Send mail to scripts owner (victims)
The scan report could be mailed to the email address of the owner of the uploaded script (the victim), so the user can take a look at it.
- Junior Member
- Posts: 73
- Joined: 16 Nov 2010, 22:49
Re: Send mail to scripts owner (victims)
+1 on this. I think it would be great if cxs would grab the owner's email address (from the /var/cpanel/users/username file) and send them an email (that we can customize) that says something like:
Our security scanner detected an infection on your site recently and the file has been quarantined. Please scan your computer for infections immediately... etc.
Right now I'm doing this manually and it's extremely time consuming.
Re: Send mail to scripts owner (victims)
+1 on this too
Re: Send mail to scripts owner (victims)
We'll add it for consideration to the dev list.
Re: Send mail to scripts owner (victims)
Yes, gr8 suggestion +1 from me too
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: Send mail to scripts owner (victims)
This was added some time ago - see documentation for --template [file]
- Junior Member
- Posts: 73
- Joined: 16 Nov 2010, 22:49
Re: Send mail to scripts owner (victims)
This does not appear to be working properly...
I've created the template to look like this:
Code:
From: support@XXXXX.COM
To: [user]
CC: [to]
Subject: Security Scan detected possible infection. (Hits:[hits]) (Viruses:[viruses]) (Fingerprints:[fingerprints])
Time : [time]
User Contact: [user]
Our security scanner has detected a potential problem with your site. A file recently
uploaded or installed on your site, may have been quarantined because it triggered one of our
filters. More information is listed below, however, you can contact us for more details on the
file(s) in question.
If you did NOT recently upload or make any changes to your site, (see date/time stamp above),
then please immediately change any and all passwords for your online accounts.
Please also scan your computer(s) immediately for infections, and remove any you find.
If you don't already have them, please download and install the following 2 (FREE) programs
to help you in finding and eradicating any infections.
Spybot S&D (Search & Destroy): www.safer-networking.org/dl/
Malware Bytes Anti-Malware: http://www.malwarebytes.org/lp/malware_lp_form/
Below is for internal use only:
[text]
Thank you,
SUPPORT
This generates an email that is supposedly sent to the user and CC'd to me.
But the log file does NOT show that the email was actually sent to the user.
Code:
2012-11-20 14:22:53 1TauLN-0000MD-T5 <= root@web22.xxxx.com H=(localhost.localdomain) [127.0.0.1]:49058 I=[127.0.0.1]:25 P=esmtp S=2385 T="Security Scan detected possible infection. (Hits:1) (Viruses:0) (Fingerprints:1)" from <root@web22.xxxx.com> for root@xxxx.com
2012-11-20 14:22:53 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1TauLN-0000MD-T5
2012-11-20 14:22:53 1TauLN-0000MD-T5 SMTP connection identification H=localhost A=127.0.0.1 P=49058 M=1TauLN-0000MD-T5 U=root ID=0 S=root B=authenticated_local_user
2012-11-20 14:22:54 1TauLN-0000MD-T5 => root@xxxx.com F=<root@web22.xxxx.com> P=<root@web22.xxxx.com> R=lookuphost T=remote_smtp S=2857 H=smtp.xxxx.com [xxx.xxx.xxx.xxx]:25 X=TLSv1:DHE-RSA-AES256-SHA:256 CV=no DN="/C=US/ST=XXXXX/L=XXXXXXXXXX/O=XXXX.COM, Inc./CN=smtp-a.xxxx.com/emailAddress=nobody@xxxx.com" C="250 Ok: queued as 190361700F7" QT=1s DT=0s
2012-11-20 14:22:54 1TauLN-0000MD-T5 Completed QT=1s
It only shows it going to me at root. So it would appear that the customer is never notified.
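A way to check from the Exim mainlog whether a notification ever reached the [user] address, as an added Python example (not from cxs or the poster): it parses the accept, delivery and completion lines for a message id and reports, per expected address, how far the mail got. The log excerpt is constructed from the one quoted above with hostnames sanitized; the delivery-line layout (including the "user <addr>" form for local deliveries) is an assumption about Exim's log format.

```python
import re

# Constructed Exim mainlog excerpt modelled on the lines quoted above; hosts are sanitized.
SAMPLE_LOG = """2012-11-20 14:22:53 1TauLN-0000MD-T5 <= root@web22.example.com H=(localhost.localdomain) [127.0.0.1]:49058 I=[127.0.0.1]:25 P=esmtp S=2385 T="Security Scan detected possible infection. (Hits:1) (Viruses:0) (Fingerprints:1)" from <root@web22.example.com> for root@example.com
2012-11-20 14:22:53 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1TauLN-0000MD-T5
2012-11-20 14:22:54 1TauLN-0000MD-T5 => root@example.com F=<root@web22.example.com> P=<root@web22.example.com> R=lookuphost T=remote_smtp S=2857 H=smtp.example.com [192.0.2.10]:25 C="250 Ok: queued as 190361700F7" QT=1s DT=0s
2012-11-20 14:22:54 1TauLN-0000MD-T5 Completed QT=1s
"""

# "<=" = message accepted (envelope recipients follow the final "for");
# "=>" / "->" = one delivery; "Completed" = the queue entry is finished.
RECV_RE = re.compile(r"^\S+ \S+ (\S+) <= (\S+) .* for (.+)$")
DELIV_RE = re.compile(r"^\S+ \S+ (\S+) (?:=>|->) (\S+)(?: <([^>]+)>)?")
DONE_RE = re.compile(r"^\S+ \S+ (\S+) Completed\b")


def parse_exim_mainlog(text):
    """Map each message id to its sender, envelope recipients and delivered addresses."""
    msgs = {}

    def rec(msgid):
        return msgs.setdefault(msgid, {"sender": None, "accepted_for": [],
                                       "delivered_to": [], "completed": False})

    for line in text.splitlines():
        if m := RECV_RE.match(line):
            rec(m.group(1))["sender"] = m.group(2)
            rec(m.group(1))["accepted_for"] = m.group(3).split()
        elif m := DELIV_RE.match(line):
            # Assumed: local deliveries print "=> user <user@host>"; prefer the bracketed address.
            rec(m.group(1))["delivered_to"].append(m.group(3) or m.group(2))
        elif m := DONE_RE.match(line):
            rec(m.group(1))["completed"] = True
    return msgs


def notification_status(msgs, msgid, expected):
    """For each address the template should have reached, say how far the mail got."""
    info = msgs.get(msgid, {})
    status = {}
    for addr in expected:
        if addr in info.get("delivered_to", []):
            status[addr] = "delivered"
        elif addr in info.get("accepted_for", []):
            status[addr] = "accepted but not delivered"
        else:
            status[addr] = "never addressed"   # the To: [user] line had no effect at submission
    return status
```

Run it over the real mainlog with the message id from the "<=" line and the customer's address; "never addressed" means the problem is in how the mail was submitted, not in delivery.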
- Junior Member
- Posts: 73
- Joined: 16 Nov 2010, 22:49
Re: Send mail to scripts owner (victims)
So, if this is ever going to be fixed... I'd like to also add the suggestion that cPanel/FTP passwords get changed on the suspected account. Then the customer has to contact us for the new password after they have scanned their computers and verified that everything is clean.
In addition, is there a way to only show some info in the template? In other words, the template variable for "text" shows the following:
Code:
----------- SCAN REPORT -----------
(/usr/sbin/cxs --www --smtp --options mMOLfSGchexdnwZDR --Wstart --filemax 50000 --ignore /etc/cxs/cxs.ignore --sizemax 500000 --xtra /etc/cxs/cxs.xtra --summary --Wrateignore 0 --quarantine /backups/quarantined_by_cxs --Wloglevel 0 --voptions mfhexT --mail cpadmin@xxxx.com --logfile /var/log/cxs.log --quiet --timemax 30 --qoptions mMchv --template cxs.template --doptions Mv --virusscan --Wsleep 3 --report /var/log/cxs.scan --Wmaxchild 3 --allusers --throttle 4 --clamdsock /var/clamd --Wrefresh 7 --exploitscan)
cxswatch Scanning /home/USERNAME/public_html/masrer/media/swf.php:
# (quarantined to /quarantined_by_cxs/scan/USERNAME/swf.php.1356696985_1) ClamAV detected virus = [Trojan.PHP-43]:
'/home/USERNAME/public_html/masrer/media/swf.php'
----------- SCAN SUMMARY -----------
Scanned directories: 0
Scanned files: 1
Ignored items: 0
Suspicious matches: 1
Viruses found: 1
Fingerprint matches: 0
Data scanned: 0.02 MB
Scan Time: 0.013 sec (including 2 throttle sleeps)
Instead, I would like it to show only the following:
Code:
cxswatch Scanning /home/USERNAME/public_html/masrer/media/swf.php:
# (quarantined to /quarantined_by_cxs/scan/USERNAME/swf.php.1356696985_1) ClamAV detected virus = [Trojan.PHP-43]:
'/home/USERNAME/public_html/masrer/media/swf.php'
----------- SCAN SUMMARY -----------
Scanned directories: 0
Scanned files: 1
Ignored items: 0
Suspicious matches: 1
Viruses found: 1
Fingerprint matches: 0
Data scanned: 0.02 MB
Scan Time: 0.013 sec (including 2 throttle sleeps)
The customer/victim does not need to see the options passed to cxs.
Re: Send mail to scripts owner (victims)
These are community forums. If you are having a problem with a paid product please log a ticket on the helpdesk.
- Junior Member
- Posts: 73
- Joined: 16 Nov 2010, 22:49
Re: Send mail to scripts owner (victims)
Ok, got this to work. Just can't change any of the From: To: CC: lines. They MUST be set as what the default template is set to.
What I would like to know is can the template be modified any further? For example:
----------- SCAN REPORT -----------
(/usr/sbin/cxs --allusers --clamdsock /var/clamd --doptions Mv --exploitscan --filemax 50000 --ignore /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --mail cpadmin@gkg.net --MD5 --options mMOLfSGchexdnwZDR --qoptions mMchv --quarantine /root/quarantined_by_cxs --quiet --report /var/log/cxs.scan --sizemax 500000 --smtp --summary --template cxs.template --throttle 4 --timemax 30 --virusscan --voptions mfhexT --Wloglevel 0 --Wmaxchild 3 --Wrateignore 0 --Wrefresh 7 --Wsleep 3 --Wstart --www --xtra /etc/cxs/cxs.xtra)
cxswatch Scanning /home/username/public_html/silverlightmediaelement.xap:
# (compressed file: SilverlightMediaElement.dll [depth: 1]) MS Windows Binary/Executable [application/x-winexec] (md5sum:2fb1bc1a7f10d1dd54689a79b4cf53ac) (md5sum:5038749d595b7bdb614cd90544e3f674):
'/home/username/public_html/silverlightmediaelement.xap'
Can the portion just under the SCAN REPORT line be removed? I don't want my customers to know what program
detected the problem (i.e. /usr/sbin/cxs with all the options...). Although doubtful, but not impossible, it might provide enough information to a hacker to find a way around it next time.
Also the cxswatch Scanning line should be removed. Instead, it should just say something like:
Scanned: /home/username/public_html/silverlightmediaelement.xap
This is a: compressed file (MS Windows Binary Executable [application/x-winexec])
Quarantined: Yes (or No).
MD5: 5038749d595b7bdb614cd90544e3f674
----------- SCAN SUMMARY -----------
Scanned directories: 0
Scanned files: 3
Ignored items: 0
Suspicious matches: 1
Viruses found: 0
Fingerprint matches: 0
Data scanned: 0.05 MB
Scan Time: 0.042 sec (including 312 throttle sleeps)
In addition, can we create a separate set of templates? Say something for Core Dump files? If it's a Core Dump file that was found, I would like to tell the customer that it was found and what they can/need to do about it to stop them. These aren't really security issues, but can take up a great deal of space.
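One way to post-process the [text] report into the customer-facing form asked for above, as an added Python example (not part of cxs or this thread): it drops the "(/usr/sbin/cxs ...)" command line and rewrites each "cxswatch Scanning" finding as Scanned / This is a / Quarantined / MD5 lines, leaving the SCAN SUMMARY as is. The sample report is constructed from the two findings quoted in this thread, and the regexes assume the report layout shown there.

```python
import re

# Constructed sample in the layout of the [text] report quoted above (not real cxs output).
SAMPLE_REPORT = """----------- SCAN REPORT -----------
(/usr/sbin/cxs --allusers --mail cpadmin@example.com --MD5 --template cxs.template --www)
cxswatch Scanning /home/username/public_html/silverlightmediaelement.xap:
# (compressed file: SilverlightMediaElement.dll [depth: 1]) MS Windows Binary/Executable [application/x-winexec] (md5sum:2fb1bc1a7f10d1dd54689a79b4cf53ac) (md5sum:5038749d595b7bdb614cd90544e3f674):
'/home/username/public_html/silverlightmediaelement.xap'
cxswatch Scanning /home/username/public_html/masrer/media/swf.php:
# (quarantined to /quarantined_by_cxs/scan/username/swf.php.1356696985_1) ClamAV detected virus = [Trojan.PHP-43]:
'/home/username/public_html/masrer/media/swf.php'
----------- SCAN SUMMARY -----------
Scanned files: 3
Suspicious matches: 2
"""

SCAN_RE = re.compile(r"^cxswatch Scanning (.+):$")
MD5_RE = re.compile(r"\(md5sum:([0-9a-f]{32})\)")
QUAR_RE = re.compile(r"\(quarantined to [^)]*\)\s*")


def describe_hit(path, detail):
    """Rewrite one 'cxswatch Scanning' finding as the customer-facing lines."""
    detail = detail[2:].rstrip(":")          # drop the leading "# " and trailing colon
    quarantined = QUAR_RE.search(detail) is not None
    md5s = MD5_RE.findall(detail)            # the last md5sum is the outer file's, as in the post
    desc = re.sub(r"\s+", " ", MD5_RE.sub("", QUAR_RE.sub("", detail))).strip()
    lines = [f"Scanned: {path}", f"This is a: {desc}",
             f"Quarantined: {'Yes' if quarantined else 'No'}"]
    if md5s:
        lines.append(f"MD5: {md5s[-1]}")
    return lines


def sanitize_report(report):
    """Return the report with the scanner command line hidden and findings rewritten."""
    # The "(/usr/sbin/cxs ...)" line reveals the tool and its options, so drop it first.
    lines = [ln for ln in report.splitlines() if not ln.startswith("(/usr/sbin/cxs")]
    out, i = [], 0
    while i < len(lines):
        m = SCAN_RE.match(lines[i])
        if m and i + 1 < len(lines) and lines[i + 1].startswith("# "):
            out.extend(describe_hit(m.group(1), lines[i + 1]))
            i += 2
            if i < len(lines) and lines[i] == f"'{m.group(1)}'":
                i += 1                         # skip the quoted repeat of the path
            continue
        out.append(lines[i])
        i += 1
    return "\n".join(out) + "\n"
```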