Current File : //opt/imh-scan/__pycache__/clamlib.cpython-39.pyc
a

ʛh�X�@sdZddlmZddlZddlZddlZddlmZddlZddl	Z	ddl
Z
ddlZddlZddl
Z
ddlmZddlZddlZddlmZmZddlmZmZmZddlmZmZmZdd	lmZddlZddlZddl Z ddl!Z!ddl"m#Z$dd
l%m&Z&e�'�dkZ(dZ)dZ*d
Z+dZ,dZ-dZ.dZ/e0edd��1��Z2e�3dej4�Z5e�3d�Z6ee�7e�8��j9�Z:e�3d�Z;eGdd�d��Z<Gdd�de
j=�Z>Gdd�d�Z?dd�Z@eAeBeAeAd�d d!�ZCeDeAeeAdfd"�d#d$�ZEdd%�eDeeeAdfd&�d'd(�ZFeed)�d*d+�ZGd,d-�ZHdS).zClamscan and freshclam classes�)�	ExitStackN)�Path)�	dataclass)�IO�Union)�Popen�CalledProcessError�TimeoutExpired)�run�DEVNULL�PIPE)�	timedelta)�Procz,https://repo.imhadmin.net/open/shellscan/v3/)zimh.yara)zheuristic.yaraz/opt/imh-scan/sigs/heuri/z/opt/imh-scan/sigs/yara/z!/opt/imh-scan/sigs/last_freshclamz/opt/imh-scan/sigs/new/new.yara�)Zweeksz(.*)\: (.*) FOUND$z(?:YARA.)?[Hh]euristicz (/home[0-9]?/[a-zA-Z0-9]{1,16})/c@sveZdZUdZeed<eed<eeefed<eeefed<eed<e	ed�dd	��Z
e	eeefd�d
d��ZdS)
�
ScanResultzClamscan result�rcode�command�
hits_found�
heur_found�summary)�returncCs6|j|jdd�|j��D�dd�|j��D�|jd�S)NcSsi|]\}}t|�|�qS���str��.0�k�vrr�.//opt/imh-scan/clamlib.py�
<dictcomp>:�z'ScanResult.__dict__.<locals>.<dictcomp>cSsi|]\}}t|�|�qSrrrrrrr;r �rrrrr)rrr�itemsrr��selfrrr�__dict__5s�zScanResult.__dict__cCs|j|jBS�N)rrr#rrr�	all_found?szScanResult.all_foundN)�__name__�
__module__�__qualname__�__doc__�int�__annotations__r�dictr�propertyr%r'rrrrr+s
	rcsfeZdZdZeedeeed��fdd�Z	dd�Z
dd	�Zed
�dd�Zeeed
d�dd�Z
�ZS)�
ClamParserz"Thread for parsing clamscan stdout�Scanner��proc�scanner�
open_logfiles�print_itemscsNt�j|jdd�||_||_d|_||_i|_i|_g|_	||_
|��dS)NT)�targetZdaemonF)�super�__init__�parser3r4�_scanning_summary�_print_itemsrr�
summary_linesr5�start)r$r3r4r5r6��	__class__rrr9GszClamParser.__init__cCsB|��D]4}|jr2|jr$t|dd�|j�|�q|�|�qdS)N�)�end)�_iter_foundr;r<�printr=�append�
_handle_found�r$�linerrrr:YszClamParser.parseccs�d}|jjD]n}|jD]}|�|�q|jr4|Vq|�d�rPd|_d}|Vq|�d�rr|�|����Vd}q||7}qdS)NrAzSCAN SUMMARY -----------
TzFOUND
)r3�stdoutr5�writer;�endswith�rstrip)r$�prevrHZlog_filerrrrCbs 


zClamParser._iter_found)�datacCs�t�|�}|s"|jj�d|�dS|��\}}t|�}|��sR|jj�d|�dStt	�
|��}rp||j|<n
||j|<|�
|||�dS)Nz imh-scan bug: Regex failed on %rzimh-scan bug? %r is not a file)�FOUND_RE�matchr4�log�error�groupsr�is_file�bool�HEURISTIC_RE�searchrr�_print_found)r$rNrPZpath_str�rule�path�is_heurrrrrFus

zClamParser._handle_foundN)rZrYr[rcCsB|js
dS|rtjntj}tt�t|��||�d��ddd�dS)Nz FOUNDz: T)�sep�flush)r<�c�yellow�redrD�shlex�quoter)r$rZrYr[�colorrrrrX�s�zClamParser._print_found)r(r)r*r+rr�listrrUr9r:rCrFrX�
__classcell__rrr?rr0Ds�	r0c@seZdZdZeeeeeeeeeeeeeed�
dd�Zeeed�dd�Zdd	�Z	d
d�Z
eed�d
d�Zeed�dd�Zdd�Z
dd�Zeeeeeejdffeed�dd�Zeeeeeeeeed�	dd�Zd$eeeeeeejdffeed�dd �Zed!�d"d#�ZdS)%r1z(Handles executing clamscan and freshclam)
�exclude�verbose�extra_heuri�install�update�	heuristic�phishing�
disable_media�disable_excludes�disable_default�disable_freshclam�enable_maldetect�disable_new_yarac
Csj||_||_||_tjdd|r$tjntjtj	dd�|_
|j|||
d�|_|j
|||||
|	|||
d�	|_dS)zInitializes variablesNzimh_scan.Scannerz%(message)s)rZ�nameZloglevelZ	print_outZfmt�rqrpro)	rmrlrkrfrrrnrhrqro)rgrirj�radsZ
setup_logging�logging�DEBUG�INFO�sysrIrQ�_check_deps�	cmd_paths�
_make_commandr)r$rfrgrhrirjrkrlrmrnrorprqrrrrrr9�s4���zScanner.__init__rtc	Cs�t��dkotjdk}|}|o(|}|}d|dgd�d�||ddd	gd�||d
gd�d�||d
dgd�||d
dgd�d�}g}	g}
i}|��D]�\}}
|dkr�|
dr�t|
d�s�tt�d��|
ds�q�t|
d�}|r�|j	�
d|�|||<q�|j	�d|�|
d�s*|j	�d|�|
�|�q�|
dd
kr�|
d|	vr�|	�|
d�q�|
�r~|j	�d|
�|j	�d|	�t
�d�|	�s�|S|�|	�}|�s�|j	�d|	�t
�d�|S)z^error handling and installing of dependencies, only supports
        installing from EPEL repor�sharedTZclamav)z/usr/bin/clamscanz
/bin/clamscanz'/usr/local/cpanel/3rdparty/bin/clamscan)�need�permit�pkg�pathszclamav-dataz/var/lib/clamavz/var/clamavzclamav-freshclam)z/usr/bin/freshclamz(/usr/local/cpanel/3rdparty/bin/freshclamz/bin/freshclamz/etc/freshclam.confrAz/usr/local/maldetect/sigs)�clamscan�	clamav-db�	freshclam�	freshconf�maldetr�r~r�z�
maldet-imh is deprecated and no installation found.
This scan will proceed and maldet related errors can be ignored.
If you wish to utilize maldetect, please install from source.
z
found path %szmissing dependancy %srz#not permitted to install missing %sr�zmissing pkgs: %szallowed to install: %srz!Failed to install dependancies %s)�os�getuidru�IMH_ROLEr"�_find_binaryrDr^r`rQ�debugrRrEry�exit�
_install_deps)r$rqrproZ
shared_permitZclamdb_needZfreshclam_needZmaldet_needZdeps_dZinstall_listZfailed_listr��depZoptsZ
found_path�reqrrrrz�s����
���	���/��





zScanner._check_depsc
Cs�|jrd}ntd|�d�dd�}|dkr>|j�d�t�d�z$tgd	�||jrVdntd
d�Wn`t	y�}z"|j�
|�t�d�WYd}~n0d}~0ty�|j�d
�t�d�Yn0d
S)N�yzWould you like to install z? (y|n))r��n)�charsr�Zexitingr)Zyumz-yriT)rIZcheckrzerror running yum, exiting)
ri�
ask_promptrQ�warningryr�r
rgr�FileNotFoundErrorrRr�fatal)r$r�Zret�excrrrr�+s,
�

�
zScanner._install_depscCsFt��d}t��d}||kr<|j�d||�t�d�qdSqdS)Nrrz5Load too high to start clamscan (%s/%s), sleeping 30s�)�psutil�	cpu_countr��
getloadavgrQr��time�sleep)r$Z	cpu_limitZloadavgrrr�cpu_waitDs�zScanner.cpu_wait)rprocCs�ttfD]}t|�jdddd�q|j�dtt�tD](}t�|��}t�|��}|�	||�q8tD](}t�|��}t�|��}|�	||�qf|j
r�|j�d�|��t
�d�|s�|r�dS|��dS)zUpdates the custom definitionsi�T��mode�parents�exist_okzDefinitions to get: %szJust updating defintionsrN)�DEFS_DIR�HEUR_DIRr�mkdirrQr��	DEF_FILES�
HEUR_FILES�DEFS_SERVER�_download_filerjr��
_freshclamryr�)r$rproZdir_nameZdef_file�urlrZrrr�update_defsRs$
zScanner.update_defs)r��destc
Cs�|j�d||�z�tj|ddd��f}|��tt|�dd��,}|jdd�D]}|�|�qLWd�n1sp0YWd�n1s�0YWn6tj	y�}z|j�
d	||�WYd}~n
d}~00t�|d|�dS)
NzDownloading %s to %sTr�)�stream�timeoutz.tmp�wbi )Z
chunk_sizez"Unable to retrieve %s, skipping
%s)
rQr��requests�getZraise_for_status�openrZiter_contentrJZRequestExceptionrRr��rename)r$r�r�r��file�chunkr�rrrr�gsL&zScanner._download_filec	Cs�tt���}tj�t�r�|js�ttdd���}z>t|���	��}|d|krh|j
�d�WWd�dSWn4ty�}z|j
�
dt|�WYd}~n
d}~00Wd�n1s�0Yd|jd��}|jd	|g}|j
�d
|�zXt|tdd��4}|jD]}|j�s�q|�|��qWd�n1�s60YWn6t�yx}z|j
�
d
|�WYd}~dSd}~00|j�r�|j
�
d�dSttddd��}|�t|��Wd�n1�s�0Y|j��dS)zRuns freshclam for system�ascii��encodingi�Qz+freshclam ran less than a day ago, skippingNzerror reading %s
%sz--config-file=r�r�zfreshclam command: %s�utf-8)rIr�zERROR: freshclam failed: %sz=ERROR: freshclam failed, database.clamav.net probably offline�w)r,r�r�rZ�exists�FRESH_CACHErjr��read�striprQr��	ExceptionrRr{r�rrrIrg�_freshclam_print�OSError�
returncoderJr�close)	r$Znowr�Zlast_runr�Zfreshclam_confZ	fresh_cmdr3rHrrrr�ss@�D
2�.zScanner._freshclamcCsNztj|d�}|��Wn"ty:|j�d|�YdS0|j�d|�dS)N)�dirz%s is not writeableFz%s is writeableT)�tempfileZ
TemporaryFiler�r�rQr�)r$rZZtestfilerrr�write_ok�szScanner.write_okN)�stack�
log_tuplesrcCs�g}|D]�\}}z2|jjdddd�|dur@t�|j|j|j�Wn<ty~}z$|j�d|�t	�
d�WYd}~n
d}~00|�|�|j
ddd���|dur�t�||j|j�|jd	d
�q|S)N�Tr�z%s
error in _init_logs��ar�r�i�)r�)�parentr�r��chownZpw_uidZpw_gidr�rQr�ryr�rE�
enter_contextr��chmod)r$r�r��files�log_path�ownerr�rrr�
_init_logs�s  �zScanner._init_logs)	rmrlrkrrrnrhrqrorfc
Cs�|jdddddg}
|r"|
�d�|r0|
�d�|sH|
�d|jd	g�|
�dtg�|rn|
�d|jd
g�|s�tj�t�r�|
�dt�g�|r�|
�dtg�|r�|
�d�|s�|
�d�|	r�|	D]}|
�d
|g�q�|
�d�|
S)Nr�z-rz--normalize=noz--cross-fs=yesz-iz--heuristic-alerts=yesz--phishing-sigs=yesz-dr�r�z7--exclude=\.(jpe?g|png|gif|mp(eg|4|g)|mov|avi|wmv|flv)$z�--exclude=/home[0-9]?/[^/]*/(quarantine*|mail/|etc/|logs/.*(\.tar)?\.gz|tmp/awstats/.*.txt|tmp/webalizer/(.*usage_.*.html|webalizer\.current))z	--excludez--)	r{rE�extendr�r�rZr��DUMMYr�)r$rmrlrkrrrnrhrqrorf�cmdrZrrrr|�s@
�

��
zScanner._make_commandF)�
scan_pathsr�r6rc
Cs�ttt|��}|sJ�|j��}|�|�|j�dt�	t
�|����zt���}|�
||�}z�t|t��tdddd��T}t||||d�}	z|jtd�Wnty�|��Yn0|	��Wd�n1s�0YWn(t�y|��|j�d�Yn 0|jd	k�r$|j�d
|j�Wd�n1�s:0YWn>t�y�}
z$|j�d|
�t�d�WYd}
~
n
d}
~
00|jd	k�r|D]f\}}t|d
dd��<}
|
�d|j�d��|jdk�r�|
�d�Wd�n1�s�0Y�q�nZ|	j �sZ|	j!�sZ|D]D\}}t|ddd��}
|
�d�Wd�n1�sL0Y�q|	��t"|jt
�|�|	j |	j!d�|	j#�d�S)z
Runs clamscanzScan command: %sNr��surrogateescape)ZlimrI�stderrr��errorsr2)r�z>Scan interrupted; continuing with what it found so far, if anyrz\The clamscan process was killed with signal %d; continuing with what it found so far, if anyzError: clamav fatal error:
 %srr�r�z&Scan was interrupted with kill signal �
i����z.This usually means an out-of-memory condition
r�zNo malware detected
rAr!)$rd�maprr�copyr�rQr�r^�cyanra�joinrr�rr�r�rr0�wait�COMMAND_TIMEOUTr	�kill�KeyboardInterruptrRr�r�r�ryr�r�rJrrrr=)r$r�r�r6Zscan_path_strsr�r�r5r3�parserr�r��_r�rrr�scan�s�

��*�
�( ���*.
�zScanner.scan)rHcCsht�dt�d�|�}t�dt�d�d|�}t�dt�d�d|�}t�dt�d�|�}|j�|�dS)z$Styles clamscan output and prints itz(ClamAV update process started)z\1z!(WARNING|(?:YARA.)?[Hh]euristic):�:z(ERROR):z!((?:main|daily|bytecode)\.c[lv]d)N)	�re�subr^�boldr_r`r�rQr�rGrrrr�7s�zScanner._freshclam_print)F)r(r)r*r+rdrrUr9rzr�r�r�r�r�r�r�tuplerr�pwdZ
struct_passwdrr�r|rr�r�rrrrr1�s^�/�m%��6��Mr1cCstd��dS)NzPrompt timed out)�TimeoutError)ZsignumZ_framerrr�_prompt_timeoutBsr�)�linesr�rcGs\d}d}d�|�}t�tjt�t�|�||vrNtt�|�d����	�}q*t�d�|S)zSimple yes or no checkeri�:	rAr�r)
r��signal�SIGALRMr��alarm�inputr^r�r��lower)r�r�Zone_weekZanswerZquestionrrrr�Fs


r�)�paths_to_checkrcCs"|D]}tj�|�r|SqdS)z!used to find clamav and freshclamN)r�rZr�)r�rZrrrr�Ss
r�)�time_str)r�r�cCs�|durttt����}|s(td�dSg}|D]�}t�t|��}rdt|�d��}|d|��}n,tj	dkr�t
r�td|���}ntd|��}||vr�td|�|�|�zt
||�Wq0ty�}z$t|d|��d	tjd
�WYd}~q0d}~00q0dS)z4Decides the quarantine dir per file and runs jail_mvNzNothing to quarantinerzquarantine/quarantine_r}z"/home/t1bin/quarantine/quarantine_zQuarantine root: %szError: quarantine failed for r�)r\r�)rr,r�rD�HOME_RErPr�grouprur��IS_ROOT�
CUR_USER_HOMErE�jail_mvr�ryr�)r�r�Z
printed_roots�	file_pathrPZ	user_home�	jail_rootr�rrr�
jail_files[s2

�r�)r�r�cCs�|jdddd�t�|d�|t|j��d�}|jddd�t�|j|�t|j|�||j	}t�
||�t||�t�|�t�|d�dS)z+Quarantine function retaining dir structurer�Tr��/)r�r�rN)r�r�r�rr��lstrip�shutilZcopystat�
copy_uid_guidrsZcopy2�remove)r�r�Zdest_dirZ	dest_pathrrrr�ys


r�cCs^t�|�}t�|�}|j|jkr0|j|jkr0dSzt�||j|j�WntyXYn0dSr&)r��stat�st_uid�st_gidr�r�)�srcZdstZ	src_statsZ	dst_statsrrrr�s


�
�r)Ir+�
contextlibrZgetpassr�rv�pathlibrrarr�ryr�Z	threadingZdataclassesrr�r��typingrr�
subprocessrrr	r
rrZdatetimer
r�r�r�ruZ
rads.colorrcr^Zcprocrr�r�r�r�r�r�r�r�r�r,Z
total_secondsr��compile�DOTALLrOrV�getpwnamZgetuser�pw_dirr�r�rZThreadr0r1r�rr�r�rdr�r�r�rrrrr�<module>sd

J7
"