Imunify hook to send email to admin on infection

  • Imunify hook to send email to admin on infection

    Hello all

    Since I could not find any option to notify admins when an infection occurs, I have modified this script to do the job.



    I have tested it by uploading infected files with ftp and cpanel file editor and it seems OK

    It sends email to cpanel contact emails with infection path and infection type

    This is the first beta; it has much potential for improvement.

    Feel free to test

    cd
    mkdir hooks
    cd hooks
    vi hooks.php

    ### php begins###

    #!/usr/local/bin/php -q
    <?php
    // Hook for the Imunify360 "malware-detected" event. The agent passes the
    // event as JSON on stdin; the individual findings are in a temporary JSON
    // report file whose path is given in params.tmp_filename.
    $hostname = gethostname();

    // Blocking read of the whole payload, so nothing is missed if the agent
    // is still writing when the script starts.
    $data = stream_get_contents(STDIN);
    $json = json_decode(trim($data), true);
    $output = null;
    $total_malicious = 0;

    switch ($json['event']) {
    case 'malware-detected':
        $subtype = $json['subtype'];
        $total_malicious = $json['params']['total_malicious'];
        $report = json_decode(file_get_contents($json['params']['tmp_filename']), true);
        $by_users = array();

        // Group the findings by the owning account.
        foreach ($report as $entry) {
            if (!isset($by_users[$entry['username']])) {
                $by_users[$entry['username']] = array();
            }
            $by_users[$entry['username']][] = $entry;
        }

        foreach ($by_users as $user => $user_row) {
            $output .= date('Ymd H:i:s') . "\n\n" . "Subtype: " . $subtype . "\n\n";
            $output .= "User " . $user . " has " . count($user_row) . " infections";
            foreach ($user_row as $fkey => $user_row_item) {
                $output .= "\n" . $user_row_item['file'] . " " . $user_row_item['type'] . " " . $user_row_item['scan_type'];
            }
            $output .= "\n\n\n";
        }
        break;
    }

    if ($output) {
        $subject = "Imunify on " . $hostname . " (Infections: " . $total_malicious . ")";
        $recipient = 'root';
        $headers = "From: " . $hostname . " <root@" . $hostname . ">\r\n"
                 . "X-Mailer: PHP\r\n"
                 . "Content-type: text/plain; charset=UTF-8";
        mail($recipient, $subject, $output, $headers);
    }
    ?>

    ####php end###

    chmod 700 hooks.php

    imunify360-agent hook add --event malware-detected --path /root/hooks/hooks.php
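    As an added example (not the poster's script and not CloudLinux code), the same hook written so that it validates the payload before mailing: a non-malware event, a missing or unreadable report file, or a malformed report produces a log line instead of an empty email. The field names are the ones the posted script uses; the recipient and the report layout are assumptions.

```php
#!/usr/local/bin/php -q
<?php
// Added example, not the thread's script. The "#!" line must be the first
// bytes of the file; anything before it makes the file run as a shell script
// (the "?php: No such file or directory" error seen later in the thread).
// Field names come from the posted hook; recipient and layout are assumptions.

// Turn a decoded malware-detected event into report text, or return null
// when the payload is not usable. No I/O here, so it can be unit-tested.
function build_report(array $event, string $hostname): ?string
{
    if (($event['event'] ?? null) !== 'malware-detected') {
        return null;
    }
    $params = $event['params'] ?? [];
    $tmp = (string) ($params['tmp_filename'] ?? '');
    if ($tmp === '' || !is_readable($tmp)) {
        return null;
    }
    $entries = json_decode((string) file_get_contents($tmp), true);
    if (!is_array($entries) || $entries === []) {
        return null; // malformed or empty report: nothing worth mailing
    }
    $byUser = []; // group findings by owning account
    foreach ($entries as $e) {
        $byUser[(string) ($e['username'] ?? 'unknown')][] = $e;
    }
    $out = sprintf("%s  host=%s  subtype=%s  total=%s\n\n", date('Y-m-d H:i:s'),
        $hostname, $event['subtype'] ?? '?', $params['total_malicious'] ?? count($entries));
    foreach ($byUser as $user => $rows) {
        $out .= sprintf("User %s has %d infections\n", $user, count($rows));
        foreach ($rows as $r) {
            $out .= sprintf("  %s  %s  %s\n", $r['file'] ?? '?', $r['type'] ?? '?', $r['scan_type'] ?? '?');
        }
        $out .= "\n";
    }
    return $out;
}

$hostname = (string) gethostname();
$event = json_decode(trim((string) stream_get_contents(STDIN)), true);
$report = is_array($event) ? build_report($event, $hostname) : null;
if ($report === null) {
    fwrite(STDERR, "hook: payload is not a usable malware-detected event\n");
    exit(0); // hook.log records the exit status; 0 keeps a skipped event quiet
}
$total = $event['params']['total_malicious'] ?? '?';
$headers = "From: root@$hostname\r\nContent-Type: text/plain; charset=UTF-8";
mail('root', "Imunify on $hostname (infections: $total)", $report, $headers);
```

    To dry-run it without waiting for a detection, write a small JSON report to a temporary file and pipe a constructed event naming that file on stdin.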

  • #2
    Hello Nick,
    Thank you for following up! For our part, we can add that CloudLinux is not responsible for this script. Everyone can use it at their discretion. We recommend making a repo on github and uploading the code there.
    Thanks.



    • #3
      It is much better when the server admin gets a detailed email report of all infections when the daily scan runs, like maldet.



      • #4
        > It is much better when the server admin gets a detailed email report of all infections when the daily scan runs, like maldet.

        Hello Jawed, thanks for following up!
        We plan to release this feature in Q1 2020.
        If you have any other questions, feel free to ask here. Thank you for contacting us.



        • #5
          @Nick I know this is an old post, but I wanted to thank you for taking time to document this solution. It is currently impossible to find any good examples of a hook like this, and your example is exactly what I wanted... to notify root upon finding malware. It works PERFECTLY. Thank you again!!

          - Scott



          • #6
            The script didn't work for me; hook.log shows the error below. Any help will be much appreciated.

            root@srv1 [~]# cat /var/log/imunify360/hook.log
            1609894101 : 53fb7664-36fa-4187-9ee9-a47a76992836 : started : malware-detected : critical : /root/hooks/hooks.php
            1609894101 : 53fb7664-36fa-4187-9ee9-a47a76992836 : done : malware-detected : critical : /root/hooks/hooks.php : ERROR:2
            /root/hooks/hooks.php: line 4: ?php: No such file or directory
            /root/hooks/hooks.php: line 5: syntax error near unexpected token `(
            /root/hooks/hooks.php: line 5: `$hostname = gethostname();



            • #7
              Hi,
              Built-in notifications for detected malware are already there in Imunify360: https://docs.imunify360.com/features...lware-detected
