Email alerts on new virus with Sophos

Sophos's Linux antivirus product is an interesting beast, but I'll reserve opinion. We offer a web interface where the end-user may review alerts, though some also want an email alert. This can be configured through savwebd, the web GUI shipped with the Sophos antivirus client, or on the command line:

[code lang="bash"]cd /opt/sophos-av/bin
./savconfig -v # review current configuration settings
./savconfig set Email alerts@example.com # recipient address (replace with yours)
./savconfig set EmailNotifier true
./savconfig set EmailDemandSummaryIfThreat true
./savconfig set EmailServer localhost
./savconfig set SendThreatEmail true
./savconfig set ThreatMessage "A virus has been detected and blocked. Please contact your support team for more information."[/code]

Better way to scan for – and clean up – virus activity

**NOTE** The following only works with FTP daemons that log full paths in xferlog, i.e. not vsftpd with its default configuration. It works like a charm on Plesk and fails terribly on non-Plesk systems. For non-Plesk, please scroll to the bottom of this post.

I made an earlier post about this subject, but the script provided there has too many holes. Instead, I've found that this simple awk recipe does the trick quite well.

[code lang="bash"]awk '$12 != prev {print $9; prev=$12}' xferlog | grep -E "\.php|\.htm|\.shtm|\.js" | sort | uniq > ftp_modified.out[/code]

Note that the output it prints is not definitive, but it certainly gives you something to start with. Now, roll a grep:

[code lang="bash"]while read -r line; do grep -H iframe "$line" >> iframe.out; done < ftp_modified.out[/code]

**You will need to review this output to find the actual string and distinguish between legitimate iframes and the baddies.** The following sed will usually take care of about 80% of them:

[code lang="bash"]cat iframe.out | awk -F: '{print $1}' | while read line ; do sed -i 's/
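The xferlog filter and the iframe grep from the steps above, reworked as an added example that is not from the original post. It goes a little beyond the one-liner by selecting on the xferlog direction field ($12, "i" for uploads) rather than on a change of direction, assumes full paths in the log as Plesk writes them, and runs against a constructed sample log and files in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the post): list files uploaded through FTP according
# to the standard xferlog field layout, then grep them for iframes.
# xferlog fields: $1-$5 timestamp, $6 transfer time, $7 remote host, $8 size,
# $9 path (assumed absolute, as Plesk logs it), $10 type, $11 special action,
# $12 direction ("i" = upload to the server, "o" = download), ...

# Print the deduplicated set of uploaded web files recorded in the xferlog $1.
uploaded_web_files() {
    awk '$12 == "i" { print $9 }' "$1" \
        | grep -E '\.(php|html?|shtml?|js)$' \
        | sort -u
}

# For each path on stdin, print "path:line:text" for every line holding an
# <iframe> tag (case-insensitive); the reviewer still decides which are hostile.
find_iframes() {
    while IFS= read -r f; do
        if [ -f "$f" ]; then
            grep -Hn -i '<iframe' "$f" || true
        fi
    done
}

# Constructed sample data: a temp dir with a fake xferlog and the files it names.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/www"
    printf '<html><body>hello</body></html>\n' > "$dir/www/index.html"
    printf '<?php echo "ok"; ?>\n<iframe src="http://bad.invalid/x" width=0 height=0></iframe>\n' \
        > "$dir/www/inject.php"
    printf 'var x = 1;\n' > "$dir/www/app.js"
    cat > "$dir/xferlog" <<EOF
Wed Jan  1 10:00:01 2020 1 203.0.113.5 120 $dir/www/index.html a _ i r user ftp 0 * c
Wed Jan  1 10:00:05 2020 1 203.0.113.5 80 $dir/www/inject.php a _ i r user ftp 0 * c
Wed Jan  1 10:01:00 2020 1 203.0.113.5 80 $dir/www/inject.php a _ i r user ftp 0 * c
Wed Jan  1 10:02:00 2020 1 198.51.100.9 4096 $dir/www/app.js b _ o r user ftp 0 * c
Wed Jan  1 10:03:00 2020 1 198.51.100.9 512 $dir/www/logo.png b _ i r user ftp 0 * c
EOF
    echo "$dir"
}

# Demo run: only inject.php is both uploaded and carries an iframe.
sample=$(make_sample)
uploaded_web_files "$sample/xferlog" | find_iframes
```

Downloads (direction "o") and non-web uploads such as the PNG are dropped before the grep, and the duplicate upload of inject.php collapses to one entry.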