proftpd - Scan incoming files without mod_clamav

Discussion in 'Programming/Scripts' started by LightVision, Feb 5, 2011.

  1. LightVision

    LightVision New Member

    I have the following problem: how to scan incoming ftp files without using proftpd mod_clamav in Debian Lenny.
    Why? The reason is simple. I use Debian for my servers due it's stability and compiling my self proftpd to support mod_clamav leads to problems I could not manage in time, like recompiling every time there are a security bug, etc.

    A script running, let's say every minute, from a cron-job, should be fine.

    So I have a solution, but I don't know how to implement, because I don't know bash.
    If there is anybody who know bash and he/she's willing to help me, this is what should be implement it:

    ProFTPD write the transfer log in /var/log/proftpd/xferlog.
    Here is an example:
    Sat Feb 5 19:14:12 2011 0 68 /home/vhost/template/template.tld/public_html/ a _ i r [email protected] ftp 0 * c

    a_i means ascii incoming;
    /home/vhost/template/template.tld/public_html/ is the full path to uploaded file

    The bash script ( should check if in the last xx seconds from current time there was the following records in xferlog: a _ i or b _ i, that's meaning upload.
    If that is true then should extract from the log the names of the uploaded files and create a string with all matches (let's say the string is incoming_files).
    At the end the script should call clamdscan with incoming_files as parameter + --remove.

    A more elaborated version could mail the administrator to let him know the user who done bad things.

    Thank You very much in advance.
  2. LightVision

    LightVision New Member

    I give a partial answer my self

    Here is a partial answer; the script is written in php

     * Scan Incoming ProFTPd files
     * @copyright Marius Ionel <[email protected]>

    // We need to initialize variables
    $CheckInterval 60// check interval in seconds; 1 minute should be enough
    $PathToLog '/var/log/proftpd/xferlog'// path to log file, including file
    $FilesToScan ''// Files need to be checked by antivirus

    // Let's rock'n'roll

    // get current time
    $EndCheckTime time();

    // compute the interval to check
    $StartCheckTime $EndCheckTime $CheckInterval;

    // get the log file as array in reversed order
    $ArrayLog array_reverse(file($PathToLog));

    // parse the array log to find a mathc in date and file operation
    while (
    // get the current line of the log
    $CurrentLogLine explode(' '$ArrayLog[$LogCounter]);

    // get date from the current log line
    $LogLineDate=  strtotime($CurrentLogLine[0] . ' '
    $CurrentLogLine[1] . ' '
    $CurrentLogLine[2] . ' ' 
    $CurrentLogLine[3] . ' '
    $CurrentLogLine[4] . ' '

    // Check the date from the current log line
    if($LogLineDate >=$StartCheckTime) {
    // curent line is in interval, but it is a realy upload?
    $CurrentLogOperation=$CurrentLogLine[10] . $CurrentLogLine[11] . $CurrentLogLine[12];
    $CurrentLogOperation=='a_i' || $CurrentLogOperation=='b_i'){
    // upload
    $FilesToScan=$FilesToScan $CurrentLogLine[9] . ' ';

    // increment the counter to check another line
        } else {

    // nothing to check in the current interval

    // Let's check if we have files to scan
    if($FilesToScan<>'') {
    // call the antivirus with $FilesToScan as parameter.
         // Obviosly we delete the virused files!
         // clamdscan ...

    // get the current time again
    $ExecutionTime time();

    // We should run as a daemon, so sleep until we should run again
    time_sleep_until($ExecutionTime $CheckInterval);
    // we should call it's self


Share This Page