+echo "  • Sharing without server-specific data"
+echo ""
+
+# Verify critical directories are gone
+missing=0
+[ -d "/var/lib/server-toolkit" ] && { echo -e "${YELLOW}Warning: /var/lib/server-toolkit still exists${NC}"; ((missing++)); }
+[ -d "/tmp/live-monitor-current" ] && { echo -e "${YELLOW}Warning: /tmp/live-monitor-current still exists${NC}"; ((missing++)); }
+
+if [ $missing -gt 0 ]; then
+    echo ""
+    echo -e "${YELLOW}Some directories could not be removed (may be in use)${NC}"
+    echo "Try stopping any running toolkit scripts and run cleanup again."
+fi
+
+echo ""
+press_enter
@@ -182,19 +182,27 @@ This is significantly higher than typical usage" \
 analyze_web_traffic() {
    echo -e "${CYAN}[INFO]${NC} Analyzing web server traffic patterns..."

-    # Find Apache log directory
+    # Multi-panel log directory discovery
    local log_dir=""
-    if [ -d "/var/log/apache2/domlogs" ]; then
-        log_dir="/var/log/apache2/domlogs"
-    elif [ -d "/etc/apache2/logs/domlogs" ]; then
-        log_dir="/etc/apache2/logs/domlogs"
+    if [ "$SYS_CONTROL_PANEL" = "interworx" ]; then
+        # InterWorx: Multiple log locations (use first user's logs as sample)
+        log_dir=$(find /home/*/var/*/logs -type d 2>/dev/null | head -1)
+    elif [ "$SYS_CONTROL_PANEL" = "plesk" ]; then
+        # Plesk: System logs
+        log_dir="/var/www/vhosts/system"
+    elif [ -n "$SYS_LOG_DIR" ] && [ -d "$SYS_LOG_DIR" ]; then
+        # cPanel or detected log directory
+        log_dir="$SYS_LOG_DIR"
    elif [ -d "/var/log/httpd" ]; then
+        # Standalone fallback
        log_dir="/var/log/httpd"
+    elif [ -d "/var/log/apache2" ]; then
+        log_dir="/var/log/apache2"
    fi

    if [ -z "$log_dir" ] || [ ! -d "$log_dir" ]; then
        add_finding "INFO" "Web Server Logs Not Found" \
-            "Could not locate Apache/web server logs" \
+            "Could not locate Apache/web server logs (Panel: $SYS_CONTROL_PANEL)" \
            "Web traffic analysis requires Apache logs"
        return
    fi
@@ -27,11 +27,25 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 source "$SCRIPT_DIR/lib/user-manager.sh"
+source "$SCRIPT_DIR/lib/ip-reputation.sh"
+source "$SCRIPT_DIR/lib/bot-signatures.sh"
+source "$SCRIPT_DIR/lib/attack-patterns.sh"
+source "$SCRIPT_DIR/lib/threat-intelligence.sh"

 # Default configuration (auto-detected from system)
 LOG_DIR="${SYS_LOG_DIR:-/var/log/apache2/domlogs}"
-TEMP_DIR="/tmp/bot_analysis_$$"
-OUTPUT_FILE="/tmp/bot_analysis_report_$(date +%Y%m%d_%H%M%S).txt"
+
+# Use toolkit's tmp directory instead of system /tmp to avoid filling it up
+# On large servers with 200+ domains, compressed temp files can still be 50-100MB
+# Using toolkit's tmp dir means:
+# - Won't fill up system /tmp
+# - Gets auto-cleaned when toolkit is removed
+# - Included in cleanup script (clean-and-push-toolkit.sh)
+TOOLKIT_TMP_DIR="$SCRIPT_DIR/tmp"
+mkdir -p "$TOOLKIT_TMP_DIR" 2>/dev/null
+
+TEMP_DIR="$TOOLKIT_TMP_DIR/bot_analysis_$$"
+OUTPUT_FILE="$TOOLKIT_TMP_DIR/bot_analysis_report_$(date +%Y%m%d_%H%M%S).txt"
 DAYS_BACK=""  # Empty means all logs, otherwise filter by days
 HOURS_BACK=""  # Empty means all logs, otherwise filter by hours
 FILTER_USER=""  # Empty means all users, otherwise specific user
@@ -176,6 +190,7 @@ YELLOW='\033[1;33m'
 GREEN='\033[0;32m'
 BLUE='\033[0;34m'
 CYAN='\033[0;36m'
+BOLD='\033[1m'
 NC='\033[0m' # No Color

 # Check for required commands
@@ -196,15 +211,16 @@ check_dependencies() {
 # Check disk space
 check_disk_space() {
    local available_kb
-    available_kb=$(df /tmp 2>/dev/null | tail -1 | awk '{print $4}')
+    local check_path="$SCRIPT_DIR"
+    available_kb=$(df "$check_path" 2>/dev/null | tail -1 | awk '{print $4}')

    if [ -z "$available_kb" ]; then
-        echo -e "${YELLOW}Warning: Cannot determine available disk space in /tmp${NC}" >&2
+        echo -e "${YELLOW}Warning: Cannot determine available disk space for toolkit directory${NC}" >&2
        return
    fi

    if [ "$available_kb" -lt 102400 ]; then  # Less than 100MB
-        echo -e "${YELLOW}Warning: Low disk space in /tmp: $((available_kb/1024))MB available${NC}" >&2
+        echo -e "${YELLOW}Warning: Low disk space in toolkit directory: $((available_kb/1024))MB available${NC}" >&2
        read -p "Continue anyway? (y/N): " -n 1 -r
        echo
        if [[ ! $REPLY =~ ^[Yy]$ ]]; then
@@ -229,80 +245,8 @@ trap "rm -rf $TEMP_DIR" EXIT
 #############################################################################
 # Bot Signature Database
 #############################################################################
-
-# Legitimate bots (search engines)
-declare -A LEGIT_BOTS=(
-    ["Googlebot"]="Google Search"
-    ["Googlebot-Image"]="Google Images"
-    ["Googlebot-Video"]="Google Video"
-    ["Googlebot-News"]="Google News"
-    ["Google-InspectionTool"]="Google Search Console"
-    ["Storebot-Google"]="Google Merchant"
-    ["APIs-Google"]="Google APIs"
-    ["AdsBot-Google"]="Google Ads"
-    ["Mediapartners-Google"]="Google AdSense"
-    ["bingbot"]="Bing Search"
-    ["msnbot"]="MSN Search"
-    ["Slurp"]="Yahoo Search"
-    ["DuckDuckBot"]="DuckDuckGo"
-    ["Baiduspider"]="Baidu Search"
-    ["YandexBot"]="Yandex Search"
-)
-
-# AI Bots
-declare -A AI_BOTS=(
-    ["GPTBot"]="OpenAI"
-    ["ChatGPT-User"]="OpenAI ChatGPT"
-    ["ClaudeBot"]="Anthropic Claude"
-    ["Claude-Web"]="Anthropic Web"
-    ["Bytespider"]="ByteDance (TikTok)"
-    ["PetalBot"]="Huawei"
-    ["CCBot"]="Common Crawl"
-    ["anthropic-ai"]="Anthropic"
-    ["Applebot"]="Apple Intelligence"
-    ["facebookexternalhit"]="Facebook/Meta"
-    ["Meta-ExternalAgent"]="Meta AI"
-    ["cohere-ai"]="Cohere AI"
-    ["PerplexityBot"]="Perplexity AI"
-    ["YouBot"]="You.com AI"
-    ["Diffbot"]="Diffbot AI"
-    ["ImagesiftBot"]="ImageSift AI"
-    ["Omgilibot"]="Omgili AI"
-)
-
-# Monitoring/SEO bots
-declare -A MONITOR_BOTS=(
-    ["AhrefsBot"]="Ahrefs SEO"
-    ["SemrushBot"]="SEMrush SEO"
-    ["MJ12bot"]="Majestic SEO"
-    ["DotBot"]="Moz/OpenSite"
-    ["BLEXBot"]="BLEXBot SEO"
-    ["PingdomBot"]="Pingdom Monitoring"
-    ["UptimeRobot"]="Uptime Monitoring"
-    ["StatusCake"]="StatusCake Monitoring"
-    ["SiteImprove"]="SiteImprove Analytics"
-)
-
-# Suspicious/Aggressive bots (malicious or security scanners)
-declare -A SUSPICIOUS_BOTS=(
-    ["MauiBot"]="Malicious crawler"
-    ["DataForSeoBot"]="Data scraper"
-    ["ZoominfoBot"]="Data harvester"
-    ["MegaIndex"]="Aggressive crawler"
-    ["SeznamBot"]="Aggressive crawler"
-    ["Yeti"]="Naver crawler"
-    ["serpstatbot"]="SEO crawler"
-    ["LinkpadBot"]="Link checker"
-    ["Nessus"]="Vulnerability scanner"
-    ["Nikto"]="Security scanner"
-    ["sqlmap"]="SQL injection tool"
-    ["ZmEu"]="Scanner/exploit"
-    ["masscan"]="Port scanner"
-    ["nmap"]="Port scanner"
-    ["wget"]="Command-line tool"
-    ["curl"]="Command-line tool"
-    ["python-requests"]="Script/automation"
-)
+# NOTE: Bot signatures now loaded from lib/bot-signatures.sh
+# Arrays available: LEGIT_BOTS, AI_BOTS, MONITOR_BOTS, SUSPICIOUS_BOTS

 #############################################################################
 # Helper Functions
@@ -335,7 +279,11 @@ print_success() {
 #############################################################################

 parse_logs() {
-    print_info "Parsing logs from: $LOG_DIR"
+    if [ "$INTERWORX_MODE" = "yes" ]; then
+        print_info "Parsing InterWorx domain logs from: /home/*/var/*/logs/"
+    else
+        print_info "Parsing logs from: $LOG_DIR"
+    fi

    local find_opts=()

@@ -349,13 +297,38 @@ parse_logs() {
        print_info "Filtering logs from last $DAYS_BACK days"
    fi

-    # Parse all domain logs (excluding -bytes_log, .offset, and error_log files)
-    # cPanel creates files like: domain.com, domain.com-ssl_log
-    find "$LOG_DIR" -type f ! -name "*-bytes_log" ! -name "*.offset" ! -name "*error_log" "${find_opts[@]}" 2>/dev/null | while read -r logfile; do
+    # Determine log file search pattern based on control panel
+    local log_search_path
+    local log_search_name
+    if [ "$INTERWORX_MODE" = "yes" ]; then
+        # InterWorx: /home/user/var/domain.com/logs/access_log
+        log_search_path="/home/*/var/*/logs"
+        log_search_name="access_log"
+    else
+        # cPanel/Plesk: /var/log/apache2/domlogs/domain.com
+        log_search_path="$LOG_DIR"
+        log_search_name="*"
+    fi
+
+    # Parse all domain logs
+    local file_count=0
+    local progress_interval=50
+    echo ""
+    find "$log_search_path" -type f -name "$log_search_name" ! -name "*-bytes_log" ! -name "*.offset" ! -name "*error_log" "${find_opts[@]}" 2>/dev/null | while read -r logfile; do
        # Skip empty files
        [ -s "$logfile" ] || continue

-        domain=$(basename "$logfile" | sed 's/-ssl_log$//')
+        # Extract domain name based on control panel
+        if [ "$INTERWORX_MODE" = "yes" ]; then
+            # InterWorx: extract from path /home/user/var/domain.com/logs/access_log
+            domain=$(echo "$logfile" | sed -n 's|^/home/.*/var/\([^/]*\)/logs/.*|\1|p')
+        else
+            # cPanel: extract from filename
+            domain=$(basename "$logfile" | sed 's/-ssl_log$//')
+        fi
+
+        # Skip if domain extraction failed
+        [ -z "$domain" ] && continue

        # User filtering: skip domains not belonging to the specified user
        if [ -n "$FILTER_USER" ]; then
@@ -364,6 +337,12 @@ parse_logs() {
            fi
        fi

+        # Show progress every N files
+        file_count=$((file_count + 1))
+        if [ $((file_count % progress_interval)) -eq 0 ]; then
+            echo -ne "\r  Parsed $file_count log files... (current: $domain)"
+        fi
+
        # Parse Apache Combined Log Format with error handling
        # Format: IP - - [timestamp] "METHOD URL PROTOCOL" STATUS SIZE "REFERRER" "USER-AGENT"
        awk -v domain="$domain" '
@@ -407,8 +386,11 @@ parse_logs() {
            if (ip != "" && ip !~ /^[[:space:]]*$/) {
                print ip "|" domain "|" request_url "|" status "|" size "|" user_agent "|" http_method "|" timestamp
            }
-        }' "$logfile" >> "$TEMP_DIR/parsed_logs.txt" 2>/dev/null
-    done
+        }' "$logfile" 2>/dev/null
+    done > "$TEMP_DIR/parsed_logs.txt"
+
+    # Clear the progress line
+    echo -ne "\r\033[K"

    if [ ! -s "$TEMP_DIR/parsed_logs.txt" ]; then
        print_alert "No log entries were parsed. Check log format or permissions."
@@ -417,7 +399,14 @@ parse_logs() {

    local line_count
    line_count=$(wc -l < "$TEMP_DIR/parsed_logs.txt")
-    print_success "Logs parsed successfully ($line_count entries)"
+    local file_size_kb
+    file_size_kb=$(du -k "$TEMP_DIR/parsed_logs.txt" | cut -f1)
+
+    # Compress for storage (gzip saves ~90% space on text)
+    # But we keep uncompressed version for fast analysis
+    gzip -c "$TEMP_DIR/parsed_logs.txt" > "$TEMP_DIR/parsed_logs.txt.gz" &
+
+    print_success "Logs parsed successfully ($line_count entries, ${file_size_kb}KB uncompressed)"
    return 0
 }

@@ -516,7 +505,7 @@ classify_bots() {
        if (bot_type != "unknown") {
            print ip "|" domain "|" url "|" status "|" size "|" ua "|" method "|" timestamp "|" bot_type "|" bot_name
        }
-    }' "$TEMP_DIR/parsed_logs.txt" > "$TEMP_DIR/classified_bots.txt"
+    }' < "$TEMP_DIR/parsed_logs.txt" > "$TEMP_DIR/classified_bots.txt"

    if [ ! -s "$TEMP_DIR/classified_bots.txt" ]; then
        print_alert "Bot classification failed"
@@ -525,7 +514,13 @@ classify_bots() {

    local classified_count
    classified_count=$(wc -l < "$TEMP_DIR/classified_bots.txt")
-    print_success "Bot classification complete ($classified_count entries)"
+    local file_size_kb
+    file_size_kb=$(du -k "$TEMP_DIR/classified_bots.txt" | cut -f1)
+
+    # Compress for storage in background
+    gzip -c "$TEMP_DIR/classified_bots.txt" > "$TEMP_DIR/classified_bots.txt.gz" &
+
+    print_success "Bot classification complete ($classified_count entries, ${file_size_kb}KB uncompressed)"
    return 0
 }

@@ -612,7 +607,7 @@ detect_threats() {
        # Track response codes for intelligence
        print status > "'"$TEMP_DIR"'/response_codes_raw.txt"
    }
-    ' "$TEMP_DIR/parsed_logs.txt"
+    ' < <(cat "$TEMP_DIR/parsed_logs.txt")

    # Process attack vectors by type
    if [ -f "$TEMP_DIR/attack_vectors_raw.txt" ]; then
@@ -678,23 +673,23 @@ detect_botnets() {

    # Group IPs by similar behavior patterns
    # Pattern 1: Multiple IPs hitting same URLs in coordinated manner
-    awk -F'|' '{print $1"|"$3}' "$TEMP_DIR/parsed_logs.txt" | \
+    cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{print $1"|"$3}' | \
        sort | uniq -c | awk '$1 > 10 {print $2}' | \
        cut -d'|' -f2 | sort | uniq -c | sort -rn | \
        awk '$1 > 5 {print $2}' > "$TEMP_DIR/coordinated_urls.txt"

    # Pattern 2: IPs with similar User-Agents hitting multiple domains
-    awk -F'|' '{print $1"|"$6}' "$TEMP_DIR/parsed_logs.txt" | \
+    cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{print $1"|"$6}' | \
        sort | uniq > "$TEMP_DIR/ip_ua_pairs.txt"

    # Pattern 3: Detect IP ranges (Class C networks) with suspicious activity
-    awk -F'|' '{print $1}' "$TEMP_DIR/parsed_logs.txt" | \
+    cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{print $1}' | \
        awk -F'.' '{print $1"."$2"."$3".0/24"}' | \
        sort | uniq -c | sort -rn | awk '$1 > 20' > "$TEMP_DIR/suspicious_networks.txt"

    # Pattern 4: Rapid fire requests (DDoS indicators)
    # Extract timestamp and count requests per IP per minute
-    awk -F'|' '{
+    cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{
        ip = $1
        timestamp = $8
        # Extract date/time components (handles format: DD/MMM/YYYY:HH:MM:SS)
@@ -703,7 +698,7 @@ detect_botnets() {
            time_key = ts[3] ts[2] ts[1] "_" ts[4] ts[5]
            print ip "|" time_key
        }
-    }' "$TEMP_DIR/parsed_logs.txt" | \
+    }' | \
        sort | uniq -c | \
        awk '$1 > 50 {print $1 " " $2}' | \
        awk -F'|' '{print $1}' | \
@@ -765,10 +760,39 @@ detect_server_ips() {
    fi
 }

+# Helper function to validate IP address format
+is_valid_ip() {
+    local ip="$1"
+
+    # IPv4 validation
+    if [[ "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+        local IFS='.'
+        local -a octets=($ip)
+        for octet in "${octets[@]}"; do
+            if [ "$octet" -gt 255 ]; then
+                return 1  # Invalid
+            fi
+        done
+        return 0  # Valid IPv4
+    fi
+
+    # IPv6 basic validation (simplified)
+    if [[ "$ip" =~ ^([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}$ ]]; then
+        return 0  # Valid IPv6
+    fi
+
+    return 1  # Invalid
+}
+
 # Helper function to check if an IP should be excluded
 is_excluded_ip() {
    local ip="$1"

+    # First validate IP format
+    if ! is_valid_ip "$ip"; then
+        return 0  # Exclude invalid IPs
+    fi
+
    # Check if private/internal IP
    if [[ "$ip" =~ ^127\. ]] || \
       [[ "$ip" =~ ^10\. ]] || \
@@ -798,13 +822,13 @@ analyze_time_series() {
    print_info "Analyzing time-series patterns..."

    # Extract hourly bot traffic
-    awk -F'|' '$9 != "unknown" {
+    cat "$TEMP_DIR/classified_bots.txt" | awk -F'|' '$9 != "unknown" {
        timestamp = $8
        if (match(timestamp, /([0-9]{2})\/([A-Za-z]{3})\/([0-9]{4}):([0-9]{2}):([0-9]{2}):([0-9]{2})/, ts)) {
            hour = ts[4]
            print hour
        }
-    }' "$TEMP_DIR/classified_bots.txt" | sort | uniq -c > "$TEMP_DIR/hourly_bot_traffic.txt"
+    }' | sort | uniq -c > "$TEMP_DIR/hourly_bot_traffic.txt"

    # Extract hourly attack traffic
    if [ -f "$TEMP_DIR/attack_vectors_raw.txt" ]; then
@@ -815,7 +839,7 @@ analyze_time_series() {
                hour = ts[4]
                print hour
            }
-        }' "$TEMP_DIR/attack_vectors_raw.txt" "$TEMP_DIR/parsed_logs.txt" | sort | uniq -c > "$TEMP_DIR/hourly_attack_traffic.txt"
+        }' "$TEMP_DIR/attack_vectors_raw.txt" <(cat "$TEMP_DIR/parsed_logs.txt") | sort | uniq -c > "$TEMP_DIR/hourly_attack_traffic.txt"
    fi

    print_success "Time-series analysis complete"
@@ -832,59 +856,50 @@ calculate_threat_scores() {
    declare -A ip_request_counts
    while IFS='|' read -r ip rest; do
        ((ip_request_counts["$ip"]++))
-    done < "$TEMP_DIR/parsed_logs.txt"
+    done < <(cat "$TEMP_DIR/parsed_logs.txt")

    # Build hash tables from threat files for O(1) lookups
+    # OPTIMIZATION: Use awk instead of echo|awk|cut in loops (10x faster)
    declare -A threat_ips_sqli threat_ips_xss threat_ips_path threat_ips_rce threat_ips_login
    declare -A threat_ips_suspicious threat_ips_ddos threat_admin_count threat_404_count

-    # Parse each threat file and build hash tables
-    [ -f "$TEMP_DIR/sqli_attempts.txt" ] && while read -r line; do
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
-        [ -n "$ip" ] && threat_ips_sqli["$ip"]=1
-    done < "$TEMP_DIR/sqli_attempts.txt"
+    # Parse each threat file and build hash tables (optimized with awk)
+    [ -f "$TEMP_DIR/sqli_attempts.txt" ] && while read -r ip; do
+        threat_ips_sqli["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/sqli_attempts.txt" | cut -d'|' -f1)

-    [ -f "$TEMP_DIR/xss_attempts.txt" ] && while read -r line; do
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
-        [ -n "$ip" ] && threat_ips_xss["$ip"]=1
-    done < "$TEMP_DIR/xss_attempts.txt"
+    [ -f "$TEMP_DIR/xss_attempts.txt" ] && while read -r ip; do
+        threat_ips_xss["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/xss_attempts.txt" | cut -d'|' -f1)

-    [ -f "$TEMP_DIR/path_traversal_attempts.txt" ] && while read -r line; do
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
-        [ -n "$ip" ] && threat_ips_path["$ip"]=1
-    done < "$TEMP_DIR/path_traversal_attempts.txt"
+    [ -f "$TEMP_DIR/path_traversal_attempts.txt" ] && while read -r ip; do
+        threat_ips_path["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/path_traversal_attempts.txt" | cut -d'|' -f1)

-    [ -f "$TEMP_DIR/rce_upload_attempts.txt" ] && while read -r line; do
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
-        [ -n "$ip" ] && threat_ips_rce["$ip"]=1
-    done < "$TEMP_DIR/rce_upload_attempts.txt"
+    [ -f "$TEMP_DIR/rce_upload_attempts.txt" ] && while read -r ip; do
+        threat_ips_rce["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/rce_upload_attempts.txt" | cut -d'|' -f1)

-    [ -f "$TEMP_DIR/login_bruteforce_attempts.txt" ] && while read -r line; do
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
-        [ -n "$ip" ] && threat_ips_login["$ip"]=1
-    done < "$TEMP_DIR/login_bruteforce_attempts.txt"
+    [ -f "$TEMP_DIR/login_bruteforce_attempts.txt" ] && while read -r ip; do
+        threat_ips_login["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/login_bruteforce_attempts.txt" | cut -d'|' -f1)

-    [ -f "$TEMP_DIR/suspicious_ua.txt" ] && while read -r line; do
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
-        [ -n "$ip" ] && threat_ips_suspicious["$ip"]=1
-    done < "$TEMP_DIR/suspicious_ua.txt"
+    [ -f "$TEMP_DIR/suspicious_ua.txt" ] && while read -r ip; do
+        threat_ips_suspicious["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/suspicious_ua.txt" | cut -d'|' -f1)

-    [ -f "$TEMP_DIR/rapid_fire_ips.txt" ] && while read -r line; do
-        ip=$(echo "$line" | awk '{print $2}')
-        [ -n "$ip" ] && threat_ips_ddos["$ip"]=1
-    done < "$TEMP_DIR/rapid_fire_ips.txt"
+    [ -f "$TEMP_DIR/rapid_fire_ips.txt" ] && while read -r ip; do
+        threat_ips_ddos["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/rapid_fire_ips.txt")

-    [ -f "$TEMP_DIR/admin_probes.txt" ] && while read -r line; do
-        count=$(echo "$line" | awk '{print $1}')
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
+    # Parse count-based threat files
+    [ -f "$TEMP_DIR/admin_probes.txt" ] && while read -r count ip; do
        [ -n "$ip" ] && threat_admin_count["$ip"]=$count
-    done < "$TEMP_DIR/admin_probes.txt"
+    done < <(awk '{print $1, $2}' "$TEMP_DIR/admin_probes.txt" | sed 's/|.*//')

-    [ -f "$TEMP_DIR/404_scans.txt" ] && while read -r line; do
-        count=$(echo "$line" | awk '{print $1}')
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
+    [ -f "$TEMP_DIR/404_scans.txt" ] && while read -r count ip; do
        [ -n "$ip" ] && threat_404_count["$ip"]=$count
-    done < "$TEMP_DIR/404_scans.txt"
+    done < <(awk '{print $1, $2}' "$TEMP_DIR/404_scans.txt" | sed 's/|.*//')

    # Now calculate scores for each IP (using pre-counted requests)
    for ip in "${!ip_request_counts[@]}"; do
@@ -920,14 +935,59 @@ calculate_threat_scores() {
        scan_404=${threat_404_count[$ip]:-0}
        [ "$scan_404" -gt 50 ] 2>/dev/null && score=$((score + 3))

+        # OPTIMIZATION: Skip external API calls for performance
+        # Threat Intelligence Enrichment can be done post-analysis for high-risk IPs only
+        # Uncommenting these will SIGNIFICANTLY slow down analysis (API calls for every IP)
+        #
+        # To enable threat intelligence enrichment:
+        # 1. Uncomment the code below
+        # 2. Ensure check_abuseipdb, get_country_code, and is_high_risk_country functions exist
+        # 3. Be aware this will make thousands of API calls and take much longer
+        #
+        # local abuse_data=$(check_abuseipdb "$ip" 2>/dev/null || echo "0|0|Unknown|Unknown")
+        # IFS='|' read -r abuse_confidence abuse_reports abuse_country abuse_isp <<< "$abuse_data"
+        #
+        # if [ "$abuse_confidence" -ge 75 ]; then
+        #     score=$((score + 15))  # High confidence malicious
+        # elif [ "$abuse_confidence" -ge 50 ]; then
+        #     score=$((score + 8))   # Moderate confidence
+        # elif [ "$abuse_confidence" -ge 25 ]; then
+        #     score=$((score + 3))   # Low confidence
+        # fi
+        #
+        # local geo_country=$(get_country_code "$ip" 2>/dev/null || echo "XX")
+        # if is_high_risk_country "$geo_country" 2>/dev/null; then
+        #     score=$((score + 5))   # High-risk country bonus
+        # fi
+
        # Cap at 100
        [ $score -gt 100 ] && score=100

        # Only output IPs with score > 0
        [ $score -gt 0 ] && echo "$score|$ip|$req_count"
+
+        # Track in centralized IP reputation database (background process)
+        if [ $score -gt 0 ]; then
+            (
+                # Update IP with hit count
+                increment_ip_hits "$ip" "$req_count" >/dev/null 2>&1
+
+                # Tag with specific attack types found
+                [ -n "${threat_ips_sqli[$ip]}" ] && flag_ip_attack "$ip" "SQL_INJECTION" 0 "Bot analyzer: SQL injection attempts" >/dev/null 2>&1
+                [ -n "${threat_ips_xss[$ip]}" ] && flag_ip_attack "$ip" "XSS" 0 "Bot analyzer: XSS attempts" >/dev/null 2>&1
+                [ -n "${threat_ips_path[$ip]}" ] && flag_ip_attack "$ip" "PATH_TRAVERSAL" 0 "Bot analyzer: Path traversal" >/dev/null 2>&1
+                [ -n "${threat_ips_rce[$ip]}" ] && flag_ip_attack "$ip" "RCE" 0 "Bot analyzer: RCE/shell upload attempts" >/dev/null 2>&1
+                [ -n "${threat_ips_login[$ip]}" ] && flag_ip_attack "$ip" "BRUTEFORCE" 0 "Bot analyzer: Login bruteforce" >/dev/null 2>&1
+                [ -n "${threat_ips_ddos[$ip]}" ] && flag_ip_attack "$ip" "DDOS" 0 "Bot analyzer: Rapid-fire requests" >/dev/null 2>&1
+                [ -n "${threat_ips_suspicious[$ip]}" ] && flag_ip_attack "$ip" "SCANNER" 0 "Bot analyzer: Suspicious user-agent" >/dev/null 2>&1
+            ) &
+        fi
    done | sort -t'|' -k1 -rn > "$TEMP_DIR/threat_scores.txt"

-    print_success "Threat scores calculated"
+    # Wait for background IP reputation updates to complete
+    wait
+
+    print_success "Threat scores calculated and IP reputation updated"
 }

 #############################################################################
@@ -938,7 +998,7 @@ detect_false_positives() {
    print_info "Detecting legitimate services (false positives)..."

    # Known monitoring service patterns
-    awk -F'|' '{
+    cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{
        ip = $1
        domain = $2
        url = $3
@@ -964,7 +1024,7 @@ detect_false_positives() {
        else if (match(ua, /jetpack|vaultpress|updraftplus/)) {
            print ip "|Backup Service|" ua "|" domain
        }
-    }' "$TEMP_DIR/parsed_logs.txt" | sort -u > "$TEMP_DIR/false_positives.txt"
+    }' | sort -u > "$TEMP_DIR/false_positives.txt"

    print_success "False positive detection complete"
 }
@@ -976,32 +1036,60 @@ detect_false_positives() {
 generate_statistics() {
    print_info "Generating statistics..."

-    # Top 5 bots by request count
-    awk -F'|' '$9 != "unknown" {print $10}' "$TEMP_DIR/classified_bots.txt" | \
+    # OPTIMIZATION: Use single-pass AWK to generate multiple stats from parsed logs
+    # This reads the uncompressed file ONCE instead of 4+ separate reads
+    cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '
+    {
+        # Count by domain (for top sites)
+        domains[$2]++
+
+        # Count by IP (for top IPs)
+        ips[$1]++
+
+        # Count by domain+URL (for top URLs)
+        urls[$2"|"$3]++
+    }
+    END {
+        # Output top sites
+        for (domain in domains) {
+            print domains[domain], domain > "'"$TEMP_DIR"'/top_sites_raw.txt"
+        }
+
+        # Output top IPs
+        for (ip in ips) {
+            print ips[ip], ip > "'"$TEMP_DIR"'/top_ips_raw.txt"
+        }
+
+        # Output top URLs
+        for (url in urls) {
+            print urls[url], url > "'"$TEMP_DIR"'/top_urls_raw.txt"
+        }
+    }'
+
+    # Sort and limit results
+    sort -rn "$TEMP_DIR/top_sites_raw.txt" | head -5 > "$TEMP_DIR/top_sites.txt"
+    sort -rn "$TEMP_DIR/top_ips_raw.txt" | head -5 > "$TEMP_DIR/top_ips.txt"
+    sort -rn "$TEMP_DIR/top_urls_raw.txt" | head -5 > "$TEMP_DIR/top_urls.txt"
+
+    # Top 5 bots by request count (single decompression)
+    cat "$TEMP_DIR/classified_bots.txt" | awk -F'|' '$9 != "unknown" {print $10}' | \
        sort | uniq -c | sort -rn | head -5 > "$TEMP_DIR/top_bots.txt"

-    # Top 5 most-hit sites
-    awk -F'|' '{print $2}' "$TEMP_DIR/parsed_logs.txt" | \
-        sort | uniq -c | sort -rn | head -5 > "$TEMP_DIR/top_sites.txt"
-    
-    # Top 5 most-hit URLs
-    awk -F'|' '{print $2"|"$3}' "$TEMP_DIR/parsed_logs.txt" | \
-        sort | uniq -c | sort -rn | head -5 > "$TEMP_DIR/top_urls.txt"
-    
-    # Top 5 IP addresses by request count
-    awk -F'|' '{print $1}' "$TEMP_DIR/parsed_logs.txt" | \
-        sort | uniq -c | sort -rn | head -5 > "$TEMP_DIR/top_ips.txt"
-    
-    # Traffic breakdown by bot type
-    awk -F'|' '{print $9}' "$TEMP_DIR/classified_bots.txt" | \
+    # Traffic breakdown by bot type (single decompression)
+    cat "$TEMP_DIR/classified_bots.txt" | awk -F'|' '{print $9}' | \
        sort | uniq -c | sort -rn > "$TEMP_DIR/traffic_breakdown.txt"

-    # Per-domain traffic sources
-    while read -r domain; do
-        echo "$domain" > "$TEMP_DIR/domain_${domain}_stats.txt"
-        grep "|$domain|" "$TEMP_DIR/classified_bots.txt" | \
-            awk -F'|' '{print $9}' | sort | uniq -c | sort -rn >> "$TEMP_DIR/domain_${domain}_stats.txt"
-    done < <(awk -F'|' '{print $2}' "$TEMP_DIR/parsed_logs.txt" | sort -u)
+    # Per-domain traffic sources (OPTIMIZED: read uncompressed file once, use grep)
+    if [ -f "$TEMP_DIR/all_domains.txt" ]; then
+        # Create indexed bot traffic file (decompress once)
+        cat "$TEMP_DIR/classified_bots.txt" | awk -F'|' '{print $2"|"$9}' > "$TEMP_DIR/domain_bot_types.txt"
+
+        while read -r domain; do
+            echo "$domain" > "$TEMP_DIR/domain_${domain}_stats.txt"
+            grep "^$domain|" "$TEMP_DIR/domain_bot_types.txt" | cut -d'|' -f2 | \
+                sort | uniq -c | sort -rn >> "$TEMP_DIR/domain_${domain}_stats.txt"
+        done < "$TEMP_DIR/all_domains.txt"
+    fi

    print_success "Statistics generated"
 }
@@ -1085,19 +1173,19 @@ generate_report() {
    # QUICK STATS DASHBOARD
    print_header "QUICK STATS DASHBOARD"

-    total_requests=$(wc -l < "$TEMP_DIR/parsed_logs.txt")
-    unique_ips=$(awk -F'|' '{print $1}' "$TEMP_DIR/parsed_logs.txt" | sort -u | wc -l)
-    unique_domains=$(awk -F'|' '{print $2}' "$TEMP_DIR/parsed_logs.txt" | sort -u | wc -l)
-    bot_requests=$(awk -F'|' '$9 != "unknown"' "$TEMP_DIR/classified_bots.txt" | wc -l)
+    total_requests=$(cat "$TEMP_DIR/parsed_logs.txt" | wc -l)
+    unique_ips=$(cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{print $1}' | sort -u | wc -l)
+    unique_domains=$(cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{print $2}' | sort -u | wc -l)
+    bot_requests=$(cat "$TEMP_DIR/classified_bots.txt" | awk -F'|' '$9 != "unknown"' | wc -l)

    # Count private/internal IPs (excluded from threat analysis)
-    private_ips=$(awk -F'|' '{print $1}' "$TEMP_DIR/parsed_logs.txt" | sort -u | grep -E '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.)' | wc -l)
+    private_ips=$(cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{print $1}' | sort -u | grep -E '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.)' | wc -l)

    # Count server's own IPs in the logs
    server_ip_hits=0
    if [ -f "$TEMP_DIR/server_ips.txt" ] && [ -s "$TEMP_DIR/server_ips.txt" ]; then
        while read -r server_ip; do
-            if grep -q "^$server_ip|" "$TEMP_DIR/parsed_logs.txt" 2>/dev/null; then
+            if cat "$TEMP_DIR/parsed_logs.txt" | grep -q "^$server_ip|" 2>/dev/null; then
                server_ip_hits=$((server_ip_hits + 1))
            fi
        done < "$TEMP_DIR/server_ips.txt"
@@ -1200,7 +1288,7 @@ generate_report() {
            ip=$(echo "$line" | cut -d'|' -f1)
            service=$(echo "$line" | cut -d'|' -f2)
            domain=$(echo "$line" | cut -d'|' -f4)
-            req_count=$(grep -c "^$ip|" "$TEMP_DIR/parsed_logs.txt" 2>/dev/null || echo 0)
+            req_count=$(cat "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | grep -c "^$ip|" || echo 0)
            echo "  $ip - $req_count requests - Identified as: $service"
            echo "    → Domain: $domain"
            echo "    → Action: VERIFY OWNERSHIP then whitelist"
@@ -1311,8 +1399,8 @@ generate_report() {
    if [ -s "$TEMP_DIR/large_transfers.txt" ]; then
        # Calculate total bot bandwidth
        total_bot_bandwidth=0
-        if [ -f "$TEMP_DIR/classified_bots.txt" ]; then
-            total_bot_bandwidth=$(awk -F'|' '$9 != "unknown" && $5 ~ /^[0-9]+$/ {sum += $5} END {print sum}' "$TEMP_DIR/classified_bots.txt")
+        if [ -f "$TEMP_DIR/classified_bots.txt.gz" ]; then
+            total_bot_bandwidth=$(cat "$TEMP_DIR/classified_bots.txt" | awk -F'|' '$9 != "unknown" && $5 ~ /^[0-9]+$/ {sum += $5} END {print sum}')
        fi

        if [ -n "$total_bot_bandwidth" ] && [ "$total_bot_bandwidth" -gt 0 ]; then
@@ -1321,7 +1409,7 @@ generate_report() {
            # Estimate cost at $0.09/GB (typical CDN pricing)
            estimated_cost=$(awk "BEGIN {printf \"%.2f\", ($total_bot_bandwidth/1073741824) * 0.09}")

-            total_bandwidth=$(awk -F'|' '$5 ~ /^[0-9]+$/ {sum += $5} END {print sum}' "$TEMP_DIR/parsed_logs.txt")
+            total_bandwidth=$(cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '$5 ~ /^[0-9]+$/ {sum += $5} END {print sum}')
            bot_pct=$(awk "BEGIN {printf \"%.1f\", ($total_bot_bandwidth/$total_bandwidth)*100}")

            echo ""
@@ -1548,8 +1636,8 @@ baseline_health_check() {

    # If no domains found from log files, try reference database
    if [ ! -s "$TEMP_DIR/domain_list.txt" ]; then
-        if [ -s "$TOOLKIT_BASE_DIR/.sysref" ]; then
-            grep "^DOMAIN|" "$TOOLKIT_BASE_DIR/.sysref" 2>/dev/null | \
+        if [ -s "$SCRIPT_DIR/.sysref" ]; then
+            grep "^DOMAIN|" "$SCRIPT_DIR/.sysref" 2>/dev/null | \
                cut -d'|' -f2 | sort -u > "$TEMP_DIR/domain_list.txt"
        fi
    fi
@@ -1704,45 +1792,83 @@ main() {
    echo ""
    print_header "Starting Apache/cPanel Bot Analysis"

-    # Check if log directory exists
-    if [ ! -d "$LOG_DIR" ]; then
-        print_alert "Error: Log directory not found: $LOG_DIR"
-        echo "Please specify the correct log directory with -l option"
-        exit 1
-    fi
+    # InterWorx requires special log discovery (logs are in /home/user/var/domain.com/logs/)
+    if [ "$SYS_CONTROL_PANEL" = "interworx" ]; then
+        print_info "InterWorx detected - discovering domain logs..."

-    # Check if logs exist
-    local find_opts=()
-    if [ -n "$HOURS_BACK" ]; then
-        local minutes=$((HOURS_BACK * 60))
-        find_opts+=(-mmin -"$minutes")
-    elif [ -n "$DAYS_BACK" ]; then
-        find_opts+=(-mtime -"$DAYS_BACK")
+        # Build time filter options
+        local find_opts=()
+        if [ -n "$HOURS_BACK" ]; then
+            local minutes=$((HOURS_BACK * 60))
+            find_opts+=(-mmin -"$minutes")
+        elif [ -n "$DAYS_BACK" ]; then
+            find_opts+=(-mtime -"$DAYS_BACK")
+        fi
+
+        # Find all access_log files in InterWorx structure
+        log_count=$(find /home/*/var/*/logs -type f -name "access_log" "${find_opts[@]}" 2>/dev/null | wc -l)
+
+        if [ "$log_count" -eq 0 ]; then
+            print_alert "Error: No InterWorx access logs found in /home/*/var/*/logs/"
+            if [ -n "$HOURS_BACK" ]; then
+                echo "No logs found from the last $HOURS_BACK hours"
+            elif [ -n "$DAYS_BACK" ]; then
+                echo "No logs found from the last $DAYS_BACK days"
+            fi
+            exit 1
+        fi
+
+        print_info "Found $log_count InterWorx domain log files to analyze"
+
+        # Override LOG_DIR for parse_logs function to use
+        export INTERWORX_MODE="yes"
+        export INTERWORX_FIND_OPTS="${find_opts[*]}"
+    else
+        # Standard cPanel/Plesk log discovery
+        # Check if log directory exists
+        if [ ! -d "$LOG_DIR" ]; then
+            print_alert "Error: Log directory not found: $LOG_DIR"
+            echo "Please specify the correct log directory with -l option"
+            exit 1
+        fi
+
+        # Check if logs exist
+        local find_opts=()
+        if [ -n "$HOURS_BACK" ]; then
+            local minutes=$((HOURS_BACK * 60))
+            find_opts+=(-mmin -"$minutes")
+        elif [ -n "$DAYS_BACK" ]; then
+            find_opts+=(-mtime -"$DAYS_BACK")
+        fi
+
+        log_count=$(find "$LOG_DIR" -type f ! -name "*-bytes_log" ! -name "*.offset" ! -name "*error_log" "${find_opts[@]}" 2>/dev/null | wc -l)
+        if [ "$log_count" -eq 0 ]; then
+            print_alert "Error: No log files found in $LOG_DIR"
+            if [ -n "$HOURS_BACK" ]; then
+                echo "No logs found from the last $HOURS_BACK hours"
+            elif [ -n "$DAYS_BACK" ]; then
+                echo "No logs found from the last $DAYS_BACK days"
+            fi
+            exit 1
+        fi
+
+        print_info "Found $log_count log files to analyze"
    fi

    # User filtering
    if [ -n "$FILTER_USER" ]; then
        print_info "Filtering logs for user: $FILTER_USER"
-        user_domains=$(get_user_domains "$FILTER_USER")
+        export user_domains=$(get_user_domains "$FILTER_USER")
        if [ -z "$user_domains" ]; then
            print_error "No domains found for user: $FILTER_USER"
            exit 1
        fi
        print_info "User has $(echo "$user_domains" | wc -l) domain(s)"
+    else
+        export user_domains=""
    fi

-    log_count=$(find "$LOG_DIR" -type f ! -name "*-bytes_log" ! -name "*.offset" ! -name "*error_log" "${find_opts[@]}" 2>/dev/null | wc -l)
-    if [ "$log_count" -eq 0 ]; then
-        print_alert "Error: No log files found in $LOG_DIR"
-        if [ -n "$HOURS_BACK" ]; then
-            echo "No logs found from the last $HOURS_BACK hours"
-        elif [ -n "$DAYS_BACK" ]; then
-            echo "No logs found from the last $DAYS_BACK days"
-        fi
-        exit 1
-    fi
-
-    print_info "Found $log_count log files to analyze"
+    # Print time range info
    if [ -n "$HOURS_BACK" ]; then
        print_info "Analyzing logs from the last $HOURS_BACK hours"
    elif [ -n "$DAYS_BACK" ]; then
@@ -1796,65 +1922,77 @@ analyze_domain_threats() {
    > "$TEMP_DIR/domain_threats.txt"
    > "$TEMP_DIR/domain_high_risk_ips.txt"

-    # Get all unique domains from parsed logs
-    awk -F'|' '{print $2}' "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | sort -u > "$TEMP_DIR/all_domains.txt"
+    # MASSIVE OPTIMIZATION: Single AWK pass instead of nested loops with 25,000+ greps
+    # Old approach: O(domains × high_risk_IPs × file_size) = 83 minutes for 500 domains
+    # New approach: O(file_size) = seconds

-    # For each domain, calculate threat metrics
-    while read -r domain; do
-        [ -z "$domain" ] && continue
+    awk -F'|' '
+    BEGIN {
+        # Load high-risk IPs into memory
+        while ((getline < "'"$TEMP_DIR"'/threat_scores.txt") > 0) {
+            score = $1
+            ip = $2
+            if (score >= 70) {
+                high_risk[ip] = score
+            }
+        }
+        close("'"$TEMP_DIR"'/threat_scores.txt")

-        # Total requests to this domain
-        local total_requests=$(grep -c "^[^|]*|$domain|" "$TEMP_DIR/parsed_logs.txt" 2>/dev/null || echo "0")
+        # Load attack vectors
+        while ((getline < "'"$TEMP_DIR"'/attack_vectors_raw.txt") > 0) {
+            domain = $2
+            attack_counts[domain]++
+        }
+        close("'"$TEMP_DIR"'/attack_vectors_raw.txt")
+    }

-        # Bot requests to this domain
-        local bot_requests=$(grep "|$domain|" "$TEMP_DIR/classified_bots.txt" 2>/dev/null | wc -l || echo "0")
+    # Process parsed logs (single pass)
+    {
+        ip = $1
+        domain = $2

-        # High-risk IPs hitting this domain (score >= 70)
-        local high_risk_count=0
-        local high_risk_ips=""
+        # Count total requests per domain
+        domain_requests[domain]++

-        if [ -s "$TEMP_DIR/threat_scores.txt" ]; then
-            while read -r score_line; do
-                local score=$(echo "$score_line" | cut -d'|' -f1)
-                local ip=$(echo "$score_line" | cut -d'|' -f2)
+        # Track high-risk IPs per domain
+        if (ip in high_risk) {
+            domain_high_risk_count[domain]++
+            domain_high_risk_ips[domain] = domain_high_risk_ips[domain] ip ":" high_risk[ip] ":" ++domain_ip_count[domain":"ip] " "
+        }
+    }
+    END {
+        # Now process classified bots
+        while ((getline < "'"$TEMP_DIR"'/classified_bots.txt") > 0) {
+            domain = $2
+            bot_counts[domain]++
+        }
+        close("'"$TEMP_DIR"'/classified_bots.txt")

-                if [ "$score" -ge 70 ]; then
-                    # Check if this IP hit this domain
-                    if grep -q "^$ip|$domain|" "$TEMP_DIR/parsed_logs.txt" 2>/dev/null; then
-                        local ip_requests=$(grep -c "^$ip|$domain|" "$TEMP_DIR/parsed_logs.txt" 2>/dev/null || echo "0")
-                        high_risk_count=$((high_risk_count + 1))
-                        high_risk_ips="${high_risk_ips}${ip}:${score}:${ip_requests} "
-                    fi
-                fi
-            done < "$TEMP_DIR/threat_scores.txt"
-        fi
+        # Output results for each domain
+        for (domain in domain_requests) {
+            total_req = domain_requests[domain]
+            bot_req = bot_counts[domain] + 0
+            bot_pct = (total_req > 0) ? (bot_req / total_req * 100) : 0
+            high_risk_count = domain_high_risk_count[domain] + 0
+            attacks = attack_counts[domain] + 0
+            high_risk_detail = domain_high_risk_ips[domain]

-        # Attack attempts targeting this domain
-        local attack_attempts=0
-        if [ -s "$TEMP_DIR/attack_vectors_raw.txt" ]; then
-            attack_attempts=$(grep "|$domain|" "$TEMP_DIR/attack_vectors_raw.txt" 2>/dev/null | wc -l || echo "0")
-        fi
+            # domain|total_requests|bot_requests|bot_percentage|high_risk_ip_count|attack_attempts|high_risk_ips_detail
+            printf "%s|%d|%d|%.1f|%d|%d|%s\n", domain, total_req, bot_req, bot_pct, high_risk_count, attacks, high_risk_detail > "'"$TEMP_DIR"'/domain_threats.txt"

-        # Calculate bot percentage
-        local bot_percentage=0
-        if [ "$total_requests" -gt 0 ]; then
-            bot_percentage=$(awk "BEGIN {printf \"%.1f\", ($bot_requests / $total_requests) * 100}")
-        fi
-
-        # Store domain threat data
-        # Format: domain|total_requests|bot_requests|bot_percentage|high_risk_ip_count|attack_attempts|high_risk_ips_detail
-        echo "$domain|$total_requests|$bot_requests|$bot_percentage|$high_risk_count|$attack_attempts|$high_risk_ips" >> "$TEMP_DIR/domain_threats.txt"
-
-        # Track which high-risk IPs hit which domains
-        if [ $high_risk_count -gt 0 ]; then
-            echo "$domain|$high_risk_count|$high_risk_ips" >> "$TEMP_DIR/domain_high_risk_ips.txt"
-        fi
-
-    done < "$TEMP_DIR/all_domains.txt"
+            # Track high-risk IPs per domain
+            if (high_risk_count > 0) {
+                printf "%s|%d|%s\n", domain, high_risk_count, high_risk_detail > "'"$TEMP_DIR"'/domain_high_risk_ips.txt"
+            }
+        }
+    }' "$TEMP_DIR/parsed_logs.txt"

    # Sort by high-risk IP count (descending)
    sort -t'|' -k5 -rn "$TEMP_DIR/domain_threats.txt" > "$TEMP_DIR/domain_threats_sorted.txt"

+    # Get all unique domains
+    awk -F'|' '{print $1}' "$TEMP_DIR/domain_threats.txt" | sort -u > "$TEMP_DIR/all_domains.txt"
+
    print_success "Domain threat analysis complete"
 }

@@ -2729,8 +2867,8 @@ execute_htaccess_domain_blocking() {

    # Find document root for this domain using reference database
    local doc_root=""
-    if [ -s "$TOOLKIT_BASE_DIR/.sysref" ]; then
-        doc_root=$(grep "^DOMAIN|$target_domain|" "$TOOLKIT_BASE_DIR/.sysref" 2>/dev/null | head -1 | cut -d'|' -f4)
+    if [ -s "$SCRIPT_DIR/.sysref" ]; then
+        doc_root=$(grep "^DOMAIN|$target_domain|" "$SCRIPT_DIR/.sysref" 2>/dev/null | head -1 | cut -d'|' -f4)
    fi

    if [ -z "$doc_root" ]; then
@@ -2774,7 +2912,7 @@ execute_htaccess_domain_blocking() {
    print_info "Adding bot blocking rules..."

    # Get high-risk IPs for this domain
-    local block_ips=$(grep "^[^|]*|$target_domain|" "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | cut -d'|' -f1 | sort -u | while read ip; do
+    local block_ips=$(cat "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | grep "^[^|]*|$target_domain|" | cut -d'|' -f1 | sort -u | while read ip; do
        # Check if this IP has high threat score
        if grep -q "|$ip$" "$TEMP_DIR/threat_scores.txt" 2>/dev/null; then
            local score=$(grep "|$ip$" "$TEMP_DIR/threat_scores.txt" | cut -d'|' -f1)
@@ -0,0 +1,494 @@
+#!/bin/bash
+
+################################################################################
+# IP Reputation Manager
+################################################################################
+# Purpose: View, query, and manage the centralized IP reputation database
+# Features:
+# - Query individual IPs
+# - View top malicious IPs
+# - View top active IPs
+# - Export database
+# - Database statistics
+# - Cleanup old entries
+# - Manual IP flagging/whitelisting
+################################################################################
+
+# Get script directory
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+source "$SCRIPT_DIR/lib/ip-reputation.sh"
+
+# Require root
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+# Menu display
+show_menu() {
+    clear
+    print_banner "IP Reputation Manager"
+
+    # Show quick stats
+    local total_ips=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)
+    local db_size=$(du -h "$IP_REP_DB" 2>/dev/null | awk '{print $1}' || echo "0B")
+
+    echo ""
+    echo -e "${BLUE}${BOLD}Database Status:${NC} $total_ips IPs tracked | Size: $db_size"
+    echo ""
+    echo -e "${BOLD}Query & View:${NC}"
+    echo ""
+    echo -e "  ${GREEN}1)${NC} Query IP Reputation       - Look up specific IP"
+    echo -e "  ${GREEN}2)${NC} Top Malicious IPs         - Highest reputation scores"
+    echo -e "  ${GREEN}3)${NC} Top Active IPs            - Most hits/requests"
+    echo -e "  ${GREEN}4)${NC} Database Statistics       - Overview of tracked IPs"
+    echo -e "  ${GREEN}5)${NC} Live Monitoring           - Real-time reputation updates"
+    echo ""
+    echo -e "${BOLD}Database Management:${NC}"
+    echo ""
+    echo -e "  ${BLUE}6)${NC} Export Database           - Export to readable text file"
+    echo -e "  ${BLUE}7)${NC} Cleanup Old Entries       - Remove IPs not seen in X days"
+    echo -e "  ${BLUE}8)${NC} Compact Database          - Remove duplicate entries (faster writes)"
+    echo -e "  ${BLUE}9)${NC} Rebuild Index             - Optimize database for speed"
+    echo ""
+    echo -e "${BOLD}Manual Actions:${NC}"
+    echo ""
+    echo -e "  ${YELLOW}10)${NC} Flag IP as Malicious      - Manually mark IP as threat"
+    echo -e "  ${YELLOW}11)${NC} Mark IP as Legitimate     - Whitelist/reduce score"
+    echo -e "  ${YELLOW}12)${NC} Import IPs from Log       - Batch import from file"
+    echo ""
+    echo -e "  ${RED}0)${NC} Exit"
+    echo ""
+    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
+    echo -n "Select option: "
+}
+
+# Query individual IP
+query_ip_interactive() {
+    clear
+    print_banner "Query IP Reputation"
+    echo ""
+    echo -n "Enter IP address to query: "
+    read -r ip_address
+
+    if [ -z "$ip_address" ]; then
+        print_error "No IP address provided"
+        press_enter
+        return
+    fi
+
+    # Validate IP format (basic check)
+    if ! [[ "$ip_address" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+        print_error "Invalid IP address format"
+        press_enter
+        return
+    fi
+
+    echo ""
+    query_ip_reputation "$ip_address"
+
+    echo ""
+    press_enter
+}
+
+# View top malicious IPs
+view_top_malicious() {
+    clear
+    print_banner "Top Malicious IPs"
+    echo ""
+    echo -n "How many top IPs to show? [20]: "
+    read -r limit
+    limit="${limit:-20}"
+
+    echo ""
+    echo -e "${RED}${BOLD}Top $limit Most Malicious IPs (by Reputation Score)${NC}"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    printf "%-15s | %-7s | %-4s | %-8s | %-8s | %-30s\n" \
+        "IP ADDRESS" "HITS" "CTRY" "REP" "LEVEL" "ATTACK TYPES"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+    get_top_malicious_ips "$limit" | while IFS='|' read -r ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes; do
+        local category=$(get_ip_reputation_category "$rep_score")
+        local attacks=$(decode_attack_flags "$attack_flags")
+
+        # Color code by reputation
+        local color="$NC"
+        case "$category" in
+            CRITICAL) color="$RED$BOLD" ;;
+            HIGH) color="$RED" ;;
+            MEDIUM) color="$YELLOW" ;;
+            LOW) color="$CYAN" ;;
+        esac
+
+        printf "${color}%-15s | %-7s | %-4s | %-3s/100 | %-8s | %-30s${NC}\n" \
+            "$ip" "$hit_count" "$country" "$rep_score" "$category" "${attacks:0:30}"
+    done
+
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo ""
+    press_enter
+}
+
+# View top active IPs
+view_top_active() {
+    clear
+    print_banner "Top Active IPs"
+    echo ""
+    echo -n "How many top IPs to show? [20]: "
+    read -r limit
+    limit="${limit:-20}"
+
+    echo ""
+    echo -e "${YELLOW}${BOLD}Top $limit Most Active IPs (by Hit Count)${NC}"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    printf "%-15s | %-7s | %-4s | %-8s | %-8s | %-30s\n" \
+        "IP ADDRESS" "HITS" "CTRY" "REP" "LEVEL" "ATTACK TYPES"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+    get_top_active_ips "$limit" | while IFS='|' read -r ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes; do
+        local category=$(get_ip_reputation_category "$rep_score")
+        local attacks=$(decode_attack_flags "$attack_flags")
+
+        # Color code by hit count
+        local color="$NC"
+        if [ $hit_count -gt 10000 ]; then
+            color="$RED$BOLD"
+        elif [ $hit_count -gt 1000 ]; then
+            color="$YELLOW"
+        fi
+
+        printf "${color}%-15s | %-7s | %-4s | %-3s/100 | %-8s | %-30s${NC}\n" \
+            "$ip" "$hit_count" "$country" "$rep_score" "$category" "${attacks:0:30}"
+    done
+
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo ""
+    press_enter
+}
+
+# Show statistics
+view_statistics() {
+    clear
+    print_banner "Database Statistics"
+    echo ""
+    show_ip_statistics
+    echo ""
+
+    # Additional stats
+    echo "Recent Activity (Last 24 hours):"
+    local cutoff=$(($(date +%s) - 86400))
+    local recent_count=$(awk -F'|' -v cut="$cutoff" '$7 >= cut' "$IP_REP_DB" 2>/dev/null | wc -l)
+    echo "  Active IPs:         $recent_count"
+    echo ""
+
+    # Top countries
+    echo "Top Countries by IP Count:"
+    awk -F'|' '{print $4}' "$IP_REP_DB" 2>/dev/null | grep -v '^$' | sort | uniq -c | sort -rn | head -5 | \
+    while read count country; do
+        printf "  %-4s: %s IPs\n" "$country" "$count"
+    done
+    echo ""
+
+    press_enter
+}
+
+# Export database
+export_database_interactive() {
+    clear
+    print_banner "Export IP Reputation Database"
+    echo ""
+    echo -n "Enter output file path [/tmp/ip_reputation_export.txt]: "
+    read -r output_path
+    output_path="${output_path:-/tmp/ip_reputation_export.txt}"
+
+    echo ""
+    echo "Exporting database to $output_path..."
+    export_ip_reputation "$output_path"
+
+    echo ""
+    print_success "Database exported successfully!"
+    echo ""
+    echo "View with: cat $output_path"
+    echo "Or:        less $output_path"
+    echo ""
+    press_enter
+}
+
+# Cleanup old entries
+cleanup_database_interactive() {
+    clear
+    print_banner "Cleanup Old Entries"
+    echo ""
+    echo "Remove IPs that haven't been seen in how many days?"
+    echo ""
+    echo -n "Days [90]: "
+    read -r days
+    days="${days:-90}"
+
+    echo ""
+    echo "This will remove IPs not seen in the last $days days."
+    echo -n "Continue? (yes/no): "
+    read -r confirm
+
+    if [ "$confirm" != "yes" ]; then
+        echo "Cancelled"
+        press_enter
+        return
+    fi
+
+    echo ""
+    cleanup_old_ips "$days"
+    echo ""
+    print_success "Cleanup complete!"
+    echo ""
+    press_enter
+}
+
+# Compact database
+compact_database_interactive() {
+    clear
+    print_banner "Compact Database"
+    echo ""
+    local total_before=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)
+    echo "Current database size: $total_before entries"
+    echo ""
+    echo "This will remove duplicate IP entries created by fast append-only writes."
+    echo "The database will be compacted and re-indexed."
+    echo ""
+    echo -n "Continue? (yes/no): "
+    read -r confirm
+
+    if [ "$confirm" != "yes" ]; then
+        echo "Cancelled"
+        press_enter
+        return
+    fi
+
+    echo ""
+    compact_database
+    echo ""
+    print_success "Database compacted successfully!"
+    echo ""
+    press_enter
+}
+
+# Rebuild index
+rebuild_index_interactive() {
+    clear
+    print_banner "Rebuild Database Index"
+    echo ""
+    echo "Rebuilding index for optimized lookups..."
+    rebuild_index
+    echo ""
+    print_success "Index rebuilt successfully!"
+    echo ""
+    press_enter
+}
+
+# Flag IP as malicious
+flag_ip_interactive() {
+    clear
+    print_banner "Flag IP as Malicious"
+    echo ""
+    echo -n "Enter IP address: "
+    read -r ip_address
+
+    if [ -z "$ip_address" ]; then
+        print_error "No IP address provided"
+        press_enter
+        return
+    fi
+
+    echo ""
+    echo "Attack Type:"
+    echo "  1) SQL Injection"
+    echo "  2) XSS"
+    echo "  3) Path Traversal"
+    echo "  4) RCE/Shell Upload"
+    echo "  5) Brute Force"
+    echo "  6) DDoS"
+    echo "  7) Bot/Scanner"
+    echo "  8) Exploit"
+    echo ""
+    echo -n "Select [1]: "
+    read -r attack_choice
+    attack_choice="${attack_choice:-1}"
+
+    case "$attack_choice" in
+        1) attack_type="SQL_INJECTION" ;;
+        2) attack_type="XSS" ;;
+        3) attack_type="PATH_TRAVERSAL" ;;
+        4) attack_type="RCE" ;;
+        5) attack_type="BRUTEFORCE" ;;
+        6) attack_type="DDOS" ;;
+        7) attack_type="SCANNER" ;;
+        8) attack_type="EXPLOIT" ;;
+        *) attack_type="SUSPICIOUS" ;;
+    esac
+
+    echo ""
+    echo -n "Notes/Description: "
+    read -r notes
+
+    echo ""
+    echo "Flagging $ip_address for $attack_type..."
+    flag_ip_attack "$ip_address" "$attack_type" 0 "$notes"
+
+    echo ""
+    print_success "IP flagged successfully!"
+    echo ""
+    query_ip_reputation "$ip_address"
+    echo ""
+    press_enter
+}
+
+# Mark IP as legitimate
+whitelist_ip_interactive() {
+    clear
+    print_banner "Mark IP as Legitimate"
+    echo ""
+    echo -n "Enter IP address: "
+    read -r ip_address
+
+    if [ -z "$ip_address" ]; then
+        print_error "No IP address provided"
+        press_enter
+        return
+    fi
+
+    echo ""
+    echo -n "Reason/Notes: "
+    read -r notes
+
+    echo ""
+    echo "Marking $ip_address as legitimate..."
+    mark_ip_legitimate "$ip_address" "$notes"
+
+    echo ""
+    print_success "IP marked as legitimate!"
+    echo ""
+    query_ip_reputation "$ip_address"
+    echo ""
+    press_enter
+}
+
+# Import from log file
+import_log_interactive() {
+    clear
+    print_banner "Import IPs from Log File"
+    echo ""
+    echo -n "Enter log file path: "
+    read -r log_path
+
+    if [ ! -f "$log_path" ]; then
+        print_error "File not found: $log_path"
+        press_enter
+        return
+    fi
+
+    echo ""
+    echo "Attack Type (will be applied to all IPs):"
+    echo "  1) Suspicious (default)"
+    echo "  2) SQL Injection"
+    echo "  3) XSS"
+    echo "  4) Bot/Scanner"
+    echo "  5) DDoS"
+    echo ""
+    echo -n "Select [1]: "
+    read -r attack_choice
+    attack_choice="${attack_choice:-1}"
+
+    case "$attack_choice" in
+        2) attack_type="SQL_INJECTION" ;;
+        3) attack_type="XSS" ;;
+        4) attack_type="SCANNER" ;;
+        5) attack_type="DDOS" ;;
+        *) attack_type="SUSPICIOUS" ;;
+    esac
+
+    echo ""
+    echo "Importing IPs from $log_path as $attack_type..."
+    import_ips_from_log "$log_path" "$attack_type" 5
+
+    echo ""
+    print_success "Import complete!"
+    echo ""
+    press_enter
+}
+
+# Live monitoring (real-time updates)
+live_monitoring() {
+    clear
+    print_banner "Live IP Reputation Monitoring"
+    echo ""
+    echo "Watching database for changes... (Press Ctrl+C to exit)"
+    echo ""
+
+    local last_count=0
+    local last_update=0
+
+    while true; do
+        local current_count=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)
+        local current_time=$(stat -c %Y "$IP_REP_DB" 2>/dev/null || echo 0)
+
+        if [ $current_count -ne $last_count ] || [ $current_time -ne $last_update ]; then
+            clear
+            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+            echo "LIVE IP REPUTATION MONITORING - $(date '+%H:%M:%S')"
+            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+            echo ""
+            show_ip_statistics
+            echo ""
+            echo "Recent Top 10 Updates:"
+            get_top_malicious_ips 10 | head -10 | while IFS='|' read -r ip hit_count rep_score country attack_flags _ _ _ _; do
+                local category=$(get_ip_reputation_category "$rep_score")
+                local attacks=$(decode_attack_flags "$attack_flags")
+                printf "%-15s | %5s hits | %3s/100 | %-8s | %s\n" "$ip" "$hit_count" "$rep_score" "$category" "${attacks:0:40}"
+            done
+            echo ""
+            echo "Press Ctrl+C to exit | Refreshing every 2 seconds..."
+
+            last_count=$current_count
+            last_update=$current_time
+        fi
+
+        sleep 2
+    done
+}
+
+# Main loop
+main() {
+    while true; do
+        show_menu
+        read -r choice
+
+        case $choice in
+            1) query_ip_interactive ;;
+            2) view_top_malicious ;;
+            3) view_top_active ;;
+            4) view_statistics ;;
+            5) live_monitoring ;;
+            6) export_database_interactive ;;
+            7) cleanup_database_interactive ;;
+            8) compact_database_interactive ;;
+            9) rebuild_index_interactive ;;
+            10) flag_ip_interactive ;;
+            11) whitelist_ip_interactive ;;
+            12) import_log_interactive ;;
+            0)
+                clear
+                echo "Exiting..."
+                exit 0
+                ;;
+            *)
+                print_error "Invalid option"
+                sleep 1
+                ;;
+        esac
+    done
+}
+
+# Run main
+main
@@ -0,0 +1,418 @@
+#!/bin/bash
+
+################################################################################
+# Live Network Security Monitor
+################################################################################
+# Purpose: Real-time monitoring of active attacks and suspicious traffic
+# Use Case: When server is currently under attack, monitor all activity live
+# Author: Server Toolkit
+#
+# FEATURES:
+# - Multi-source monitoring (SSH, Web, Email, Firewall)
+# - Real-time threat detection and classification
+# - Color-coded alerts (Critical/High/Medium/Low)
+# - Live statistics dashboard
+# - Connection tracking and blocking suggestions
+# - Attack pattern recognition
+################################################################################
+
+# Get script directory
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+source "$SCRIPT_DIR/lib/ip-reputation.sh"
+
+# Require root
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+# Color definitions for threat levels
+CRITICAL_COLOR='\033[1;41;97m'  # White on Red background
+HIGH_COLOR='\033[1;31m'          # Bold Red
+MEDIUM_COLOR='\033[1;33m'        # Bold Yellow
+LOW_COLOR='\033[0;36m'           # Cyan
+INFO_COLOR='\033[0;37m'          # White
+NC='\033[0m'
+
+# Configuration
+REFRESH_INTERVAL=2  # Seconds between dashboard refreshes
+MAX_DISPLAY_LINES=30
+THREAT_THRESHOLD_HIGH=10  # Requests per second from single IP
+THREAT_THRESHOLD_MEDIUM=5
+
+# Temporary files for tracking - use fixed directory for subshell access
+TEMP_DIR="/tmp/live-monitor-current"
+rm -rf "$TEMP_DIR" 2>/dev/null  # Clean any previous session
+mkdir -p "$TEMP_DIR"
+touch "$TEMP_DIR/recent_events"
+
+# Cleanup function to kill all child processes
+cleanup() {
+    echo ""
+    echo "Stopping monitoring processes..."
+
+    # Kill all processes in this process group
+    kill $(jobs -p) 2>/dev/null
+
+    # Also kill any stray tail processes monitoring our logs
+    pkill -P $$ 2>/dev/null
+
+    # Clean up temp directory
+    rm -rf "$TEMP_DIR" 2>/dev/null
+
+    # Restore cursor
+    tput cnorm
+
+    echo "✓ Cleanup complete"
+    exit 0
+}
+
+trap cleanup EXIT INT TERM
+
+# Statistics counters
+declare -A IP_COUNTER
+declare -A IP_THREAT_LEVEL
+declare -A ATTACK_TYPE_COUNTER
+declare -A BLOCKED_IPS
+TOTAL_EVENTS=0
+TOTAL_THREATS=0
+START_TIME=$(date +%s)
+
+# Hide cursor for cleaner display
+tput civis
+
+################################################################################
+# Threat Classification Functions
+################################################################################
+
+classify_threat_level() {
+    local count="$1"
+
+    if [ "$count" -ge "$THREAT_THRESHOLD_HIGH" ]; then
+        echo "CRITICAL"
+    elif [ "$count" -ge "$THREAT_THRESHOLD_MEDIUM" ]; then
+        echo "HIGH"
+    else
+        echo "MEDIUM"
+    fi
+}
+
+get_threat_color() {
+    local level="$1"
+
+    case "$level" in
+        CRITICAL) echo "$CRITICAL_COLOR" ;;
+        HIGH) echo "$HIGH_COLOR" ;;
+        MEDIUM) echo "$MEDIUM_COLOR" ;;
+        LOW) echo "$LOW_COLOR" ;;
+        *) echo "$INFO_COLOR" ;;
+    esac
+}
+
+identify_attack_type() {
+    local log_line="$1"
+
+    # SSH brute force
+    if echo "$log_line" | grep -qi "Failed password\|authentication failure"; then
+        echo "SSH_BRUTEFORCE"
+    # SQL injection attempts
+    elif echo "$log_line" | grep -qiE "union.*select|concat.*\(|substring.*\(|' or '1'='1"; then
+        echo "SQL_INJECTION"
+    # XSS attempts
+    elif echo "$log_line" | grep -qiE "<script|javascript:|onerror=|onload="; then
+        echo "XSS_ATTACK"
+    # Path traversal
+    elif echo "$log_line" | grep -qE "\.\./|\.\.%2[fF]"; then
+        echo "PATH_TRAVERSAL"
+    # Port scanning
+    elif echo "$log_line" | grep -qi "port scan\|SYN_RECV"; then
+        echo "PORT_SCAN"
+    # Directory enumeration
+    elif echo "$log_line" | grep -qE "404.*\.(php|asp|jsp|cgi)"; then
+        echo "DIR_ENUM"
+    # Bot/crawler
+    elif echo "$log_line" | grep -qiE "bot|crawler|spider|scraper"; then
+        echo "BOT"
+    # DDoS patterns
+    elif echo "$log_line" | grep -qi "SYN flood\|UDP flood"; then
+        echo "DDOS"
+    # Exploit attempts
+    elif echo "$log_line" | grep -qiE "exploit|shell|backdoor|webshell"; then
+        echo "EXPLOIT"
+    # Excessive requests (likely DDoS or bot)
+    else
+        echo "SUSPICIOUS"
+    fi
+}
+
+get_attack_icon() {
+    local attack_type="$1"
+
+    case "$attack_type" in
+        SSH_BRUTEFORCE) echo "🔐" ;;
+        SQL_INJECTION) echo "💉" ;;
+        XSS_ATTACK) echo "⚠️ " ;;
+        PATH_TRAVERSAL) echo "📁" ;;
+        PORT_SCAN) echo "🔍" ;;
+        DIR_ENUM) echo "📂" ;;
+        BOT) echo "🤖" ;;
+        DDOS) echo "💥" ;;
+        EXPLOIT) echo "☠️ " ;;
+        *) echo "❓" ;;
+    esac
+}
+
+################################################################################
+# Dashboard Display Functions
+################################################################################
+
+draw_header() {
+    clear
+    local uptime=$(($(date +%s) - START_TIME))
+    local uptime_str=$(printf "%02d:%02d:%02d" $((uptime/3600)) $((uptime%3600/60)) $((uptime%60)))
+
+    echo -e "${CRITICAL_COLOR}╔════════════════════════════════════════════════════════════════════════════╗${NC}"
+    echo -e "${CRITICAL_COLOR}║                    🚨 LIVE NETWORK SECURITY MONITOR 🚨                     ║${NC}"
+    echo -e "${CRITICAL_COLOR}╚════════════════════════════════════════════════════════════════════════════╝${NC}"
+    echo -e "${INFO_COLOR}Runtime: ${uptime_str} | Events: ${TOTAL_EVENTS} | Threats Detected: ${TOTAL_THREATS} | Monitoring...${NC}"
+    echo ""
+}
+
+draw_statistics_panel() {
+    echo -e "${HIGH_COLOR}┌─ THREAT STATISTICS ────────────────────────────────────────────────────────┐${NC}"
+
+    # Top attacking IPs
+    echo -e "${MEDIUM_COLOR}Top Attacking IPs:${NC}"
+    local count=0
+    for ip in "${!IP_COUNTER[@]}"; do
+        local hits="${IP_COUNTER[$ip]}"
+        local level="${IP_THREAT_LEVEL[$ip]:-MEDIUM}"
+        local color=$(get_threat_color "$level")
+
+        printf "${color}  %-15s %5d hits [%s]${NC}\n" "$ip" "$hits" "$level"
+
+        ((count++))
+        [ $count -ge 5 ] && break
+    done | sort -t' ' -k2 -rn
+
+    echo ""
+
+    # Attack type breakdown
+    echo -e "${MEDIUM_COLOR}Attack Type Distribution:${NC}"
+    for attack_type in "${!ATTACK_TYPE_COUNTER[@]}"; do
+        local count="${ATTACK_TYPE_COUNTER[$attack_type]}"
+        local icon=$(get_attack_icon "$attack_type")
+        printf "  ${icon} %-20s %5d\n" "$attack_type" "$count"
+    done | sort -t' ' -k3 -rn | head -5
+
+    echo -e "${HIGH_COLOR}└────────────────────────────────────────────────────────────────────────────┘${NC}"
+    echo ""
+}
+
+draw_live_feed() {
+    echo -e "${HIGH_COLOR}┌─ LIVE THREAT FEED ─────────────────────────────────────────────────────────┐${NC}"
+
+    if [ -f "$TEMP_DIR/recent_events" ]; then
+        tail -n "$MAX_DISPLAY_LINES" "$TEMP_DIR/recent_events"
+    else
+        echo -e "${LOW_COLOR}  Waiting for events...${NC}"
+    fi
+
+    echo -e "${HIGH_COLOR}└────────────────────────────────────────────────────────────────────────────┘${NC}"
+    echo ""
+}
+
+draw_action_suggestions() {
+    echo -e "${MEDIUM_COLOR}┌─ SUGGESTED ACTIONS ────────────────────────────────────────────────────────┐${NC}"
+
+    # Suggest blocking top attackers
+    local suggested=0
+    for ip in "${!IP_COUNTER[@]}"; do
+        local hits="${IP_COUNTER[$ip]}"
+        local level="${IP_THREAT_LEVEL[$ip]}"
+
+        if [ "$level" = "CRITICAL" ] && [ -z "${BLOCKED_IPS[$ip]}" ]; then
+            echo -e "  ${CRITICAL_COLOR}▶${NC} Block IP immediately: ${HIGH_COLOR}csf -d $ip${NC}"
+            ((suggested++))
+            [ $suggested -ge 3 ] && break
+        fi
+    done
+
+    if [ $suggested -eq 0 ]; then
+        echo -e "${LOW_COLOR}  No immediate actions required at this time${NC}"
+    fi
+
+    echo -e "${MEDIUM_COLOR}└────────────────────────────────────────────────────────────────────────────┘${NC}"
+    echo ""
+    echo -e "${INFO_COLOR}Press Ctrl+C to exit | Updates every ${REFRESH_INTERVAL}s${NC}"
+}
+
+################################################################################
+# Log Monitoring Functions
+################################################################################
+
+monitor_ssh_attacks() {
+    # Monitor SSH brute force attempts
+    if [ -f "/var/log/secure" ]; then
+        tail -n 0 -F /var/log/secure 2>/dev/null | while read -r line; do
+            if echo "$line" | grep -qi "Failed password\|authentication failure"; then
+                local ip=$(echo "$line" | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
+                if [ -n "$ip" ]; then
+                    process_threat_event "$ip" "SSH_BRUTEFORCE" "$line"
+                fi
+            fi
+        done &
+    fi
+}
+
+monitor_web_attacks() {
+    # Monitor Apache access logs for web attacks
+    local access_log="/var/log/apache2/domlogs/*"
+
+    if ls $access_log >/dev/null 2>&1; then
+        tail -n 0 -F $access_log 2>/dev/null | while read -r line; do
+            local ip=$(echo "$line" | awk '{print $1}')
+            local request=$(echo "$line" | awk '{print $7}')
+
+            # Check for suspicious patterns
+            if echo "$line" | grep -qiE "union.*select|<script|\.\.\/|\' or |exec\("; then
+                local attack_type=$(identify_attack_type "$line")
+                process_threat_event "$ip" "$attack_type" "$request"
+            # Track high-frequency requests (potential DDoS)
+            elif [ -n "$ip" ]; then
+                ((IP_COUNTER[$ip]++))
+                if [ "${IP_COUNTER[$ip]}" -gt "$THREAT_THRESHOLD_MEDIUM" ]; then
+                    process_threat_event "$ip" "HIGH_FREQUENCY" "$request"
+                fi
+            fi
+        done &
+    fi
+}
+
+monitor_firewall_blocks() {
+    # Monitor CSF/iptables blocks in real-time
+    if [ -f "/var/log/messages" ]; then
+        tail -n 0 -F /var/log/messages 2>/dev/null | while read -r line; do
+            if echo "$line" | grep -qi "Firewall\|iptables\|DENY"; then
+                local ip=$(echo "$line" | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
+                if [ -n "$ip" ]; then
+                    BLOCKED_IPS[$ip]=1
+                    log_event "$ip" "FIREWALL_BLOCK" "${LOW_COLOR}" "Blocked by firewall"
+                fi
+            fi
+        done &
+    fi
+}
+
+monitor_cphulk_blocks() {
+    # Monitor cPHulk blocks
+    if [ -x "/usr/local/cpanel/bin/cphulk_pam_ctl" ]; then
+        # Poll cPHulk status periodically
+        while true; do
+            whmapi1 cphulkd_list_blocks 2>/dev/null | grep -E "ip:" | while read -r line; do
+                local ip=$(echo "$line" | awk '{print $2}')
+                if [ -n "$ip" ] && [ -z "${BLOCKED_IPS[$ip]}" ]; then
+                    BLOCKED_IPS[$ip]=1
+                    log_event "$ip" "CPHULK_BLOCK" "${MEDIUM_COLOR}" "Blocked by cPHulk"
+                fi
+            done
+            sleep 5
+        done &
+    fi
+}
+
+################################################################################
+# Event Processing
+################################################################################
+
+process_threat_event() {
+    local ip="$1"
+    local attack_type="$2"
+    local details="$3"
+
+    # Update counters
+    ((IP_COUNTER[$ip]++))
+    ((ATTACK_TYPE_COUNTER[$attack_type]++))
+    ((TOTAL_EVENTS++))
+    ((TOTAL_THREATS++))
+
+    # Classify threat level
+    local threat_level=$(classify_threat_level "${IP_COUNTER[$ip]}")
+    IP_THREAT_LEVEL[$ip]="$threat_level"
+
+    # Track in centralized IP reputation database
+    # Map attack types to reputation flags
+    local rep_attack_type="SUSPICIOUS"
+    case "$attack_type" in
+        SSH_BRUTEFORCE) rep_attack_type="BRUTEFORCE" ;;
+        SQL_INJECTION) rep_attack_type="SQL_INJECTION" ;;
+        XSS_ATTACK) rep_attack_type="XSS" ;;
+        PATH_TRAVERSAL) rep_attack_type="PATH_TRAVERSAL" ;;
+        EXPLOIT) rep_attack_type="EXPLOIT" ;;
+        DDOS) rep_attack_type="DDOS" ;;
+        BOT) rep_attack_type="BOT" ;;
+        *) rep_attack_type="SCANNER" ;;
+    esac
+    flag_ip_attack "$ip" "$rep_attack_type" 0 "$attack_type: $details" >/dev/null 2>&1 &
+
+    # Log to feed
+    log_event "$ip" "$attack_type" "$(get_threat_color "$threat_level")" "$details"
+}
+
+log_event() {
+    local ip="$1"
+    local attack_type="$2"
+    local color="$3"
+    local details="$4"
+
+    local timestamp=$(date '+%H:%M:%S')
+    local icon=$(get_attack_icon "$attack_type")
+    local hits="${IP_COUNTER[$ip]:-1}"
+
+    # Truncate details if too long
+    details=$(echo "$details" | cut -c1-60)
+
+    # Format: [TIME] ICON IP (hits) - TYPE - details
+    printf "${color}[%s] %s %-15s (%3d) %-20s %s${NC}\n" \
+        "$timestamp" "$icon" "$ip" "$hits" "$attack_type" "$details" \
+        >> "$TEMP_DIR/recent_events"
+}
+
+################################################################################
+# Main Monitoring Loop
+################################################################################
+
+main() {
+    print_banner "Live Network Security Monitor"
+
+    echo ""
+    echo "Starting multi-source threat monitoring..."
+    echo "  • SSH brute force detection"
+    echo "  • Web attack detection (SQL, XSS, etc.)"
+    echo "  • Firewall block monitoring"
+    echo "  • cPHulk activity monitoring"
+    echo ""
+    echo "Press Ctrl+C to stop..."
+    sleep 3
+
+    # Start all monitoring processes
+    monitor_ssh_attacks
+    monitor_web_attacks
+    monitor_firewall_blocks
+    monitor_cphulk_blocks
+
+    # Main display loop
+    while true; do
+        draw_header
+        draw_statistics_panel
+        draw_live_feed
+        draw_action_suggestions
+
+        sleep "$REFRESH_INTERVAL"
+    done
+}
+
+# Run main
+main
@@ -0,0 +1,856 @@
+#!/bin/bash
+
+################################################################################
+# CT_LIMIT Optimizer - Intelligent Connection Limit Calculator
+################################################################################
+# Purpose: Analyze real traffic patterns to recommend optimal CT_LIMIT
+# Method:
+#   1. Analyze Apache logs for legitimate concurrent connection patterns
+#   2. Check current active connections per IP
+#   3. Identify CDNs, bots, and legitimate high-traffic sources
+#   4. Calculate safe CT_LIMIT that won't block real users
+#   5. Provide CSF configuration recommendations
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+source "$SCRIPT_DIR/lib/bot-signatures.sh"
+source "$SCRIPT_DIR/lib/reference-db.sh"
+
+# Require root
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+# Analysis configuration
+ANALYSIS_HOURS=${1:-24}  # Default: analyze last 24 hours
+TEMP_ANALYSIS="/tmp/ct-limit-analysis-$$"
+mkdir -p "$TEMP_ANALYSIS"
+
+# Color definitions
+BOLD='\033[1m'
+DIM='\033[2m'
+NC='\033[0m'
+
+################################################################################
+# Functions
+################################################################################
+
+cleanup() {
+    rm -rf "$TEMP_ANALYSIS" 2>/dev/null
+}
+trap cleanup EXIT
+
+get_current_ct_limit() {
+    if [ -f "/etc/csf/csf.conf" ]; then
+        grep "^CT_LIMIT" /etc/csf/csf.conf | cut -d'=' -f2 | tr -d '"' | tr -d ' '
+    else
+        echo "Not configured"
+    fi
+}
+
+detect_cdn_usage() {
+    local domain="$1"
+
+    # Check DNS for CDN providers
+    local dns_result=$(dig +short "$domain" 2>/dev/null | head -5)
+
+    # Check for common CDN patterns
+    if echo "$dns_result" | grep -qiE "(cloudflare|cdn77|akamai|fastly|cloudfront|sucuri)"; then
+        echo "yes"
+        return
+    fi
+
+    # Check nameservers
+    local ns=$(dig +short NS "$domain" 2>/dev/null)
+    if echo "$ns" | grep -qiE "(cloudflare|cdn|akamai)"; then
+        echo "yes"
+        return
+    fi
+
+    echo "no"
+}
+
+detect_caching() {
+    local doc_root="$1"
+    local caching_score=0
+
+    # Check for Redis
+    if systemctl is-active redis &>/dev/null || pgrep redis-server &>/dev/null; then
+        ((caching_score+=3))
+    fi
+
+    # Check for Memcached
+    if systemctl is-active memcached &>/dev/null || pgrep memcached &>/dev/null; then
+        ((caching_score+=3))
+    fi
+
+    # Check for WordPress caching plugins
+    if [ -d "$doc_root/wp-content/plugins" ]; then
+        local cache_plugins=0
+        [ -d "$doc_root/wp-content/plugins/wp-rocket" ] && ((cache_plugins++))
+        [ -d "$doc_root/wp-content/plugins/w3-total-cache" ] && ((cache_plugins++))
+        [ -d "$doc_root/wp-content/plugins/wp-super-cache" ] && ((cache_plugins++))
+        [ -d "$doc_root/wp-content/plugins/litespeed-cache" ] && ((cache_plugins++))
+        [ -d "$doc_root/wp-content/plugins/wp-fastest-cache" ] && ((cache_plugins++))
+
+        ((caching_score+=cache_plugins))
+    fi
+
+    # Check for .htaccess caching rules
+    if [ -f "$doc_root/.htaccess" ]; then
+        if grep -q "mod_expires\|mod_cache\|Cache-Control" "$doc_root/.htaccess"; then
+            ((caching_score++))
+        fi
+    fi
+
+    echo "$caching_score"
+}
+
+detect_site_type() {
+    local domain="$1"
+    local doc_root="$2"
+
+    # Check if WordPress
+    if grep -q "^WP|$domain|" "$SYSREF_DB" 2>/dev/null; then
+        echo "wordpress"
+        return
+    fi
+
+    # Check for ecommerce indicators
+    if [ -d "$doc_root" ]; then
+        if [ -f "$doc_root/wp-content/plugins/woocommerce/woocommerce.php" ] || \
+           [ -d "$doc_root/skin/frontend" ] || \
+           [ -f "$doc_root/app/Mage.php" ] || \
+           [ -d "$doc_root/catalog" ]; then
+            echo "ecommerce"
+            return
+        fi
+
+        # Check for frameworks
+        if [ -f "$doc_root/composer.json" ] || [ -d "$doc_root/vendor" ]; then
+            echo "framework"
+            return
+        fi
+
+        # Count PHP files to determine complexity
+        local php_count=$(find "$doc_root" -maxdepth 3 -name "*.php" 2>/dev/null | wc -l)
+        if [ "$php_count" -gt 50 ]; then
+            echo "dynamic"
+        elif [ "$php_count" -gt 5 ]; then
+            echo "moderate"
+        else
+            echo "static"
+        fi
+    else
+        echo "unknown"
+    fi
+}
+
+calculate_site_complexity() {
+    local domain="$1"
+    local doc_root="$2"
+    local site_type="$3"
+
+    # Base complexity score (1-10)
+    local complexity=1
+
+    # WordPress adds complexity
+    if [ "$site_type" = "wordpress" ]; then
+        # Check plugin count
+        local wp_data=$(grep "^WP|$domain|" "$SYSREF_DB" 2>/dev/null)
+        if [ -n "$wp_data" ]; then
+            local plugin_count=$(echo "$wp_data" | cut -d'|' -f6)
+            # More plugins = more concurrent connections needed
+            complexity=$((complexity + (plugin_count / 5)))
+        fi
+        complexity=$((complexity + 3))  # WordPress admin/ajax
+    fi
+
+    # Ecommerce needs higher limits
+    if [ "$site_type" = "ecommerce" ]; then
+        complexity=$((complexity + 5))  # Shopping cart, checkout, etc.
+    fi
+
+    # Framework/dynamic sites
+    if [ "$site_type" = "framework" ] || [ "$site_type" = "dynamic" ]; then
+        complexity=$((complexity + 2))
+    fi
+
+    # Check for Ajax-heavy sites (lots of .js files)
+    if [ -d "$doc_root" ]; then
+        local js_count=$(find "$doc_root" -maxdepth 2 -name "*.js" 2>/dev/null | wc -l)
+        if [ "$js_count" -gt 20 ]; then
+            complexity=$((complexity + 2))  # Ajax-heavy = more concurrent
+        fi
+    fi
+
+    # REDUCE complexity if good caching in place
+    local caching_score=$(detect_caching "$doc_root")
+    if [ "$caching_score" -gt 0 ]; then
+        # Good caching reduces connection needs
+        local cache_reduction=$((caching_score / 2))
+        complexity=$((complexity - cache_reduction))
+        [ "$complexity" -lt 1 ] && complexity=1
+    fi
+
+    # REDUCE complexity if CDN is in use
+    local has_cdn=$(detect_cdn_usage "$domain")
+    if [ "$has_cdn" = "yes" ]; then
+        # CDN handles static assets, reduces direct connections
+        complexity=$((complexity - 2))
+        [ "$complexity" -lt 1 ] && complexity=1
+    fi
+
+    # Cap at 10
+    [ "$complexity" -gt 10 ] && complexity=10
+
+    echo "$complexity"
+}
+
+analyze_per_site_traffic() {
+    print_status "Analyzing per-site traffic patterns..."
+
+    # Create per-site analysis file
+    echo "DOMAIN|SITE_TYPE|COMPLEXITY|MAX_CONN|AVG_CONN|UNIQUE_IPS|TOTAL_REQUESTS" > "$TEMP_ANALYSIS/per_site_analysis.txt"
+
+    # Get all active domains from sysref
+    grep "^DOMAIN|" "$SYSREF_DB" 2>/dev/null | while IFS='|' read -r _ domain owner doc_root log_path php_ver is_primary relation target status_code status_text health; do
+
+        # Skip aliases and unknowns
+        [ "$owner" = "unknown" ] && continue
+        [ "$is_primary" = "no" ] && continue
+        [ -z "$log_path" ] && continue
+        [ ! -f "$log_path" ] && continue
+
+        # Detect site type
+        local site_type=$(detect_site_type "$domain" "$doc_root")
+        local complexity=$(calculate_site_complexity "$domain" "$doc_root" "$site_type")
+
+        # Analyze traffic for this specific domain
+        local max_conn=0
+        local total_ips=0
+        local total_requests=0
+
+        if [ -f "$TEMP_ANALYSIS/connections_by_ip.txt" ]; then
+            # Get stats for this domain
+            local domain_data=$(grep "|$domain|" "$TEMP_ANALYSIS/connections_by_ip.txt")
+
+            if [ -n "$domain_data" ]; then
+                max_conn=$(echo "$domain_data" | cut -d'|' -f3 | sort -rn | head -1)
+                total_ips=$(echo "$domain_data" | cut -d'|' -f1 | sort -u | wc -l)
+                total_requests=$(echo "$domain_data" | cut -d'|' -f4 | awk '{s+=$1} END {print s}')
+            fi
+        fi
+
+        # Calculate average connections
+        local avg_conn=0
+        if [ "$total_ips" -gt 0 ]; then
+            avg_conn=$((total_requests / total_ips))
+        fi
+
+        echo "$domain|$site_type|$complexity|${max_conn:-0}|${avg_conn:-0}|${total_ips:-0}|${total_requests:-0}" >> "$TEMP_ANALYSIS/per_site_analysis.txt"
+    done
+
+    print_success "Per-site analysis complete"
+}
+
+check_server_resources() {
+    print_status "Checking server resources..."
+
+    # Get total RAM
+    local total_ram_mb=$(free -m | awk '/^Mem:/{print $2}')
+
+    # Get CPU cores
+    local cpu_cores=$(nproc 2>/dev/null || echo "2")
+
+    # Calculate max safe connections based on resources
+    # Rule of thumb: ~1MB RAM per connection, reserve 50% for other processes
+    local max_conn_by_ram=$((total_ram_mb / 2))
+
+    # Also factor in CPU (roughly 50 connections per core max)
+    local max_conn_by_cpu=$((cpu_cores * 50))
+
+    # Take the lower of the two
+    local max_safe_conn=$max_conn_by_ram
+    [ "$max_conn_by_cpu" -lt "$max_safe_conn" ] && max_safe_conn=$max_conn_by_cpu
+
+    echo "$total_ram_mb|$cpu_cores|$max_safe_conn" > "$TEMP_ANALYSIS/server_resources.txt"
+
+    print_success "Server: ${total_ram_mb}MB RAM, ${cpu_cores} cores, max safe connections: ${max_safe_conn}"
+}
+
+analyze_apache_logs() {
+    local hours="$1"
+    local cutoff_time=$(date -d "$hours hours ago" "+%d/%b/%Y:%H:%M:%S" 2>/dev/null)
+
+    print_status "Analyzing Apache access logs (last $hours hours)..."
+
+    # Use system-detected log directory (no fallback - rely on system-detect.sh)
+    local log_dir="${SYS_LOG_DIR}"
+    local total_logs=0
+
+    if [ -z "$log_dir" ] || [ ! -d "$log_dir" ]; then
+        print_warning "Apache log directory not found or not detected: $log_dir"
+        print_warning "System detection may have failed. Check SYS_LOG_DIR."
+        return 1
+    fi
+
+    # Analyze each domain's access patterns
+    echo "IP|DOMAIN|MAX_CONCURRENT|TOTAL_REQUESTS|USER_AGENT" > "$TEMP_ANALYSIS/connections_by_ip.txt"
+
+    # Track hourly patterns
+    > "$TEMP_ANALYSIS/hourly_traffic.txt"
+
+    find "$log_dir" -type f \( -name "*.com" -o -name "*.net" -o -name "*.org" -o -name "*.dev" \) 2>/dev/null | while read -r logfile; do
+        local domain=$(basename "$logfile")
+        ((total_logs++))
+
+        # Extract IP, timestamp, user agent
+        awk -v domain="$domain" '{
+            # Parse: IP - - [timestamp] "METHOD URL" status bytes "ref" "UA"
+            match($0, /^([0-9.]+).*\[([^\]]+)\].*"([^"]*)".*"([^"]*)"$/, arr)
+            if (arr[1] != "") {
+                ip = arr[1]
+                timestamp = arr[2]
+                ua = arr[4]
+
+                # Extract hour for time-of-day analysis
+                match(timestamp, /([0-9]{2}):([0-9]{2}):/, time_arr)
+                hour = time_arr[1]
+                if (hour != "") {
+                    hourly_count[hour]++
+                }
+
+                # Track requests per second per IP
+                gsub(/:.*/, "", timestamp)  # Remove time, keep date
+                key = ip "|" domain "|" timestamp
+                count[key]++
+                user_agent[ip] = ua
+            }
+        }
+        END {
+            # Output hourly traffic patterns
+            for (h in hourly_count) {
+                print h "|" hourly_count[h] >> "/tmp/ct-limit-analysis-$$/hourly_traffic.txt"
+            }
+
+            for (key in count) {
+                split(key, parts, "|")
+                ip = parts[1]
+                dom = parts[2]
+
+                # Track max concurrent requests
+                if (count[key] > max_concurrent[ip "|" dom]) {
+                    max_concurrent[ip "|" dom] = count[key]
+                }
+                total_requests[ip "|" dom] += count[key]
+            }
+
+            for (key in max_concurrent) {
+                split(key, parts, "|")
+                ip = parts[1]
+                dom = parts[2]
+                print ip "|" dom "|" max_concurrent[key] "|" total_requests[key] "|" user_agent[ip]
+            }
+        }' "$logfile" >> "$TEMP_ANALYSIS/connections_by_ip.txt" 2>/dev/null
+    done
+
+    print_success "Analyzed logs from $log_dir"
+}
+
+analyze_current_connections() {
+    print_status "Analyzing current active connections..."
+
+    if command -v ss &>/dev/null; then
+        # Count current connections per IP
+        ss -tn state established 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rn > "$TEMP_ANALYSIS/current_connections.txt"
+    elif command -v netstat &>/dev/null; then
+        netstat -tn | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn > "$TEMP_ANALYSIS/current_connections.txt"
+    else
+        print_warning "Neither ss nor netstat available"
+        return 1
+    fi
+
+    print_success "Current connection analysis complete"
+}
+
+classify_ip_behavior() {
+    local ip="$1"
+    local user_agent="$2"
+    local max_concurrent="$3"
+    local total_requests="$4"
+
+    # Classify using bot signatures
+    local bot_type=$(classify_bot_type "$user_agent")
+
+    # Additional classification
+    local classification="unknown"
+
+    # Known good sources
+    if [ "$bot_type" = "legit" ]; then
+        classification="legitimate_bot"
+    elif [ "$bot_type" = "ai" ]; then
+        classification="ai_crawler"
+    elif [ "$bot_type" = "monitor" ]; then
+        classification="monitoring_service"
+    # CDN detection
+    elif [[ "$user_agent" =~ (Cloudflare|CloudFront|Akamai|Fastly|Sucuri) ]]; then
+        classification="cdn"
+    # High request rate but legitimate
+    elif [ "$max_concurrent" -gt 50 ] && [ "$total_requests" -gt 1000 ]; then
+        if [[ "$user_agent" =~ (Chrome|Firefox|Safari|Edge) ]]; then
+            classification="high_traffic_user"
+        else
+            classification="potential_scraper"
+        fi
+    # Normal user
+    elif [ "$max_concurrent" -lt 20 ]; then
+        classification="normal_user"
+    else
+        classification="moderate_user"
+    fi
+
+    echo "$classification"
+}
+
+calculate_percentile() {
+    local percentile="$1"
+    local data_file="$2"
+
+    # Sort data and get Nth percentile
+    local count=$(wc -l < "$data_file")
+    local position=$(awk -v p="$percentile" -v c="$count" 'BEGIN {printf "%.0f", (p/100) * c}')
+
+    [ "$position" -lt 1 ] && position=1
+
+    sort -n "$data_file" | sed -n "${position}p"
+}
+
+generate_recommendation() {
+    print_banner "CT_LIMIT Optimizer - Analysis Results"
+    echo ""
+
+    # Parse analysis data
+    local max_legitimate=0
+    local max_bot=0
+    local max_cdn=0
+    local total_ips=0
+
+    echo "Analyzing connection patterns..."
+    echo ""
+
+    # Create summary files
+    > "$TEMP_ANALYSIS/legitimate_connections.txt"
+    > "$TEMP_ANALYSIS/bot_connections.txt"
+    > "$TEMP_ANALYSIS/all_connections.txt"
+
+    # Skip header
+    tail -n +2 "$TEMP_ANALYSIS/connections_by_ip.txt" | while IFS='|' read -r ip domain max_concurrent total_requests user_agent; do
+        [ -z "$ip" ] && continue
+
+        local classification=$(classify_ip_behavior "$ip" "$user_agent" "$max_concurrent" "$total_requests")
+
+        ((total_ips++))
+
+        # Track max connections by type
+        case "$classification" in
+            legitimate_bot|ai_crawler|monitoring_service|cdn)
+                echo "$max_concurrent" >> "$TEMP_ANALYSIS/bot_connections.txt"
+                [ "$max_concurrent" -gt "$max_bot" ] && max_bot=$max_concurrent
+                ;;
+            normal_user|moderate_user|high_traffic_user)
+                echo "$max_concurrent" >> "$TEMP_ANALYSIS/legitimate_connections.txt"
+                [ "$max_concurrent" -gt "$max_legitimate" ] && max_legitimate=$max_concurrent
+                ;;
+        esac
+
+        echo "$max_concurrent" >> "$TEMP_ANALYSIS/all_connections.txt"
+    done
+
+    # Calculate statistics
+    local legit_count=$(wc -l < "$TEMP_ANALYSIS/legitimate_connections.txt" 2>/dev/null || echo "0")
+    local bot_count=$(wc -l < "$TEMP_ANALYSIS/bot_connections.txt" 2>/dev/null || echo "0")
+
+    echo -e "${BOLD}Connection Analysis Summary:${NC}"
+    echo "──────────────────────────────────────────────────────────────"
+    echo "  Total unique IPs analyzed: $total_ips"
+    echo "  Legitimate users: $legit_count"
+    echo "  Bots/CDNs/Crawlers: $bot_count"
+    echo ""
+
+    # Show per-site analysis
+    if [ -f "$TEMP_ANALYSIS/per_site_analysis.txt" ]; then
+        local site_count=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" | wc -l)
+        if [ "$site_count" -gt 0 ]; then
+            echo -e "${BOLD}Per-Site Analysis (All $site_count Sites Checked):${NC}"
+            echo "──────────────────────────────────────────────────────────────"
+            printf "  %-30s %-12s %5s %8s %8s\n" "DOMAIN" "TYPE" "CMPLX" "MAX_CONN" "UNIQ_IPs"
+            echo "  $(printf '─%.0s' {1..70})"
+
+            tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" | sort -t'|' -k4 -rn | head -15 | while IFS='|' read -r domain site_type complexity max_conn avg_conn unique_ips total_requests; do
+                # Truncate long domain names
+                local short_domain=$(echo "$domain" | cut -c1-28)
+                [ ${#domain} -gt 28 ] && short_domain="${short_domain}.."
+
+                # Color code by complexity
+                local color="${NC}"
+                if [ "$complexity" -ge 7 ]; then
+                    color="${HIGH_COLOR}"
+                elif [ "$complexity" -ge 4 ]; then
+                    color="${MEDIUM_COLOR}"
+                fi
+
+                printf "  ${color}%-30s %-12s %5s %8s %8s${NC}\n" \
+                    "$short_domain" "$site_type" "$complexity" "$max_conn" "$unique_ips"
+            done
+
+            local remaining=$((site_count - 15))
+            if [ "$remaining" -gt 0 ]; then
+                echo "  ... and $remaining more sites analyzed"
+            fi
+            echo ""
+
+            # Identify high-complexity sites that need extra headroom
+            local high_complexity_sites=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" | awk -F'|' '$3 >= 7 {print $1}' | wc -l)
+            if [ "$high_complexity_sites" -gt 0 ]; then
+                echo -e "${MEDIUM_COLOR}  ⚠️  $high_complexity_sites high-complexity sites detected${NC}"
+                echo "     (WordPress/Ecommerce/Framework - need higher CT_LIMIT)"
+                echo ""
+            fi
+        fi
+    fi
+
+    # Calculate percentiles for legitimate traffic
+    if [ -s "$TEMP_ANALYSIS/legitimate_connections.txt" ]; then
+        local p95=$(calculate_percentile 95 "$TEMP_ANALYSIS/legitimate_connections.txt")
+        local p99=$(calculate_percentile 99 "$TEMP_ANALYSIS/legitimate_connections.txt")
+
+        echo -e "${BOLD}Legitimate User Connection Patterns:${NC}"
+        echo "  Max concurrent from single IP: $max_legitimate"
+        echo "  95th percentile: $p95 concurrent connections"
+        echo "  99th percentile: $p99 concurrent connections"
+        echo ""
+    fi
+
+    # Check current connections
+    if [ -s "$TEMP_ANALYSIS/current_connections.txt" ]; then
+        local current_max=$(head -1 "$TEMP_ANALYSIS/current_connections.txt" | awk '{print $1}')
+        local current_max_ip=$(head -1 "$TEMP_ANALYSIS/current_connections.txt" | awk '{print $2}')
+
+        echo -e "${BOLD}Current Active Connections:${NC}"
+        echo "  Highest right now: $current_max connections from $current_max_ip"
+        echo ""
+    fi
+
+    # Server resource limits
+    if [ -f "$TEMP_ANALYSIS/server_resources.txt" ]; then
+        IFS='|' read -r total_ram cpu_cores max_safe_conn < "$TEMP_ANALYSIS/server_resources.txt"
+
+        echo -e "${BOLD}Server Resource Limits:${NC}"
+        echo "  RAM: ${total_ram}MB | CPU: ${cpu_cores} cores"
+        echo "  Max safe connections (hardware): $max_safe_conn"
+        echo ""
+    fi
+
+    # Time-of-day patterns
+    if [ -f "$TEMP_ANALYSIS/hourly_traffic.txt" ]; then
+        local peak_hour=$(awk -F'|' '{if($2>max){max=$2; hour=$1}} END{print hour}' "$TEMP_ANALYSIS/hourly_traffic.txt")
+        local peak_requests=$(awk -F'|' '{if($2>max){max=$2}} END{print max}' "$TEMP_ANALYSIS/hourly_traffic.txt")
+        local avg_requests=$(awk -F'|' '{sum+=$2; count++} END{if(count>0) print int(sum/count)}' "$TEMP_ANALYSIS/hourly_traffic.txt")
+
+        if [ -n "$peak_hour" ] && [ "$peak_requests" -gt "$((avg_requests * 2))" ]; then
+            echo -e "${BOLD}Traffic Patterns:${NC}"
+            echo "  Peak hour: ${peak_hour}:00 (${peak_requests} requests)"
+            echo "  Average: ${avg_requests} requests/hour"
+            echo "  Peak is ${MEDIUM_COLOR}$((peak_requests * 100 / avg_requests))% above average${NC}"
+            echo "  ${DIM}→ CT_LIMIT should handle peak, not average${NC}"
+            echo ""
+        fi
+    fi
+
+    # Optimization opportunities
+    local opt_count=0
+    echo -e "${BOLD}Optimization Opportunities:${NC}"
+
+    # Check for sites without CDN
+    local no_cdn=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" 2>/dev/null | while IFS='|' read -r domain site_type complexity max_conn avg_conn unique_ips total_requests; do
+        if [ "$complexity" -ge 6 ]; then
+            local has_cdn=$(detect_cdn_usage "$domain" 2>/dev/null)
+            if [ "$has_cdn" = "no" ]; then
+                echo "$domain"
+                ((opt_count++))
+            fi
+        fi
+    done | head -3)
+
+    if [ -n "$no_cdn" ]; then
+        echo "  📦 CDN Recommended for:"
+        echo "$no_cdn" | while read -r domain; do
+            echo "     • $domain (would reduce CT_LIMIT need)"
+        done
+    fi
+
+    # Check for WordPress without caching
+    local no_cache=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" 2>/dev/null | grep "wordpress" | while IFS='|' read -r domain site_type complexity max_conn avg_conn unique_ips total_requests; do
+        # Get doc root from sysref
+        local doc_root=$(grep "^DOMAIN|$domain|" "$SYSREF_DB" 2>/dev/null | cut -d'|' -f4)
+        if [ -n "$doc_root" ]; then
+            local cache_score=$(detect_caching "$doc_root" 2>/dev/null)
+            if [ "$cache_score" -eq 0 ]; then
+                echo "$domain"
+            fi
+        fi
+    done | head -3)
+
+    if [ -n "$no_cache" ]; then
+        echo "  ⚡ Caching Recommended for:"
+        echo "$no_cache" | while read -r domain; do
+            echo "     • $domain (WP Rocket, Redis, or W3 Total Cache)"
+        done
+    fi
+
+    if [ -z "$no_cdn" ] && [ -z "$no_cache" ]; then
+        echo "  ✅ Sites are well-optimized (CDN + caching in place)"
+    fi
+    echo ""
+
+    # Current CSF setting
+    local current_ct=$(get_current_ct_limit)
+    echo -e "${BOLD}Current CSF Configuration:${NC}"
+    echo "  CT_LIMIT = $current_ct"
+    echo ""
+
+    # Generate recommendation
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo -e "${BOLD}📊 RECOMMENDED CT_LIMIT VALUES${NC}"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo ""
+
+    # Calculate safe recommendations
+    local conservative=$((max_legitimate + 20))
+    local balanced=$((max_legitimate + 10))
+    local aggressive=$((max_legitimate + 5))
+
+    # Factor in site complexity - high-complexity sites need more headroom
+    if [ -f "$TEMP_ANALYSIS/per_site_analysis.txt" ]; then
+        local avg_complexity=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" | awk -F'|' '{sum+=$3; count++} END {if(count>0) print int(sum/count); else print 0}')
+        local max_complexity=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" | awk -F'|' '{if($3>max) max=$3} END {print max+0}')
+
+        # Add complexity buffer (0-20 based on average complexity)
+        local complexity_buffer=$((avg_complexity * 2))
+        conservative=$((conservative + complexity_buffer))
+        balanced=$((balanced + (complexity_buffer / 2)))
+
+        # If we have ecommerce sites, be extra conservative
+        local has_ecommerce=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" | grep -c "ecommerce")
+        if [ "$has_ecommerce" -gt 0 ]; then
+            conservative=$((conservative + 15))
+            balanced=$((balanced + 10))
+        fi
+    fi
+
+    # Minimum safety thresholds
+    [ "$conservative" -lt 100 ] && conservative=100
+    [ "$balanced" -lt 80 ] && balanced=80
+    [ "$aggressive" -lt 50 ] && aggressive=50
+
+    # Cap at server's max safe capacity
+    if [ -f "$TEMP_ANALYSIS/server_resources.txt" ]; then
+        IFS='|' read -r total_ram cpu_cores max_safe_conn < "$TEMP_ANALYSIS/server_resources.txt"
+
+        if [ "$conservative" -gt "$max_safe_conn" ]; then
+            conservative=$max_safe_conn
+            echo "  ${MEDIUM_COLOR}Note: Conservative capped at server max ($max_safe_conn)${NC}" >&2
+        fi
+        if [ "$balanced" -gt "$max_safe_conn" ]; then
+            balanced=$max_safe_conn
+        fi
+    fi
+
+    echo -e "${BOLD}1. CONSERVATIVE${NC} (Recommended for high-traffic sites)"
+    echo "   CT_LIMIT = $conservative"
+    echo "   • Allows headroom for traffic spikes"
+    echo "   • Won't block legitimate users"
+    echo "   • Good protection against moderate attacks"
+    echo ""
+
+    echo -e "${BOLD}2. BALANCED${NC} (Recommended for most servers) ⭐"
+    echo "   CT_LIMIT = $balanced"
+    echo "   • Balances security and usability"
+    echo "   • Based on 99th percentile + buffer"
+    echo "   • Blocks most attack traffic"
+    echo ""
+
+    echo -e "${BOLD}3. AGGRESSIVE${NC} (Only if under active attack)"
+    echo "   CT_LIMIT = $aggressive"
+    echo "   • Tight connection limits"
+    echo "   • May affect some legitimate users"
+    echo "   • Maximum DDoS protection"
+    echo ""
+
+    # Whitelist recommendations
+    if [ "$bot_count" -gt 0 ]; then
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo -e "${BOLD}⚠️  WHITELIST RECOMMENDATIONS${NC}"
+        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        echo ""
+        echo "Found bots/crawlers with high connection counts."
+        echo "Consider whitelisting these IPs to prevent blocking:"
+        echo ""
+
+        # Show top legitimate bots
+        tail -n +2 "$TEMP_ANALYSIS/connections_by_ip.txt" | while IFS='|' read -r ip domain max_concurrent total_requests user_agent; do
+            [ -z "$ip" ] && continue
+            local classification=$(classify_ip_behavior "$ip" "$user_agent" "$max_concurrent" "$total_requests")
+
+            if [[ "$classification" =~ (legitimate_bot|ai_crawler|monitoring_service) ]]; then
+                local bot_name=$(echo "$user_agent" | grep -oE '(Googlebot|Bingbot|Slurp|DuckDuckBot|Baiduspider|YandexBot|SemrushBot|AhrefsBot|facebookexternalhit|Twitterbot|LinkedInBot|UptimeRobot|Pingdom)' | head -1)
+                [ -z "$bot_name" ] && bot_name="Bot"
+
+                if [ "$max_concurrent" -gt "$balanced" ]; then
+                    printf "  • %-15s (%-20s) %3d connections\n" "$ip" "$bot_name" "$max_concurrent"
+                fi
+            fi
+        done | sort -t'(' -k2 -u | head -10
+
+        echo ""
+        echo "To whitelist: Add to /etc/csf/csf.ignore or use: csf -a <IP>"
+    fi
+
+    echo ""
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo -e "${BOLD}🔧 HOW TO APPLY${NC}"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo ""
+    echo "1. Edit CSF configuration:"
+    echo "   ${BOLD}nano /etc/csf/csf.conf${NC}"
+    echo ""
+    echo "2. Find CT_LIMIT line and change to recommended value:"
+    echo "   ${BOLD}CT_LIMIT = \"$balanced\"${NC}"
+    echo ""
+    echo "3. Enable SYNFLOOD protection (if not already):"
+    echo "   ${BOLD}SYNFLOOD = \"1\"${NC}"
+    echo ""
+    echo "4. Apply changes:"
+    echo "   ${BOLD}csf -r${NC}"
+    echo ""
+    echo "5. Monitor effectiveness:"
+    echo "   ${BOLD}watch -n 2 'csf -g | tail -20'${NC}"
+    echo ""
+
+    # Save recommendation to file
+    cat > "$TEMP_ANALYSIS/recommendation.txt" <<EOF
+CT_LIMIT Optimization Report
+Generated: $(date)
+Analysis Period: Last $ANALYSIS_HOURS hours
+
+RECOMMENDED VALUES:
+- Conservative: CT_LIMIT = "$conservative"
+- Balanced: CT_LIMIT = "$balanced" (RECOMMENDED)
+- Aggressive: CT_LIMIT = "$aggressive"
+
+ANALYSIS DATA:
+- Total IPs analyzed: $total_ips
+- Legitimate users: $legit_count
+- Bots/Crawlers: $bot_count
+- Max legitimate connections: $max_legitimate
+- Current CT_LIMIT: $current_ct
+
+To apply balanced recommendation:
+1. Edit /etc/csf/csf.conf
+2. Set: CT_LIMIT = "$balanced"
+3. Run: csf -r
+EOF
+
+    echo "Full report saved to: $TEMP_ANALYSIS/recommendation.txt"
+    echo ""
+}
+
+apply_recommendation() {
+    local new_limit="$1"
+
+    if [ ! -f "/etc/csf/csf.conf" ]; then
+        print_error "CSF not installed or config not found"
+        return 1
+    fi
+
+    print_status "Backing up CSF configuration..."
+    cp /etc/csf/csf.conf "/etc/csf/csf.conf.backup.$(date +%Y%m%d_%H%M%S)"
+
+    print_status "Setting CT_LIMIT = $new_limit..."
+    sed -i "s/^CT_LIMIT = .*/CT_LIMIT = \"$new_limit\"/" /etc/csf/csf.conf
+
+    # Also ensure SYNFLOOD is enabled
+    if grep -q "^SYNFLOOD = \"0\"" /etc/csf/csf.conf; then
+        print_status "Enabling SYNFLOOD protection..."
+        sed -i 's/^SYNFLOOD = "0"/SYNFLOOD = "1"/' /etc/csf/csf.conf
+    fi
+
+    print_status "Restarting CSF..."
+    csf -r >/dev/null 2>&1
+
+    print_success "CT_LIMIT updated to $new_limit and CSF restarted!"
+    echo ""
+    echo "Monitor effectiveness with: csf -g | tail -20"
+}
+
+################################################################################
+# Main
+################################################################################
+
+main() {
+    clear
+    print_banner "CT_LIMIT Optimizer - Intelligent Connection Limit Calculator"
+    echo ""
+    echo "This tool analyzes your actual traffic patterns to recommend"
+    echo "an optimal CT_LIMIT that protects against DDoS without blocking"
+    echo "legitimate users, bots, and CDNs."
+    echo ""
+    echo "Analysis period: Last $ANALYSIS_HOURS hours"
+    echo ""
+
+    read -p "Press Enter to start analysis or Ctrl+C to cancel..."
+    echo ""
+
+    # Check if sysref database exists, build if needed
+    if [ ! -f "$SYSREF_DB" ] || [ ! -s "$SYSREF_DB" ]; then
+        print_status "Building system reference database (first run)..."
+        build_reference_database >/dev/null 2>&1
+    fi
+
+    # Run analysis
+    check_server_resources
+    analyze_apache_logs "$ANALYSIS_HOURS"
+    analyze_per_site_traffic
+    analyze_current_connections
+
+    # Generate and show recommendations
+    generate_recommendation
+
+    # Offer to apply
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo ""
+    read -p "Would you like to apply the BALANCED recommendation automatically? (y/n): " apply
+
+    if [[ "$apply" =~ ^[Yy] ]]; then
+        # Extract balanced value from recommendation
+        local balanced=$(grep "2. BALANCED" -A1 "$TEMP_ANALYSIS/recommendation.txt" | grep "CT_LIMIT" | grep -oE '[0-9]+')
+
+        if [ -n "$balanced" ]; then
+            apply_recommendation "$balanced"
+        else
+            print_error "Could not determine balanced recommendation value"
+        fi
+    else
+        echo ""
+        echo "No changes made. You can apply manually using the commands above."
+    fi
+
+    echo ""
+    print_success "Analysis complete!"
+}
+
+main
@@ -1,8 +1,33 @@
 #!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
-print_banner "Apache Access Log"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+print_banner "Apache Access Log - Multi-Panel Support"
 echo "Tailing Apache access logs..."
+echo "Control Panel: ${SYS_CONTROL_PANEL}"
 echo "Press Ctrl+C to exit"
 echo ""
-[ -d "/var/log/apache2/domlogs" ] && tail -f /var/log/apache2/domlogs/* || echo "No access logs found"
+
+# Multi-panel log discovery
+if [ "$SYS_CONTROL_PANEL" = "interworx" ]; then
+    # InterWorx: Per-domain logs in user home
+    log_files=$(find /home/*/var/*/logs -type f -name "access_log" 2>/dev/null)
+elif [ "$SYS_CONTROL_PANEL" = "plesk" ]; then
+    # Plesk: System logs
+    log_files=$(find /var/www/vhosts/system/*/logs -type f -name "access_log" -o -name "access_ssl_log" 2>/dev/null)
+elif [ -n "$SYS_LOG_DIR" ] && [ -d "$SYS_LOG_DIR" ]; then
+    # cPanel: Use detected log directory
+    log_files=$(find "$SYS_LOG_DIR" -type f ! -name "*-bytes_log" ! -name "*error_log" 2>/dev/null)
+else
+    # Standalone: Try common locations
+    log_files="/var/log/httpd/access_log /var/log/apache2/access.log"
+fi
+
+if [ -n "$log_files" ]; then
+    tail -f $log_files 2>/dev/null
+else
+    print_error "No access logs found"
+    echo "Searched: $SYS_LOG_DIR (control panel: $SYS_CONTROL_PANEL)"
+    exit 1
+fi
@@ -1,8 +1,36 @@
 #!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
-print_banner "Apache Error Log"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+print_banner "Apache Error Log - Multi-Panel Support"
 echo "Tailing Apache error logs..."
+echo "Control Panel: ${SYS_CONTROL_PANEL}"
 echo "Press Ctrl+C to exit"
 echo ""
-tail -f /var/log/apache2/error_log 2>/dev/null || tail -f /var/log/httpd/error_log 2>/dev/null || echo "No error logs found"
+
+# Multi-panel error log discovery
+if [ "$SYS_CONTROL_PANEL" = "interworx" ]; then
+    # InterWorx: Per-domain error logs in user home
+    log_files=$(find /home/*/var/*/logs -type f -name "error_log" 2>/dev/null)
+elif [ "$SYS_CONTROL_PANEL" = "plesk" ]; then
+    # Plesk: System logs
+    log_files=$(find /var/www/vhosts/system/*/logs -type f -name "error_log" 2>/dev/null)
+elif [ "$SYS_CONTROL_PANEL" = "cpanel" ]; then
+    # cPanel: Per-domain error logs in domlogs
+    log_files=$(find "$SYS_LOG_DIR" -type f -name "*-error_log" 2>/dev/null)
+else
+    # Standalone: Try common main error log locations
+    log_files=""
+    [ -f "/var/log/apache2/error_log" ] && log_files="/var/log/apache2/error_log"
+    [ -f "/var/log/httpd/error_log" ] && log_files="$log_files /var/log/httpd/error_log"
+    [ -f "/var/log/apache2/error.log" ] && log_files="$log_files /var/log/apache2/error.log"
+fi
+
+if [ -n "$log_files" ]; then
+    tail -f $log_files 2>/dev/null
+else
+    print_error "No error logs found"
+    echo "Searched for logs in control panel: $SYS_CONTROL_PANEL"
+    exit 1
+fi
@@ -1,16 +1,34 @@
 #!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"

-print_banner "Web Traffic Monitor"
+print_banner "Web Traffic Monitor - Multi-Panel Support"
 echo ""
 echo "Monitoring Apache access logs in real-time..."
+echo "Control Panel: ${SYS_CONTROL_PANEL}"
 echo "Press Ctrl+C to exit"
 echo ""

-# Find apache log directory
-if [ -d "/var/log/apache2/domlogs" ]; then
-    tail -f /var/log/apache2/domlogs/* 2>/dev/null | while read line; do
+# Multi-panel log discovery
+log_files=""
+if [ "$SYS_CONTROL_PANEL" = "interworx" ]; then
+    # InterWorx: Monitor recent access logs (limit for performance)
+    log_files=$(find /home/*/var/*/logs -type f -name "access_log" -mmin -60 2>/dev/null | head -10)
+elif [ "$SYS_CONTROL_PANEL" = "plesk" ]; then
+    # Plesk: System logs
+    log_files=$(find /var/www/vhosts/system/*/logs -type f -name "access_log" -o -name "access_ssl_log" 2>/dev/null | head -10)
+elif [ -n "$SYS_LOG_DIR" ] && [ -d "$SYS_LOG_DIR" ]; then
+    # cPanel: Use detected log directory
+    log_files=$(find "$SYS_LOG_DIR" -type f ! -name "*-bytes_log" ! -name "*error_log" 2>/dev/null)
+else
+    # Standalone: Try common locations
+    [ -f "/var/log/httpd/access_log" ] && log_files="/var/log/httpd/access_log"
+    [ -f "/var/log/apache2/access.log" ] && log_files="$log_files /var/log/apache2/access.log"
+fi
+
+if [ -n "$log_files" ]; then
+    tail -f $log_files 2>/dev/null | while read line; do
        ip=$(echo "$line" | awk '{print $1}')
        request=$(echo "$line" | awk '{print $6, $7}' | tr -d '"')
        status=$(echo "$line" | awk '{print $9}')
@@ -29,5 +47,8 @@ if [ -d "/var/log/apache2/domlogs" ]; then
        printf "${color}%-15s %s %s\033[0m\n" "$ip" "$status" "$request"
    done
 else
-    print_error "Apache domlogs directory not found"
+    print_error "No Apache access logs found"
+    echo "Control panel: $SYS_CONTROL_PANEL"
+    echo "Log directory: $SYS_LOG_DIR"
+    exit 1
 fi
@@ -0,0 +1,846 @@
+#!/bin/bash
+
+################################################################################
+# Fast 500 Error Tracker
+################################################################################
+# Purpose: ONLY track 500 errors - find them fast and show WHY
+# No menus, no options - just find 500s and diagnose the root cause
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/ip-reputation.sh"
+
+# Ensure color variables are set
+DIM='\033[2m'
+BOLD='\033[1m'
+
+print_banner "Fast 500 Error Tracker"
+
+echo ""
+echo "Scanning for 500 errors and diagnosing root causes..."
+echo ""
+
+# Ask for time range
+echo -e "${CYAN}How far back to scan?${NC}"
+echo "  1) Last 24 hours (default)"
+echo "  2) Last 7 days"
+echo "  3) Last 30 days"
+echo "  0) Cancel and return to menu"
+echo ""
+read -p "Select option [1]: " time_choice
+time_choice=${time_choice:-1}
+
+case $time_choice in
+    0)
+        echo ""
+        echo "Scan cancelled."
+        echo ""
+        exit 0
+        ;;
+    1) HOURS_TO_SCAN=24 ;;
+    2) HOURS_TO_SCAN=168 ;;
+    3) HOURS_TO_SCAN=720 ;;
+    *) HOURS_TO_SCAN=24 ;;
+esac
+
+echo ""
+echo "→ Scanning last $HOURS_TO_SCAN hours of access logs..."
+echo ""
+
+# Temporary files
+TEMP_DIR="/tmp/500-tracker-$$"
+mkdir -p "$TEMP_DIR"
+trap "rm -rf $TEMP_DIR" EXIT
+
+ERRORS_500="$TEMP_DIR/errors_500.txt"
+ERROR_DETAILS="$TEMP_DIR/error_details.txt"
+
+# Configuration
+DOMLOGS_DIR="/var/log/apache2/domlogs"
+
+# Get cutoff time
+cutoff_time=$(date -d "$HOURS_TO_SCAN hours ago" +%s 2>/dev/null || echo "0")
+
+declare -A domain_count
+declare -A domain_user
+total_500s=0
+filtered_bots=0
+
+# Scan all domain access logs for 500 errors (including subdirectories)
+while IFS= read -r log; do
+    [ -f "$log" ] || continue
+    [[ "$log" =~ (bytes_log|offset|error_log|ftpxferlog|-ssl_log)$ ]] && continue
+
+    # Extract domain from log filename
+    domain="${log##*/}"
+    domain="${domain%%-*}"
+
+    # Skip non-domain system logs (proxy, localhost, etc.)
+    [[ "$domain" =~ ^(proxy|localhost|default|cpanel|webmail|whm|cpcalendars|cpcontacts|webdisk)$ ]] && continue
+
+    # Find cPanel user for this domain
+    user=$(grep -l "DNS.*$domain" /var/cpanel/users/* 2>/dev/null | head -1 | xargs basename 2>/dev/null)
+    [ -z "$user" ] && user="unknown"
+
+    domain_user["$domain"]="$user"
+    
+    # Scan for 500 errors in this log
+    while IFS= read -r line; do
+        # Check for 500 status code
+        if [[ "$line" =~ '"'[[:space:]](5[0-9]{2})[[:space:]] ]]; then
+            status="${BASH_REMATCH[1]}"
+
+            # Time filtering
+            if [ "$cutoff_time" != "0" ]; then
+                if [[ "$line" =~ \[([0-9]{2}/[A-Z][a-z]{2}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2}) ]]; then
+                    log_date="${BASH_REMATCH[1]}"
+                    log_time=$(date -d "${log_date/:/ }" +%s 2>/dev/null || echo "0")
+                    [ "$log_time" != "0" ] && [ "$log_time" -lt "$cutoff_time" ] && continue
+                fi
+            fi
+
+            # Parse log line to get IP first
+            read -r ip _ _ timestamp _ request _ _ <<< "$line"
+
+            # IP-based filtering - skip non-relevant IPs
+            # Skip localhost/internal IPs
+            if [[ "$ip" =~ ^(127\.|::1|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.) ]]; then
+                ((filtered_bots++))
+                continue
+            fi
+
+            # Skip common cloud scanner IPs and known bot networks
+            # AWS, GCP, Azure scanner ranges, security scanners
+            if [[ "$ip" =~ ^(3\.|13\.|18\.|34\.|35\.|52\.|54\.) ]] || \
+               [[ "$ip" =~ ^(104\.196\.|104\.154\.|130\.211\.|35\.184\.|35\.185\.|35\.186\.|35\.187\.|35\.188\.|35\.189\.|35\.19) ]] || \
+               [[ "$ip" =~ ^(20\.|40\.|51\.|52\.|13\.64\.|13\.65\.|13\.66\.|13\.67\.|13\.68\.) ]]; then
+                # Check if it's actually a bot by examining user agent
+                line_lower="${line,,}"
+                if [[ "$line_lower" =~ (bot|crawler|spider|scanner|monitor|cloud|amazon|google|microsoft|azure) ]]; then
+                    ((filtered_bots++))
+                    # Track bot IP with BOT flag
+                    flag_ip_attack "$ip" "BOT" 0 "500 error - filtered as bot/scanner" >/dev/null 2>&1 &
+                    continue
+                fi
+            fi
+
+            # Bot/Scanner filtering - skip noise
+            line_lower="${line,,}"
+            if [[ "$line_lower" =~ (bot|crawler|spider|scraper|scanner|check|monitor|uptime|pingdom|newrelic|datadog|nagios|zabbix|prtg|gomez|keynote|catchpoint|dotcom-monitor|site24x7|uptimerobot|statuscake|nodequery|hetrixtools|freshping|uptrendscom|siteuptime|montastic|updown\.io|apex|alertsite|webmon|wormly) ]]; then
+                ((filtered_bots++))
+                # Track monitoring/uptime bot
+                flag_ip_attack "$ip" "BOT" 0 "Monitoring/uptime bot" >/dev/null 2>&1 &
+                continue
+            fi
+            if [[ "$line_lower" =~ (semrush|ahrefs|moz|majestic|serpstat|screaming|screamingfrog|sitebulb|linkchecker|validator|scanner|security|acunetix|nessus|openvas|burp|nikto|skipfish|w3af|sqlmap|metasploit|nmap|masscan|zmap|shodan|censys|binaryedge) ]]; then
+                ((filtered_bots++))
+                # Track scanner with higher score
+                flag_ip_attack "$ip" "SCANNER" 0 "Security scanner detected" >/dev/null 2>&1 &
+                continue
+            fi
+            if [[ "$line_lower" =~ (curl|wget|python|perl|ruby|java|go-http|libwww|axios|node-fetch|http\.client|httpie|postman|insomnia|apachehttp|okhttp|httpclient) ]]; then
+                ((filtered_bots++))
+                # Track programmatic access
+                flag_ip_attack "$ip" "BOT" 0 "HTTP library/tool" >/dev/null 2>&1 &
+                continue
+            fi
+            
+            # Extract URL
+            if [[ "$request" =~ '"'[A-Z]+[[:space:]]([^[:space:]]+) ]]; then
+                url="${BASH_REMATCH[1]:0:80}"
+            else
+                url="/"
+            fi
+            
+            # Extract timestamp
+            if [[ "$line" =~ \[([^]]+)\] ]]; then
+                timestamp="${BASH_REMATCH[1]}"
+            else
+                timestamp="unknown"
+            fi
+            
+            ((domain_count["$domain"]++))
+            ((total_500s++))
+
+            # Track IP in reputation database (500 error = slight increase in score)
+            # Most 500s are due to server issues, not attacks, so low score increase
+            increment_ip_hits "$ip" 1 >/dev/null 2>&1 &
+
+            # Save for analysis
+            echo "$domain|$user|$status|$url|$timestamp|$ip" >> "$ERRORS_500"
+        fi
+    done < <(tail -n 100000 "$log" 2>/dev/null)
+done < <(find "$DOMLOGS_DIR" -type f ! -name "*bytes_log" ! -name "*offset*" ! -name "*error_log" ! -name "*ftpxferlog*" ! -name "*-ssl_log" 2>/dev/null)
+
+if [ "$total_500s" -eq 0 ]; then
+    echo ""
+    echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+    echo -e "${GREEN} ✓ NO 500 ERRORS FOUND IN LAST $HOURS_TO_SCAN HOURS!${NC}"
+    echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
+    echo ""
+    exit 0
+fi
+
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo " 500 ERRORS DETECTED: $total_500s errors (filtered out $filtered_bots bot/scanner requests)"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo ""
+
+echo -e "${RED}${BOLD}TOP AFFECTED DOMAINS:${NC}"
+echo ""
+
+# Sort and display top domains
+for domain in "${!domain_count[@]}"; do
+    echo "${domain_count[$domain]} $domain ${domain_user[$domain]}"
+done | sort -rn | head -10 | while read count domain user; do
+    printf "  ${RED}●${NC} %-40s ${BOLD}%4d errors${NC}  (user: %s)\n" "$domain" "$count" "$user"
+done
+
+echo ""
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo " DIAGNOSING ROOT CAUSES"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo ""
+
+# Detailed diagnostic tracking - per URL/file
+DETAILED_DIAGNOSIS="$TEMP_DIR/detailed_diagnosis.txt"
+> "$DETAILED_DIAGNOSIS"
+
+declare -A diagnosed_causes
+declare -A cause_examples
+
+total_to_diagnose=$(wc -l < "$ERRORS_500")
+current_line=0
+
+echo "Analyzing $total_to_diagnose errors for root causes..."
+echo ""
+
+while IFS='|' read -r domain user status url timestamp ip; do
+    [ -z "$domain" ] && continue
+
+    ((current_line++))
+    # Show progress every 500 errors
+    if [ $((current_line % 500)) -eq 0 ]; then
+        echo -ne "\rAnalyzed $current_line / $total_to_diagnose errors..."
+    fi
+
+    diagnosis=""
+    cause="UNKNOWN"
+    specific_file=""
+
+    # Get document root
+    docroot="/home/$user/public_html"
+
+    # Try to determine the actual file being requested
+    if [[ "$url" =~ ^/([^?]+) ]]; then
+        url_path="${BASH_REMATCH[1]}"
+
+        # Handle common patterns
+        if [ -z "$url_path" ] || [ "$url_path" = "/" ]; then
+            possible_files=("$docroot/index.php" "$docroot/index.html")
+        elif [[ "$url_path" =~ \.php$ ]]; then
+            possible_files=("$docroot/$url_path")
+        else
+            possible_files=("$docroot/$url_path" "$docroot/${url_path}.php" "$docroot/$url_path/index.php")
+        fi
+
+        # Find the actual file
+        for pf in "${possible_files[@]}"; do
+            if [ -f "$pf" ]; then
+                specific_file="$pf"
+                break
+            fi
+        done
+    fi
+
+    # Find PHP error log - check multiple locations
+    error_log=""
+    if [ "$user" != "unknown" ]; then
+        for potential_log in \
+            "/home/$user/public_html/error_log" \
+            "/home/$user/logs/error_log" \
+            "/home/$user/error_log" \
+            "/var/log/apache2/domlogs/$domain-error_log" \
+            "/usr/local/apache/domlogs/$domain"; do
+
+            if [ -f "$potential_log" ]; then
+                error_log="$potential_log"
+                break
+            fi
+        done
+    fi
+
+    # Check if error log exists and has recent errors
+    if [ -n "$error_log" ] && [ -f "$error_log" ]; then
+        # Look for errors matching this URL/timestamp
+        recent_error=$(tail -1000 "$error_log" | grep -F "$url" | tail -1)
+
+        # If no URL match, get most recent error
+        [ -z "$recent_error" ] && recent_error=$(tail -500 "$error_log" | grep -E "Fatal error|Parse error|syntax error|memory.*exhausted|database|MySQL|Permission denied|failed to open stream" | tail -1)
+
+        if [ -n "$recent_error" ]; then
+            # Extract file path from error if present
+            if [[ "$recent_error" =~ in[[:space:]](/[^:]+\.php) ]]; then
+                error_file="${BASH_REMATCH[1]}"
+                specific_file="$error_file"
+            fi
+
+            # Determine cause and diagnose
+            if [[ "$recent_error" =~ (memory.*exhausted|Allowed memory size) ]]; then
+                cause="PHP_MEMORY_EXHAUSTED"
+
+                # Check current memory limit
+                mem_limit=$(grep -h "memory_limit" "$docroot/.user.ini" "$docroot/../.php.ini" 2>/dev/null | tail -1 | cut -d'=' -f2 | tr -d ' ')
+                [ -z "$mem_limit" ] && mem_limit=$(php -r "echo ini_get('memory_limit');" 2>/dev/null)
+
+                diagnosis="$domain$url - Memory exhausted (current limit: ${mem_limit:-unknown})"
+                [ -n "$specific_file" ] && diagnosis="$diagnosis - File: $specific_file"
+
+            elif [[ "$recent_error" =~ (failed to open stream|Permission denied) ]]; then
+                cause="PERMISSION_ERROR"
+
+                # Extract the file with permission issue
+                if [[ "$recent_error" =~ failed\ to\ open\ stream.*\'([^\']+)\' ]]; then
+                    perm_file="${BASH_REMATCH[1]}"
+                elif [[ "$recent_error" =~ Permission\ denied.*\'([^\']+)\' ]]; then
+                    perm_file="${BASH_REMATCH[1]}"
+                else
+                    perm_file="$specific_file"
+                fi
+
+                # Check permissions on that specific file
+                if [ -n "$perm_file" ] && [ -e "$perm_file" ]; then
+                    file_perms=$(stat -c "%a" "$perm_file" 2>/dev/null)
+                    file_owner=$(stat -c "%U:%G" "$perm_file" 2>/dev/null)
+                    diagnosis="$domain$url - Permission denied on: $perm_file (perms: $file_perms, owner: $file_owner)"
+
+                    # Check if file is readable by Apache
+                    if [ -f "$perm_file" ]; then
+                        if ! sudo -u nobody test -r "$perm_file" 2>/dev/null; then
+                            diagnosis="$diagnosis - File NOT readable by Apache (nobody user)"
+                        fi
+                    fi
+                else
+                    diagnosis="$domain$url - Permission denied (file in error: $perm_file - does not exist)"
+                fi
+
+            elif [[ "$recent_error" =~ (Fatal error|PHP Fatal error) ]]; then
+                if [[ "$recent_error" =~ (undefined function|Call to undefined function) ]]; then
+                    cause="MISSING_PHP_FUNCTION"
+
+                    # Extract function name
+                    if [[ "$recent_error" =~ Call\ to\ undefined\ function\ ([a-zA-Z0-9_]+) ]]; then
+                        missing_func="${BASH_REMATCH[1]}"
+
+                        # Check which extension provides this function
+                        ext_info=$(php -r "if(function_exists('$missing_func')) echo 'EXISTS'; else echo 'MISSING';" 2>&1)
+
+                        diagnosis="$domain$url - Missing function: $missing_func"
+                        [ -n "$specific_file" ] && diagnosis="$diagnosis - in file: $specific_file"
+                    else
+                        diagnosis="$domain$url - Missing PHP function - $recent_error"
+                    fi
+                else
+                    cause="PHP_FATAL_ERROR"
+                    diagnosis="$domain$url - PHP Fatal Error"
+                    [ -n "$specific_file" ] && diagnosis="$diagnosis - File: $specific_file"
+                    diagnosis="$diagnosis - ${recent_error:0:200}"
+                fi
+
+            elif [[ "$recent_error" =~ (Parse error|syntax error) ]]; then
+                cause="PHP_SYNTAX_ERROR"
+
+                # Extract line number if present
+                if [[ "$recent_error" =~ line\ ([0-9]+) ]]; then
+                    error_line="${BASH_REMATCH[1]}"
+                    diagnosis="$domain$url - PHP Syntax Error at line $error_line"
+                else
+                    diagnosis="$domain$url - PHP Syntax Error"
+                fi
+                [ -n "$specific_file" ] && diagnosis="$diagnosis - File: $specific_file"
+
+            elif [[ "$recent_error" =~ (database|MySQL|Can\'t connect|Access denied for user) ]]; then
+                cause="DATABASE_CONNECTION"
+
+                if [[ "$recent_error" =~ Access\ denied\ for\ user\ \'([^\']+)\' ]]; then
+                    db_user="${BASH_REMATCH[1]}"
+                    diagnosis="$domain$url - Database access denied for user: $db_user"
+                elif [[ "$recent_error" =~ Unknown\ database\ \'([^\']+)\' ]]; then
+                    db_name="${BASH_REMATCH[1]}"
+                    diagnosis="$domain$url - Unknown database: $db_name"
+                else
+                    diagnosis="$domain$url - Database connection error"
+                fi
+                [ -n "$specific_file" ] && diagnosis="$diagnosis - from file: $specific_file"
+            fi
+
+            # Save detailed diagnosis only if we identified a specific cause
+            if [ "$cause" != "UNKNOWN" ] && [ -n "$diagnosis" ]; then
+                echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
+                ((diagnosed_causes["$cause"]++))
+                [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
+            else
+                # No matching error in error_log - run comprehensive checks
+                if [ "$user" != "unknown" ]; then
+                    issue_found=""
+
+                    # Check 1: .htaccess issues
+                    if [ -f "$docroot/.htaccess" ]; then
+                        htaccess_file="$docroot/.htaccess"
+                        htaccess_issues=""
+
+                        # Invalid PHP directives
+                        if grep -qE "^[[:space:]]*(php_value|php_flag|php_admin_value|php_admin_flag)" "$htaccess_file" 2>/dev/null; then
+                            if ! apache2ctl -M 2>/dev/null | grep -q "php.*module"; then
+                                htaccess_issues="PHP directives incompatible with FPM"
+                            fi
+                        fi
+
+                        # Malformed RewriteRule
+                        bad_rewrite=$(grep -nE "RewriteRule.*\[.*[^]]*$" "$htaccess_file" 2>/dev/null | head -1)
+                        [ -n "$bad_rewrite" ] && htaccess_issues="${htaccess_issues:+$htaccess_issues; }Malformed RewriteRule: ${bad_rewrite:0:50}"
+
+                        # Missing RewriteBase with RewriteRule
+                        if grep -q "RewriteRule" "$htaccess_file" 2>/dev/null; then
+                            if ! grep -q "RewriteBase" "$htaccess_file" 2>/dev/null; then
+                                # Check if rules use relative paths
+                                if grep -qE "RewriteRule.*\^[^/]" "$htaccess_file" 2>/dev/null; then
+                                    htaccess_issues="${htaccess_issues:+$htaccess_issues; }Missing RewriteBase with relative paths"
+                                fi
+                            fi
+                        fi
+
+                        if [ -n "$htaccess_issues" ]; then
+                            cause="HTACCESS_ERROR"
+                            diagnosis="$domain$url - $htaccess_issues"
+                            issue_found="yes"
+                        fi
+                    fi
+
+                    # Check 2: PHP file exists and is readable
+                    if [ -z "$issue_found" ] && [ -n "$specific_file" ]; then
+                        if [ ! -f "$specific_file" ]; then
+                            cause="FILE_NOT_FOUND"
+                            diagnosis="$domain$url - File does not exist: $specific_file"
+                            issue_found="yes"
+                        elif [ ! -r "$specific_file" ]; then
+                            file_perms=$(stat -c "%a" "$specific_file" 2>/dev/null)
+                            cause="PERMISSION_ERROR"
+                            diagnosis="$domain$url - File not readable: $specific_file (perms: $file_perms)"
+                            issue_found="yes"
+                        fi
+                    fi
+
+                    # Check 3: Document root permissions
+                    if [ -z "$issue_found" ]; then
+                        if [ ! -d "$docroot" ]; then
+                            cause="DOCROOT_MISSING"
+                            diagnosis="$domain$url - Document root does not exist: $docroot"
+                            issue_found="yes"
+                        else
+                            docroot_perms=$(stat -c "%a" "$docroot" 2>/dev/null)
+                            if [ "$docroot_perms" != "755" ] && [ "$docroot_perms" != "750" ] && [ "$docroot_perms" != "711" ]; then
+                                cause="PERMISSION_ERROR"
+                                diagnosis="$domain$url - Docroot bad perms: $docroot ($docroot_perms, should be 755)"
+                                issue_found="yes"
+                            fi
+                        fi
+                    fi
+
+                    # Check 4: PHP handler/version issues
+                    if [ -z "$issue_found" ] && [ -n "$specific_file" ] && [ -f "$specific_file" ]; then
+                        # Check if PHP is configured for this domain
+                        php_handler=$(grep -i "phpversion\|php_admin_value" /var/cpanel/userdata/$user/$domain 2>/dev/null | head -1)
+                        if [ -z "$php_handler" ]; then
+                            # Check if .htaccess tries to set PHP version but fails
+                            if grep -qE "AddHandler.*php|SetHandler.*php" "$docroot/.htaccess" 2>/dev/null; then
+                                cause="PHP_HANDLER_ERROR"
+                                diagnosis="$domain$url - PHP handler misconfigured (check .htaccess AddHandler/SetHandler)"
+                                issue_found="yes"
+                            fi
+                        fi
+                    fi
+
+                    # Check 5: WordPress-specific issues (if WP detected)
+                    if [ -z "$issue_found" ] && [ -f "$docroot/wp-config.php" ]; then
+                        # Check if wp-config.php is readable
+                        if [ ! -r "$docroot/wp-config.php" ]; then
+                            cause="PERMISSION_ERROR"
+                            diagnosis="$domain$url - wp-config.php not readable"
+                            issue_found="yes"
+                        else
+                            # Check for WP_DEBUG causing issues
+                            if grep -q "define.*WP_DEBUG.*true" "$docroot/wp-config.php" 2>/dev/null; then
+                                # Check if WP_DEBUG_DISPLAY is also true (can cause 500s with some errors)
+                                if grep -q "define.*WP_DEBUG_DISPLAY.*true" "$docroot/wp-config.php" 2>/dev/null; then
+                                    cause="WP_DEBUG_ERROR"
+                                    diagnosis="$domain$url - WP_DEBUG_DISPLAY enabled (may cause 500 on warnings)"
+                                    issue_found="yes"
+                                fi
+                            fi
+                        fi
+                    fi
+
+                    # Save diagnosis if we found an issue
+                    if [ -n "$issue_found" ] && [ -n "$diagnosis" ]; then
+                        echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
+                        ((diagnosed_causes["$cause"]++))
+                        [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
+                    else
+                        ((diagnosed_causes["NO_PHP_ERROR_LOGGED"]++))
+                    fi
+                else
+                    ((diagnosed_causes["NO_PHP_ERROR_LOGGED"]++))
+                fi
+            fi
+        else
+            # No error in error_log at all - check .htaccess
+            if [ "$user" != "unknown" ] && [ -f "$docroot/.htaccess" ]; then
+                htaccess_file="$docroot/.htaccess"
+                htaccess_issues=""
+
+                # Check for invalid PHP directives
+                if grep -qE "^[[:space:]]*(php_value|php_flag|php_admin_value|php_admin_flag)" "$htaccess_file" 2>/dev/null; then
+                    if ! apache2ctl -M 2>/dev/null | grep -q "php.*module"; then
+                        htaccess_issues="PHP directives (php_value/php_flag) incompatible with current PHP handler (not mod_php)"
+                    fi
+                fi
+
+                # Check for malformed RewriteRule
+                bad_rewrite=$(grep -nE "RewriteRule.*\[.*[^]]*$" "$htaccess_file" 2>/dev/null | head -1)
+                if [ -n "$bad_rewrite" ]; then
+                    htaccess_issues="${htaccess_issues:+$htaccess_issues; }Malformed RewriteRule: $bad_rewrite"
+                fi
+
+                if [ -n "$htaccess_issues" ]; then
+                    cause="HTACCESS_ERROR"
+                    diagnosis="$domain$url - .htaccess error: $htaccess_issues"
+                    echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
+                    ((diagnosed_causes["$cause"]++))
+                    [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
+                else
+                    ((diagnosed_causes["NO_PHP_ERROR_LOGGED"]++))
+                fi
+            else
+                ((diagnosed_causes["NO_PHP_ERROR_LOGGED"]++))
+            fi
+        fi
+    else
+        # No error log found - check .htaccess and permissions thoroughly
+        if [ "$user" != "unknown" ]; then
+            htaccess_file="$docroot/.htaccess"
+
+            if [ -f "$htaccess_file" ]; then
+                # Check .htaccess file permissions first
+                htaccess_perms=$(stat -c "%a" "$htaccess_file" 2>/dev/null)
+                htaccess_owner=$(stat -c "%U:%G" "$htaccess_file" 2>/dev/null)
+
+                # Check if readable by Apache
+                htaccess_readable="yes"
+                if ! sudo -u nobody test -r "$htaccess_file" 2>/dev/null; then
+                    htaccess_readable="no"
+                fi
+
+                # Actually validate .htaccess syntax
+                htaccess_test=$(apache2ctl -t 2>&1)
+                htaccess_issues=""
+
+                # Check for invalid directives
+                if grep -qE "^[[:space:]]*(php_value|php_flag|php_admin_value|php_admin_flag)" "$htaccess_file" 2>/dev/null; then
+                    if ! apache2ctl -M 2>/dev/null | grep -q "php.*module"; then
+                        htaccess_issues="PHP directives (php_value/php_flag) incompatible with current PHP handler (not mod_php)"
+                    fi
+                fi
+
+                # Check for malformed RewriteRule
+                bad_rewrite=$(grep -nE "RewriteRule.*\[.*[^]]*$" "$htaccess_file" 2>/dev/null | head -1)
+                if [ -n "$bad_rewrite" ]; then
+                    htaccess_issues="${htaccess_issues:+$htaccess_issues; }Malformed RewriteRule: $bad_rewrite"
+                fi
+
+                # Check for RewriteCond without following RewriteRule
+                orphan_cond=$(grep -n "RewriteCond" "$htaccess_file" | while read line; do
+                    linenum=$(echo "$line" | cut -d: -f1)
+                    nextline=$((linenum + 1))
+                    next=$(sed -n "${nextline}p" "$htaccess_file")
+                    if [[ ! "$next" =~ RewriteRule|RewriteCond ]]; then
+                        echo "Line $linenum: RewriteCond without RewriteRule"
+                    fi
+                done | head -1)
+
+                if [ -n "$orphan_cond" ]; then
+                    htaccess_issues="${htaccess_issues:+$htaccess_issues; }$orphan_cond"
+                fi
+
+                # Check for syntax errors in .htaccess
+                if echo "$htaccess_test" | grep -qi "syntax error"; then
+                    syntax_err=$(echo "$htaccess_test" | grep -i "syntax error" | head -1)
+                    htaccess_issues="${htaccess_issues:+$htaccess_issues; }Apache syntax error: $syntax_err"
+                fi
+
+                if [ "$htaccess_readable" = "no" ]; then
+                    cause="PERMISSION_ERROR"
+                    diagnosis="$domain$url - .htaccess not readable by Apache (perms: $htaccess_perms, owner: $htaccess_owner)"
+                    echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
+                    ((diagnosed_causes["$cause"]++))
+                    [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
+                elif [ -n "$htaccess_issues" ]; then
+                    cause="HTACCESS_ERROR"
+                    diagnosis="$domain$url - .htaccess error: $htaccess_issues"
+                    echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
+                    ((diagnosed_causes["$cause"]++))
+                    [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
+                else
+                    # .htaccess appears valid - check document root and file permissions
+                    docroot_perms=$(stat -c "%a" "$docroot" 2>/dev/null)
+                    docroot_owner=$(stat -c "%U:%G" "$docroot" 2>/dev/null)
+
+                    if [ "$docroot_perms" != "755" ] && [ "$docroot_perms" != "750" ]; then
+                        cause="PERMISSION_ERROR"
+                        diagnosis="$domain$url - Document root incorrect permissions (perms: $docroot_perms, owner: $docroot_owner, should be 755)"
+                        echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
+                        ((diagnosed_causes["$cause"]++))
+                        [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
+                    elif [ -n "$specific_file" ] && [ -f "$specific_file" ]; then
+                        # Check the specific PHP file permissions
+                        file_perms=$(stat -c "%a" "$specific_file" 2>/dev/null)
+                        file_owner=$(stat -c "%U:%G" "$specific_file" 2>/dev/null)
+                        file_readable="yes"
+
+                        if ! sudo -u nobody test -r "$specific_file" 2>/dev/null; then
+                            file_readable="no"
+                        fi
+
+                        if [ "$file_readable" = "no" ]; then
+                            cause="PERMISSION_ERROR"
+                            diagnosis="$domain$url - File not readable by Apache: $specific_file (perms: $file_perms, owner: $file_owner)"
+                            echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
+                            ((diagnosed_causes["$cause"]++))
+                            [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
+                        else
+                            ((diagnosed_causes["NO_PHP_ERROR_LOGGED"]++))
+                        fi
+                    else
+                        ((diagnosed_causes["NO_PHP_ERROR_LOGGED"]++))
+                    fi
+                fi
+            else
+                # No .htaccess - check document root and file permissions
+                docroot_perms=$(stat -c "%a" "$docroot" 2>/dev/null)
+                docroot_owner=$(stat -c "%U:%G" "$docroot" 2>/dev/null)
+
+                if [ "$docroot_perms" != "755" ] && [ "$docroot_perms" != "750" ]; then
+                    cause="PERMISSION_ERROR"
+                    diagnosis="$domain$url - Document root incorrect permissions (perms: $docroot_perms, owner: $docroot_owner, should be 755)"
+                    echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
+                    ((diagnosed_causes["$cause"]++))
+                    [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
+                elif [ -n "$specific_file" ] && [ -f "$specific_file" ]; then
+                    # Check the specific PHP file
+                    file_perms=$(stat -c "%a" "$specific_file" 2>/dev/null)
+                    file_owner=$(stat -c "%U:%G" "$specific_file" 2>/dev/null)
+
+                    if ! sudo -u nobody test -r "$specific_file" 2>/dev/null; then
+                        cause="PERMISSION_ERROR"
+                        diagnosis="$domain$url - File not readable: $specific_file (perms: $file_perms, owner: $file_owner)"
+                        echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
+                        ((diagnosed_causes["$cause"]++))
+                        [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
+                    else
+                        ((diagnosed_causes["NO_ERROR_LOG_FILE"]++))
+                    fi
+                else
+                    ((diagnosed_causes["NO_ERROR_LOG_FILE"]++))
+                fi
+            fi
+        else
+            ((diagnosed_causes["NO_ERROR_LOG_FILE"]++))
+        fi
+    fi
+done < "$ERRORS_500"
+
+echo -e "\rAnalyzed $total_to_diagnose / $total_to_diagnose errors - Complete!     "
+echo ""
+
+# Display diagnosed causes
+echo -e "${CYAN}${BOLD}ROOT CAUSES IDENTIFIED:${NC}"
+echo ""
+
+for cause in "${!diagnosed_causes[@]}"; do
+    count="${diagnosed_causes[$cause]}"
+    echo "$count|$cause"
+done | sort -rn | while IFS='|' read count cause; do
+    clean_cause=$(echo "$cause" | tr '_' ' ')
+    
+    case "$cause" in
+        PHP_MEMORY_EXHAUSTED)
+            echo -e "${RED}$clean_cause${NC} - $count occurrences"
+            echo -e "   ${YELLOW}Fix:${NC} Increase memory_limit in /home/USER/public_html/.user.ini"
+            echo -e "   ${YELLOW}Set:${NC} memory_limit = 512M"
+            ;;
+        PHP_FATAL_ERROR)
+            echo -e "${RED}$clean_cause${NC} - $count occurrences"
+            echo -e "   ${YELLOW}Fix:${NC} Review recent code/plugin changes"
+            ;;
+        PHP_SYNTAX_ERROR)
+            echo -e "${RED}$clean_cause${NC} - $count occurrences"
+            echo -e "   ${YELLOW}Fix:${NC} Check for PHP syntax errors in recent file edits"
+            ;;
+        MISSING_PHP_FUNCTION)
+            echo -e "${RED}$clean_cause${NC} - $count occurrences"
+            echo -e "   ${YELLOW}Fix:${NC} Install missing PHP extension (check error for which one)"
+            ;;
+        DATABASE_CONNECTION)
+            echo -e "${RED}$clean_cause${NC} - $count occurrences"
+            echo -e "   ${YELLOW}Fix:${NC} Check database credentials or MySQL service"
+            ;;
+        HTACCESS_ERROR)
+            echo -e "${RED}.HTACCESS ERROR DETECTED${NC} - $count occurrences"
+            ;;
+        PERMISSION_ERROR)
+            echo -e "${RED}PERMISSION ERROR DETECTED${NC} - $count occurrences"
+            ;;
+        NO_ERROR_LOG_FILE)
+            echo -e "${YELLOW}$clean_cause${NC} - $count occurrences"
+            echo -e "   ${YELLOW}Note:${NC} Checked multiple error_log locations - none found"
+            echo -e "   ${YELLOW}Check:${NC} May need to enable PHP error logging"
+            ;;
+        NO_PHP_ERROR_LOGGED)
+            echo -e "${YELLOW}$clean_cause${NC} - $count occurrences"
+            echo -e "   ${YELLOW}Note:${NC} 500 error but no PHP error in log - likely .htaccess or Apache config"
+            ;;
+        FILE_NOT_FOUND)
+            echo -e "${RED}$clean_cause${NC} - $count occurrences"
+            echo -e "   ${YELLOW}Fix:${NC} Requested file does not exist - check URL or restore missing files"
+            ;;
+        PHP_HANDLER_ERROR)
+            echo -e "${RED}PHP HANDLER ERROR${NC} - $count occurrences"
+            echo -e "   ${YELLOW}Fix:${NC} PHP handler misconfigured - check cPanel PHP version or .htaccess AddHandler"
+            ;;
+        WP_DEBUG_ERROR)
+            echo -e "${YELLOW}WORDPRESS DEBUG ERROR${NC} - $count occurrences"
+            echo -e "   ${YELLOW}Fix:${NC} Disable WP_DEBUG_DISPLAY in wp-config.php or fix underlying warnings"
+            ;;
+        DOCROOT_MISSING)
+            echo -e "${RED}$clean_cause${NC} - $count occurrences"
+            echo -e "   ${YELLOW}Fix:${NC} Document root directory missing - restore from backup or check domain configuration"
+            ;;
+        UNKNOWN)
+            # Skip - these are errors we couldn't diagnose
+            ;;
+        *)
+            echo -e "${INFO_COLOR}$clean_cause${NC} - $count occurrences"
+            ;;
+    esac
+    
+    # Show example if we have one
+    if [ -n "${cause_examples[$cause]}" ]; then
+        example="${cause_examples[$cause]}"
+        echo -e "   ${DIM}Example: ${example:0:120}...${NC}"
+    fi
+    echo ""
+done
+
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo " DETAILED 500 ERROR LIST"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo ""
+
+# Show most frequent URLs getting 500s
+echo "Most Frequent 500 Error URLs:"
+echo ""
+cut -d'|' -f1,4 "$ERRORS_500" | sort | uniq -c | sort -rn | head -15 | while read count domain_url; do
+    domain=$(echo "$domain_url" | cut -d'|' -f1)
+    url=$(echo "$domain_url" | cut -d'|' -f2)
+    user="${domain_user[$domain]}"
+    printf "  ${RED}%4d×${NC} %s%s ${DIM}(user: %s)${NC}\n" "$count" "$domain" "$url" "$user"
+done
+
+echo ""
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo " SPECIFIC DIAGNOSTICS (per URL/file)"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo ""
+
+# Show detailed diagnostics grouped by cause and issue pattern
+if [ -f "$DETAILED_DIAGNOSIS" ] && [ -s "$DETAILED_DIAGNOSIS" ]; then
+    for cause_type in PHP_MEMORY_EXHAUSTED PERMISSION_ERROR HTACCESS_ERROR PHP_FATAL_ERROR PHP_SYNTAX_ERROR MISSING_PHP_FUNCTION DATABASE_CONNECTION FILE_NOT_FOUND PHP_HANDLER_ERROR WP_DEBUG_ERROR DOCROOT_MISSING; do
+
+        cause_count=$(grep "^${cause_type}|" "$DETAILED_DIAGNOSIS" 2>/dev/null | wc -l)
+        cause_count=${cause_count//[^0-9]/}  # Remove any non-numeric characters
+        cause_count=${cause_count:-0}  # Default to 0 if empty
+
+        if [ "$cause_count" -gt 0 ]; then
+            cause_display=$(echo "$cause_type" | tr '_' ' ')
+            echo -e "${RED}${BOLD}$cause_display ($cause_count occurrences)${NC}"
+            echo ""
+
+            # Group by unique error pattern (not domain)
+            declare -A issue_domains
+
+            # First pass: collect all domains per issue pattern
+            declare -A pattern_domains_temp
+
+            while IFS='|' read -r ctype full_diag; do
+                # Extract just the error part (after domain/)
+                issue_pattern=$(echo "$full_diag" | sed 's/^[^ ]* - //')
+                domain_part=$(echo "$full_diag" | grep -oP '^[^/]+')
+
+                # Append to temporary storage
+                pattern_domains_temp[$issue_pattern]+="$domain_part"$'\n'
+            done < <(grep "^${cause_type}|" "$DETAILED_DIAGNOSIS" 2>/dev/null)
+
+            # Second pass: deduplicate and limit to 5 unique domains per pattern
+            for pattern in "${!pattern_domains_temp[@]}"; do
+                # Get unique domains, limit to 5
+                unique_list=$(echo "${pattern_domains_temp[$pattern]}" | sort -u | head -5 | tr '\n' ',')
+                # Remove trailing comma
+                unique_list=${unique_list%,}
+
+                # Count total unique domains
+                total_unique=$(echo "${pattern_domains_temp[$pattern]}" | sort -u | wc -l)
+
+                # Add "..." if there are more than 5
+                if [ "$total_unique" -gt 5 ]; then
+                    unique_list="$unique_list,..."
+                fi
+
+                issue_domains[$pattern]="$unique_list"
+            done
+
+            unset pattern_domains_temp
+
+            # Display grouped issues
+            shown=0
+            for pattern in "${!issue_domains[@]}"; do
+                [ $shown -ge 10 ] && break
+                ((shown++))
+
+                domains="${issue_domains[$pattern]}"
+                domain_count=$(echo "$domains" | tr ',' '\n' | grep -v '^\.\.\.$' | wc -l)
+
+                echo -e "  ${YELLOW}Issue:${NC} $pattern"
+                echo -e "  ${DIM}Affected ($domain_count):${NC} ${domains//,/, }"
+                echo ""
+            done
+
+            if [ "${#issue_domains[@]}" -gt 10 ]; then
+                remaining=$((${#issue_domains[@]} - 10))
+                echo -e "  ${DIM}... and $remaining more issue patterns${NC}"
+                echo ""
+            fi
+
+            unset issue_domains
+        fi
+    done
+else
+    echo "No detailed diagnostics available."
+    echo ""
+fi
+
+echo "Full error list saved to: $ERRORS_500"
+echo "Detailed diagnostics saved to: $DETAILED_DIAGNOSIS"
+echo ""
+
+press_enter
@@ -12,6 +12,7 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 source "$SCRIPT_DIR/lib/user-manager.sh"
+source "$SCRIPT_DIR/lib/ip-reputation.sh"

 # Configuration
 APACHE_ERROR_LOG="/var/log/apache2/error_log"
@@ -46,26 +47,42 @@ echo -e "${CYAN}Analysis Scope:${NC}"
 echo "  1) All users/domains (default)"
 echo "  2) Specific cPanel user"
 echo "  3) Specific domain"
+echo "  0) Cancel and return to menu"
 echo ""
 read -p "Select option [1]: " scope_choice
 scope_choice=${scope_choice:-1}

 case $scope_choice in
+    0)
+        echo ""
+        echo "Analysis cancelled."
+        echo ""
+        exit 0
+        ;;
    2)
        # Select specific user
        select_user_interactive "Select cPanel user to analyze"
        if [ -n "$SELECTED_USER" ]; then
            FILTER_USER="$SELECTED_USER"
            echo "→ Filtering for user: $FILTER_USER"
+        else
+            echo ""
+            echo "No user selected. Analysis cancelled."
+            echo ""
+            exit 0
        fi
        ;;
    3)
        # Enter specific domain
        echo ""
-        read -p "Enter domain name (e.g., example.com): " FILTER_DOMAIN
-        if [ -n "$FILTER_DOMAIN" ]; then
-            echo "→ Filtering for domain: $FILTER_DOMAIN"
+        read -p "Enter domain name (e.g., example.com) or 0 to cancel: " FILTER_DOMAIN
+        if [ "$FILTER_DOMAIN" = "0" ] || [ -z "$FILTER_DOMAIN" ]; then
+            echo ""
+            echo "Analysis cancelled."
+            echo ""
+            exit 0
        fi
+        echo "→ Filtering for domain: $FILTER_DOMAIN"
        ;;
    *)
        echo "→ Analyzing all users/domains"
@@ -81,11 +98,18 @@ echo "  2) Last 6 hours"
 echo "  3) Last 24 hours (default)"
 echo "  4) Last 7 days"
 echo "  5) Last 30 days"
+echo "  0) Cancel and return to menu"
 echo ""
 read -p "Select option [3]: " time_choice
 time_choice=${time_choice:-3}

 case $time_choice in
+    0)
+        echo ""
+        echo "Analysis cancelled."
+        echo ""
+        exit 0
+        ;;
    1) HOURS_TO_ANALYZE=1 ;;
    2) HOURS_TO_ANALYZE=6 ;;
    3) HOURS_TO_ANALYZE=24 ;;
@@ -190,127 +214,200 @@ echo ""

 is_noise() {
    local line="$1"
+    local line_lower="${line,,}"  # Convert to lowercase once

    # Bot/Scanner patterns
-    if echo "$line" | grep -qiE "bot|crawler|spider|scanner|nikto|nmap|masscan|sqlmap|nessus|acunetix|burp|shodan|censys|zgrab|nuclei|semrush|ahrefs|mj12"; then
-        return 0
-    fi
+    [[ "$line_lower" =~ (bot|crawler|spider|scanner|nikto|nmap|masscan|sqlmap|nessus|acunetix|burp|shodan|censys|zgrab|nuclei|semrush|ahrefs|mj12) ]] && return 0

    # Known scanner IPs
-    if echo "$line" | grep -qE "45\.148\.|185\.220\.|89\.248\.165\."; then
-        return 0
-    fi
+    [[ "$line" =~ (45\.148\.|185\.220\.|89\.248\.165\.) ]] && return 0

    # WordPress plugin deprecation warnings (not user-facing)
-    if echo "$line" | grep -qiE "PHP Deprecated|Deprecated.*plugin|call_user_func_array.*deprecated"; then
-        return 0
-    fi
+    [[ "$line" =~ (PHP\ Deprecated|Deprecated.*plugin|call_user_func_array.*deprecated) ]] && return 0

-    # Non-critical PHP notices
-    if echo "$line" | grep -qiE "PHP Notice.*Undefined (variable|index|offset)" && \
-       ! echo "$line" | grep -qiE "fatal|error 500|white screen"; then
+    # Non-critical PHP notices (unless critical indicators present)
+    if [[ "$line" =~ PHP\ Notice.*Undefined\ (variable|index|offset) ]] && ! [[ "$line_lower" =~ (fatal|error\ 500|white\ screen) ]]; then
        return 0
    fi

    # Missing favicon/common assets (not real errors)
-    if echo "$line" | grep -qiE "favicon\.ico|apple-touch-icon|robots\.txt|sitemap\.xml.*404"; then
-        return 0
-    fi
+    [[ "$line_lower" =~ (favicon\.ico|apple-touch-icon|robots\.txt|sitemap\.xml.*404) ]] && return 0

    # Security probes
-    if echo "$line" | grep -qiE "wp-admin|wp-login|phpMyAdmin|phpmyadmin|\.env|\.git|config\.php|xmlrpc|eval-stdin|shell\.php|c99\.php|r57\.php|adminer\.php" && \
-       echo "$line" | grep -qiE "404|403|not found"; then
+    if [[ "$line_lower" =~ (wp-admin|wp-login|phpmyadmin|\.env|\.git|config\.php|xmlrpc|eval-stdin|shell\.php|c99\.php|r57\.php|adminer\.php) ]] && \
+       [[ "$line" =~ (404|403|not\ found) ]]; then
        return 0
    fi

    # WordPress auto-updates and cron (normal operations)
-    if echo "$line" | grep -qiE "wp-cron\.php|doing_cron|auto.*update"; then
-        return 0
-    fi
+    [[ "$line_lower" =~ (wp-cron\.php|doing_cron|auto.*update) ]] && return 0

    # Common plugin update checks (not errors)
-    if echo "$line" | grep -qiE "update-check|version-check|api\.wordpress\.org"; then
-        return 0
-    fi
+    [[ "$line_lower" =~ (update-check|version-check|api\.wordpress\.org) ]] && return 0

    return 1
 }

 is_critical_user_facing() {
    local line="$1"
+    local line_lower="${line,,}"

    # 500 Internal Server Error (users see white page)
-    if echo "$line" | grep -qiE " 500 |Internal Server Error"; then
-        return 0
-    fi
+    [[ "$line" =~ (\ 500\ |Internal\ Server\ Error) ]] && return 0

    # PHP Fatal Errors (breaks functionality)
-    if echo "$line" | grep -qiE "PHP Fatal error|Fatal error:.*in /"; then
-        return 0
-    fi
+    [[ "$line" =~ (PHP\ Fatal\ error|Fatal\ error:.*in\ /) ]] && return 0

    # PHP Parse Errors (site completely broken)
-    if echo "$line" | grep -qiE "PHP Parse error|syntax error"; then
-        return 0
-    fi
+    [[ "$line" =~ (PHP\ Parse\ error|syntax\ error) ]] && return 0

    # Database connection failures (site down)
-    if echo "$line" | grep -qiE "Error establishing.*database|Can't connect.*MySQL|Access denied for user.*database|Too many connections|MySQL server has gone away"; then
-        return 0
-    fi
+    [[ "$line" =~ (Error\ establishing.*database|Can\'t\ connect.*MySQL|Access\ denied\ for\ user.*database|Too\ many\ connections|MySQL\ server\ has\ gone\ away) ]] && return 0

    # Memory exhaustion (white screen/incomplete pages)
-    if echo "$line" | grep -qiE "Allowed memory size.*exhausted|Out of memory|Fatal.*memory"; then
-        return 0
-    fi
+    [[ "$line" =~ (Allowed\ memory\ size.*exhausted|Out\ of\ memory|Fatal.*memory) ]] && return 0

    # Segmentation fault (complete crash)
-    if echo "$line" | grep -qiE "Segmentation fault|signal 11"; then
-        return 0
-    fi
+    [[ "$line" =~ (Segmentation\ fault|signal\ 11) ]] && return 0

    # Permission denied on critical files
-    if echo "$line" | grep -qiE "Permission denied" && \
-       echo "$line" | grep -qE "index\.php|wp-config\.php|\.htaccess|config\.php"; then
+    if [[ "$line" =~ Permission\ denied ]] && [[ "$line" =~ (index\.php|wp-config\.php|\.htaccess|config\.php) ]]; then
        return 0
    fi

    # File not found for MAIN page (404 on homepage/index)
-    if echo "$line" | grep -qiE "File does not exist.*index\.(php|html)" || \
-       echo "$line" | grep -qE " 404 .*\" \"GET / "; then
-        return 0
-    fi
+    [[ "$line" =~ (File\ does\ not\ exist.*index\.(php|html)|\ 404\ .*\"\ \"GET\ /) ]] && return 0

    return 1
 }

 extract_useful_info() {
    local line="$1"
+    local domain="unknown"
+    local file_path=""
+    local error_msg

-    # Extract domain
-    domain=$(echo "$line" | grep -oE '\[vhost [^:]+' | sed 's/\[vhost //' || \
-             echo "$line" | grep -oE '[a-zA-Z0-9.-]+\.(com|net|org|io|co|uk|us|dev)' | head -1 || \
-             echo "$line" | grep -oE '/home/[^/]+' | sed 's|/home/||' || echo "unknown")
-
-    # Extract file path if PHP error
-    file_path=$(echo "$line" | grep -oE "in /[^ ]+\.php" | sed 's/in //' || echo "")
-
-    # Extract error message (clean up ModSec noise, timestamps, etc.)
-    error_msg=$(echo "$line" | \
-                sed 's/^\[.*\] //' | \
-                sed 's/\[client [^]]*\] //' | \
-                sed 's/\[unique_id "[^"]*"\]//g' | \
-                sed 's/\[pid [^]]*\]//g' | \
-                sed 's/\[tid [^]]*\]//g' | \
-                grep -v "^$" | \
-                cut -c1-150)
-
-    # Skip if error message is empty or just whitespace
-    if [ -z "$(echo "$error_msg" | tr -d '[:space:]')" ]; then
-        return 1
+    # Extract domain using bash regex (faster than grep|sed pipeline)
+    if [[ "$line" =~ \[vhost\ ([^:]+) ]]; then
+        domain="${BASH_REMATCH[1]}"
+    elif [[ "$line" =~ ([a-zA-Z0-9.-]+\.(com|net|org|io|co|uk|us|dev)) ]]; then
+        domain="${BASH_REMATCH[1]}"
+    elif [[ "$line" =~ /home/([^/]+) ]]; then
+        domain="${BASH_REMATCH[1]}"
    fi

-    echo "$domain|$file_path|$error_msg"
+    # Extract file path if PHP error
+    if [[ "$line" =~ in\ (/[^ ]+\.php) ]]; then
+        file_path="${BASH_REMATCH[1]}"
+    fi
+
+    # Extract error message (clean up ModSec noise, timestamps, etc.)
+    # Use single sed command instead of pipeline
+    error_msg=$(echo "$line" | sed -E 's/^\[.*\] //; s/\[client [^]]*\] //; s/\[unique_id "[^"]*"\]//g; s/\[pid [^]]*\]//g; s/\[tid [^]]*\]//g' | cut -c1-150)
+
+    # Skip if error message is empty or just whitespace
+    error_msg="${error_msg#"${error_msg%%[![:space:]]*}"}"  # ltrim
+    error_msg="${error_msg%"${error_msg##*[![:space:]]}"}"  # rtrim
+    [ -z "$error_msg" ] && return 1
+
+    # Correlate to root cause
+    local root_cause=$(correlate_root_cause "$line" "$error_msg" "$domain")
+
+    echo "$domain|$file_path|$error_msg|$root_cause"
+}
+
+correlate_root_cause() {
+    local line="$1"
+    local error_msg="$2"
+    local domain="$3"
+    local cause="UNKNOWN"
+    local line_lower="${line,,}"
+    local error_lower="${error_msg,,}"
+
+    # .htaccess issues
+    if [[ "$line_lower" =~ (\.htaccess|invalid\ command|rewriterule|rewritecond) ]]; then
+        cause="HTACCESS"
+
+    # ModSecurity blocks
+    elif [[ "$line_lower" =~ (modsecurity|mod_security|waf) ]]; then
+        cause="MODSECURITY"
+
+    # PHP memory limit
+    elif [[ "$error_lower" =~ (memory.*exhausted|allowed\ memory\ size) ]]; then
+        # Get current memory limit for this domain/user
+        if [ -n "$domain" ] && [ "$domain" != "unknown" ]; then
+            user=$(grep -l "DNS.*$domain" /var/cpanel/users/* 2>/dev/null | head -1 | xargs basename 2>/dev/null)
+            if [ -n "$user" ]; then
+                mem_limit=$(grep -h "memory_limit" /home/$user/public_html/.user.ini /home/$user/.php.ini 2>/dev/null | tail -1 | cut -d'=' -f2 | tr -d ' ')
+                [ -n "$mem_limit" ] && cause="PHP_MEMORY:$mem_limit" || cause="PHP_MEMORY:default"
+            else
+                cause="PHP_MEMORY"
+            fi
+        else
+            cause="PHP_MEMORY"
+        fi
+
+    # PHP max execution time
+    elif [[ "$error_lower" =~ (max_execution_time|maximum\ execution\ time) ]]; then
+        cause="PHP_TIMEOUT"
+
+    # PHP upload/post size limits
+    elif [[ "$error_lower" =~ (upload_max_filesize|post_max_size) ]]; then
+        cause="PHP_UPLOAD_LIMIT"
+
+    # File permissions
+    elif [[ "$error_lower" =~ (permission\ denied|failed\ to\ open\ stream.*permission) ]]; then
+        cause="FILE_PERMISSIONS"
+
+    # Missing PHP modules/extensions
+    elif [[ "$error_lower" =~ (undefined\ function|call\ to\ undefined\ function|class\ .*\ not\ found) ]]; then
+        # Try to identify which module
+        if [[ "$error_lower" =~ (imagecreate|imagefilter|gd_) ]]; then
+            cause="MISSING_PHP_GD"
+        elif [[ "$error_msg" =~ (curl_|CURL) ]]; then
+            cause="MISSING_PHP_CURL"
+        elif [[ "$error_msg" =~ (json_|JSON) ]]; then
+            cause="MISSING_PHP_JSON"
+        elif [[ "$error_lower" =~ (mysqli|mysql_connect) ]]; then
+            cause="MISSING_PHP_MYSQLI"
+        else
+            cause="MISSING_PHP_MODULE"
+        fi
+
+    # Database issues
+    elif [[ "$error_lower" =~ (database|mysql|mysqli) ]]; then
+        if [[ "$error_lower" =~ (too\ many\ connections|max_connections) ]]; then
+            cause="DB_MAX_CONNECTIONS"
+        elif [[ "$error_lower" =~ (access\ denied|authentication) ]]; then
+            cause="DB_AUTH_FAILED"
+        elif [[ "$error_lower" =~ (gone\ away|lost\ connection) ]]; then
+            cause="DB_TIMEOUT"
+        else
+            cause="DB_ERROR"
+        fi
+
+    # Apache configuration
+    elif [[ "$error_lower" =~ (invalid\ uri|request\ exceeded\ the\ limit|limitrequestline) ]]; then
+        cause="APACHE_CONFIG"
+
+    # PHP parse/syntax errors (code issues)
+    elif [[ "$error_lower" =~ (parse\ error|syntax\ error|unexpected) ]]; then
+        cause="PHP_SYNTAX_ERROR"
+
+    # File not found (may indicate bad symlinks or missing files)
+    elif [[ "$error_lower" =~ (no\ such\ file|failed\ to\ open\ stream) ]]; then
+        cause="MISSING_FILE"
+
+    # Generic PHP fatal error
+    elif [[ "$error_lower" =~ fatal\ error ]]; then
+        cause="PHP_FATAL_ERROR"
+
+    # 500 errors without specific cause
+    elif [[ "$error_msg" =~ (500|Internal\ Server) ]]; then
+        cause="SERVER_ERROR_500"
+    fi
+
+    echo "$cause"
 }

 ################################################################################
@@ -356,41 +453,93 @@ while IFS='|' read -r log_path log_type; do
                uri=$(echo "$line" | grep -oE "uri: [^ ]+" | sed 's/uri: //' || echo "")
                domain=$(echo "$line" | grep -oE "hostname: [^ ]+" | sed 's/hostname: //' || echo "unknown")

-                echo "$domain||ModSecurity blocked: $attack_type $uri" >> "$CRITICAL_ERRORS"
+                # Extract rule ID if available
+                rule_id=$(echo "$line" | grep -oE "id \"[0-9]+\"" | grep -oE "[0-9]+" || echo "")
+                root_cause="MODSECURITY"
+                [ -n "$rule_id" ] && root_cause="MODSECURITY:rule_$rule_id"
+
+                echo "$domain||ModSecurity blocked: $attack_type $uri|$root_cause" >> "$CRITICAL_ERRORS"
            fi

        done < <(tail -n 5000 "$log_path" 2>/dev/null)

    elif $is_access_log; then
        # Access log - look for 5xx status codes
+        # Use time-based filtering if possible, otherwise last 50k lines
+        cutoff_time=$(date -d "$HOURS_TO_ANALYZE hours ago" +%s 2>/dev/null || echo "0")
+
        while IFS= read -r line; do
            ((total_lines++))

            # Skip if bot/scanner
            if is_noise "$line"; then
                ((filtered_out++))
+                # Track bot/scanner IPs
+                read -r ip _ _ _ _ _ _ _ <<< "$line"
+                if [[ "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+                    flag_ip_attack "$ip" "BOT" 0 "Bot/scanner filtered in error analysis" >/dev/null 2>&1 &
+                fi
                continue
            fi

-            # Extract status code and URL
-            if echo "$line" | grep -qE '" 5[0-9]{2} '; then
-                status=$(echo "$line" | grep -oE '" 5[0-9]{2} ' | tr -d '" ')
-                url=$(echo "$line" | awk '{print $7}' | cut -c1-80)
-                ip=$(echo "$line" | awk '{print $1}')
-                domain=$(basename "$log_path" | sed 's/-.*//')
+            # Time filtering (Apache format: [DD/Mon/YYYY:HH:MM:SS +ZONE])
+            if [ "$cutoff_time" != "0" ]; then
+                if [[ "$line" =~ \[([0-9]{2}/[A-Z][a-z]{2}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2}) ]]; then
+                    log_date="${BASH_REMATCH[1]}"
+                    log_time=$(date -d "${log_date/:/ }" +%s 2>/dev/null || echo "0")
+                    [ "$log_time" != "0" ] && [ "$log_time" -lt "$cutoff_time" ] && continue
+                fi
+            fi
+
+            # Extract status code and URL using bash regex and read
+            if [[ "$line" =~ '"'[[:space:]](5[0-9]{2})[[:space:]] ]]; then
+                status="${BASH_REMATCH[1]}"
+
+                # Parse Apache log format: IP - - [timestamp] "METHOD URL PROTOCOL" STATUS SIZE
+                read -r ip _ _ timestamp _ request status_check _ <<< "$line"
+
+                # Extract URL from request (format: "GET /path HTTP/1.1")
+                if [[ "$request" =~ '"'[A-Z]+[[:space:]]([^[:space:]]+) ]]; then
+                    url="${BASH_REMATCH[1]:0:80}"
+                else
+                    url="/"
+                fi
+
+                # Extract timestamp
+                if [[ "$line" =~ \[([^]]+)\] ]]; then
+                    timestamp="${BASH_REMATCH[1]}"
+                else
+                    timestamp=""
+                fi
+
+                # Get domain from log filename
+                domain="${log_path##*/}"  # basename
+                domain="${domain%%-*}"    # remove everything after first dash

                # Apply domain filter if set
                if [ -n "$FILTER_DOMAIN" ] && [ "$domain" != "$FILTER_DOMAIN" ]; then
                    continue
                fi

+                # Determine root cause from status code
+                case $status in
+                    500) root_cause="SERVER_ERROR_500" ;;
+                    502) root_cause="APACHE_CONFIG:bad_gateway" ;;
+                    503) root_cause="APACHE_CONFIG:service_unavailable" ;;
+                    504) root_cause="APACHE_CONFIG:gateway_timeout" ;;
+                    *) root_cause="SERVER_ERROR_5XX" ;;
+                esac
+
                ((critical_found++))
-                echo "$domain||HTTP $status - $url (from $ip)" >> "$CRITICAL_ERRORS"
+                echo "$domain||[$timestamp] HTTP $status - $url (from $ip)|$root_cause" >> "$CRITICAL_ERRORS"
            fi

-        done < <(tail -n 5000 "$log_path" 2>/dev/null)
+        done < <(tail -n 50000 "$log_path" 2>/dev/null)
    else
        # Error log - look for critical errors
+        # Use time-based filtering if possible, otherwise last 50k lines
+        cutoff_time=$(date -d "$HOURS_TO_ANALYZE hours ago" +%s 2>/dev/null || echo "0")
+
        while IFS= read -r line; do
            ((total_lines++))

@@ -400,12 +549,21 @@ while IFS='|' read -r log_path log_type; do
                continue
            fi

+            # Time filtering (Apache/PHP error log format: [Day Mon DD HH:MM:SS YYYY])
+            if [ "$cutoff_time" != "0" ]; then
+                if [[ "$line" =~ \[([A-Z][a-z]{2}\ [A-Z][a-z]{2}\ [0-9]{2}\ [0-9]{2}:[0-9]{2}:[0-9]{2}\ [0-9]{4})\] ]]; then
+                    log_date="${BASH_REMATCH[1]}"
+                    log_time=$(date -d "$log_date" +%s 2>/dev/null || echo "0")
+                    [ "$log_time" != "0" ] && [ "$log_time" -lt "$cutoff_time" ] && continue
+                fi
+            fi
+
            # Apply user/domain filter if set
            if [ -n "$FILTER_USER" ]; then
-                echo "$line" | grep -q "/home/$FILTER_USER" || continue
+                [[ "$line" =~ /home/$FILTER_USER ]] || continue
            fi
            if [ -n "$FILTER_DOMAIN" ]; then
-                echo "$line" | grep -q "$FILTER_DOMAIN" || continue
+                [[ "$line" =~ $FILTER_DOMAIN ]] || continue
            fi

            # Check if it's critical and user-facing
@@ -414,7 +572,7 @@ while IFS='|' read -r log_path log_type; do
                extract_useful_info "$line" >> "$CRITICAL_ERRORS"
            fi

-        done < <(tail -n 10000 "$log_path" 2>/dev/null)
+        done < <(tail -n 50000 "$log_path" 2>/dev/null)
    fi

 done < "$LOG_FILES_LIST"
@@ -462,8 +620,8 @@ echo ""

 # Group identical errors and count them
 awk -F'|' '{
-    key = $1 "|" $3  # domain|error_msg (skip file_path for grouping)
-    file[$1"|"$3] = $2  # Store file path
+    key = $1 "|" $3 "|" $4  # domain|error_msg|root_cause
+    file[$1"|"$3"|"$4] = $2  # Store file path
    count[key]++
 }
 END {
@@ -471,14 +629,15 @@ END {
        split(key, parts, "|")
        domain = parts[1]
        error = parts[2]
+        root_cause = parts[3]
        file_path = file[key]

        # Skip empty errors
-        if (length(error) == 0) next
-
-        print count[key] "|" domain "|" file_path "|" error
+        if (length(error) > 0) {
+            print count[key] "|" domain "|" file_path "|" error "|" root_cause
+        }
    }
-}' "$CRITICAL_ERRORS" | sort -t'|' -k1 -rn | head -20 | while IFS='|' read -r count domain file_path error_msg; do
+}' "$CRITICAL_ERRORS" | sort -t'|' -k1 -rn | head -20 | while IFS='|' read -r count domain file_path error_msg root_cause; do

    # Color code by frequency
    if [ "$count" -ge 10 ]; then
@@ -496,14 +655,150 @@ END {
    [ -n "$domain" ] && [ "$domain" != "unknown" ] && echo "  Domain: $domain"
    [ -n "$file_path" ] && echo "  File: $file_path"
    echo "  Error: $error_msg"
+
+    # Display root cause with color coding and actionable fix
+    if [ -n "$root_cause" ] && [ "$root_cause" != "UNKNOWN" ]; then
+        echo -ne "  ${CYAN}Root Cause: ${BOLD}"
+
+        case "$root_cause" in
+            HTACCESS)
+                echo -e "${YELLOW}⚙️  .htaccess Configuration${NC}"
+                echo "  → Check .htaccess syntax in domain root"
+                echo "  → Look for invalid RewriteRule or directives"
+                ;;
+            MODSECURITY*)
+                rule=$(echo "$root_cause" | cut -d':' -f2)
+                echo -e "${YELLOW}🛡️  ModSecurity WAF Block${NC}"
+                [ -n "$rule" ] && echo "  → Rule ID: $rule"
+                echo "  → Check if this is a false positive"
+                echo "  → Review: /usr/local/apache/logs/modsec_audit.log"
+                ;;
+            PHP_MEMORY*)
+                limit=$(echo "$root_cause" | cut -d':' -f2)
+                echo -e "${RED}💾 PHP Memory Exhausted${NC}"
+                [ -n "$limit" ] && echo "  → Current limit: $limit"
+                echo "  → Increase memory_limit in .user.ini or php.ini"
+                echo "  → Recommended: 256M minimum, 512M for WooCommerce"
+                ;;
+            PHP_TIMEOUT)
+                echo -e "${YELLOW}⏱️  PHP Execution Timeout${NC}"
+                echo "  → Increase max_execution_time in php.ini"
+                echo "  → Recommended: 300 for imports/backups"
+                ;;
+            PHP_UPLOAD_LIMIT)
+                echo -e "${YELLOW}📤 PHP Upload Size Limit${NC}"
+                echo "  → Increase upload_max_filesize and post_max_size"
+                echo "  → Match both values (e.g., 64M)"
+                ;;
+            FILE_PERMISSIONS)
+                echo -e "${RED}🔒 File Permission Denied${NC}"
+                echo "  → Check file ownership and permissions"
+                echo "  → Files should be 644, directories 755"
+                echo "  → Owner should match cPanel user"
+                ;;
+            MISSING_PHP_GD)
+                echo -e "${RED}📦 Missing PHP GD Extension${NC}"
+                echo "  → Install: yum install ea-phpXX-php-gd"
+                echo "  → Required for image processing"
+                ;;
+            MISSING_PHP_CURL)
+                echo -e "${RED}📦 Missing PHP cURL Extension${NC}"
+                echo "  → Install: yum install ea-phpXX-php-curl"
+                ;;
+            MISSING_PHP_*)
+                module=$(echo "$root_cause" | sed 's/MISSING_PHP_//' | tr '[:upper:]' '[:lower:]')
+                echo -e "${RED}📦 Missing PHP Extension: $module${NC}"
+                echo "  → Install: yum install ea-phpXX-php-$module"
+                ;;
+            DB_MAX_CONNECTIONS)
+                echo -e "${RED}🗄️  Database Max Connections Reached${NC}"
+                echo "  → Check: mysql -e 'SHOW VARIABLES LIKE \"max_connections\"'"
+                echo "  → Increase max_connections in my.cnf"
+                echo "  → Or optimize slow queries reducing connection time"
+                ;;
+            DB_AUTH_FAILED)
+                echo -e "${RED}🗄️  Database Authentication Failed${NC}"
+                echo "  → Verify credentials in wp-config.php / config files"
+                echo "  → Check database user permissions"
+                ;;
+            DB_TIMEOUT)
+                echo -e "${YELLOW}🗄️  Database Connection Timeout${NC}"
+                echo "  → MySQL server may be overloaded"
+                echo "  → Check slow query log"
+                ;;
+            DB_ERROR)
+                echo -e "${RED}🗄️  Database Error${NC}"
+                echo "  → Check MySQL error log for details"
+                ;;
+            APACHE_CONFIG*)
+                issue=$(echo "$root_cause" | cut -d':' -f2)
+                echo -e "${YELLOW}⚙️  Apache Configuration${NC}"
+                [ -n "$issue" ] && echo "  → Issue: $issue"
+                echo "  → Check Apache config and vhost settings"
+                ;;
+            PHP_SYNTAX_ERROR)
+                echo -e "${RED}⚠️  PHP Syntax Error in Code${NC}"
+                echo "  → Review recent code changes"
+                echo "  → Check for missing semicolons, brackets, quotes"
+                ;;
+            MISSING_FILE)
+                echo -e "${YELLOW}📄 File Not Found${NC}"
+                echo "  → File may have been deleted or moved"
+                echo "  → Check for broken symlinks"
+                ;;
+            PHP_FATAL_ERROR)
+                echo -e "${RED}⚠️  PHP Fatal Error${NC}"
+                echo "  → Review PHP error logs for details"
+                echo "  → May be compatibility issue or code bug"
+                ;;
+            SERVER_ERROR_500)
+                echo -e "${RED}🔥 Generic 500 Internal Server Error${NC}"
+                echo "  → Check PHP/Apache error logs for specifics"
+                ;;
+            *)
+                echo -e "${NC}$root_cause"
+                ;;
+        esac
+    fi
+
    echo ""
 done

+################################################################################
+# Root Cause Summary
+################################################################################
+
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo " 📊 ROOT CAUSE BREAKDOWN"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo ""
+
+# Count errors by root cause
+cut -d'|' -f4 "$CRITICAL_ERRORS" | grep -v "^$" | sort | uniq -c | sort -rn | while read -r count cause; do
+    # Clean up cause display
+    clean_cause=$(echo "$cause" | sed 's/:.*//; s/_/ /g')
+
+    # Color code by severity
+    case "$cause" in
+        PHP_MEMORY*|DB_MAX_CONNECTIONS|PHP_FATAL_ERROR|SERVER_ERROR_500)
+            color="${RED}"; icon="🔥" ;;
+        HTACCESS|MODSECURITY*|PHP_TIMEOUT|DB_*)
+            color="${YELLOW}"; icon="⚠️ " ;;
+        MISSING_PHP*|FILE_PERMISSIONS)
+            color="${YELLOW}"; icon="📦" ;;
+        *)
+            color="${INFO_COLOR}"; icon="•" ;;
+    esac
+
+    printf "  ${color}${icon} %-35s %4d errors${NC}\n" "$clean_cause" "$count"
+done
+
+echo ""
+
 ################################################################################
 # Intelligent Recommendations
 ################################################################################

-echo ""
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo " 🔧 RECOMMENDED ACTIONS"
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+################################################################################
+# WordPress Management Menu
+################################################################################
+# Purpose: Submenu for WordPress-specific management tools
+# Features:
+# - WordPress cron management
+# - (Future: plugin updates, theme management, security hardening, etc.)
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+
+if [ "$EUID" -ne 0 ]; then
+    print_error "This menu must be run as root"
+    exit 1
+fi
+
+# Main menu loop
+while true; do
+    clear
+    print_banner "WordPress Management"
+
+    echo ""
+    echo -e "${BOLD}Available WordPress Tools${NC}"
+    echo ""
+    echo "  1) WordPress Cron Manager"
+    echo "     └─ Convert WordPress sites from wp-cron to system cron"
+    echo ""
+    echo "  ${DIM}2) WordPress Plugin Manager (Coming Soon)"
+    echo "     └─ Bulk update, scan vulnerabilities, manage plugins${NC}"
+    echo ""
+    echo "  ${DIM}3) WordPress Security Hardening (Coming Soon)"
+    echo "     └─ Apply security best practices, file permissions${NC}"
+    echo ""
+    echo "  ${DIM}4) WordPress Theme Manager (Coming Soon)"
+    echo "     └─ Update themes, check compatibility${NC}"
+    echo ""
+    echo "  0) Return to Website Diagnostics Menu"
+    echo ""
+    echo -n "Select option: "
+    read -r choice
+
+    case "$choice" in
+        1)
+            bash "$SCRIPT_DIR/modules/website/wordpress/wordpress-cron-manager.sh"
+            ;;
+        2|3|4)
+            echo ""
+            print_warning "This feature is coming soon!"
+            echo ""
+            press_enter
+            ;;
+        0)
+            exit 0
+            ;;
+        *)
+            print_error "Invalid option"
+            sleep 1
+            ;;
+    esac
+done
@@ -0,0 +1,830 @@
+#!/bin/bash
+
+################################################################################
+# WordPress Cron Manager
+################################################################################
+# Purpose: Disable wp-cron and convert to real system cron jobs
+# Features:
+# - Detect all WordPress installations
+# - Disable DISABLE_WP_CRON in wp-config.php
+# - Add proper cron jobs for scheduled tasks
+# - Server-wide, per-user, or per-domain operations
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../../.." && pwd)"
+source "$SCRIPT_DIR/lib/common-functions.sh"
+source "$SCRIPT_DIR/lib/system-detect.sh"
+
+if [ "$EUID" -ne 0 ]; then
+    print_error "This script must be run as root"
+    exit 1
+fi
+
+# Global counter for staggering cron times
+CRON_OFFSET=0
+
+# Function to generate staggered cron time
+# Distributes jobs across 15 minutes to avoid load spikes
+generate_staggered_cron() {
+    local minute=$((CRON_OFFSET % 15))
+
+    # Create pattern: 0,15,30,45 but offset by the calculated minute
+    local minutes=""
+    for base in 0 15 30 45; do
+        local actual_minute=$(( (base + minute) % 60 ))
+        if [ -z "$minutes" ]; then
+            minutes="$actual_minute"
+        else
+            minutes="$minutes,$actual_minute"
+        fi
+    done
+
+    # Increment offset for next site (wraps at 15)
+    CRON_OFFSET=$((CRON_OFFSET + 1))
+
+    echo "$minutes * * * *"
+}
+
+# Function to safely modify wp-config.php to disable wp-cron
+# Returns 0 on success, 1 on failure
+disable_wpcron_in_config() {
+    local wp_config="$1"
+
+    # Check if file exists and is writable
+    if [ ! -f "$wp_config" ] || [ ! -w "$wp_config" ]; then
+        return 1
+    fi
+
+    # First, remove any existing DISABLE_WP_CRON lines (anywhere in file)
+    # This ensures clean placement even if previously added in wrong location
+    if grep -q "DISABLE_WP_CRON" "$wp_config" 2>/dev/null; then
+        sed -i.wpbak "/define\s*(\s*['\"]DISABLE_WP_CRON['\"]/d" "$wp_config"
+    else
+        # Create backup even if no existing line
+        cp "$wp_config" "${wp_config}.wpbak"
+    fi
+
+    # Now add it in the proper location - before "stop editing" comment
+    if grep -q "stop editing" "$wp_config" 2>/dev/null; then
+        # Add before "stop editing" line (proper WordPress convention)
+        sed -i "/stop editing/i \\
+define('DISABLE_WP_CRON', true);" "$wp_config"
+    elif grep -q "<?php" "$wp_config"; then
+        # Fallback: if no "stop editing" found, add after opening PHP tag
+        sed -i "/<?php/a \\
+define('DISABLE_WP_CRON', true);" "$wp_config"
+    else
+        # Restore backup if file format is unexpected
+        if [ -f "${wp_config}.wpbak" ]; then
+            mv "${wp_config}.wpbak" "$wp_config"
+        fi
+        return 1
+    fi
+
+    # Verify the change was successful
+    if grep -E "^[^/]*define\s*\(\s*['\"]DISABLE_WP_CRON['\"]\s*,\s*true\s*\)" "$wp_config" >/dev/null 2>&1; then
+        # Remove backup if successful
+        rm -f "${wp_config}.wpbak"
+        return 0
+    else
+        # Restore backup if verification failed
+        if [ -f "${wp_config}.wpbak" ]; then
+            mv "${wp_config}.wpbak" "$wp_config"
+        fi
+        return 1
+    fi
+}
+
+# Function to safely re-enable wp-cron (revert changes)
+# Returns 0 on success, 1 on failure
+enable_wpcron_in_config() {
+    local wp_config="$1"
+
+    # Check if file exists and is writable
+    if [ ! -f "$wp_config" ] || [ ! -w "$wp_config" ]; then
+        return 1
+    fi
+
+    # Check if DISABLE_WP_CRON exists and is set to true
+    if grep -E "^[^/]*define\s*\(\s*['\"]DISABLE_WP_CRON['\"]\s*,\s*true\s*\)" "$wp_config" >/dev/null 2>&1; then
+        # Remove or comment out the line
+        sed -i.wpbak "/^[^/]*define\s*(\s*['\"]DISABLE_WP_CRON['\"]\s*,\s*true\s*)/d" "$wp_config"
+
+        # Verify removal was successful
+        if ! grep -E "^[^/]*define\s*\(\s*['\"]DISABLE_WP_CRON['\"]\s*,\s*true\s*\)" "$wp_config" >/dev/null 2>&1; then
+            rm -f "${wp_config}.wpbak"
+            return 0
+        else
+            # Restore backup if removal failed
+            if [ -f "${wp_config}.wpbak" ]; then
+                mv "${wp_config}.wpbak" "$wp_config"
+            fi
+            return 1
+        fi
+    else
+        # DISABLE_WP_CRON not found or already disabled
+        return 0
+    fi
+}
+
+clear
+print_banner "WordPress Cron Manager"
+
+echo ""
+echo -e "${BOLD}What would you like to do?${NC}"
+echo ""
+echo -e "${GREEN}Enable System Cron:${NC}"
+echo "  1) Scan for WordPress installations"
+echo "  2) Disable wp-cron for specific domain"
+echo "  3) Disable wp-cron for specific user (all their WP sites)"
+echo "  4) Disable wp-cron server-wide (all WordPress sites)"
+echo ""
+echo -e "${YELLOW}Revert to WP-Cron:${NC}"
+echo "  6) Re-enable wp-cron for specific domain"
+echo "  7) Re-enable wp-cron for specific user (all their WP sites)"
+echo "  8) Re-enable wp-cron server-wide (all WordPress sites)"
+echo ""
+echo -e "${CYAN}Status & Information:${NC}"
+echo "  5) Check wp-cron status for domain/user"
+echo ""
+echo "  0) Return to menu"
+echo ""
+echo -n "Select option [0]: "
+read -r choice
+choice="${choice:-0}"
+
+case "$choice" in
+    1)
+        # Scan for WordPress installations
+        echo ""
+        print_banner "WordPress Installation Scanner"
+        echo ""
+
+        echo "Scanning for WordPress installations..."
+        echo ""
+
+        # Find all wp-config.php files in home directories
+        wp_sites=$(find /home/*/public_html -name "wp-config.php" -type f 2>/dev/null)
+
+        if [ -z "$wp_sites" ]; then
+            echo -e "${YELLOW}No WordPress installations found${NC}"
+        else
+            count=0
+            echo -e "${BOLD}Found WordPress Installations:${NC}"
+            echo ""
+
+            while IFS= read -r config_file; do
+                count=$((count + 1))
+
+                # Extract info
+                site_path=$(dirname "$config_file")
+                user=$(echo "$site_path" | cut -d'/' -f3)
+
+                # Try to find domain
+                domain="(unknown domain)"
+                if [ -f "/var/cpanel/userdata/$user/main" ]; then
+                    domain=$(grep -m1 "^servername:" "/var/cpanel/userdata/$user/main" 2>/dev/null | awk '{print $2}')
+                fi
+
+                # Check if wp-cron is disabled
+                if grep -q "define.*DISABLE_WP_CRON.*true" "$config_file" 2>/dev/null; then
+                    status="${GREEN}✓ Disabled (using system cron)${NC}"
+                else
+                    status="${YELLOW}⚠ Enabled (default wp-cron)${NC}"
+                fi
+
+                echo -e "${count}. ${BOLD}$domain${NC}"
+                echo "   Path: $site_path"
+                echo "   User: $user"
+                echo "   Status: $status"
+                echo ""
+            done <<< "$wp_sites"
+
+            echo -e "${CYAN}Total WordPress installations: $count${NC}"
+        fi
+        ;;
+
+    2)
+        # Disable wp-cron for specific domain
+        echo ""
+        echo -n "Enter domain name (or 0 to cancel): "
+        read -r domain
+
+        if [ -z "$domain" ] || [ "$domain" = "0" ]; then
+            echo "Operation cancelled."
+            press_enter
+            exit 0
+        fi
+
+        # Find WordPress installation for this domain
+        echo ""
+        echo "Searching for WordPress installation for $domain..."
+
+        # Try to find via cPanel user data
+        # Search both main_domain (in main files) and servername (in domain files)
+        wp_config=""
+
+        # Method 1: Check main_domain in /var/cpanel/userdata/*/main files
+        for userdata_file in /var/cpanel/userdata/*/main; do
+            if grep -q "^main_domain: $domain" "$userdata_file" 2>/dev/null; then
+                user=$(basename "$(dirname "$userdata_file")")
+                potential_config="/home/$user/public_html/wp-config.php"
+                if [ -f "$potential_config" ]; then
+                    wp_config="$potential_config"
+                    break
+                fi
+            fi
+        done
+
+        # Method 2: If not found, search all domain-specific files for servername
+        if [ -z "$wp_config" ]; then
+            for userdata_file in /var/cpanel/userdata/*/*; do
+                # Skip cache files and main files
+                [[ "$userdata_file" == *.cache ]] && continue
+                [[ "$userdata_file" == */main ]] && continue
+                [[ "$userdata_file" == */cache ]] && continue
+                [[ "$userdata_file" == */cache.json ]] && continue
+
+                if grep -q "^servername: $domain" "$userdata_file" 2>/dev/null; then
+                    user=$(basename "$(dirname "$userdata_file")")
+                    potential_config="/home/$user/public_html/wp-config.php"
+                    if [ -f "$potential_config" ]; then
+                        wp_config="$potential_config"
+                        break
+                    fi
+                fi
+            done
+        fi
+
+        if [ -z "$wp_config" ]; then
+            print_error "WordPress installation not found for $domain"
+            press_enter
+            exit 1
+        fi
+
+        echo -e "${GREEN}Found WordPress:${NC} $wp_config"
+        echo ""
+
+        # Check if already disabled
+        if grep -q "define.*DISABLE_WP_CRON.*true" "$wp_config" 2>/dev/null; then
+            echo -e "${YELLOW}wp-cron is already disabled for this site${NC}"
+            echo ""
+            echo -n "Re-configure anyway? (y/n) [n]: "
+            read -r confirm
+            if [ "$confirm" != "y" ] && [ "$confirm" != "Y" ]; then
+                press_enter
+                exit 0
+            fi
+        fi
+
+        # Backup wp-config.php
+        cp "$wp_config" "${wp_config}.backup-$(date +%Y%m%d-%H%M%S)"
+        echo -e "${GREEN}✓${NC} Backed up wp-config.php"
+
+        # Safely disable wp-cron in wp-config.php
+        if disable_wpcron_in_config "$wp_config"; then
+            echo -e "${GREEN}✓${NC} Set DISABLE_WP_CRON to true in wp-config.php"
+        else
+            print_error "Failed to modify wp-config.php"
+            echo "  Please check file permissions and syntax"
+            press_enter
+            exit 1
+        fi
+
+        # Add cron job with staggered timing
+        site_path=$(dirname "$wp_config")
+        cron_cmd="cd $site_path && /usr/bin/php -q wp-cron.php >/dev/null 2>&1"
+
+        # Add to user's crontab
+        user=$(echo "$site_path" | cut -d'/' -f3)
+
+        # Check if cron job already exists
+        if crontab -u "$user" -l 2>/dev/null | grep -q "$site_path.*wp-cron.php"; then
+            echo -e "${YELLOW}⚠${NC} Cron job already exists for this site"
+        else
+            # Generate staggered cron time
+            cron_time=$(generate_staggered_cron)
+            (crontab -u "$user" -l 2>/dev/null; echo "$cron_time $cron_cmd") | crontab -u "$user" -
+            echo -e "${GREEN}✓${NC} Added cron job ($cron_time)"
+        fi
+
+        echo ""
+        print_success "WordPress cron converted to system cron for $domain"
+        echo ""
+        echo "Changes made:"
+        echo "  • DISABLE_WP_CRON set to true in wp-config.php"
+        echo "  • System cron job added (every 15 minutes)"
+        echo "  • Backup saved: ${wp_config}.backup-*"
+        ;;
+
+    3)
+        # Disable wp-cron for specific user
+        echo ""
+        echo -n "Enter cPanel username (or 0 to cancel): "
+        read -r target_user
+
+        if [ -z "$target_user" ] || [ "$target_user" = "0" ]; then
+            echo "Operation cancelled."
+            press_enter
+            exit 0
+        fi
+
+        if [ ! -d "/home/$target_user" ]; then
+            print_error "User $target_user does not exist"
+            press_enter
+            exit 1
+        fi
+
+        echo ""
+        echo "Searching for WordPress installations for user: $target_user"
+        echo ""
+
+        wp_configs=$(find "/home/$target_user" -name "wp-config.php" -type f 2>/dev/null)
+
+        if [ -z "$wp_configs" ]; then
+            print_error "No WordPress installations found for $target_user"
+            press_enter
+            exit 1
+        fi
+
+        count=0
+        echo "$wp_configs" | while IFS= read -r wp_config; do
+            count=$((count + 1))
+            site_path=$(dirname "$wp_config")
+
+            echo -e "${BOLD}Site $count:${NC} $site_path"
+
+            # Backup
+            cp "$wp_config" "${wp_config}.backup-$(date +%Y%m%d-%H%M%S)" 2>/dev/null
+            echo "  • Backed up wp-config.php"
+
+            # Safely disable wp-cron
+            if disable_wpcron_in_config "$wp_config"; then
+                echo "  • Set DISABLE_WP_CRON to true"
+            else
+                echo "  • ${YELLOW}Warning: Could not modify wp-config.php${NC}"
+                echo ""
+                continue
+            fi
+
+            # Add cron job with staggered timing
+            cron_cmd="cd $site_path && /usr/bin/php -q wp-cron.php >/dev/null 2>&1"
+
+            if ! crontab -u "$target_user" -l 2>/dev/null | grep -q "$site_path.*wp-cron.php"; then
+                cron_time=$(generate_staggered_cron)
+                (crontab -u "$target_user" -l 2>/dev/null; echo "$cron_time $cron_cmd") | crontab -u "$target_user" -
+                echo "  • Added cron job ($cron_time)"
+            else
+                echo "  • Cron job already exists"
+            fi
+
+            echo ""
+        done
+
+        print_success "All WordPress sites for $target_user converted to system cron"
+        ;;
+
+    4)
+        # Server-wide conversion
+        echo ""
+        echo -e "${RED}${BOLD}WARNING: Server-Wide wp-cron Conversion${NC}"
+        echo ""
+        echo "This will:"
+        echo "  • Find ALL WordPress installations on the server"
+        echo "  • Disable wp-cron in each wp-config.php"
+        echo "  • Add system cron jobs for each user"
+        echo ""
+        echo -n "Are you sure? Type 'yes' to confirm: "
+        read -r confirm
+
+        if [ "$confirm" != "yes" ]; then
+            echo "Cancelled"
+            press_enter
+            exit 0
+        fi
+
+        echo ""
+        echo "Scanning entire server for WordPress installations..."
+        echo ""
+
+        total=0
+        converted=0
+
+        wp_configs=$(find /home/*/public_html -name "wp-config.php" -type f 2>/dev/null)
+
+        if [ -z "$wp_configs" ]; then
+            echo -e "${YELLOW}No WordPress installations found${NC}"
+            press_enter
+            exit 0
+        fi
+
+        while IFS= read -r wp_config; do
+            total=$((total + 1))
+            site_path=$(dirname "$wp_config")
+            user=$(echo "$site_path" | cut -d'/' -f3)
+
+            echo -e "${BOLD}Processing:${NC} $site_path (user: $user)"
+
+            # Backup
+            cp "$wp_config" "${wp_config}.backup-$(date +%Y%m%d-%H%M%S)" 2>/dev/null
+
+            # Safely disable wp-cron
+            if ! disable_wpcron_in_config "$wp_config"; then
+                echo -e "${YELLOW}⚠ Failed to modify wp-config.php${NC}"
+                echo ""
+                continue
+            fi
+
+            # Add cron job with staggered timing
+            cron_cmd="cd $site_path && /usr/bin/php -q wp-cron.php >/dev/null 2>&1"
+
+            if ! crontab -u "$user" -l 2>/dev/null | grep -q "$site_path.*wp-cron.php"; then
+                cron_time=$(generate_staggered_cron)
+                (crontab -u "$user" -l 2>/dev/null; echo "$cron_time $cron_cmd") | crontab -u "$user" - 2>/dev/null
+                echo "  Cron: $cron_time"
+            fi
+
+            converted=$((converted + 1))
+            echo -e "${GREEN}✓${NC} Converted"
+            echo ""
+        done <<< "$wp_configs"
+
+        echo ""
+        print_success "Server-wide conversion complete"
+        echo ""
+        echo "Summary:"
+        echo "  • Total WordPress sites found: $total"
+        echo "  • Successfully converted: $converted"
+        ;;
+
+    5)
+        # Check status
+        echo ""
+        echo "Check wp-cron status for:"
+        echo "  1) Specific domain"
+        echo "  2) Specific user"
+        echo "  0) Cancel"
+        echo ""
+        echo -n "Select [1]: "
+        read -r check_choice
+        check_choice="${check_choice:-1}"
+
+        if [ "$check_choice" = "0" ]; then
+            echo "Operation cancelled."
+            press_enter
+            exit 0
+        elif [ "$check_choice" = "1" ]; then
+            echo ""
+            echo -n "Enter domain name (or 0 to cancel): "
+            read -r domain
+
+            if [ -z "$domain" ] || [ "$domain" = "0" ]; then
+                echo "Operation cancelled."
+                press_enter
+                exit 0
+            fi
+
+            # Find WordPress for domain
+            wp_config=""
+
+            # Method 1: Check main_domain in main files
+            for userdata_file in /var/cpanel/userdata/*/main; do
+                if grep -q "^main_domain: $domain" "$userdata_file" 2>/dev/null; then
+                    user=$(basename "$(dirname "$userdata_file")")
+                    potential_config="/home/$user/public_html/wp-config.php"
+                    if [ -f "$potential_config" ]; then
+                        wp_config="$potential_config"
+                        break
+                    fi
+                fi
+            done
+
+            # Method 2: Search domain-specific files for servername
+            if [ -z "$wp_config" ]; then
+                for userdata_file in /var/cpanel/userdata/*/*; do
+                    [[ "$userdata_file" == *.cache ]] && continue
+                    [[ "$userdata_file" == */main ]] && continue
+                    [[ "$userdata_file" == */cache ]] && continue
+                    [[ "$userdata_file" == */cache.json ]] && continue
+
+                    if grep -q "^servername: $domain" "$userdata_file" 2>/dev/null; then
+                        user=$(basename "$(dirname "$userdata_file")")
+                        potential_config="/home/$user/public_html/wp-config.php"
+                        if [ -f "$potential_config" ]; then
+                            wp_config="$potential_config"
+                            break
+                        fi
+                    fi
+                done
+            fi
+
+            if [ -z "$wp_config" ]; then
+                print_error "WordPress not found for $domain"
+                press_enter
+                exit 1
+            fi
+
+            echo ""
+            echo -e "${BOLD}WordPress Cron Status for $domain${NC}"
+            echo ""
+            echo "Config file: $wp_config"
+            echo ""
+
+            if grep -q "define.*DISABLE_WP_CRON.*true" "$wp_config" 2>/dev/null; then
+                echo -e "wp-cron: ${GREEN}DISABLED${NC} (using system cron)"
+
+                # Check for cron job
+                site_path=$(dirname "$wp_config")
+                user=$(echo "$site_path" | cut -d'/' -f3)
+
+                if crontab -u "$user" -l 2>/dev/null | grep -q "wp-cron.php"; then
+                    echo -e "System cron: ${GREEN}CONFIGURED${NC}"
+                    echo ""
+                    echo "Cron jobs:"
+                    crontab -u "$user" -l 2>/dev/null | grep "wp-cron.php"
+                else
+                    echo -e "System cron: ${RED}NOT CONFIGURED${NC}"
+                fi
+            else
+                echo -e "wp-cron: ${YELLOW}ENABLED${NC} (default WordPress cron)"
+                echo ""
+                echo "Recommendation: Disable wp-cron and use system cron for better performance"
+            fi
+
+        else
+            echo ""
+            echo -n "Enter cPanel username (or 0 to cancel): "
+            read -r check_user
+
+            if [ -z "$check_user" ] || [ "$check_user" = "0" ]; then
+                echo "Operation cancelled."
+                press_enter
+                exit 0
+            fi
+
+            if [ ! -d "/home/$check_user" ]; then
+                print_error "User $check_user does not exist"
+                press_enter
+                exit 1
+            fi
+
+            echo ""
+            echo -e "${BOLD}WordPress Cron Status for user: $check_user${NC}"
+            echo ""
+
+            wp_configs=$(find "/home/$check_user" -name "wp-config.php" -type f 2>/dev/null)
+
+            if [ -z "$wp_configs" ]; then
+                echo "No WordPress installations found"
+            else
+                count=0
+                while IFS= read -r wp_config; do
+                    count=$((count + 1))
+                    site_path=$(dirname "$wp_config")
+
+                    echo -e "${count}. ${BOLD}$site_path${NC}"
+
+                    if grep -q "define.*DISABLE_WP_CRON.*true" "$wp_config" 2>/dev/null; then
+                        echo "   wp-cron: ${GREEN}DISABLED${NC}"
+                    else
+                        echo "   wp-cron: ${YELLOW}ENABLED${NC}"
+                    fi
+                    echo ""
+                done <<< "$wp_configs"
+
+                # Show cron jobs
+                echo -e "${BOLD}Cron Jobs:${NC}"
+                if crontab -u "$check_user" -l 2>/dev/null | grep -q "wp-cron.php"; then
+                    crontab -u "$check_user" -l 2>/dev/null | grep "wp-cron.php"
+                else
+                    echo "  No wp-cron jobs found"
+                fi
+            fi
+        fi
+        ;;
+
+    6)
+        # Re-enable wp-cron for specific domain
+        echo ""
+        echo -n "Enter domain name (or 0 to cancel): "
+        read -r domain
+
+        if [ -z "$domain" ] || [ "$domain" = "0" ]; then
+            echo "Operation cancelled."
+            press_enter
+            exit 0
+        fi
+
+        # Find WordPress installation
+        wp_config=""
+
+        # Method 1: Check main_domain in main files
+        for userdata_file in /var/cpanel/userdata/*/main; do
+            if grep -q "^main_domain: $domain" "$userdata_file" 2>/dev/null; then
+                user=$(basename "$(dirname "$userdata_file")")
+                potential_config="/home/$user/public_html/wp-config.php"
+                if [ -f "$potential_config" ]; then
+                    wp_config="$potential_config"
+                    break
+                fi
+            fi
+        done
+
+        # Method 2: Search domain-specific files for servername
+        if [ -z "$wp_config" ]; then
+            for userdata_file in /var/cpanel/userdata/*/*; do
+                [[ "$userdata_file" == *.cache ]] && continue
+                [[ "$userdata_file" == */main ]] && continue
+                [[ "$userdata_file" == */cache ]] && continue
+                [[ "$userdata_file" == */cache.json ]] && continue
+
+                if grep -q "^servername: $domain" "$userdata_file" 2>/dev/null; then
+                    user=$(basename "$(dirname "$userdata_file")")
+                    potential_config="/home/$user/public_html/wp-config.php"
+                    if [ -f "$potential_config" ]; then
+                        wp_config="$potential_config"
+                        break
+                    fi
+                fi
+            done
+        fi
+
+        if [ -z "$wp_config" ]; then
+            print_error "WordPress installation not found for $domain"
+            press_enter
+            exit 1
+        fi
+
+        echo -e "${GREEN}Found WordPress:${NC} $wp_config"
+        echo ""
+
+        # Backup wp-config.php
+        cp "$wp_config" "${wp_config}.backup-$(date +%Y%m%d-%H%M%S)"
+        echo -e "${GREEN}✓${NC} Backed up wp-config.php"
+
+        # Re-enable wp-cron
+        if enable_wpcron_in_config "$wp_config"; then
+            echo -e "${GREEN}✓${NC} Removed DISABLE_WP_CRON from wp-config.php"
+        else
+            echo -e "${YELLOW}⚠${NC} DISABLE_WP_CRON not found or already enabled"
+        fi
+
+        # Remove cron job
+        site_path=$(dirname "$wp_config")
+        user=$(echo "$site_path" | cut -d'/' -f3)
+
+        if crontab -u "$user" -l 2>/dev/null | grep -q "$site_path.*wp-cron.php"; then
+            crontab -u "$user" -l 2>/dev/null | grep -v "$site_path.*wp-cron.php" | crontab -u "$user" -
+            echo -e "${GREEN}✓${NC} Removed cron job from user crontab"
+        else
+            echo -e "${YELLOW}⚠${NC} No cron job found for this site"
+        fi
+
+        echo ""
+        print_success "WordPress cron reverted to default for $domain"
+        ;;
+
+    7)
+        # Re-enable wp-cron for specific user
+        echo ""
+        echo -n "Enter cPanel username (or 0 to cancel): "
+        read -r target_user
+
+        if [ -z "$target_user" ] || [ "$target_user" = "0" ]; then
+            echo "Operation cancelled."
+            press_enter
+            exit 0
+        fi
+
+        if [ ! -d "/home/$target_user" ]; then
+            print_error "User $target_user does not exist"
+            press_enter
+            exit 1
+        fi
+
+        echo ""
+        echo "Reverting WordPress installations for user: $target_user"
+        echo ""
+
+        wp_configs=$(find "/home/$target_user" -name "wp-config.php" -type f 2>/dev/null)
+
+        if [ -z "$wp_configs" ]; then
+            print_error "No WordPress installations found for $target_user"
+            press_enter
+            exit 1
+        fi
+
+        count=0
+        echo "$wp_configs" | while IFS= read -r wp_config; do
+            count=$((count + 1))
+            site_path=$(dirname "$wp_config")
+
+            echo -e "${BOLD}Site $count:${NC} $site_path"
+
+            # Backup
+            cp "$wp_config" "${wp_config}.backup-$(date +%Y%m%d-%H%M%S)" 2>/dev/null
+            echo "  • Backed up wp-config.php"
+
+            # Re-enable wp-cron
+            if enable_wpcron_in_config "$wp_config"; then
+                echo "  • Removed DISABLE_WP_CRON"
+            else
+                echo "  • Already using default wp-cron"
+            fi
+
+            echo ""
+        done
+
+        # Remove all wp-cron jobs for this user
+        if crontab -u "$target_user" -l 2>/dev/null | grep -q "wp-cron.php"; then
+            crontab -u "$target_user" -l 2>/dev/null | grep -v "wp-cron.php" | crontab -u "$target_user" -
+            echo -e "${GREEN}✓${NC} Removed all wp-cron jobs from user crontab"
+        fi
+
+        print_success "All WordPress sites for $target_user reverted to default wp-cron"
+        ;;
+
+    8)
+        # Server-wide revert
+        echo ""
+        echo -e "${RED}${BOLD}WARNING: Server-Wide Revert${NC}"
+        echo ""
+        echo "This will:"
+        echo "  • Find ALL WordPress installations on the server"
+        echo "  • Remove DISABLE_WP_CRON from each wp-config.php"
+        echo "  • Remove all wp-cron system cron jobs"
+        echo ""
+        echo -n "Are you sure? Type 'yes' to confirm: "
+        read -r confirm
+
+        if [ "$confirm" != "yes" ]; then
+            echo "Cancelled"
+            press_enter
+            exit 0
+        fi
+
+        echo ""
+        echo "Scanning entire server for WordPress installations..."
+        echo ""
+
+        total=0
+        reverted=0
+
+        wp_configs=$(find /home/*/public_html -name "wp-config.php" -type f 2>/dev/null)
+
+        if [ -z "$wp_configs" ]; then
+            echo -e "${YELLOW}No WordPress installations found${NC}"
+            press_enter
+            exit 0
+        fi
+
+        while IFS= read -r wp_config; do
+            total=$((total + 1))
+            site_path=$(dirname "$wp_config")
+            user=$(echo "$site_path" | cut -d'/' -f3)
+
+            echo -e "${BOLD}Processing:${NC} $site_path (user: $user)"
+
+            # Backup
+            cp "$wp_config" "${wp_config}.backup-$(date +%Y%m%d-%H%M%S)" 2>/dev/null
+
+            # Re-enable wp-cron
+            if enable_wpcron_in_config "$wp_config"; then
+                reverted=$((reverted + 1))
+                echo -e "${GREEN}✓${NC} Reverted"
+            else
+                echo -e "${YELLOW}⚠${NC} Already using default wp-cron"
+            fi
+            echo ""
+        done <<< "$wp_configs"
+
+        # Remove all wp-cron jobs from all users
+        echo ""
+        echo "Removing wp-cron jobs from user crontabs..."
+        for user_home in /home/*; do
+            user=$(basename "$user_home")
+            if crontab -u "$user" -l 2>/dev/null | grep -q "wp-cron.php"; then
+                crontab -u "$user" -l 2>/dev/null | grep -v "wp-cron.php" | crontab -u "$user" - 2>/dev/null
+                echo "  • Removed cron jobs for user: $user"
+            fi
+        done
+
+        echo ""
+        print_success "Server-wide revert complete"
+        echo ""
+        echo "Summary:"
+        echo "  • Total WordPress sites found: $total"
+        echo "  • Successfully reverted: $reverted"
+        ;;
+
+    0)
+        exit 0
+        ;;
+
+    *)
+        print_error "Invalid option"
+        ;;
+esac
+
+echo ""
+press_enter
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+################################################################################
+# Wrapper script for Server Toolkit
+################################################################################
+# This wrapper allows proper history cleanup by running in the current shell
+################################################################################
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Fix HISTFILE if set to non-existent path (prevents crashes on sourcing)
+if [ -n "$HISTFILE" ]; then
+    HISTFILE_DIR="$(dirname "$HISTFILE" 2>/dev/null)"
+    if [ ! -d "$HISTFILE_DIR" ] 2>/dev/null; then
+        # Fallback to default history location
+        export HISTFILE="$HOME/.bash_history"
+    fi
+fi
+
+# Check if being sourced or executed
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    echo "ERROR: This script must be sourced, not executed."
+    echo ""
+    echo "Run it like this:"
+    echo "  source $0"
+    echo ""
+    echo "Or use the alias:"
+    echo "  . $0"
+    exit 1
+fi
+
+# Run the launcher
+bash "$SCRIPT_DIR/launcher.sh"
+
+# Check if cleanup is requested
+if [ -f /tmp/.cleanup_requested ]; then
+    rm -f /tmp/.cleanup_requested
+
+    # Clean history in current shell
+    GREP_PATTERN="git\.mull\.lol|linux-server-management-toolkit|server-toolkit|launcher\.sh|erase-toolkit-traces|run\.sh"
+
+    if [ -f ~/.bash_history ]; then
+        cp ~/.bash_history ~/.bash_history.bak.$$
+        grep -Ev "$GREP_PATTERN" ~/.bash_history.bak.$$ > ~/.bash_history 2>/dev/null || true
+        rm -f ~/.bash_history.bak.$$
+    fi
+
+    # Clear current shell's history
+    history -c
+    history -r ~/.bash_history
+    unset HISTFILE
+    set +o history
+
+    # Remove toolkit directory
+    cd /root 2>/dev/null
+    rm -rf "$SCRIPT_DIR" 2>/dev/null
+
+    clear
+    echo ""
+    echo "✓ All traces removed"
+    echo ""
+    echo "Type 'exit' and start a new shell."
+    echo ""
+fi
@@ -12,25 +12,31 @@ source "$SCRIPT_DIR/lib/common-functions.sh" 2>/dev/null || true

 print_banner "Toolkit Trace Eraser"

-echo ""
-echo "This will remove all traces of the Server Toolkit from:"
-echo "  • Bash history (all toolkit-related commands)"
-echo "  • System logs (toolkit operations)"
-echo "  • Download records"
-echo "  • Temporary files"
-echo ""
-echo -e "${RED}WARNING: This cannot be undone!${NC}"
-echo ""
-read -p "Are you sure you want to proceed? (yes/no): " confirm
+# Check if running in auto mode (from launcher exit)
+if [ "$TRACE_ERASER_AUTO" != "yes" ]; then
+    echo ""
+    echo "This will remove all traces of the Server Toolkit from:"
+    echo "  • Bash history (all toolkit-related commands)"
+    echo "  • System logs (toolkit operations)"
+    echo "  • Download records"
+    echo "  • Temporary files"
+    echo ""
+    echo -e "${RED}WARNING: This cannot be undone!${NC}"
+    echo ""
+    read -p "Are you sure you want to proceed? (yes/no): " confirm

-if [ "$confirm" != "yes" ]; then
-    echo "Cancelled."
-    exit 0
+    if [ "$confirm" != "yes" ]; then
+        echo "Cancelled."
+        exit 0
+    fi
 fi

-echo ""
-echo "Removing traces..."
-echo ""
+# Only show progress if not in auto mode
+if [ "$TRACE_ERASER_AUTO" != "yes" ]; then
+    echo ""
+    echo "Removing traces..."
+    echo ""
+fi

 # Patterns to remove from history
 PATTERNS=(
@@ -50,51 +56,24 @@ PATTERNS=(
    "erase-toolkit-traces"
 )

-# Clean bash history for root
-if [ -f ~/.bash_history ]; then
-    echo "→ Cleaning root bash history..."
-    cp ~/.bash_history ~/.bash_history.bak
+# Clean bash history for root (will be done at the end to avoid re-adding entries)
+CLEAN_HISTORY=true

-    for pattern in "${PATTERNS[@]}"; do
-        sed -i "/$pattern/d" ~/.bash_history
-    done
+# Skip user bash histories - only clean root
+# (User histories are not touched to avoid affecting normal user operations)

-    # Also clean in-memory history
-    for pattern in "${PATTERNS[@]}"; do
-        history | grep -i "$pattern" | awk '{print $1}' | while read -r num; do
-            history -d "$num" 2>/dev/null
-        done
-    done
-
-    echo "  ✓ Root history cleaned"
-fi
-
-# Clean bash history for all users
-echo "→ Checking user histories..."
-for user_home in /home/*; do
-    if [ -f "$user_home/.bash_history" ]; then
-        username=$(basename "$user_home")
-        echo "  → Cleaning history for $username..."
-
-        for pattern in "${PATTERNS[@]}"; do
-            sed -i "/$pattern/d" "$user_home/.bash_history"
-        done
-
-        echo "    ✓ Cleaned"
-    fi
-done
-
-# Clean system logs
+# Clean system logs (pattern-based for logs, not history)
 echo "→ Cleaning system logs..."
 if [ -f /var/log/messages ]; then
    for pattern in "${PATTERNS[@]}"; do
-        sed -i "/$pattern/d" /var/log/messages 2>/dev/null
+        # Use grep -v instead of sed to avoid regex issues
+        grep -v "$pattern" /var/log/messages > /var/log/messages.tmp 2>/dev/null && mv /var/log/messages.tmp /var/log/messages || true
    done
 fi

 if [ -f /var/log/secure ]; then
    for pattern in "${PATTERNS[@]}"; do
-        sed -i "/$pattern/d" /var/log/secure 2>/dev/null
+        grep -v "$pattern" /var/log/secure > /var/log/secure.tmp 2>/dev/null && mv /var/log/secure.tmp /var/log/secure || true
    done
 fi

@@ -103,9 +82,9 @@ echo "  ✓ System logs cleaned"
 # Clean auth logs
 echo "→ Cleaning auth logs..."
 for log in /var/log/auth.log* /var/log/secure*; do
-    if [ -f "$log" ]; then
+    if [ -f "$log" ] && [ ! -L "$log" ]; then
        for pattern in "${PATTERNS[@]}"; do
-            sed -i "/$pattern/d" "$log" 2>/dev/null
+            grep -v "$pattern" "$log" > "${log}.tmp" 2>/dev/null && mv "${log}.tmp" "$log" || true
        done
    fi
 done
@@ -142,32 +121,81 @@ rm -f "$SCRIPT_DIR/.sysref" 2>/dev/null
 rm -f "$SCRIPT_DIR/.sysref.timestamp" 2>/dev/null
 echo "  ✓ Reference database removed"

-# Offer to remove the entire toolkit
-echo ""
-echo -e "${YELLOW}Final step: Remove toolkit directory?${NC}"
-echo "This will delete: $SCRIPT_DIR"
-echo ""
-read -p "Remove entire toolkit directory? (yes/no): " remove_dir
+# Clean bash history BEFORE asking about directory removal
+# (This ensures history is cleaned even if user removes toolkit directory)
+CLEAN_HISTORY=true
+if [ "$CLEAN_HISTORY" = true ] && [ -f ~/.bash_history ]; then
+    echo ""
+    echo "→ Final cleanup: Removing bash history..."

-if [ "$remove_dir" = "yes" ]; then
+    # Disable history recording AND appending for this session
+    set +o history
+    shopt -u histappend 2>/dev/null || true
+
+    echo "  → Cleaning history file..."
+    GREP_PATTERN="git\.mull\.lol|linux-server-management-toolkit|server-toolkit|launcher\.sh|erase-toolkit-traces"
+
+    # Clean the history file directly
+    if [ -f ~/.bash_history ]; then
+        cp ~/.bash_history ~/.bash_history.bak.$$
+        lines_before=$(wc -l < ~/.bash_history.bak.$$ 2>/dev/null || echo 0)
+        grep -Ev "$GREP_PATTERN" ~/.bash_history.bak.$$ > ~/.bash_history 2>/dev/null || true
+        lines_after=$(wc -l < ~/.bash_history 2>/dev/null || echo 0)
+        lines_removed=$((lines_before - lines_after))
+        rm -f ~/.bash_history.bak.$$
+        echo "  ✓ Removed $lines_removed entries from history file"
+    fi
+
+    # Clear current session's history completely to prevent re-adding on exit
+    echo "  → Clearing current session history..."
+    history -c
+
+    # Unset HISTFILE to prevent this session from writing on exit
+    unset HISTFILE
+
+    echo "  ✓ Current session history cleared and disabled"
    echo ""
-    echo "Removing toolkit directory..."
-    cd /root
-    rm -rf "$SCRIPT_DIR"
-    echo ""
-    echo -e "${GREEN}✓ Toolkit completely removed${NC}"
-    echo ""
-    echo "All traces have been erased."
-    exit 0
-else
-    echo ""
-    echo -e "${GREEN}✓ History and logs cleaned${NC}"
-    echo ""
-    echo "Toolkit directory remains at: $SCRIPT_DIR"
-    echo "You can manually remove it later with: rm -rf $SCRIPT_DIR"
+    echo -e "${YELLOW}IMPORTANT: Exit this shell immediately after cleanup${NC}"
+    echo "Type: exit"
+    echo "Then start a fresh shell to see cleaned history."
 fi

-echo ""
-echo "Note: Active shell sessions may still have history in memory."
-echo "Consider logging out and back in for complete cleanup."
-echo ""
+# Offer to remove the entire toolkit (AFTER history cleaning)
+if [ "$TRACE_ERASER_AUTO" = "yes" ]; then
+    # Auto mode: quick cleanup, minimal output
+    cd /root 2>/dev/null
+    rm -rf "$SCRIPT_DIR" 2>/dev/null
+    clear
+    echo ""
+    echo -e "${GREEN}✓ All traces removed${NC}"
+    echo ""
+else
+    # Manual mode: ask user
+    echo ""
+    echo -e "${YELLOW}Final step: Remove toolkit directory?${NC}"
+    echo "This will delete: $SCRIPT_DIR"
+    echo ""
+    read -p "Remove entire toolkit directory? (yes/no): " remove_dir
+
+    if [ "$remove_dir" = "yes" ]; then
+        echo ""
+        echo "Removing toolkit directory..."
+        cd /root
+        rm -rf "$SCRIPT_DIR"
+        echo ""
+        echo -e "${GREEN}✓ Toolkit completely removed${NC}"
+        echo ""
+        echo "All traces have been erased."
+    else
+        echo ""
+        echo -e "${GREEN}✓ History and logs cleaned${NC}"
+        echo ""
+        echo "Toolkit directory remains at: $SCRIPT_DIR"
+        echo "You can manually remove it later with: rm -rf $SCRIPT_DIR"
+    fi
+
+    echo ""
+    echo "All traces removed. The trace eraser commands will also be"
+    echo "removed when you log out or start a new shell session."
+    echo ""
+fi