Imported Upstream version 1.5.1

.ca.def

@@ -177,12 +177,12 @@ scan_export_filelist="$scan_export_filelist"
 ##
 # The default quarantine action for malware hits
 # [0 = alert only, 1 = move to quarantine & alert]
-quarantine_hits="$quarantine_hits"
+quarantine_hits="1"
 
 # Try to clean string based malware injections
 # [NOTE: quarantine_hits=1 required]
 # [0 = disabled, 1 = clean]
-quarantine_clean="$quarantine_clean"
+quarantine_clean="1"
 
 # The default suspend action for users wih hits
 # Cpanel suspend or set shell /bin/false on non-Cpanel

CHANGELOG

@@ -1,12 +1,3 @@
-v1.5.1 | Sep 20 2015:
-[Fix] when clamdscan was running as a non-root user, would generate lstat errors for all file find results leading
-      to potential false positive hits/quarantines
-[Fix] the permissions of the $tmpdir path can cause clamd when running as a non-root user to fail on startup due
-      as a result of lstat errors on the custom user signature files stored under $tmpdir
-[Fix] clamd.conf configurations containing FollowDirectorySymlinks/FollowFileSymlinks set to false results in the
-      rfxn.* and lmd.user.* links causing clamd startup failures; corrected by updating clamav_linksigs() to copy
-      signatures into clamav data paths instead of linking them
-
 v1.5 | Sep 19 2015:
 [New] added -f|--file-list CLI option to allow user supplied run-time file list for scanning
 [New] added -i|--include-regex CLI option for run-time path/file inclusion based on posix-egrep regular expressions
@@ -131,6 +122,14 @@ v1.5 | Sep 19 2015:
 [Change] previously LMD only linked clamav signatures into clamav data paths on install, this is now done after each signature update
 [Change] maldet.sh init script exites code 1 on status check when maldet monitor mode is not found running
 [Change] monitor mode now invokes every 15 seconds, legacy installations will preserve 30 second cycle timing
+[Change] modified shebang to use env bash for portability
+[Fix] when clamdscan was running as a non-root user, would generate lstat errors for all file find results leading
+      to potential false positive hits/quarantines
+[Fix] the permissions of the $tmpdir path can cause clamd when running as a non-root user to fail on startup due
+      as a result of lstat errors on the custom user signature files stored under $tmpdir
+[Fix] clamd.conf configurations containing FollowDirectorySymlinks/FollowFileSymlinks set to false results in the
+      rfxn.* and lmd.user.* links causing clamd startup failures; corrected by updating clamav_linksigs() to copy
+      signatures into clamav data paths instead of linking them
 [Fix] inotify monitor execution now properly passes ionice configuration value
 [Fix] monitor_paths was not being preserved on version updates
 [Fix] record_hit() was not being invoked outside of clamscan based events
@@ -155,6 +154,7 @@ v1.5 | Sep 19 2015:
 [Fix] clean() function was improperly exiting after first file hit clean attempt and ignoring all other hits
 [Fix] set interpreter in uninstall.sh to /bin/bash instead of /bin/sh for better compatibility
 [Fix] modified psa scan paths to pull in top level and sub domain content
+[Fix] corrected invalid matching against clamdscan binary when clamd was not available
 
 v1.4.2 | Feb 25th 2013:
 [New] detection and alerting of libkeyutils root compromised libraries

CHANGELOG.RELEASE

@@ -1,12 +1,3 @@
-v1.5.1 | Sep 20 2015:
-[Fix] when clamdscan was running as a non-root user, would generate lstat errors for all file find results leading
-      to potential false positive hits/quarantines
-[Fix] the permissions of the $tmpdir path can cause clamd when running as a non-root user to fail on startup due
-      as a result of lstat errors on the custom user signature files stored under $tmpdir
-[Fix] clamd.conf configurations containing FollowDirectorySymlinks/FollowFileSymlinks set to false results in the
-      rfxn.* and lmd.user.* links causing clamd startup failures; corrected by updating clamav_linksigs() to copy
-      signatures into clamav data paths instead of linking them
-
 v1.5 | Sep 19 2015
 [New] added -f|--file-list CLI option to allow user supplied run-time file list for scanning
 [New] added -i|--include-regex CLI option for run-time path/file inclusion based on posix-egrep regular expressions
@@ -131,6 +122,14 @@ v1.5 | Sep 19 2015
 [Change] previously LMD only linked clamav signatures into clamav data paths on install, this is now done after each signature update
 [Change] maldet.sh init script exites code 1 on status check when maldet monitor mode is not found running
 [Change] monitor mode now invokes every 15 seconds, legacy installations will preserve 30 second cycle timing
+[Change] modified shebang to use env bash for portability
+[Fix] when clamdscan was running as a non-root user, would generate lstat errors for all file find results leading
+      to potential false positive hits/quarantines
+[Fix] the permissions of the $tmpdir path can cause clamd when running as a non-root user to fail on startup due
+      as a result of lstat errors on the custom user signature files stored under $tmpdir
+[Fix] clamd.conf configurations containing FollowDirectorySymlinks/FollowFileSymlinks set to false results in the
+      rfxn.* and lmd.user.* links causing clamd startup failures; corrected by updating clamav_linksigs() to copy
+      signatures into clamav data paths instead of linking them
 [Fix] monitor_paths was not being preserved on version updates
 [Fix] record_hit() was not being invoked outside of clamscan based events
 [Fix] monitor.pid file would potentially have an incorrect pid written to it on each execution of monitor_check()
@@ -155,3 +154,4 @@ v1.5 | Sep 19 2015
 [Fix] set interpreter in uninstall.sh to /bin/bash instead of /bin/sh for better compatibility
 [Fix] modified psa scan paths to pull in top level and sub domain content
 [Fix] inotify monitor execution now properly passes ionice configuration value
+[Fix] corrected invalid matching against clamdscan binary when clamd was not available

cron.daily

@@ -1,14 +1,30 @@
-#!/bin/bash
+#!/usr/bin/env bash
 export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
 export LMDCRON=1
-. /usr/local/maldetect/conf.maldet
-if [ -f "/usr/local/maldetect/conf.maldet.cron" ]; then
-	. /usr/local/maldetect/conf.maldet.cron
+install_path=/usr/local/maldetect
+
+cron_custom_exec=$inspath/cron/custom.cron
+cron_custom_conf=$inspath/cron/conf.maldet.cron
+
+if [ -f "$install_path/conf.maldet" ]; then
+	. $install_path/conf.maldet
+else
+	echo "could not find $install_path/conf.maldet, fatal error, bye."
+	exit 1
+fi
+
+if [ -f "$cron_custom_conf" ]; then
+	. $cron_custom_conf
 fi
+
+if [ -z "$scan_days" ]; then
+	scan_days=1
+fi
+
 find=`which find 2> /dev/null`
 if [ "$find" ]; then
 	# prune any quarantine/session/tmp data older than 7 days
-	tmpdirs="/usr/local/maldetect/tmp /usr/local/maldetect/sess /usr/local/maldetect/quarantine /usr/local/maldetect/pub"
+	tmpdirs="$install_path/tmp $install_path/sess $install_path/quarantine $install_path/pub"
 	for dir in $tmpdirs; do
 	 if [ -d "$dir" ]; then
 	  $find $dir -type f -mtime +7 -print0 | xargs -0 rm -f >> /dev/null 2>&1
@@ -23,38 +39,48 @@ fi
 
 if [ "$autoupdate_version" == "1" ]; then
 	# check for new release version
-	/usr/local/maldetect/maldet -d >> /dev/null 2>&1
+	$install_path/maldet -d >> /dev/null 2>&1
 fi
 
 if [ "$autoupdate_signatures" == "1" ]; then
 	# check for new definition set
-	/usr/local/maldetect/maldet -u >> /dev/null 2>&1
+	$install_path/maldet -u >> /dev/null 2>&1
 fi
 
 # if we're running inotify monitoring, send daily hit summary
 if [ "$(ps -A --user root -o "cmd" | grep maldetect | grep inotifywait)" ]; then
-        /usr/local/maldetect/maldet --monitor-report >> /dev/null 2>&1
+        $install_path/maldet --monitor-report >> /dev/null 2>&1
 else
 	if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
 		# ensim
-	        /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public_html/ 1 >> /dev/null 2>&1
+	        $install_path/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public_html/ $scan_days >> /dev/null 2>&1
 	elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
 		# psa
-		/usr/local/maldetect/maldet -b -r /var/www/vhosts/?/ 1 >> /dev/null 2>&1
+		$install_path/maldet -b -r /var/www/vhosts/?/ $scan_days >> /dev/null 2>&1
         elif [ -d "/usr/local/directadmin" ]; then
                 # DirectAdmin
-                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html/,/var/www/html/?/ 1 >> /dev/null 2>&1
+                $install_path/maldet -b -r /home?/?/domains/?/public_html/,/var/www/html/?/ $scan_days >> /dev/null 2>&1
 	elif [ -d "/var/www/clients" ]; then
 		# ISPConfig
-                /usr/local/maldetect/maldet -b -r /var/www/clients/?/web?/web 1 >> /dev/null 2>&1
+                $install_path/maldet -b -r /var/www/clients/?/web?/web,/var/www $scan_days >> /dev/null 2>&1
 	elif [ -d "/etc/webmin/virtual-server" ]; then
 		# Virtualmin
-                /usr/local/maldetect/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ 1 >> /dev/null 2>&1
+                $install_path/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ $scan_days >> /dev/null 2>&1
 	elif [ -d "/usr/local/ispmgr" ]; then
 		# ISPmanager
-		/usr/local/maldetect/maldet -b -r /var/www/?/data/,/home/?/data/ 1 >> /dev/null 2>&1
+		$install_path/maldet -b -r /var/www/?/data/,/home/?/data/ $scan_days >> /dev/null 2>&1
+	elif [ -d "/var/customers/webs" ]; then
+		# froxlor
+		$install_path/maldet -b -r /var/customers/webs/ $scan_days >> /dev/null 2>&1
+        elif [ -d "/usr/local/vesta" ]; then
+                # VestaCP
+                $install_path/maldet -b -r /home/?/web/?/public_html/,/home/?/web/?/public_shtml/,/home/?/tmp/,/home/?/web/?/private/ $scan_days >> /dev/null 2>&1
 	else
 		# cpanel, interworx and other standard home/user/public_html setups
-	        /usr/local/maldetect/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ 1 >> /dev/null 2>&1
+	        $install_path/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ $scan_days >> /dev/null 2>&1
 	fi
 fi
+
+if [ -f "$cron_custom_exec" ]; then
+	. $cron_custom_exec
+fi

files/VERSION.hash

@@ -1 +1 @@
-5fc16db8b9539a86706287c627a223a777fb21a5ca4c98bbf4ca91b90f5fa3e5
+536321f5b5d56f114b4e0bc11b07dd9860d09357e88900f9738b46326768206d

files/clean/base64.inject.unclassed

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # $1 file path, $2 signature name, $3 file owner, $4 file mode, $5 file size (b), $6 file md5sum
 if [ -f "$1" ]; then
 	sed -i -e 's/<?.*eval(base64_decode(.*?>//' -e 's/<?php.*eval(base64_decode(.*?>//' -e 's/eval(base64_decode([^;]*;//' "$1"

files/clean/gzbase64.inject.unclassed

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # $1 file path, $2 signature name, $3 file owner, $4 file mode, $5 file size (b), $6 file md5sum
 if [ -f "$1" ]; then
 	sed -i -e 's/<?.*eval(gzinflate(base64_decode(.*?>//' -e 's/<?php.*eval(gzinflate(base64_decode(.*?>//' -e 's/eval(gzinflate(base64_decode(.*);//' "$1"

files/clean/js.inject.VisitorTracker

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # $1 file path, $2 signature name, $3 file owner, $4 file mode, $5 file size (b), $6 file md5sum
 if [ -f "$1" ]; then
 	sed -i -e '/var visitortrackerin = setInterval(function(){/,/}\/\*visitorTracker\*\//d' -e '/\/\*visitorTracker\*\//d' "$1"

files/clean/php.brute.bf1lic

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # $1 file path, $2 signature name, $3 file owner, $4 file mode, $5 file size (b), $6 file md5sum
 if [ -f "$1" ]; then
 	sed -i -e 's/^<?php if(!isset($GLOBALS\[\"\\x.*; ?>//' "$1"

files/conf.maldet

@@ -1,5 +1,3 @@
-#!/bin/bash
-#
 ##
 # Linux Malware Detect v1.5
 #             (C) 2002-2015, R-fx Networks <proj@r-fx.org>
@@ -202,7 +200,7 @@ quarantine_suspend_user_minuid="500"
 # The default startup option for monitor mode, either 'users' or path to line
 # spaced file containing local paths to monitor. This option is used for the
 # init based startup script. This value is ignored when '/etc/sysconfig/maldet'
-# is present with a defined value for $MONITOR_MODE.
+# or '/etc/default/maldet' is present with a defined value for $MONITOR_MODE.
 # default_monitor_mode="users"
 # default_monitor_mode="/usr/local/maldetect/monitor_paths"
 

files/conf.maldet.cron

@@ -0,0 +1 @@
+cron/conf.maldet.cron

files/cron/conf.maldet.cron

@@ -0,0 +1,4 @@
+##
+# Place custom variables in this file for execution with the daily cronjob.
+# Any conf.maldet or internals/internals.conf variable can be redefined.
+##

files/cron/custom.cron

@@ -0,0 +1,3 @@
+##
+# Please use this file for preservation of custom LMD execution code for the daily cronjob.
+##

files/hookscan.sh

@@ -1,6 +1,6 @@
-#!/bin/bash
+#!/usr/bin/env bash
 file="$1"
-isclamd=`/sbin/pidof clamd 2> /dev/null`
+isclamd=`pidof clamd 2> /dev/null`
 clamdloc=`which clamdscan 2> /dev/null`
 if [ "$isclamd" ] && [ -f "$clamdloc" ]; then
 	clamd_scan=1

files/ignore_inotify

@@ -4,3 +4,4 @@
 ^/var/tmp/#sql_.*\.MYD$
 ^/tmp/#sql_.*\.MYD$
 ^/var/tmp/clamav-.*
+^/tmp/clamav-.*