Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
executable file 697 lines (602 sloc) 23.1 KB
#!/bin/bash
###############################setup##################################
#choose y/N
yesno(){ read -p "$question " choice;case "$choice" in y|Y|yes|Yes|YES ) decision=1;; n|N|no|No|NO ) decision=0;; * ) echo "invalid" && yesno; esac; }
#making log location
if [[ -e /usr/local/scan ]];then #then pwd exists
echo -e
else
mkdir -p /usr/local/scan
fi
if [[ -e /usr/local/scan/report ]];then #then pwd exists
echo -e
else
mkdir -p /usr/local/scan/report
fi
reportdir=/usr/local/scan/report
envelope=/usr/local/scan/report/mail
#set sigdir
sigdir=/usr/local/scan/lw-yara
if [[ -e /usr/local/scan/lw-yara/lw.hdb ]]; then #rules installed, run update
cd $sigdir
git pull
echo -e
else git clone https://github.com/Hestat/lw-yara.git $sigdir
echo -e
fi
scandir=/usr/local/scan
if [[ -x $(which maldet) ]]; then #maldet installed adding maldet sigs
sigdir2=/usr/local/maldetect/sigs
else
echo -e #not installed
fi
#create color vars
yell='\e[33m'
gre='\e[32m'
whi='\e[0m'
###################### versioning ########################################
VERSION="[ version 1.5 ]"
#check if blazescan is up to date
UPDATECHECK(){
remoteprogsig=$(curl -sS https://raw.githubusercontent.com/Hestat/blazescan/master/blazescan | md5sum | awk '{print$1}')
localprogsig=$(md5sum /usr/local/scan/blazescan | awk '{print$1}')
if [[ "$remoteprogsig" = "$localprogsig" ]]; then
echo -e "$gre Blazescan is up to date $whi"
sleep 1
else echo -e "$yell Newer version of Blazescan available, would you like to update? [y/n]"
yesno; if [ $decision = 1 ]; then
wget -O /usr/local/scan/blazescan https://raw.githubusercontent.com/Hestat/blazescan/master/blazescan
echo -e "Update complete $whi\n"
else echo -e "Ending update check$whi\n"
fi
fi
}
###################### create formatting #################################
#Creates variable for red color
red='\e[0;31m'
#Creates variable for bold red color
redbold='\e[1;31m'
#Creates variable for green color
green='\e[0;32m'
#Creates variable for yellow color
yellow='\e[1;33m'
#Creates variable for purple color
purple='\e[1;35m'
#Creates variable for no color
whi='\e[0m'
#blue
blue='\e[34m'
div(){
for ((i=0;i<$1;i++)); do printf '='; done;
}
header(){
echo -e "\n$(div 80)\n"
}
header2=$(echo -e "$(div 3)")
title(){
echo -e " __________________"
echo -e " \ \ "
echo -e " \ \ "
echo -e " \ ) \ "
echo -e " \ ).( \ "
echo -e " /-------------------------).(.(------"
echo -e " //---------------// ( ).(. // |"
echo -e " // // (.) ).(. // __|"
echo -e " // // ) .( .( ).)) // ||"
echo -e " // // ).( .( .) .(.).// ||"
echo -e " //_______________// ^^^^^^^^^^^^^^// ||"
echo -e "------------------------------------/ ------ |"
echo -e "| Blazescan | | Another | |"
echo -e "| AMS Software| | Malware | |"
echo -e "|-------------- | Scanner | |"
echo -e "| ------------| |"
echo -e "----------------------------------------------"
echo -e "Sometimes you need to burn it down and start fresh"
}
scanout(){
echo -e "$redbold Scan output file can be found here: $whi"
}
maldetandyara(){
echo -e "$blue maldet detected, using maldet and lw-yara signatures $whi"
}
headtimestamp(){
echo -e "Change timestamps on malicious files flagged in the scan"
}
######################### help menu #####################################
helpmenu(){
header
echo -e "Blazescan $redbold $VERSION $whi is a malware scanning and incident response tool"
echo -e "that uses clamav and custom malware databases\n"
echo -e "If you run blazescan without any arguments it will present a simple scanning menu\n"
echo -e " -a will scan all cpanel accounts\n"
echo -e " -A will use Agressive mode to scan all cpanel accounts"
echo -e " uses clamd to run multicore scans, can increase load\n"
echo -e " -u will scan the specified cpanel user\n"
echo -e " -l will show the results of the last scan\n"
echo -e " -t will display ctime of the hits in the last scan\n"
echo -e " -d scan a directory of your choosing\n"
echo -e " -w will run a scan on the directory of your choosing with wordpress checks included\n"
echo -e " -f will run search for all files in the directory given and record ctime of all files\n"
echo -e " -i provide a file to pull vital stats about the file\n"
echo -e " -m will email the list of hits from the last malware scan\n"
echo -e " -n will provide an overview of logged in users and network traffic\n"
echo -e " -N will run a tcpdump for a specified time period and write the data to a file for later analysis\n"
echo -e " -U will check for updates, and allow you to perform any available updates\n"
echo -e " -R will allow you to report a malicious file back to add a signature"
echo -e " use this if you encounter new malicious code that is not detected\n"
echo -e " -h will display the help menu\n"
echo -e "By default the scanner will use the rules at https://github.com/Hestat/lw-yara\n"
echo -e "It will also use the maldet rules if installed http://www.rfxn.com/projects/linux-malware-detect/\n"
header
}
########################### scan functions ################################
enumcpaneldocrootall(){
find /var/cpanel/userdata/ -type f | xargs grep documentroot | awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | awk -F":" '{print $3}'
}
clamdcpanelallscan(){
for FILE in $( enumcpaneldocrootall ); do echo -e "$yellow Scan location:\t$FILE\n $whi" | tee -a $OP1
clamdscan --config-file=/usr/local/scan/blazescand.conf $FILE | tee -a $OP1; echo -e "\n" | tee -a $OP1 ; done; scanout; echo -e "$OP1\n"
headtimestamp >> $OP1
header >> $OP1
timestamps >> $OP1
}
cpanelallscan1(){
for FILE in $( enumcpaneldocrootall ); do echo -e "$yellow Scan location:\t$FILE\n $whi" | tee -a $OP1
clamscan -ir -d /usr/local/scan/lw-yara/ $FILE | tee -a $OP1; echo -e "\n" | tee -a $OP1 ; done; scanout;echo -e "$OP1\n"
headtimestamp >> $OP1
header >> $OP1
timestamps >> $OP1
}
cpanelallscan2(){
for FILE in $( enumcpaneldocrootall ); do echo -e "$yellow Scan location:\t$FILE\n $whi" | tee -a $OP1
clamscan -ir --no-summary -d /usr/local/maldetect/sigs -d /usr/local/scan/lw-yara/ $FILE | tee -a $OP1; echo -e "\n" | tee -a $OP1 ; done; scanout; echo -e "$OP1\n"
headtimestamp >> $OP1
header >> $OP1
timestamps >> $OP1
}
singlecpanelscan1a(){
for FILE2 in $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot | awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | awk -F":" '{print $2}'); do echo -e "$yellow Scan location:\t$FILE2\n $whi" | tee -a $OP2
clamscan -ir --no-summary -d /usr/local/scan/lw-yara/ $FILE2 | tee -a $OP2; echo -e "\n" | tee -a $OP2;done; scanout; echo -e "$OP2\n"
headtimestamp >> $OP2
header >> $OP2
timestamps >> $OP2
}
singlecpanelscan2a(){
for FILE2 in $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot | awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | awk -F":" '{print $2}'); do echo -e "$yellow Scan location:\t$FILE2\n $whi" | tee -a $OP2
clamscan -ir --no-summary -d /usr/local/maldetect/sigs -d /usr/local/scan/lw-yara/ $FILE2 | tee -a $OP2; echo -e "\n" | tee -a $OP2;done; scanout; echo -e "$OP2\n"
headtimestamp >> $OP2
header >> $OP2
timestamps >> $OP2
}
singlecpanelscan1b(){
for FILE2 in $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot | awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | awk -F":" '{print $3}'); do echo -e "$yellow Scan location:\t$FILE2\n $whi" | tee -a $OP2
clamscan -ir --no-summary -d /usr/local/scan/lw-yara/ $FILE2 | tee -a $OP2; echo -e "\n" | tee -a $OP2;done; scanout; echo -e "$OP2\n"
headtimestamp >> $OP2
header >> $OP2
timestamps >> $OP2
}
singlecpanelscan2b(){
for FILE2 in $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot | awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | awk -F":" '{print $3}'); do echo -e "$yellow Scan location:\t$FILE2\n $whi" | tee -a $OP2
clamscan -ir --no-summary -d /usr/local/maldetect/sigs -d /usr/local/scan/lw-yara/ $FILE2 | tee -a $OP2; echo -e "\n" | tee -a $OP2;done; scanout;echo -e "$OP2\n"
headtimestamp >> $OP2
header >> $OP2
timestamps >> $OP2
}
directoryscanM(){
clamscan -ir --no-summary -d /usr/local/maldetect/sigs -d /usr/local/scan/lw-yara/ $direct | tee -a $OP3; echo -e "\n" | tee -a $OP3; scanout; echo -e "$OP3\n"
headtimestamp >> $OP3
header >> $OP3
timestamps >> $OP3
}
directoryscan(){
clamscan -ir --no-summary -d /usr/local/scan/lw-yara/ $direct | tee -a $OP3; echo -e "\n" | tee -a $OP3; scanout; echo -e " $OP3\n"
headtimestamp >> $OP3
header >> $OP3
timestamps >> $OP3
}
clamddirectoryscan(){
clamdscan --config-file=/usr/local/scan/blazescand.conf $direct | tee -a $OP3; echo -e "\n" | tee -a $OP3 scanout; echo -e "$OP3\n"
headtimestamp >> $OP3
header >> $OP3
timestamps >> $OP3
}
wpclicheck(){
#wpuser=$(find $wpdirect -name wp-config.php | xargs stat -t --format=%U)
echo -e " Wordpress path: $wpdirect" | tee -a $OP3
runuser -l $wpuser -s /bin/bash -c "wp checksum core --path=$wpdirect" 2>&1 | tee -a $OP3
echo -e "\n Wordpress Administrative users, review to confirm no malicious users" | tee -a $OP3
runuser -l $wpuser -s /bin/bash -c "wp user list --role=administrator --path=$wpdirect --format=csv" 2>&1 | tee -a $OP3
echo -e "\n"
}
############################# network information #############################
listening(){
header
echo -e "$red $header2 Listening services $header2 $whi\n"
if [[ -e /etc/systemd ]]; then #systemd os using ss
ss -tulpn
else #init using netstat
netstat -tulpn
fi
}
active(){
header
echo -e "$red $header2 Active connections $header2 $whi\n"
if [[ -e /etc/systemd ]]; then #systemd os using ss
ss -tupn
else #init using netstat
netstat -tupn
fi
header
}
users(){
header
echo -e "$red $header2 Connected users $header2 $whi\n"
w
echo -e
header
echo -e "$red $header2 Last 10 logins $header2 $whi\n"
last -Faixw | head
}
livecapture(){
PORT=""
HOST=""
NP1=/usr/local/scan/nettraffic$(date +%F-%H%M).pcap
echo -e "How long would you like to capture traffic? (measured in seconds)"
read TIME
echo -e "\nWould you like to set a host ip address? [y/n]"
yesno; if [ $decision = 1 ];then
echo -e "Enter ip address:"
read HOST
else
sleep 0
fi
echo -e "\nWould you like to set a port to watch? [y/n]"
yesno; if [ $decision = 1 ];then
echo -e "Enter port number:"
read PORT
else
sleep 0
fi
if [[ $(echo $HOST| wc -c) > 1 ]] && [[ $(echo $PORT|wc -c) > 1 ]];then
timeout $TIME tcpdump -vvv host $HOST and port $PORT -w $NP1
elif [[ $(echo $HOST| wc -c) > 1 ]]; then
timeout $TIME tcpdump -vvv host $HOST -w $NP1
elif [[ $(echo $PORT|wc -c) > 1 ]];then
timeout $TIME tcpdump -vvv port $PORT -w $NP1
else
timeout $TIME tcpdump -vvv -w $NP1
fi
echo -e "\nPacket capture stored in $NP1"
echo -e "\n\nIf you would like to review this data now run the following command"
echo -e "\ntcpdump -nr $NP1\n"
}
############################# time stamps and other things ###################
list(){
if [[ $(grep UNOFFICIAL $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}') | wc -l) -ge "1" ]]; then
grep UNOFFICIAL $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}')
else echo -e " not hits found\n"
fi
}
wlist(){
if [[ $(grep "Warning:" $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}') | wc -l) -ge "1" ]]; then
grep "Warning:" $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}')
else echo -e " Wordpress core files match\n"
fi
}
timestamps(){
if [[ $(grep UNOFFICIAL $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}') | cut -d : -f1 | xargs stat -t --format=%z,%n 2> /dev/null | wc -l) -ge "1" ]]; then
grep UNOFFICIAL $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}') | cut -d : -f1 | xargs stat -t --format=%z,%n
else echo -e " no hits found\n"
fi
}
forensic(){
find $direct -type f | xargs stat -t --format=%y:%n 2> /dev/null 1>> $OP4
}
filebasic(){
echo -e "File Stats:"
header
stat $fileid
header
echo -e "\n\nFile type:"
header
file $fileid
header
echo -e "\n\nFile SHA1 hash:"
header
sha1sum $fileid
header
}
vtcheck(){
echo -e "\n VirusTotal results"
header
curl -s -X POST 'https://www.virustotal.com/vtapi/v2/file/report' --form apikey="$vtkey" --form resource="$vthash" | json_pp | egrep "permalink|scan_date|verbose_msg|positives|total"
header
}
############################# reporting ################################
objectName=suspectfile$(date +%y%m%d-%H%M).zip
bucket=blazescan-signatures
resource="/${bucket}/${objectName}"
contentType="application/zip"
dateValue=`date -R`
acl="x-amz-acl:public-read"
stringToSign="PUT\n\n${contentType}\n${dateValue}\n${resource}"
s3put(){
curl -i -X PUT -T "${upload}" \
-H "Host: ${bucket}.s3.amazonaws.com" \
-H "Date: ${dateValue}" \
-H "Content-Type: ${contentType}" \
-H "$acl" \
https://${bucket}.s3-us-west-2.amazonaws.com/${objectName}
}
############################# flags for running ###############################
while getopts ":ahltu:d:w:UARfi:mnN" opt; do
case ${opt} in
h ) # process option h to display help menu
helpmenu
exit 0
;;
u ) # process option u for individual cpanel account
user=$OPTARG
OP2=/usr/local/scan/$user-$(date +%F-%H%M.txt)
echo -e "\n"|tee -a $OP2
if [[ -x $(which maldet) ]];then
#echo -e "maldet detected, using maldet and lw-yara signatures"
maldetandyara
if [[ $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot |awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | wc -l) -eq "1" ]]; then
singlecpanelscan2a
else
singlecpanelscan2b
fi;
else
echo -e "using only lw-yara signatures"
if [[ $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot |awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | wc -l) -eq "1" ]]; then
singlecpanelscan1a
else
singlecpanelscan1b
fi
fi
exit 0;;
A ) # -A agressive mode
if [[ -x $(which clamdscan 2>/dev/null) ]]; then
echo -e "Multiple CPU cores detected, would you like to use Blazescan in Aggressive mode? [y/n]"
echo -e "Warning if the server is under load, this is not recommended as it will create additional heavy load on the system"
yesno; if [ $decision = 1 ]; then
OP1=/usr/local/scan/scan-$(date +%F-%H%M.txt)
echo -e "\n"|tee -a $OP1
clamdcpanelallscan
exit 0
else
exit 0
fi
else "install clamd first"
fi
exit 0;;
a ) # -a option to scan all cpanel accounts
#creating log file
OP1=/usr/local/scan/scan-$(date +%F-%H%M.txt)
echo -e "\n"|tee -a $OP1
if [[ -x $(which maldet) ]]; then
#echo -e "maldet detected, using maldet and lw-yara signatures"
maldetandyara
#elif [ $(nproc) >= "2" ]; then
# echo -e "Multiple CPU cores detected, would you like to use Blazescan in Aggressive mode? [y/n]"
# echo -e "Warning if the server is under load, this is not recommended as it will create additional heavy load on the system"
# yesno; if [ $decision = 1 ]; then
# clamdcpanelallscan
#else
cpanelallscan2
else
echo -e "using only lw-yara signatures"
cpanelallscan1
fi
exit 0;;
l ) #list results
list
if [[ $(grep "Warning:" $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}') | wc -l) -ge "1" ]]; then
echo -e "\nWordpress checks"
wlist
echo -e
else
exit 0
fi
exit 0;;
t ) timestamps
exit 0;;
d ) #scan specified directory
direct=$OPTARG
#creating log file
OP3=/usr/local/scan/scan-$(date +%F-%H%M.txt)
echo -e "\n"|tee -a $OP3
#if [[ $(nproc) = 2 ]]; then
# echo -e "Multiple CPU cores detected, would you like to use Blazescan in Aggressive mode? [y/n]"
# echo -e "Warning if the server is under load, this is not recommended as it will create additional heavy load on the system"
# yesno; if [ $decision = 1 ]; then
# clamddirectoryscan
# exit 0
# else #continue
# fi
if [[ -x $(which maldet) ]];then
#echo -e "maldet detected, using maldet and lw-yara signatures"
maldetandyara
directoryscanM
else
echo -e "using only lw-yara signatures"
directoryscan
fi
exit 0;;
w ) #perform wordpress based scanning
wpdirect=$OPTARG
direct=$wpdirect
wpuser=$(find $wpdirect -name wp-config.php | xargs stat -t --format=%U)
OP3=/usr/local/scan/$wpuser-$(date +%F-%H%M.txt)
echo -e "$yellow Performing wordpress checks... $whi"
echo -e "\n" | tee -a $OP3
wpclicheck
echo -e "\n" | tee -a $OP3
if [[ -x $(which maldet) ]];then
#echo -e "maldet detected, using maldet and lw-yara signatures"
maldetandyara
directoryscanM
else
echo -e "using only lw-yara signatures"
directoryscan
fi
exit 0;;
f ) #perform a forensic capture of all ctimes on files recursively via the path given
echo -e "What path would you like to collect forensic change timestamps?"
read direct
echo -e "Provide your username:"
read USER
OP4=/usr/local/scan/forensic-$USER-$(date +%F-%H%M).log
forensic
echo -e "$red Log can be found here: $whi"
echo -e "$OP4"
exit 0;;
U ) #perform update checks
UPDATECHECK
exit 0;;
R ) #report a malicous file that was not found
echo -e "$yellow Provide the full path file you would like to send"
echo -e " EX: /home/test/example.php $whi"
read file
cp $file $reportdir
tempup=$(find $reportdir -maxdepth 1 -type f -exec stat -c "%y %n" {} + | sort -r | head -n1|awk '{print$4}' | cut -d / -f 6)
pushd /usr/local/scan/report/
zip -P "malware" report.zip $tempup
popd
upload=$(find $reportdir -maxdepth 1 -name '*.zip' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1|awk '{print$4}')
s3put
#rm $tempup
rm $upload 2> /dev/null
echo -e "$green Upload complete, thank you for reporting the file $whi"
exit 0;;
i ) #perform file analysis
fileid=$OPTARG
OPFILE=/usr/local/scan/filecheck-$(date +%F-%H%M.log)
echo -e "$yellow Collecting information on file...\n $whi"
filebasic >> $OPFILE
filebasic
echo -e "\n Would you like to view file strings? [y/n]"
yesno; if [ $decision = 1 ]; then
strings $fileid | less
else
echo -e
fi
echo -e "\n Would you like to check hash against Virustotal? [y/n]"
yesno; if [ $decision = 1 ]; then
vtkey=$(grep "#VTapikey=" /usr/local/scan/blazescand.conf| cut -d = -f2)
vthash=$(sha1sum $fileid| awk '{print$1}')
if [ $(echo $vtkey| wc -c) = 1 ]; then #no api key
echo -e "$yellow No Virustotal API key found, please add to /usr/local/scan/blazescand.conf $whi"
else
vtcheck
vtcheck >> $OPFILE
fi
echo -e "\n"
else
echo -e
fi
echo -e "$red basic file info recorded in $whi $OPFILE"
exit 0;;
m ) #mail-to function
addr=$(grep Mailtoaddress /usr/local/scan/blazescand.conf | cut -d = -f2)
if [ $(echo $addr| wc -c) = 1 ]; then
echo -e "$yellow No Email address specified, please set up in /usr/local/scan/blazescand.conf $whi"
else
echo -e "Subject: Blazescan malware hits report" > $envelope
list >> $envelope
echo -e "Sending report to $addr\n\n"
cat $envelope | sendmail $addr
rm $envelope
fi
exit 0;;
n ) #network checks
users
listening
active
exit 0;;
N ) #network capture
livecapture
exit 0;;
\? ) echo "Usage: cmd [-d directory path to scan] [-w path to wordpress homedir to scan] [-u cpanel user] [ -a scan all cpanel account] [-l list last scan results] [-t list create time of hits] [ -h Use to get a full list of the features and flags]"
exit 0;;
esac
done
shift "$((OPTIND -1))"
#subcommand=$1; shift
#case "$subcommand" in
# mail)
# address=$1;
# echo -e "I'm running!"
# shift
# exit 0;;
#esac
############################# begin main ##################################
if [[ -x $(which whmapi1) ]]; then #cpanel
#begin menu for cpanel options
while true
do
clear
header
helpmenu
header
echo -e
#title
echo -e
echo -e "Please select scan you would like to run\n"
echo -e "Select [1] to scan all Cpanel accounts and Docroots\n"
echo -e "Select [2] to scan individual account\n"
echo -e "Select [3] to exit\n"
header
read answer
case "$answer" in
1) if [[ -x $(which clamscan) ]]; then #clamav installed
#creating log file
OP1=/usr/local/scan/scan-$(date +%F-%H%M.txt)
echo -e "\n"|tee -a $OP1
if [[ -x $(which maldet) ]]; then
#echo -e "maldet detected, using maldet and lw-yara signatures"
maldetandyara
cpanelallscan2
else
echo -e "using only lw-yara signatures"
cpanelallscan1
fi
else echo -e "trying to link to existing clamscan binary"
ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/bin/freshclam
if [[ -x $(which clamscan) ]]; then
echo -e "success, please restart to scan"
else echo -e "clamav not installed please install"
fi
fi;;
2) echo "What is the cpanel user?"
read user
#creating log file
OP2=/usr/local/scan/$user-$(date +%F-%H%M.txt)
echo -e "\n"|tee -a $OP2
if [[ -x $(which maldet) ]];then
#echo -e "maldet detected, using maldet and lw-yara signatures"
maldetandyara
if [[ $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot |awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | wc -l) -eq "1" ]]; then
singlecpanelscan2a
else
singlecpanelscan2b
fi;
else
echo -e "using only lw-yara signatures"
if [[ $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot |awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | wc -l) -eq "1" ]]; then
singlecpanelscan1a
else
singlecpanelscan1b
fi;
fi;;
3) exit;;
esac
echo -e "Press Enter to return to menu"
read input
done
else
echo -e "not cpanel, please use the -d flag to set the directory you want to scan\n"
echo -e "use the -h flag to see the flags that can be used"
fi