Tag Archive: sendmail


Clam-Scan Revisited

We have already discussed how to make clam-scan rock solid and how to implement it.

Ref: http://ustechnica.com/2013/06/19/clam-scan-from-an-eye-of-an-ethical-hacker/

Recently, a customer came to us with intermittent downtime of their websites, and a clam-scan execution had just completed (we have 4 scans running on a daily, weekly and monthly basis).

We assumed that it was clam-scan, but the client doesn't work on assumptions, so we implemented a reporting script that not only records the load and memory consumption on the server but also checks the status of the websites on that server during the execution of clam-scan.

Short description of what the script does:

  1. Mark the START time of the scan
  2. The child script is launched from the main script
  3. The child script keeps running as long as it finds the pid of the main script, which it checks after every loop
  4. The child script keeps checking the HTTP status codes and storing the RAW data
  5. Once the main script finishes execution, it marks the END time of the scan
  6. For the interval between START and END, it fetches CPU usage and memory usage from the SAR logs
  7. After that, the reporting script prepares the report from the RAW data generated during execution of the child script
  8. In the end you get something like the below:

[screenshot: clam1, sample report]

[screenshot: clam2, sample report]

In case your domain goes down, then:

[screenshot: clam3, report with downtime]
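The child-script pattern from the steps above, as an added example that is not part of the original post: the main script hands its own PID to the watcher (instead of the watcher searching for the script name with pgrep), each probe is bounded so a hung site cannot stall the loop, and the raw lines are tallied into the HTTP-code:count form the report step consumes. Function names, the raw-file format and the probe stub are assumptions made here.

```shell
#!/bin/sh
# Added example (not the post's own code): watch a running scan and record
# failing HTTP probes while it runs. Assumptions: the probe is passed as a
# function name so curl can be swapped for an offline stub, and the raw
# file holds one "domain code" pair per line.

# watch_while_running PID INTERVAL PROBE RAWFILE
# Runs PROBE once every INTERVAL seconds for as long as process PID exists.
# kill -0 only checks for the process; it sends no signal.
watch_while_running() {
    pid=$1; interval=$2; probe=$3; rawfile=$4
    while kill -0 "$pid" 2>/dev/null; do
        "$probe" >> "$rawfile"
        # pause between rounds so the checker itself adds no load to the
        # server whose load is being measured
        sleep "$interval"
    done
}

# probe_with_curl DOMAIN...: the real probe, printing "domain code" per domain.
# -m bounds each request; a site that never answers yields code 000.
probe_with_curl() {
    for d in "$@"; do
        code=$(curl -s -m 10 -o /dev/null -w '%{http_code}' "http://$d/")
        printf '%s %s\n' "$d" "$code"
    done
}

# tally_failures RAWFILE: count every non-200 answer per domain and code and
# print "domain HTTP-code:count" lines, sorted.
tally_failures() {
    awk '$2 != 200 { n[$1 " HTTP-" $2]++ }
         END { for (k in n) print k ":" n[k] }' "$1" | sort
}
```

In the main script the call would be `watch_while_running $$ 60 probe_with_curl "$DIR/raw.txt" &` before the scans start, with `tally_failures` run after the END time is recorded.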

To achieve this:

Prerequisites:

1. The SAR command, installed and configured to record data every 3 minutes.

root@MJ [~]# cat /etc/cron.d/sysstat
# run system activity accounting tool every 3 minutes
*/3 * * * * root /usr/lib/sa/sa1 1 1
# generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib/sa/sa2 -A

root@MJ [~]#

2. Folder structure

cd /root/clam-scan-project

mkdir http-status-code/

Under http-status-code, create two scripts:

create-report.sh

status.sh

Actual Script:

##Main.sh (/etc/cron.monthly/add-signatures.sh)

#!/bin/bash
# Main script: refresh the custom signature DB from the malware domain list,
# scan /home with the default and the custom DB, record load and HTTP status
# during the scan, and mail everything as one HTML report.
PROJECT=/root/clam-scan-project
file=$PROJECT/current.txt
if [ -f "$file" ]
then
    # A previous host list exists: download the current list and add
    # signatures only for the hosts that are new since the last run
    wget -O $PROJECT/hosts.txt http://www.malwaredomainlist.com/hostslist/hosts.txt
    col -b < $PROJECT/hosts.txt > $PROJECT/host.txt
    diff -I '^#' $PROJECT/current.txt $PROJECT/host.txt | grep '^>' | grep -v localhost | awk '{ print $3 }' >> $PROJECT/add-domains.txt
    if [ -s $PROJECT/add-domains.txt ]
    then
        for i in $(cat $PROJECT/add-domains.txt)
        do
            # hex-encode the hostname; sed drops the trailing "0a" (the newline from echo)
            x=$(echo $i | sigtool --hex-dump | sed 's/\(.*\)../\1/')
            echo "$i:0:*:$x" >> $PROJECT/signatures.ndb
        done
    fi
else
    # First run: build a signature for every host in the list
    wget -O $PROJECT/hosts.txt http://www.malwaredomainlist.com/hostslist/hosts.txt
    col -b < $PROJECT/hosts.txt > $PROJECT/host.txt
    for i in $(grep -v '^#' $PROJECT/host.txt | awk '{ print $2 }' | grep -v localhost)
    do
        x=$(echo $i | sigtool --hex-dump | sed 's/\(.*\)../\1/')
        echo "$i:0:*:$x" >> $PROJECT/signatures.ndb
    done
fi

DIR=$PROJECT/http-status-code
rm -rf $DIR/*.txt
RESULT1=$DIR/HTTP_CODES.log
START=$(date +%H:%M)
OUTPUT=$PROJECT/default-db-summary.log
CUSTOM=$PROJECT/custom-db-summary.log
RESULT=$PROJECT/clam-scan-result.log
OS=$(uname -mrs)
PROCESSOR=$(grep -ci processor /proc/cpuinfo)
VENDOR=$(grep vendor_id /proc/cpuinfo | uniq | cut -d ':' -f2)
MODEL=$(grep -i 'model name' /proc/cpuinfo | uniq | cut -d ':' -f2)
RAM=$(grep 'MemTotal:' /proc/meminfo | awk '{ print $2 }')
TOTALRAM=$(echo "scale=2;$RAM/1024" | bc)
DOMAINS=$(wc -l < /etc/trueuserdomains)

# Server information table. Static HTML goes in single quotes so the
# attribute quotes survive; lines that expand variables use double quotes.
{
echo '<center>'
echo '<TABLE BORDER="5" WIDTH="50%" CELLPADDING="4" CELLSPACING="3" bgcolor="#FAEBD7">'
echo '<TR><TH COLSPAN="2"><BR><H3>Server Information</H3></TH></TR>'
echo "<TR ALIGN=\"CENTER\"><TD>OS</TD><TD>$OS</TD></TR>"
echo "<TR ALIGN=\"CENTER\"><TD>Vendor ID</TD><TD>$VENDOR</TD></TR>"
echo "<TR ALIGN=\"CENTER\"><TD>Processor</TD><TD>$PROCESSOR</TD></TR>"
echo "<TR ALIGN=\"CENTER\"><TD>Model Name</TD><TD><PRE>$MODEL</PRE></TD></TR>"
echo "<TR ALIGN=\"CENTER\"><TD>RAM</TD><TD><PRE>$TOTALRAM MB</PRE></TD></TR>"
echo "<TR ALIGN=\"CENTER\"><TD>Domains Hosted</TD><TD><PRE>$DOMAINS</PRE></TD></TR>"
echo '</TABLE>'
echo '<br>'
echo '<table>'
echo '<caption>Storage</caption>'
echo "<tr><td><PRE><b>$(df -h | column -t)</b></PRE></td></tr>"
echo '</table>'
echo '<br>'
echo '</center>'
echo "<center><b>Clam-Scan Started at: $START</b></center>"
} >> $OUTPUT

# Start the HTTP status checker; it polls the hosted domains while this script runs
/bin/sh $DIR/status.sh &
bPid="$bPid $!"

{
#echo '<center><h1><i>Clam-Scan</i></h1></center>'
echo '<br>'
echo '<b><i>Clam-Scan Result using Default DB</i></b>'
echo '<br>'
echo '<br>'
echo '<i>Updating Clam AV database</i>'
echo '<br>'
echo '<pre>'
freshclam --no-warnings
echo '</pre>'
echo '<br>'
echo '<br>'
echo '<font color="red">'
echo '<pre>'
} >> $OUTPUT
clamscan --exclude-dir=mail --exclude-dir=virtfs -ir /home/* --log $OUTPUT
{
echo '</pre>'
echo '</font>'
echo '<br>'
} >> $OUTPUT
# Move the "SCAN SUMMARY ... Time:" block of clamscan's output into its own bold section
sed -n '/SCAN SUMMARY/,/Time:/p' $OUTPUT > $PROJECT/summary.log
sed -i '/SCAN SUMMARY/,/Time:/d' $OUTPUT
{
echo '<b>'
echo '<pre>'
cat $PROJECT/summary.log
echo '</pre>'
echo '</b>'
echo '<br>'
echo '<HR ALIGN="LEFT" SIZE="3" WIDTH="70%" NOSHADE>'
} >> $OUTPUT

{
echo '<br>'
echo '<b><i>Clam-Scan Result using Custom DB</i></b>'
echo '<br>'
echo '<font color="red">'
echo '<pre>'
} >> $CUSTOM
clamscan -d $PROJECT/signatures.ndb --exclude-dir=tmp --exclude-dir=log --exclude-dir=mail --exclude-dir=virtfs -ir /home/* --log $CUSTOM
{
echo '</pre>'
echo '</font>'
echo '<br>'
} >> $CUSTOM
sed -n '/SCAN SUMMARY/,/Time:/p' $CUSTOM > $PROJECT/summary.log
sed -i '/SCAN SUMMARY/,/Time:/d' $CUSTOM
{
echo '<b>'
echo '<pre>'
cat $PROJECT/summary.log
echo '</pre>'
echo '</b>'
} >> $CUSTOM
cat $OUTPUT $CUSTOM >> $RESULT
rm -f $PROJECT/current.txt
#mv $PROJECT/host.txt $PROJECT/current.txt
#rm -f $PROJECT/hosts.txt
# give sar time to record another sample (it runs every 3 minutes) before the window closes
sleep 500
END=$(date +%H:%M)
{
echo "<center><b>Clam-Scan Ended: $END</b></center>"
echo '<br>'
echo '<b>CPU Load Average during scan</b>'
echo '<br>'
echo "<b><center><PRE>$(/usr/bin/sar -u -q -s $START:00 -e $END:00)</PRE></center></b>"
echo '<br>'
echo '<b>Memory Usage during scan</b>'
echo '<br>'
echo "<b><center><PRE>$(/usr/bin/sar -r -s $START:00 -e $END:00)</PRE></center></b>"
echo '<br>'
} >> $RESULT

# Last line of sar -r is the "Average:" row; the columns used here are
# kbmemfree kbmemused kbbuffers kbcached kbswpfree (sysstat 7 layout, where
# kbswpfree is still part of sar -r; newer sysstat moves swap to sar -S)
array=( $(sar -r -s $START:00 -e $END:00 | tail -1 | awk '{ print $2,$3,$5,$6,$7 }') )
kbmemfree=$(echo "scale=2;${array[0]}/1024" | bc)
kbmemused=$(echo "scale=2;${array[1]}/1024" | bc)
kbbuffers=$(echo "scale=2;${array[2]}/1024" | bc)
kbcached=$(echo "scale=2;${array[3]}/1024" | bc)
kbswpfree=$(echo "scale=2;${array[4]}/1024" | bc)
{
echo "<b><center><PRE>Memory Free: $kbmemfree MB</PRE></center></b>"
echo "<b><center><PRE>Memory Used: $kbmemused MB</PRE></center></b>"
echo "<b><center><PRE>Cached: $kbcached MB</PRE></center></b>"
echo "<b><center><PRE>Free Swap: $kbswpfree MB</PRE></center></b>"
echo '<br>'
} >> $RESULT
/bin/sh $DIR/create-report.sh

# HTTP_CODES.log only exists when create-report.sh found a domain with an error code
if [ -f "$RESULT1" ]
then
    {
    echo '<b>HTTP Status Code during scan</b>'
    echo '<br>'
    echo '<br>'
    cat $DIR/TABLE_STRUCTURE.log
    } >> $RESULT
else
    {
    echo '<br>'
    echo '<b>HTTP Status Code Check for below HTTP Codes:</b>'
    echo '<ul>'
    echo '<li>HTTP 500: Internal Server Error</li>'
    echo '<li>HTTP 503: Service Unavailable</li>'
    echo '<li>HTTP 502: Bad Gateway</li>'
    echo '<li>HTTP 408: Request Timeout</li>'
    echo '<li>HTTP 407: Proxy Authentication Required</li>'
    echo '</ul>'
    echo "<center><FONT COLOR=\"GREEN\">No downtime for domains on $HOSTNAME during scan</FONT></center>"
    } >> $RESULT
fi
(echo -e "From: clam-scan@exa.com.au \nTo: abc@gmail.com \nMIME-Version: 1.0 \nSubject: Clam-Scan on $HOSTNAME \nContent-Type: text/html \n"; cat $RESULT) | sendmail -t
rm -f $OUTPUT $CUSTOM $RESULT $PROJECT/summary.log
#mv -f $PROJECT/add-domains.txt /root/
rm -rf $DIR/*.log
rm -rf $DIR/*.txt

##Main.sh ENDs##

##Child Script, status.sh

#!/bin/sh
# Child script (status.sh): runs for as long as add-signatures.sh is alive,
# probing every hosted domain and recording each non-200 status it sees.
DIR=/root/clam-scan-project/http-status-code/
FILE=url.txt
# pgrep exits 0 while the main script is running and 1 once it has gone
pgrep -f add-signatures.sh > /dev/null
OUT=$?

while [ "$OUT" -eq 0 ]
do
    for URLs in $(cut -d ':' -f1 /etc/trueuserdomains)
    do
        # -m bounds each probe so one hung site cannot stall the whole round;
        # a site that never answers gives code 000, which also counts as a failure
        HTTP_CODE=$(curl -s -m 30 -o /dev/null -w '%{http_code}' "$URLs")

        if [ "$HTTP_CODE" -ne 200 ]
        then
            echo "www.$URLs" >> $DIR$FILE
            if [ -f "$DIR$URLs.txt" ]
            then
                FOUND=$(grep "HTTP-$HTTP_CODE" $DIR$URLs.txt)
                if [ -z "$FOUND" ]
                then
                    echo "HTTP-$HTTP_CODE:0" >> $DIR$URLs.txt
                else
                    # bump the counter kept for this code in the per-domain file
                    COUNT=$(grep "HTTP-$HTTP_CODE" $DIR$URLs.txt | cut -d ':' -f2)
                    NEWCOUNT=$(expr $COUNT + 1)
                    sed -i "s/HTTP-$HTTP_CODE.*/HTTP-$HTTP_CODE:$NEWCOUNT/g" $DIR$URLs.txt
                fi
            else
                echo "$URLs" >> $DIR$URLs.txt
                echo "HTTP-$HTTP_CODE:0" >> $DIR$URLs.txt
            fi
        fi
    done

    # pause between rounds so the checker itself does not add load to the
    # server whose load is being measured
    sleep 30
    pgrep -f add-signatures.sh > /dev/null
    OUT=$?
done

##Ends##

##Create Report##

#!/bin/sh
# Report script (create-report.sh): turns the raw per-domain files written by
# status.sh into an HTML table of the domains that returned an error code.
DIR=/root/clam-scan-project/http-status-code/
FILE=url.txt
RESULT=/root/clam-scan-project/http-status-code/TABLE_STRUCTURE.log
RESULT1=/root/clam-scan-project/http-status-code/HTTP_CODES.log
{
echo '<center>'
echo '<TABLE BORDER=4 ALIGN=center CELLPADDING=10 CELLSPACING=2>'
echo '<TR>'
echo '<TH WIDTH="5%">Domain Name</TH>'
echo '<TH WIDTH="5%">HTTP Status Code</TH>'
echo '<TH WIDTH="5%">Headers</TH>'
echo '</TR>'
} >> $RESULT

# url.txt holds "www.domain" once per failed probe: strip the "www." prefix
# and de-duplicate so each domain gets one row
for DOMAINS in $(sed 's/^[^\.]\+\.//' $DIR$FILE 2>/dev/null | sort -u)
do
    HTTP_STATUS_CODE=$(grep '^HTTP-' $DIR$DOMAINS.txt | sed '/^$/d')
    SHORT_CODE=$(echo $HTTP_STATUS_CODE | awk -F'[-:]' '{ print $2 }')

    if [ "$SHORT_CODE" = 503 ] || [ "$SHORT_CODE" = 502 ] || [ "$SHORT_CODE" = 408 ] || [ "$SHORT_CODE" = 500 ] || [ "$SHORT_CODE" = 407 ]
    then
        HEADERS=$(curl -sI "www.$DOMAINS")
        {
        echo '<TR>'
        echo "<TD ALIGN=\"center\"><PRE>$DOMAINS</PRE></TD>"
        echo "<TD ALIGN=\"center\"><PRE>$HTTP_STATUS_CODE</PRE></TD>"
        echo "<TD ALIGN=\"center\"><PRE>$HEADERS</PRE></TD>"
        echo '</TR>'
        } >> $RESULT1
    fi
done

if [ -f "$RESULT1" ]
then
    col -b < $RESULT1 >> $RESULT
fi

echo '</TABLE>' >> $RESULT
echo '</center>' >> $RESULT

##Ends##

Cheers!!!

Incremental Backup using Innobackup

This is not new; there are many scripts available on Google, but they lack many things when taking incremental backups using Innobackup. At least I couldn't find one. :)

If you have one, then yes, I have reinvented the wheel 😉

What's missing?

  1. They do not apply logs
  2. No LSN checks
  3. Not enough conditions are checked

Please go through these links to read about incremental backups using Innobackup; I won't go into much detail.

http://www.percona.com/doc/percona-xtrabackup/2.1/innobackupex/incremental_backups_innobackupex.html

http://www.percona.com/doc/percona-xtrabackup/2.1/howtos/recipes_ibkx_inc.html

http://www.percona.com/doc/percona-xtrabackup/2.1/xtrabackup_bin/incremental_backups.html?id=percona-xtrabackup:xtrabackup:incremental

Script from Percona: https://gist.github.com/jmfederico/1495347

The reason I wrote this script is that nobody wants to untar the backup, apply logs and then restore during a disaster.

What does my script do?

I have divided it into the following modules:

1. Prerequisite
  • Check the directory structure and create it if it doesn't exist.
  • Check whether MySQL is running; if not, exit.
2. Full Backup
  • Check whether a full backup has been done; if not, create one
  • Check the result; if it failed, exit
  • Apply logs
  • Check the result; if it failed, exit
  • Output the xtrabackup checkpoints
3. Incremental Backup
  • Check whether Incremental 1 or Incremental 2 is to be backed up
  • Proceed accordingly
  • Check the result; if it failed, exit
4. LSN checks
  • Before applying logs, check the LSN checkpoints against the previous backup
  • If they don't match, email the checkpoints
  • If they match, apply logs
5. Apply logs
  • Applying logs proceeds once the backup has been created successfully and the LSN numbers match
  • If applying logs fails, exit
6. Creating tar
  • After all the checks and applying logs, the full backup is ready
  • Create a tar file
  • Remove the folders
7. Delete old backups (AGE = 6: 6 days of backups will be retained)
8. LSN summary report

Note: both scripts should reside under /root/
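The LSN check from modules 4 and 8, as an added example that is not the post's own script: it walks a chain of backup directories in order (full first, then each incremental) and refuses the chain at the first incremental whose from_lsn does not equal the previous backup's to_lsn, which is the condition that must hold before --apply-log. It generalises the post's fixed Incr1/Incr2 pair to a chain of any length. The directory layout and helper names are assumptions; the xtrabackup_checkpoints format ("key = value" lines) is the one innobackupex writes.

```shell
#!/bin/sh
# Added example (not the post's code): verify the LSN chain of a full backup
# and its incrementals before any logs are applied. Assumes each directory
# holds the xtrabackup_checkpoints file innobackupex writes.

# checkpoint_value DIR KEY: print the value of KEY from DIR/xtrabackup_checkpoints
checkpoint_value() {
    awk -v k="$2" '$1 == k { print $3 }' "$1/xtrabackup_checkpoints"
}

# check_lsn_chain DIR...: return 0 when every incremental's from_lsn equals the
# previous backup's to_lsn; on the first gap print the gap and return 1.
# Without this check an incremental taken against the wrong base would be
# applied on top of the full backup and the restore would be inconsistent.
check_lsn_chain() {
    prev_dir=""
    for dir in "$@"; do
        if [ -n "$prev_dir" ]; then
            prev_to=$(checkpoint_value "$prev_dir" to_lsn)
            this_from=$(checkpoint_value "$dir" from_lsn)
            if [ -z "$prev_to" ] || [ -z "$this_from" ]; then
                echo "missing LSN in $prev_dir or $dir"
                return 1
            fi
            if [ "$prev_to" -ne "$this_from" ]; then
                echo "LSN gap: $prev_dir to_lsn=$prev_to but $dir from_lsn=$this_from"
                return 1
            fi
        fi
        prev_dir=$dir
    done
    return 0
}

# lsn_summary DIR...: one "type from to last" line per backup, the data the
# post's lsn.sh renders as an HTML table
lsn_summary() {
    for dir in "$@"; do
        printf '%s %s %s %s\n' \
            "$(checkpoint_value "$dir" backup_type)" \
            "$(checkpoint_value "$dir" from_lsn)" \
            "$(checkpoint_value "$dir" to_lsn)" \
            "$(checkpoint_value "$dir" last_lsn)"
    done
}
```

In the main script the call would be `check_lsn_chain /Backup/Full/<latest> /Backup/Incremental/Incr1 /Backup/Incremental/Incr2 || exit 1` immediately before the --apply-log step.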

Main Script:

#!/bin/sh
# Main script: full backup on the first run, Incr1 and Incr2 on the next two,
# LSN check before every --apply-log, tar of the prepared backup once all
# three are done, and an HTML report by mail at every exit.
rm -f /tmp/innobackupex-runner*
rm -f /root/lsn.log /root/inno.log
TMPFILE="/tmp/innobackupex-runner.$$.tmp"
BASEBACKDIR=/Backup/Full
INCRBACKDIR=/Backup/Incremental
START=$(date +%s)
INNOBACKUPEX=/usr/bin/innobackupex
AGE=6
FILE=/Backup/verdict.txt
LOG=/root/inno.log

# send_report: mail the HTML log collected so far
send_report() {
    (echo -e "From: Innobackup-Backup@exateam.com \nTo: abc@gmail.com \nMIME-Version: 1.0 \nSubject: Xtradb backup check report for CRM DB on $HOSTNAME \nContent-Type: text/html \n"; cat $LOG) | /usr/sbin/sendmail -t
}

# backup_ok: innobackupex prints "completed OK!" as its last line on success
backup_ok() {
    tail -1 $TMPFILE | grep -q 'completed OK!'
}

# abort HEADING: log the heading and innobackupex's output, mail the report and exit
abort() {
    echo "<h3>$1</h3>" >> $LOG
    echo "<br>" >> $LOG
    echo "<PRE>---------- ERROR OUTPUT from $INNOBACKUPEX ----------</PRE>" >> $LOG
    [ -f $TMPFILE ] && echo "<PRE>$(cat $TMPFILE)</PRE>" >> $LOG
    send_report
    rm -f $LOG $TMPFILE
    exit 1
}

# lsn DIR KEY: read one value (from_lsn, to_lsn, ...) from DIR/xtrabackup_checkpoints
lsn() {
    awk -v k="$2" '$1 == k { print $3 }' $1/xtrabackup_checkpoints
}

##Check base dir exists and create if it doesn't

if [ ! -d "$BASEBACKDIR" ]
then
    echo "<h3>$BASEBACKDIR doesn't exist, creating it</h3>" >> $LOG
    mkdir -p $BASEBACKDIR
fi

##Check incremental dir exists and create if it doesn't

if [ ! -d "$INCRBACKDIR" ]
then
    echo "<h3>$INCRBACKDIR doesn't exist, creating it</h3>" >> $LOG
    mkdir -p $INCRBACKDIR
fi

if [ ! -f $FILE ]
then
    touch $FILE
fi

##Check if MySQL is running

if [ -z "$(mysqladmin status | grep 'Uptime')" ]
then
    echo "<h3>HALTED: MySQL does not appear to be running.</h3><br>" >> $LOG
    send_report
    rm -f $LOG
    exit 1
fi

##Find the latest backup directory; if there is none, create a NEW FULL BACKUP

LATEST=$(find $BASEBACKDIR -mindepth 1 -maxdepth 1 -type d -printf "%P\n" | sort -nr | head -1)

if [ -z "$LATEST" ]
then
    echo "<h3>Creating New Full Backup</h3>" >> $LOG
    $INNOBACKUPEX $BASEBACKDIR > $TMPFILE 2>&1

    if ! backup_ok ; then
        abort "$INNOBACKUPEX failed:"
    fi

    # innobackupex reports the directory as: Backup created in directory '/Backup/Full/...'
    THISBACKUP=$(sed -n "s/.*Backup created in directory '\([^']*\)'.*/\1/p" $TMPFILE)
    rm -f $TMPFILE
    {
    echo "Databases backed up successfully to: $THISBACKUP"
    echo "<br>"
    echo "Xtrabackup Checkpoints"
    echo "<br>"
    echo "<PRE>$(cat $THISBACKUP/xtrabackup_checkpoints)</PRE>"
    echo "<br>"
    echo "Now applying logs to the backed-up databases"
    } >> $LOG
    # --redo-only leaves the full backup ready to accept incrementals
    $INNOBACKUPEX --apply-log --redo-only $THISBACKUP > $TMPFILE 2>&1

    if ! backup_ok ; then
        echo "<b>Applied Logs Failed</b><br>" >> $LOG
        echo "1" >> $FILE
        abort "$INNOBACKUPEX failed:"
    fi

    echo "Logs applied to backed-up databases successfully" >> $LOG
    send_report
    echo "Full Backup: Done" >> $FILE
    rm -f $LOG $TMPFILE
    # the full backup is this run's whole job; incrementals follow on later runs
    exit 0
fi

##Incremental Backups

LATESTINCR=$(find $INCRBACKDIR -mindepth 1 -maxdepth 1 -type d | sort -nr | head -1)

if [ -z "$LATESTINCR" ]
then
    echo "<h3>First Incremental Backup</h3>" >> $LOG
    BCKTYPE=INCR1
    INCRBASEDIR=$BASEBACKDIR/$LATEST
    INCRDIR=$INCRBACKDIR/Incr1
    # keep the full backup in redo-only state until the last incremental
    OPTIONS="--apply-log --redo-only"
else
    echo "<h3>Second Incremental Backup</h3>" >> $LOG
    BCKTYPE=INCR2
    INCRBASEDIR=$LATESTINCR
    INCRDIR=$INCRBACKDIR/Incr2
    # last incremental: apply without --redo-only so the backup becomes restorable
    OPTIONS="--apply-log"
fi

$INNOBACKUPEX --no-timestamp --incremental $INCRDIR --incremental-basedir=$INCRBASEDIR > $TMPFILE 2>&1

if ! backup_ok ; then
    abort "$INNOBACKUPEX failed:"
fi

THISBACKUP=$(sed -n "s/.*Backup created in directory '\([^']*\)'.*/\1/p" $TMPFILE)
rm -f $TMPFILE
{
echo "Databases backed up successfully to: $THISBACKUP"
echo "<br>"
echo "Xtrabackup Checkpoints Summary"
echo "<br>"
echo "<PRE>$(cat $INCRDIR/xtrabackup_checkpoints)</PRE>"
echo "<br>"
} >> $LOG

##LSN checks before applying logs

fullpath=$(find $BASEBACKDIR -mindepth 1 -maxdepth 1 -type d | sort -nr | head -1)
echo "<b>Log Sequence Number Checking:</b>" >> $LOG
echo "<br>" >> $LOG

# The new incremental must start exactly where the previous backup ended:
# full to_lsn == Incr1 from_lsn, or Incr1 to_lsn == Incr2 from_lsn
if [ "$BCKTYPE" = INCR1 ]
then
    PREV=$fullpath
    LABEL1="Full Backup"
    LABEL2="Incremental Backup 1"
else
    PREV=$LATESTINCR
    LABEL1="Incremental Backup 1"
    LABEL2="Incremental Backup 2"
fi
prev_to_lsn=$(lsn $PREV to_lsn)
this_from_lsn=$(lsn $THISBACKUP from_lsn)

if [ "$prev_to_lsn" -ne "$this_from_lsn" ]
then
    {
    echo "Can't Apply Logs, LSN not matching with $LABEL2"
    echo "<br>"
    echo "<b>Xtrabackup Checkpoints for $LABEL1</b>"
    echo "<br>"
    echo "<PRE>$(cat $PREV/xtrabackup_checkpoints)</PRE>"
    echo "<br>"
    echo "<b>Xtrabackup Checkpoints for $LABEL2</b>"
    echo "<br>"
    echo "<PRE>$(cat $INCRDIR/xtrabackup_checkpoints)</PRE>"
    } >> $LOG
    send_report
    rm -f $LOG $TMPFILE
    exit 1
fi

echo "Log Sequence Number matches with previous backup" >> $LOG
echo "<br>" >> $LOG
echo "Now applying logs to the backed-up databases of $INCRDIR" >> $LOG
echo "<br>" >> $LOG
$INNOBACKUPEX $OPTIONS $BASEBACKDIR/$LATEST --incremental-dir=$INCRDIR > $TMPFILE 2>&1

if ! backup_ok ; then
    echo "1" >> $FILE
    abort "$INNOBACKUPEX failed:"
fi

echo "Logs applied to backed-up databases successfully" >> $LOG
echo "$BCKTYPE: Done" >> $FILE

##Creating TAR

# verdict.txt holds one "Done" line per completed stage: full, Incr1, Incr2
COUNT=$(grep -ic 'done' $FILE)

if [ "$COUNT" = 3 ]
then
    LATEST=$(find $BASEBACKDIR -mindepth 1 -maxdepth 1 -type d | sort -nr | head -1)
    echo "<br>" >> $LOG
    echo "Compressing Full backup files" >> $LOG
    tar -czvf /Backup/backup_Mysql_CRMDB_$(date +%d-%m-%Y-%H).tar.gz $LATEST
    echo "<br>" >> $LOG
    echo "completed: $(date)" >> $LOG
    echo "<br>" >> $LOG
    echo "<h4><i>Checkpoints Summary</i></h4>" >> $LOG
    sh /root/lsn.sh
    cat /root/lsn.log >> $LOG
    rm -rf $BASEBACKDIR/* $INCRBACKDIR/* $FILE
fi

##Clean-up

echo "<br>" >> $LOG
echo "Cleaning up old backups (older than $AGE days) and temporary files" >> $LOG
rm -rf $TMPFILE
# only the tarballs are subject to ageing; -mindepth 1 keeps /Backup itself
# and the Full/Incremental directories out of the deletion
cd /tmp ; find /Backup -mindepth 1 -maxdepth 1 -name '*.tar.gz' -ctime +$AGE -exec echo "removing: "{} \; -exec rm -rf {} \;
send_report
rm -f $LOG

##Main Script Ends here##

LSN output script:

#!/bin/sh
# LSN output script (/root/lsn.sh): renders the checkpoints of the full backup
# and both incrementals as an HTML table. A junction of the chain that does not
# match (full to_lsn vs Incr1 from_lsn, Incr1 to_lsn vs Incr2 from_lsn) is
# shown in red; either mismatch means the chain is broken.
LOG=/root/lsn.log
full=$(find /Backup/Full -mindepth 1 -maxdepth 1 -type d | sort -nr | head -1)
incr1=/Backup/Incremental/Incr1
incr2=/Backup/Incremental/Incr2

# ckpt DIR KEY: value of KEY from DIR/xtrabackup_checkpoints
ckpt() {
    awk -v k="$2" '$1 == k { print $3 }' $1/xtrabackup_checkpoints
}

# cell COLOR TEXT: one table cell
cell() {
    echo "<TD ALIGN=\"center\"><FONT COLOR=$1><PRE>$2</PRE></FONT></TD>" >> $LOG
}

# row DIR FROMCOLOR TOCOLOR: one table row for a backup directory
row() {
    echo "<TR>" >> $LOG
    cell GREEN "<b>$(ckpt $1 backup_type)</b>"
    cell $2 "$(ckpt $1 from_lsn)"
    cell $3 "$(ckpt $1 to_lsn)"
    cell GREEN "$(ckpt $1 last_lsn)"
    echo "</TR>" >> $LOG
}

# colour each junction of the chain separately
c1=GREEN; c2=GREEN
[ "$(ckpt $full to_lsn)" -ne "$(ckpt $incr1 from_lsn)" ] && c1=RED
[ "$(ckpt $incr1 to_lsn)" -ne "$(ckpt $incr2 from_lsn)" ] && c2=RED

{
echo "<center>"
echo "<h3><i>Innobackup/Xtrabackup Backup Report</i></h3>"
echo "</center>"
echo '<HR ALIGN="CENTER" SIZE="3" WIDTH="70%" NOSHADE>'
echo "<TABLE BORDER=4 ALIGN=center CELLPADDING=10 CELLSPACING=2>"
echo "<TR>"
echo '<TH WIDTH="5%">Backup Type</TH>'
echo '<TH WIDTH="5%">From LSN</TH>'
echo '<TH WIDTH="5%">To LSN</TH>'
echo '<TH WIDTH="5%">Last LSN</TH>'
echo "</TR>"
} >> $LOG

row $full GREEN $c1
row $incr1 $c1 $c2
row $incr2 $c2 GREEN
echo "</TABLE>" >> $LOG

ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats.

What are we doing here? Let's implement the set-up below:

[diagram: clamscan set-up]

The main target is to detect malicious code, virus signatures and malware in the most efficient way possible without using any paid software or services.

Quickly jumping on to the implementation part,

Installation of ClamAV on CentOS:

yum install clam* (if this works, go directly to the Set-up step)

OR

http://www.md3v.com/install-clamav-on-centos-6-0

http://datlinux.blogspot.com.au/2013/03/how-to-install-clamav-on-linux-centos.html

Set-up on Web-Server/Email Servers:

  • root@bt [~]# mkdir /root/clam-scan-project
  • root@bt [~]# vi /etc/cron.monthly/add-signatures.sh

Copy and paste the below code,

##Script starts from here##

#!/bin/bash
# Monthly job: refresh the blocklist-derived signature DB, then scan /home with
# the default ClamAV DB, the generated DB and, if present, the signature-server DB.
file=/root/clam-scan-project/current.txt
if [ -f "$file" ];
then
wget -O /root/clam-scan-project/hosts.txt http://www.malwaredomainlist.com/hostslist/hosts.txt
# col -b normalises control characters in the downloaded list; host.txt is rebuilt each run
cat /root/clam-scan-project/hosts.txt | col -b > /root/clam-scan-project/host.txt
# lines only in the new list look like "> 127.0.0.1  domain", so the domain is field 3
diff -I '^#' /root/clam-scan-project/current.txt /root/clam-scan-project/host.txt | grep "^>" | grep -v localhost | awk '{ print $3 }' > /root/clam-scan-project/add-domains.txt
if [ -s /root/clam-scan-project/add-domains.txt ];
then
while IFS= read -r i
do
# sed drops the trailing 0a that echo's newline adds to the hex dump
x=$(echo "$i" | sigtool --hex-dump | sed 's/\(.*\)../\1/')
echo "$i:0:*:$x" >> /root/clam-scan-project/signatures.ndb
done < /root/clam-scan-project/add-domains.txt
fi
else
# first run: build signatures.ndb from the whole list
wget -O /root/clam-scan-project/hosts.txt http://www.malwaredomainlist.com/hostslist/hosts.txt
cat /root/clam-scan-project/hosts.txt | col -b > /root/clam-scan-project/host.txt
grep -v "^#" /root/clam-scan-project/host.txt | awk '{ print $2 }' | grep -v localhost |
while IFS= read -r i
do
x=$(echo "$i" | sigtool --hex-dump | sed 's/\(.*\)../\1/')
echo "$i:0:*:$x" >> /root/clam-scan-project/signatures.ndb
done
fi
echo "<center><h1><i>Clam-Scan</i></h1></center>" >> /root/clam-scan-project/default-db-summary.log
echo "<br>" >> /root/clam-scan-project/default-db-summary.log
echo "<b><i>Clam-Scan Result using Default DB</i></b>" >> /root/clam-scan-project/default-db-summary.log
echo "<br>" >> /root/clam-scan-project/default-db-summary.log
echo "<br>" >> /root/clam-scan-project/default-db-summary.log
echo "<i>Updating Clam AV database</i>" >> /root/clam-scan-project/default-db-summary.log
echo "<br>" >> /root/clam-scan-project/default-db-summary.log
echo '<pre>' >> /root/clam-scan-project/default-db-summary.log
freshclam --no-warnings >> /root/clam-scan-project/default-db-summary.log
echo '</pre>' >> /root/clam-scan-project/default-db-summary.log
echo "<br>" >> /root/clam-scan-project/default-db-summary.log
echo "<br>" >> /root/clam-scan-project/default-db-summary.log
echo '<font color="red">' >> /root/clam-scan-project/default-db-summary.log
echo '<pre>' >> /root/clam-scan-project/default-db-summary.log
clamscan --exclude-dir=mail -ir /home/* --log /root/clam-scan-project/default-db-summary.log
echo '</pre>' >> /root/clam-scan-project/default-db-summary.log
echo "</font>" >> /root/clam-scan-project/default-db-summary.log
echo "<br>" >> /root/clam-scan-project/default-db-summary.log
# move the SCAN SUMMARY block into its own bold section at the end of the report
sed -n "/SCAN SUMMARY/,/Time:/p" /root/clam-scan-project/default-db-summary.log > /root/clam-scan-project/summary.log
sed -i "/SCAN SUMMARY/,/Time:/d" /root/clam-scan-project/default-db-summary.log
echo "<b>" >> /root/clam-scan-project/default-db-summary.log
echo '<pre>' >> /root/clam-scan-project/default-db-summary.log
cat /root/clam-scan-project/summary.log >> /root/clam-scan-project/default-db-summary.log
echo '</pre>' >> /root/clam-scan-project/default-db-summary.log
echo "</b>" >> /root/clam-scan-project/default-db-summary.log
echo "<br>" >> /root/clam-scan-project/default-db-summary.log
echo '<HR ALIGN="LEFT" SIZE="3" WIDTH="70%" NOSHADE>' >> /root/clam-scan-project/default-db-summary.log
echo "<br>" >> /root/clam-scan-project/custom-db-summary.log
echo "<b><i>Clam-Scan Result using Custom DB</i></b>" >> /root/clam-scan-project/custom-db-summary.log
echo "<br>" >> /root/clam-scan-project/custom-db-summary.log
echo '<font color="red">' >> /root/clam-scan-project/custom-db-summary.log
echo '<pre>' >> /root/clam-scan-project/custom-db-summary.log
clamscan -d /root/clam-scan-project/signatures.ndb --exclude-dir tmp --exclude-dir log --exclude-dir mail --exclude-dir virtfs -ir /home/* --log /root/clam-scan-project/custom-db-summary.log
echo '</pre>' >> /root/clam-scan-project/custom-db-summary.log
echo "</font>" >> /root/clam-scan-project/custom-db-summary.log
echo "<br>" >> /root/clam-scan-project/custom-db-summary.log
sed -n "/SCAN SUMMARY/,/Time:/p" /root/clam-scan-project/custom-db-summary.log > /root/clam-scan-project/summary.log
sed -i "/SCAN SUMMARY/,/Time:/d" /root/clam-scan-project/custom-db-summary.log
echo "<b>" >> /root/clam-scan-project/custom-db-summary.log
echo '<pre>' >> /root/clam-scan-project/custom-db-summary.log
cat /root/clam-scan-project/summary.log >> /root/clam-scan-project/custom-db-summary.log
echo '</pre>' >> /root/clam-scan-project/custom-db-summary.log
echo "</b>" >> /root/clam-scan-project/custom-db-summary.log
# customsig.ndb is a plain file copied from the signature server, so test with -f
if [ -f /root/clam-scan-project/customsig.ndb ];
then
echo "<br>" >> /root/clam-scan-project/custom-sig.log
echo "<b><i>Clam-Scan Result using signature server DB</i></b>" >> /root/clam-scan-project/custom-sig.log
echo "<br>" >> /root/clam-scan-project/custom-sig.log
echo '<font color="red">' >> /root/clam-scan-project/custom-sig.log
echo '<pre>' >> /root/clam-scan-project/custom-sig.log
clamscan -d /root/clam-scan-project/customsig.ndb --exclude-dir tmp --exclude-dir log --exclude-dir mail --exclude-dir virtfs -ir /home/* --log /root/clam-scan-project/custom-sig.log
echo '</pre>' >> /root/clam-scan-project/custom-sig.log
echo "</font>" >> /root/clam-scan-project/custom-sig.log
echo "<br>" >> /root/clam-scan-project/custom-sig.log
sed -n "/SCAN SUMMARY/,/Time:/p" /root/clam-scan-project/custom-sig.log > /root/clam-scan-project/summary.log
sed -i "/SCAN SUMMARY/,/Time:/d" /root/clam-scan-project/custom-sig.log
echo "<b>" >> /root/clam-scan-project/custom-sig.log
echo '<pre>' >> /root/clam-scan-project/custom-sig.log
cat /root/clam-scan-project/summary.log >> /root/clam-scan-project/custom-sig.log
echo '</pre>' >> /root/clam-scan-project/custom-sig.log
echo "</b>" >> /root/clam-scan-project/custom-sig.log
cat /root/clam-scan-project/default-db-summary.log /root/clam-scan-project/custom-db-summary.log /root/clam-scan-project/custom-sig.log >> /root/clam-scan-project/clam-scan-result.log
else
cat /root/clam-scan-project/default-db-summary.log /root/clam-scan-project/custom-db-summary.log >> /root/clam-scan-project/clam-scan-result.log
fi
# the list just fetched becomes the baseline for next month's diff
rm -f /root/clam-scan-project/current.txt
mv /root/clam-scan-project/host.txt /root/clam-scan-project/current.txt
rm -f /root/clam-scan-project/hosts.txt
(echo -e "From: clam-scan@domain.com \nTo: mailid@domain.com \nCc:emailid@domain.com,emailid@domain.com \nMIME-Version: 1.0 \nSubject: Clam-Scan on $HOSTNAME \nContent-Type: text/html \n"; cat /root/clam-scan-project/clam-scan-result.log) | sendmail -t
rm -f /root/clam-scan-project/default-db-summary.log
rm -f /root/clam-scan-project/custom-db-summary.log
rm -f /root/clam-scan-project/custom-sig.log
rm -f /root/clam-scan-project/clam-scan-result.log
rm -f /root/clam-scan-project/summary.log
mv -f /root/clam-scan-project/add-domains.txt /root/

##Script Ends here##

  • Once you run the script you'll see two files inside /root/clam-scan-project

root@bt [~/clam-scan-project]# ls
./ ../ current.txt signatures.ndb
root@bt [~/clam-scan-project]#

Set-up on main signature server:

  • [root@bt ~]# vi signature_creation.sh

##Script starts here##

#!/bin/bash
# Build customsig.ndb from the strings listed one per line in add-by-users.txt
touch /root/customsig.ndb

if [ -s /root/add-by-users.txt ];
then
# read -r keeps backslashes; quoting stops * or [ in a string from being globbed
while IFS= read -r files
do
# sed drops the trailing 0a that the newline adds to the hex dump
x=$(printf '%s\n' "$files" | sigtool --hex-dump | sed 's/\(.*\)../\1/')
# the string itself is used as the signature name, capped at 2048 bytes
y=$(printf '%s' "$files" | head -c 2048)
echo "$y:0:*:$x" >> /root/customsig.ndb
done < /root/add-by-users.txt
else
echo "/root/add-by-users.txt is missing or empty"
exit 1
fi

##script Ends here##

[root@bt ~]# cat add-by-users.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Trojan.exe\4fiveVirus
[root@bt ~]#

  • The above script will add records like the ones below to customsig.ndb,

[root@bt ~]# cat customsig.ndb

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
Trojan.exe\4fiveVirus:0:*:54726f6a616e2e6578655c34666976655669727573

[root@bt ~]#

Execution of Script:

[root@bt ~]# clamscan -d /root/customsig.ndb eicar.txt
eicar.txt: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*.UNOFFICIAL FOUND

———– SCAN SUMMARY ———–
Known viruses: 2
Engine version: 0.97.8
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.005 sec (0 m 0 s)
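The .ndb generation that add-signatures.sh and signature_creation.sh above perform, as an added example that is not part of the original post: it builds records only for domains that are new since the previous run, validates the result, and uses od in place of sigtool so it runs without ClamAV installed (both emit the same hex of the input bytes); the hosts lists are constructed.

```shell
#!/bin/sh
# Added example, not the post's add-signatures.sh or signature_creation.sh:
# the .ndb generation those scripts do, as functions that can be checked
# offline. sigtool --hex-dump is replaced by od so ClamAV is not needed;
# both print the lower-case hex of the input bytes. Hosts data is constructed.

# Hex-encode $1 as sigtool --hex-dump would, minus the 0a of echo's newline.
hex_of() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# One .ndb record, Name:TargetType:Offset:HexSignature, with 0 = any file
# type and * = any offset, as the post appends to signatures.ndb.
ndb_line() {
    printf '%s:0:*:%s\n' "$1" "$(hex_of "$1")"
}

# Succeed only if every line on stdin is a well-formed record; clamscan
# refuses to load a database that contains a malformed line.
ndb_valid() {
    ! grep -Eqv '^[^:]+:0:\*:([0-9a-f][0-9a-f])+$'
}

# Domains from hosts-file text on stdin: skip comments, CRs, short lines
# and anything mentioning localhost (the post's grep -v localhost).
hosts_to_domains() {
    tr -d '\r' | awk '!/^[ \t]*#/ && NF >= 2 && $2 !~ /localhost/ { print $2 }' | sort -u
}

# Domains in the current list ($2) that the previous list ($1) lacked,
# which is what the post's diff | grep "^>" step extracts.
new_domains() {
    old_tmp=$(mktemp) && new_tmp=$(mktemp) || return 1
    printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$old_tmp"
    printf '%s\n' "$2" | sed '/^$/d' | sort -u > "$new_tmp"
    comm -13 "$old_tmp" "$new_tmp"
    rm -f "$old_tmp" "$new_tmp"
}

# Emit records for every domain that is new since the previous run.
build_signatures() {   # $1 = previous hosts text, $2 = current hosts text
    new_domains "$(printf '%s\n' "$1" | hosts_to_domains)" \
                "$(printf '%s\n' "$2" | hosts_to_domains)" |
    while IFS= read -r domain; do ndb_line "$domain"; done
}

# Demo on constructed lists: one domain already known, one new (with a CR).
previous_hosts=$(printf '# old list\n127.0.0.1  localhost\n127.0.0.1  known-bad.example.test\n')
current_hosts=$(printf '# new list\n127.0.0.1  localhost\n127.0.0.1  known-bad.example.test\n127.0.0.1  new-bad.example.test\r\n')
build_signatures "$previous_hosts" "$current_hosts"
# prints: new-bad.example.test:0:*:6e65772d6261642e6578616d706c652e74657374
```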

  • Copy customsig.ndb from the signature server to the web server

Location on Web-Servers: /root/clam-scan-project/

Report from Web-Servers:

report1

report2

Cheers!!!!

Advanced Intrusion Detection Environment

What is AIDE?

AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker.

It is a host-based intrusion detection system (HIDS) for checking the integrity of files. It does this by creating a baseline database of files on an initial run, and then checks this database against the system on subsequent runs. File properties that can be checked against include inode, permissions, modification time, file contents, etc.

Scenario: Detect changes in zone files and report them together with the difference between the old record and the new record.

Step by Step Installation:

1. Install Mhash

Mhash is a free (under GNU Lesser GPL) library which provides a uniform interface to a large number of hash algorithms. These algorithms can be used to compute checksums, message digests, and other signatures.

  • wget http://sourceforge.net/projects/mhash/files/mhash/0.9.9/mhash-0.9.9.tar.gz
  • tar -xzvf mhash-0.9.9.tar.gz
  • cd mhash-0.9.9/
  • ./configure

If configure fails with "configure error: you don't have zlib properly installed", then:

  • ./configure --without-zlib
  • make && make install

2. Install AIDE

3. Run rsync command for the Initial setup

  • mkdir /home/dnsbackup
  • rsync /var/named/* /home/dnsbackup/

4. Copy the conf file below over /root/aide-0.15/doc/aide.conf

Note: before that, back up the original: cp /root/aide-0.15/doc/aide.conf /root/ 🙂

#
# AIDE 0.15
#
# example configuration file
#
# IMPORTANT NOTE!! PLEASE READ
#
# This configuration file checks the integrity of the
# AIDE package.
#
# This file is not intended to be used as the primary aide.conf file for
# your system. This file is intended to be a showcase for different
# features for aide.conf file.
#
# WRITE YOUR OWN CONFIGURATION FILE AND UNDERSTAND WHAT YOU ARE WRITING
#
#
# Default values for the parameters are in comments before the
# corresponding line.
#

@@define TOPDIR /root/aide-0.15
@@define LOGDIR /var/log/aide

@@ifndef TOPDIR
@@define TOPDIR /
@@endif

@@ifdef DEBUG
@@define DEBUG ison
@@undef NOT_DEBUG
@@else
@@define NOT_DEBUG true
@@undef DEBUG
@@endif

@@ifhost korppi
@@define KORPPI yes
@@endif

@@ifnhost ftp
@@define BUMMER true
@@endif

# The location of the database to be read.
#database=file:aide.db
database=file:/home/aide/aide.db

# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{TOPDIR}/doc/aide.db.new

# Whether to gzip the output to database
#gzip_dbout=yes

#verbose=5
verbose=20

report_url=stdout
#other possibilities
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#report_url=file:/tmp/aide.txt
#report_url=file:@@{LOGDIR}/aide.log
#report_url=syslog:LOG_AUTH
#report_url=stdout

# @@{TOPDIR} is replaced with /root/aide-0.15 when
# read by aide.
#p: permissions
#ftype: file type
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#R: p+ftype+i+l+n+u+g+s+m+c+md5
#L: p+ftype+i+l+n+u+g
#E: Empty group
#>: Growing logfile p+ftype+l+u+g+i+n+S
#The following are available if you have mhash support enabled:
#gost: gost checksum
#whirlpool: whirlpool checksum
#The following are available and added to the default groups R, L and >
#only when explicitly enabled using configure:
#acl: access control list
#selinux SELinux security context
#xattrs: extended file attributes
#e2fsattrs: file attributes on a second extended file system

# Rule definition
All=R+a+sha1+rmd160+sha256+sha512+tiger+whirlpool

#Let Logfile grow

#LOG = >

# report_attributes is a special rule definition
# the attributes listed in it are always displayed for changed files
# in the final report
report_attributes = u+g

# ignore_list is a special rule definition
# the attributes listed in it are not displayed in the
# final report, it overrules report_attributes where they conflict
#ignore_list = b

# Attributes that can be used to verify that aide is intact
# by people that have downloaded it from the web.
# Let's be paranoid
Norm=l+s+n+b+u+g+a+m+c+ftype

# The commented rules are just examples the rest are used by
# make check

#AIDE check on following folders

/var/named Norm
!/var/named/data
!/var/named/chroot
!/var/named/slaves

#Selection regexp rule
@@{TOPDIR}/.* Norm
#Equals selection only the directory doc is checked and not its children
#=@@{TOPDIR}/doc L
#Negative selection no rule is necessary but ignored if there
!@@{TOPDIR}/.*~
!@@{TOPDIR}/src/.*\.o
!@@{TOPDIR}/src/(aide|core)$ L
!@@{TOPDIR}/.*RCS
!@@{TOPDIR}/.*CVS
!@@{TOPDIR}/.*aide\.db.*
!@@{TOPDIR}/.*\.cvsignore.*
# @@{TOPDIR}/doc/.* All

  • mkdir /home/aide
  • chown nobody:nobody /home/aide
  • /usr/local/bin/aide -c /root/aide-0.15/doc/aide.conf --init
  • echo yes | cp /root/aide-0.15/doc/aide.db.new /home/aide/aide.db
  • Check that /home/aide/aide.db is owned by root:root; if not, run: chown root:root /home/aide/aide.db
  • Create file /root/aide_html.sh and copy below content in it.


Script:

##Starts Here##

#!/bin/bash
# Run the AIDE check, mail the raw report if anything changed, and for every
# changed zone file under /var/named mail a before/after table built against
# the rsync copy in /home/dnsbackup; finally accept the new state as the baseline.
#echo '<body bgcolor="#6D7B8D">' >> /tmp/aide.log
echo "<h2><center><i>AIDE Report on changes done</i></center></h2>" >> /tmp/aide.log
echo '<HR ALIGN="CENTER" SIZE="3" WIDTH="70%" NOSHADE>' >> /tmp/aide.log
echo "<br>" >> /tmp/aide.log
echo "<pre>" >> /tmp/aide.log
/usr/local/bin/aide -c /root/aide-0.15/doc/aide.conf --check >> /tmp/aide.log
echo "</pre>" >> /tmp/aide.log
echo "</body>" >> /tmp/aide.log
sleep 10
# anything other than a clean "All files match" report (including a failed run) is mailed
if ! grep -qwi "All files match AIDE database" /tmp/aide.log
then
mail -s "$(echo -e "AIDE Changes under /var/named/ on $HOSTNAME\nContent-Type: text/html")" youremailaddress@domain.com -- -f AIDE@domain.com < /tmp/aide.log
# "File: /var/named/<zone>" lines name the changed files; keep only the zone file name
grep 'File' /tmp/aide.log | awk '{ print $2 }' | awk -F '/' '{ print $4 }' > /tmp/grep.txt
if [ -s /tmp/grep.txt ]
then
#echo '<body bgcolor="#6D7B8D">' >> /tmp/domains.txt
echo "<h2><center><i>Detailed AIDE Report</i></center></h2>" >> /tmp/domains.txt
echo '<HR ALIGN="CENTER" SIZE="3" WIDTH="70%" NOSHADE>' >> /tmp/domains.txt
while IFS= read -r i
do
echo "<br>" >> /tmp/domains.txt
echo "<i><b>AIDE Report for $i</b></i>" >> /tmp/domains.txt
echo "<br>" >> /tmp/domains.txt
echo "<pre>" >> /tmp/domains.txt
# the attribute block AIDE prints for this file, up to its Ctime line
sed -n "/File: \/var\/named\/$i/,/Ctime/p" /tmp/aide.log >> /tmp/domains.txt
echo "</pre>" >> /tmp/domains.txt
echo "<br>" >> /tmp/domains.txt
echo "<br>" >> /tmp/domains.txt
echo "<b><i><center>Difference found for $i under /var/named/</center></i></b>" >> /tmp/domains.txt
echo "<br>" >> /tmp/domains.txt
echo "<br>" >> /tmp/domains.txt
# removed and added records, ignoring whitespace, the diff file headers, the cPanel banner and the SOA serial
minus=$(diff -u --expand-tabs --ignore-all-space --ignore-blank-lines --ignore-space-change /home/dnsbackup/$i /var/named/$i | grep "^-" | grep -v "^---" | grep -iv "cPanel" | grep -iv "serial number")
plus=$(diff -u --expand-tabs --ignore-all-space --ignore-blank-lines --ignore-space-change /home/dnsbackup/$i /var/named/$i | grep "^+" | grep -v "^+++" | grep -iv "cPanel" | grep -iv "serial number")
echo '<TABLE BORDER=7 ALIGN="center" CELLPADDING="8">' >> /tmp/domains.txt
echo "<caption>$i</caption>" >> /tmp/domains.txt
echo "<TR>" >> /tmp/domains.txt
echo '<TH WIDTH="20%">Before</TH>' >> /tmp/domains.txt
echo '<TH WIDTH="20%">After</TH>' >> /tmp/domains.txt
echo "</TR>" >> /tmp/domains.txt
echo "<TR>" >> /tmp/domains.txt
echo "<TD ALIGN=\"char\"><PRE>$minus</PRE></TD>" >> /tmp/domains.txt
echo "<TD ALIGN=\"char\"><PRE>$plus</PRE></TD>" >> /tmp/domains.txt
echo "</TR>" >> /tmp/domains.txt
echo "<br>" >> /tmp/domains.txt
echo "</table>" >> /tmp/domains.txt
echo "<br>" >> /tmp/domains.txt
echo "<b><i><center>Difference ends for $i</center></i></b>" >> /tmp/domains.txt
echo "<br>" >> /tmp/domains.txt
done < /tmp/grep.txt

(echo -e "From: aideReport@domain.com \nTo: youremailaddress@domain.com \nCc:youremailaddress@domain.com \nMIME-Version: 1.0 \nSubject: AIDE Report for $HOSTNAME \nContent-Type: text/html \n"; cat /tmp/domains.txt) | sendmail -t
fi
fi
rm -f /tmp/domains.txt /tmp/grep.txt
rm -f /tmp/aide.log
# accept the current state as the new baseline and refresh the zone backup
/usr/local/bin/aide -c /root/aide-0.15/doc/aide.conf --update
echo yes | cp /root/aide-0.15/doc/aide.db.new /home/aide/aide.db
rsync /var/named/* /home/dnsbackup

##Script Ends here##
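The report parsing and zone diff that aide_html.sh does, as an added example that is not the post's script: the functions below pull the changed file names out of an AIDE report, diff a zone against its rsync backup while ignoring the SOA serial, and escape the result before embedding it in HTML; the report lines and zone records are constructed.

```shell
#!/bin/sh
# Added example, not the post's aide_html.sh: its report-parsing and zone
# diff steps as functions checked on constructed data. The sample report
# follows the "File: <path>" / "  Attr : old , new" block shape the post's
# sed range (/File: .../,/Ctime/) relies on; the zone records are made up.

# Succeed only when the report on stdin says nothing changed, so a failed
# or truncated run is handled like a change and still gets reported.
aide_clean() {
    grep -q 'All files match AIDE database'
}

# Names of changed files directly under $1, from the report on stdin
# (the post does grep 'File' | awk on the same lines).
changed_files() {
    awk -v d="$1/" 'index($0, "File: " d) == 1 { print substr($2, length(d) + 1) }'
}

# Changed records between backup copy $1 and live zone $2, ignoring whitespace,
# blank lines and the SOA serial, which changes on every legitimate zone edit.
zone_diff() {
    diff -u -w -B "$1" "$2" | awk 'NR > 2 && /^[-+]/ && tolower($0) !~ /serial/'
}

# The post pastes raw diff output into <PRE>; zone data can contain
# characters that end the tag, so escape before embedding.
html_escape() {
    sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Before/after table for one zone, the same layout as the post's report.
zone_table() {   # $1 = zone name, $2 = backup copy, $3 = live copy
    printf '<table border="1"><caption>%s</caption>\n<tr><th>Before</th><th>After</th></tr>\n<tr>\n' "$1"
    printf '<td><pre>%s</pre></td>\n' "$(zone_diff "$2" "$3" | grep '^-' | html_escape)"
    printf '<td><pre>%s</pre></td>\n' "$(zone_diff "$2" "$3" | grep '^+' | html_escape)"
    printf '</tr></table>\n'
}

# Constructed inputs: a report naming one changed zone, plus the backup and
# live copies of that zone, which differ only in the serial and www record.
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
cat > "$work/report" <<'EOF'
AIDE found differences between database and filesystem!!
File: /var/named/example.test.db
  Mtime    : 2013-06-19 10:00:00              , 2013-06-20 11:00:00
  Ctime    : 2013-06-19 10:00:00              , 2013-06-20 11:00:00
EOF
mkdir -p "$work/backup" "$work/live"
printf '$TTL 86400\n@ IN SOA ns1.example.test. hostmaster.example.test. ( 2013061901 ; serial\n 3600 ; refresh )\n@   IN A 192.0.2.10\nwww IN A 192.0.2.10\n' > "$work/backup/example.test.db"
printf '$TTL 86400\n@ IN SOA ns1.example.test. hostmaster.example.test. ( 2013061902 ; serial\n 3600 ; refresh )\n@   IN A 192.0.2.10\nwww IN A 198.51.100.7\n' > "$work/live/example.test.db"
for zone in $(changed_files /var/named < "$work/report"); do
    zone_table "$zone" "$work/backup/$zone" "$work/live/$zone"
done
```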

Results:

aide


Cheers!!!!