Official Supportmonk Company Blog!

FTP upload scanner for cPanel servers

September 7, 2015, 10:18 pm


Popular CMSs like WordPress and Joomla are notorious for being hacked. Because so many sites use them, they are constantly being searched for vulnerabilities, and malware code gets appended to files in the account. Older versions of scripts will sometimes have security vulnerabilities, so those scripts have to be updated. But in most cases we won't be able to update the installed plugins, as it affects the layout of the site and might require some coding knowledge. So it's always a good idea to set up proper auditing on these accounts.

Getting a malware scanner in place on your web/FTP server is something that needs to be done as a priority, pretty much as soon as the server is set up; as the proverb says, 'Prevention is better than cure'. If you are on shared hosting then this will probably not be possible, as you don't control what you can install on a global basis, but your host provider should provide some type of malware scanner solution.

If you are on a VPS or Dedicated Server plan then you certainly are in a position to set up your own solutions.

Here we discuss the steps to set up a custom FTP scan script, as we already have several methods to monitor web uploads, like modsecurity, cxs, etc.

This is a custom script which integrates maldet (Linux Malware Detect) with the FTP service and provides real-time monitoring of FTP uploads. So every file upload will be scanned before it gets added to the user account.

Please note that this script needs to have maldet and proftp configured on your server.

Here is the installation script for the FTP upload scan:

========================
#!/bin/bash
# Installs the maldet upload-scan hook for Pure-FTPd. Run as root.

staff_email='staff@example.com'   # address that receives the install report

# Give group "nobody" read/write/execute on the maldet tree.
chown -R root:nobody /usr/local/maldetect
find /usr/local/maldetect -type f -exec chmod 775 {} ';'
find /usr/local/maldetect -type d -exec chmod 775 {} ';'

# This installer only configures Pure-FTPd: stop if a ProFTPD config exists.
if [ -f /etc/proftpd.conf ]; then
    echo "Pureftpd not running on $(hostname)" | mail -s "WARNING proftpd running on $(hostname)" "$staff_email"
    echo "Proftpd running on server"
    exit 1
fi
echo "Pureftpd running on server"

# Back up the config, then make sure CallUploadScript is set exactly once.
cp /etc/pure-ftpd.conf "/etc/pure-ftpd.conf.$(date +%F)"
sed -i '/CallUploadScript/ d' /etc/pure-ftpd.conf
echo "CallUploadScript yes" >> /etc/pure-ftpd.conf

# Back up the init script, then fetch the replacement and the upload hook.
# NOTE: both files come over plain HTTP and will run as root; review them
# before the restart below.
cp /etc/rc.d/init.d/pure-ftpd "/etc/rc.d/init.d/pure-ftpd.$(date +%F)"
wget -O /etc/rc.d/init.d/pure-ftpd http://blog.supportmonk.com/download/pure-ftpd
wget -O /etc/pure-ftpd/upload-check.sh http://blog.supportmonk.com/download/upload-check.sh

chmod 755 /etc/pure-ftpd/upload-check.sh
chmod 755 /etc/rc.d/init.d/pure-ftpd

/etc/rc.d/init.d/pure-ftpd restart

# Confirm that pure-uploadscript is running with upload-check.sh attached.
result=$(ps ax | grep "upload-check.sh" | grep -v grep | grep -o pure-uploadscript | uniq)
if [[ "$result" = "pure-uploadscript" && -f /etc/pure-ftpd/upload-check.sh ]]; then
    echo "SUCCESS $(hostname) Pureftpd configured with maldet scan" | mail -s "SUCCESS $(hostname) Pureftpd configured with maldet scan" "$staff_email"
else
    echo "CRITICAL: Failed to configure FTP scan $(hostname)" | mail -s "CRITICAL: Failed to configure FTP scan on $(hostname)" "$staff_email"
fi
========================

You need to specify the staff email address to receive the installation mail; the script will restart the FTP service with the new scan feature.

There is no need to initiate the upload check, as it is already appended to the pureftp startup script.

Whenever a malware file is uploaded to the account through FTP, you will get a notification at the staff email address and the file will be quarantined.
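To illustrate the kind of handler that `CallUploadScript` hands each finished upload to, here is an added example; it is not Supportmonk's upload-check.sh. The maldet path, the "malware hits N" summary format and the function names `count_hits` and `check_upload` are assumptions.

```shell
#!/bin/sh
# Added example: a hypothetical upload handler, NOT Supportmonk's upload-check.sh.
# pure-uploadscript runs the handler once per finished upload, passing the
# file path as $1 and exporting UPLOAD_USER (among other UPLOAD_* variables).

SCANNER="${SCANNER:-/usr/local/maldetect/maldet}"  # assumed maldet location
STAFF_EMAIL="${STAFF_EMAIL:-staff@example.com}"    # placeholder address
NOTIFY="${NOTIFY:-mail}"                           # mailer, overridable

# Print the number of hits maldet reports for one file. Assumes the scan
# summary contains "malware hits N"; prints 0 when no such line is found.
count_hits() {
    "$SCANNER" -a "$1" 2>&1 |
        sed -n 's/.*malware hits \([0-9][0-9]*\).*/\1/p' |
        awk '{ n = $1 } END { print n + 0 }'
}

# Scan one upload: return 0 if clean, 1 if flagged, 2 if the path is unusable.
# Quarantining is left to maldet itself (quarantine_hits in conf.maldet).
check_upload() {
    file=$1
    # Accept only an absolute path to a regular file; reject symlinks so the
    # scanner is never pointed at something outside the upload.
    case "$file" in /*) ;; *) return 2 ;; esac
    if [ ! -f "$file" ] || [ -L "$file" ]; then return 2; fi
    hits=$(count_hits "$file")
    [ "$hits" -gt 0 ] || return 0
    printf 'FTP user %s uploaded %s: %s malware hit(s) on %s\n' \
        "${UPLOAD_USER:-unknown}" "$file" "$hits" "$(uname -n)" |
        "$NOTIFY" -s "Malware in FTP upload on $(uname -n)" "$STAFF_EMAIL"
    return 1
}

# Entry point for pure-uploadscript; does nothing when no path is given.
if [ "$#" -gt 0 ]; then
    check_upload "$1"
fi
```

Setting `SCANNER` and `NOTIFY` to stub commands lets the handler be exercised on a test box without maldet or a mailer installed.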

That’s it!!
