I have the following problem: how to scan incoming FTP files without using proftpd mod_clamav in Debian Lenny.
Why? The reason is simple. I use Debian for my servers due to its stability, and compiling proftpd myself to support mod_clamav leads to problems I could not manage in time, like recompiling every time there is a security bug, etc.
A script running, let's say every minute, from a cron-job, should be fine.
So I have a solution, but I don't know how to implement it, because I don't know bash.
If there is anybody who knows bash and is willing to help me, this is what should be implemented:
ProFTPD writes the transfer log in /var/log/proftpd/xferlog.
Here is an example:
Sat Feb 5 19:14:12 2011 0 vip-srv1.grupnet.ro 68 /home/vhost/template/template.tld/public_html/eicar.com.txt a _ i
ftp 0 * c
means ascii incoming;
is the full path to uploaded file
The bash script (scan_incomming_ftp.sh) should check whether, in the last xx seconds from the current time, there were the following records in xferlog: a _ i or b _ i, which means upload.
If that is true, then it should extract from the log the names of the uploaded files and create a string with all matches (let's say the string is incoming_files).
At the end, the script should call clamdscan with incoming_files as parameter + --remove.
A more elaborate version could mail the administrator to let him know which user did bad things.
Thank you very much in advance.
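
One way to implement the procedure described in the post, as an added example that is not part of the original post. It assumes GNU date and relies only on the first twelve xferlog fields visible in the sample line; the install path in the cron comment, the `--scan` switch, the 500-line tail and the logger tag are constructed for illustration, and it calls clamdscan once per file rather than with one combined string so that each infected upload can be logged.

```bash
#!/bin/bash
# Added example (not from the original post). Assumes GNU date and the xferlog
# layout of the sample line: fields 2-5 = timestamp, 9 = path, 10-12 = "a _ i".
# Paths containing whitespace are not handled.

XFERLOG="${XFERLOG:-/var/log/proftpd/xferlog}"
WINDOW="${WINDOW:-90}"   # seconds; a little longer than the 60 s cron interval

# recent_uploads LOG WINDOW [NOW_EPOCH]
# Print each path uploaded (a _ i or b _ i) in the last WINDOW seconds.
# The body runs in a subshell, so its variables do not leak to the caller.
recent_uploads() (
    log=$1 window=$2 now=${3:-$(date +%s)}
    tail -n 500 "$log" |
    while read -r _dow mon day time year _secs _host _size path ttype flag dir _rest; do
        [ "$flag" = "_" ] && [ "$dir" = "i" ] || continue
        case $ttype in a|b) ;; *) continue ;; esac
        # xferlog timestamps are local time, which is what date -d assumes
        ts=$(date -d "$mon $day $year $time" +%s 2>/dev/null) || continue
        age=$((now - ts))
        if [ "$age" -ge 0 ] && [ "$age" -le "$window" ]; then
            printf '%s\n' "$path"
        fi
    done | sort -u
)

# Scan each recent upload that still exists. clamdscan exits 1 when it finds
# a virus; --remove has then already deleted the file, so only log it.
scan_uploads() {
    recent_uploads "$XFERLOG" "$WINDOW" |
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        clamdscan --remove --no-summary "$f" </dev/null
        if [ $? -eq 1 ]; then
            logger -t ftp-scan "infected upload removed: $f"
        fi
    done
}

# Cron entry (constructed): * * * * * /usr/local/sbin/scan_incomming_ftp.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_uploads
fi
```

The clamd daemon must be able to read the uploaded files for the scan to succeed. Because the window overlaps the cron interval, a file can be scanned twice, which is harmless.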