Add signature to panel alerts and fix some white spacing issues #426
44 changes: 26 additions & 18 deletions files/internals/functions
Expand Up @@ -284,7 +284,9 @@ get_panel_contacts() {
;;
"interworx")
master_domain=$(/usr/local/interworx/bin/listaccounts.pex | grep "${user}" | awk '{print $2}')
contact_emails=$(/usr/bin/siteworx -un --login_domain ${master_domain} -c Users -a listUsers -o yaml | awk '/email:/{print $2}' | tr '\n' ',' | sed 's/,$//' | sed 's/,/, /')
if [[ -n $master_domain ]]; then
contact_emails=$(/usr/bin/siteworx -un --login_domain "${master_domain}" -c Users -a listUsers -o yaml | awk '/email:/{print $2}' | tr '\n' ',' | sed 's/,$//' | sed 's/,/, /')
fi
;;
esac
}
Expand Down Expand Up @@ -443,7 +445,7 @@ EOF
}

usage_long() {
cat<<EOF
cat <<EOF
signature set: $sig_version
usage $0 [ OPTION ]
-b, --background
Expand Down Expand Up @@ -1497,7 +1499,7 @@ trim_log() {
genalert() {
type="$1"
file="$2"
if [ "$email_alert" == "1" ] || [ "$type" == "digest" ] || [ "$type" == "daily" ]; then
if [ "$email_alert" == "1" ] || [ "$type" == "digest" ] || [ "$type" == "daily" ]; then
if [ "$type" == "file" ] && [ -f "$file" ]; then
if [ -f "$mail" ]; then
cat $file | $mail -s "$email_subj" $email_addr
Expand All @@ -1522,24 +1524,30 @@ genalert() {
fi
fi
elif [ "$type" == "panel" ] && [ -f "$file" ]; then
eout "{panel} Detecting control panel and sending alerts..." 1
eout "{panel} Detecting control panel and sending alerts..." 1
control_panel=""
detect_control_panel
if [ "$control_panel" == "error" ] || [ "$control_panel" == "unknown" ]; then
eout "{panel} Failed to set control panel. Will not send alerts to control panel account contacts." 1
else
# Sort malware hits from $file and map the detected files to their system user owner
file_hits=$(awk '/FILE HIT LIST:/{flag=1;next}/^=======/{flag=0}flag{print $3}' $file)
for hit in $file_hits; do
hit_line=$(grep "$hit" $file)
if [ -f "$hit" ]; then
file_owner=$(stat -c "%U" $hit)
elif ! [ -f "$hit" ] && [ "$quarantine_hits" == "1" ] && [[ "$hit_line" == *"=>"* ]]; then
quarantined_file=$(echo $hit_line | awk '{print $NF}')
while read -r hit; do
local signature hit_file quarantined_file
if [[ $hit =~ (.*)[[:blank:]]:[[:blank:]](.*)[[:blank:]]=\>[[:blank:]](.*) ]]; then
signature=${BASH_REMATCH[1]}
hit_file=${BASH_REMATCH[2]}
quarantined_file=${BASH_REMATCH[3]}
elif [[ $hit =~ (.*)[[:blank:]]:[[:blank:]](.*) ]]; then
signature=${BASH_REMATCH[1]}
hit_file=${BASH_REMATCH[2]}
fi
if [[ -f $hit_file ]]; then
file_owner=$(stat -c "%U" "$hit_file")
elif [[ -n $quarantined_file ]]; then
file_owner=$(awk -F':' '/^[^#]/{print $1}' ${quarantined_file}.info)
fi
echo "$file_owner : $hit" >> $tmpdir/.panel_alert.hits
done
fi
echo "$file_owner : $signature : $hit_file" >> $tmpdir/.panel_alert.hits
done < <(awk '/FILE HIT LIST:/{flag=1;next}/^=======/{flag=0}flag{print $0}' $file)
# Sort cleaned files too
if [ "$quarantine_clean" == "1" ]; then
for clean_file in $(cat $sessdir/clean.$$); do
Expand All @@ -1552,12 +1560,12 @@ genalert() {
# Determine control panel, noop if error or none detected
eout "{panel} Detected control panel $control_panel. Will send alerts to control panel account contacts." 1
user_list=$(awk '{print $1}' $tmpdir/.panel_alert.hits | sort | uniq)
if [ -n "$user_list" ]; then
if [ -n "$user_list" ]; then
for sys_user in $user_list; do
contact_emails=""
get_panel_contacts $control_panel $sys_user

grep "^$sys_user " $tmpdir/.panel_alert.hits | awk '{print $3}' > $tmpdir/.${sys_user}.hits
grep "^$sys_user " $tmpdir/.panel_alert.hits | awk -F' : ' '{print $2" : "$3}' > $tmpdir/.${sys_user}.hits
user_tot_hits=$($wc -l $tmpdir/.${sys_user}.hits | awk '{print$1}')
if [ -f $tmpdir/.panel_alert.clean ]; then
grep "^$sys_user " $tmpdir/.panel_alert.clean | awk '{print $3}' > $tmpdir/.${sys_user}.clean
Expand All @@ -1581,8 +1589,8 @@ genalert() {
eout "{panel} No compatible \$sendmail or \$mail binaries found, control panel account alerts disabled."
fi
done
fi
rm -f $tmpdir/.panel_alert.hits $tmpdir/.panel_alert.clean $tmpdir/.${sys_user}.hits $tmpdir/.${sys_user}.clean $tmpf
fi
rm -f $tmpdir/.panel_alert.hits $tmpdir/.panel_alert.clean $tmpdir/.${sys_user}.hits $tmpdir/.${sys_user}.clean $tmpf
fi
elif [ "$type" == "daily" ] || [ "$type" == "digest" ]; then
inotify_start_time=`ps -p $(ps -A -o 'pid cmd' | grep -E maldetect | grep -E inotifywait | awk '{print$1}' | head -n1) -o lstart= 2> /dev/null`
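Review bot: In the new `while read -r hit` loop of the `@@ -1522,24 +1524,30 @@` hunk, `local signature hit_file quarantined_file` does not clear values carried over from the previous iteration — bash keeps an already-local variable's value when it is re-declared without an assignment — and `file_owner` is never reset at all. A report line that matches only the two-field pattern for a file that no longer exists therefore falls into the `elif [[ -n $quarantined_file ]]` branch with the previous hit's quarantine path, and a line matching neither pattern is written to `.panel_alert.hits` under the previous hit's owner. Initialising the variables explicitly per iteration avoids both: `local signature='' hit_file='' quarantined_file='' file_owner=''` (or `file_owner=''` on its own line if it must stay global for the clean-file section below). The `.info` path in that branch should also be quoted, `file_owner=$(awk -F':' '/^[^#]/{print $1}' "${quarantined_file}.info")`, since the name is taken from the scan report and may contain whitespace or glob characters. genalert begins and ends outside this hunk.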