[ SEA-GHOST MINI SHELL]

Path : /proc/2/root/proc/2/root/usr/local/bin/
FILE UPLOADER :
Current File : //proc/2/root/proc/2/root/usr/local/bin/blazescan

#!/bin/bash

###############################setup##################################
#choose y/N
yesno(){ read -p "$question " choice;case "$choice" in y|Y|yes|Yes|YES ) decision=1;; n|N|no|No|NO ) decision=0;; * ) echo "invalid" && yesno; esac; }

#making log location
if [[ -e /usr/local/scan ]];then #then pwd exists
	echo -e 
else
mkdir -p /usr/local/scan
fi

if [[ -e /usr/local/scan/report ]];then #then pwd exists
	echo -e 
else
mkdir -p /usr/local/scan/report
fi

reportdir=/usr/local/scan/report
envelope=/usr/local/scan/report/mail

#set sigdir
sigdir=/usr/local/scan/lw-yara

if [[ -e /usr/local/scan/lw-yara/lw.hdb ]]; then #rules installed, run update
	cd $sigdir
	git pull
	echo -e
else git clone https://github.com/Hestat/lw-yara.git $sigdir
	echo -e
fi

scandir=/usr/local/scan

if [[ -x $(which maldet) ]]; then #maldet installed adding maldet sigs
	sigdir2=/usr/local/maldetect/sigs
else
	echo -e #not installed
fi

#create color vars
yell='\e[33m'
gre='\e[32m'
whi='\e[0m'


######################   versioning ########################################

VERSION="[ version 1.5 ]"

#check if blazescan is up to date

UPDATECHECK(){
remoteprogsig=$(curl -sS https://raw.githubusercontent.com/Hestat/blazescan/master/blazescan | md5sum | awk '{print$1}')
localprogsig=$(md5sum /usr/local/scan/blazescan | awk '{print$1}')
if [[ "$remoteprogsig" = "$localprogsig" ]]; then
	echo -e "$gre Blazescan is up to date $whi"
	sleep 1
else echo -e "$yell Newer version of Blazescan available, would you like to update? [y/n]"
	yesno; if [ $decision = 1 ]; then
	wget -O /usr/local/scan/blazescan https://raw.githubusercontent.com/Hestat/blazescan/master/blazescan
	echo -e "Update complete $whi\n"
	else echo -e "Ending update check$whi\n"
	fi
fi
}



######################   create formatting #################################
#Creates variable for red color
red='\e[0;31m'
#Creates variable for bold red color
redbold='\e[1;31m'
#Creates variable for green color
green='\e[0;32m'
#Creates variable for yellow color
yellow='\e[1;33m'
#Creates variable for purple color
purple='\e[1;35m'
#Creates variable for no color
whi='\e[0m'
#blue
blue='\e[34m'

div(){
  for ((i=0;i<$1;i++)); do printf '='; done;
}

header(){
	echo -e "\n$(div 80)\n"
}

header2=$(echo -e "$(div 3)")

title(){
echo -e "                      __________________"
echo -e "                      \                 \ "
echo -e "                       \                 \ "
echo -e "                        \            )    \ "
echo -e "                         \          ).(    \ "
echo -e "       /-------------------------).(.(------"
echo -e "     //---------------//   (     ).(.   //  |"
echo -e "    //                //    (.)   ).(. // __|"
echo -e "   //               //   ) .( .( ).)) //    ||"
echo -e "  //               // ).( .( .) .(.).//     ||"
echo -e " //_______________//  ^^^^^^^^^^^^^^//      ||"
echo -e "------------------------------------/ ------ |"
echo -e "| Blazescan   |         |  Another  |        |"    
echo -e "| AMS Software|         |  Malware  |        |"   
echo -e "|--------------         |  Scanner  |        |"   
echo -e "|                       ------------|        |"
echo -e "----------------------------------------------" 
echo -e "Sometimes you need to burn it down and start fresh"
}

scanout(){
	echo -e "$redbold Scan output file can be found here: $whi"
}

maldetandyara(){
	echo -e "$blue maldet detected, using maldet and lw-yara signatures $whi"
}

headtimestamp(){
	echo -e "Change timestamps on malicious files flagged in the scan"
}

#########################   help menu   #####################################

helpmenu(){
	header
	echo -e "Blazescan $redbold $VERSION $whi is a malware scanning and incident response tool" 
	echo -e "that uses clamav and custom malware databases\n"
	echo -e "If you run blazescan without any arguments it will present a simple scanning menu\n"
	echo -e "  -a will scan all cpanel accounts\n"
	echo -e "  -A will use Agressive mode to scan all cpanel accounts"
	echo -e "     uses clamd to run multicore scans, can increase load\n"
	echo -e "  -u will scan the specified cpanel user\n"
	echo -e "  -l will show the results of the last scan\n"
	echo -e "  -t will display ctime of the hits in the last scan\n"
	echo -e "  -d scan a directory of your choosing\n"
	echo -e "  -w will run a scan on the directory of your choosing with wordpress checks included\n"
	echo -e "  -f will run search for all files in the directory given and record ctime of all files\n"
	echo -e "  -i provide a file to pull vital stats about the file\n"
	echo -e "  -m will email the list of hits from the last malware scan\n"
	echo -e "  -n will provide an overview of logged in users and network traffic\n"
	echo -e "  -N will run a tcpdump for a specified time period and write the data to a file for later analysis\n"
	echo -e "  -U will check for updates, and allow you to perform any available updates\n"
	echo -e "  -R will allow you to report a malicious file back to add a signature"
	echo -e "     use this if you encounter new malicious code that is not detected\n"	
	echo -e "  -h will display the help menu\n"
	echo -e "By default the scanner will use the rules at https://github.com/Hestat/lw-yara\n"
	echo -e "It will also use the maldet rules if installed http://www.rfxn.com/projects/linux-malware-detect/\n"
	header
}

###########################   scan functions    ################################


enumcpaneldocrootall(){
	find /var/cpanel/userdata/ -type f | xargs grep documentroot | awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | awk -F":" '{print $3}'
}


clamdcpanelallscan(){
	for FILE in $( enumcpaneldocrootall ); do echo -e "$yellow Scan location:\t$FILE\n $whi" | tee -a $OP1 
		clamdscan --config-file=/usr/local/scan/blazescand.conf $FILE | tee -a $OP1; echo -e "\n" | tee -a $OP1 ; done; scanout; echo -e "$OP1\n"
		headtimestamp >> $OP1
		header >> $OP1
		timestamps >> $OP1
}


cpanelallscan1(){
		for FILE in $( enumcpaneldocrootall ); do echo -e "$yellow Scan location:\t$FILE\n $whi" | tee -a $OP1 
		clamscan -ir -d /usr/local/scan/lw-yara/ $FILE | tee -a $OP1; echo -e "\n" | tee -a $OP1 ; done; scanout;echo -e "$OP1\n"
		headtimestamp >> $OP1
		header >> $OP1
		timestamps >> $OP1
}


cpanelallscan2(){
		for FILE in $( enumcpaneldocrootall ); do echo -e "$yellow Scan location:\t$FILE\n $whi" | tee -a $OP1 
		clamscan -ir --no-summary -d /usr/local/maldetect/sigs -d /usr/local/scan/lw-yara/ $FILE | tee -a $OP1; echo -e "\n" | tee -a $OP1 ; done; scanout; echo -e "$OP1\n"
		headtimestamp >> $OP1
		header >> $OP1
		timestamps >> $OP1
}

singlecpanelscan1a(){
                for FILE2 in $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot | awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | awk -F":" '{print $2}'); do echo -e "$yellow Scan location:\t$FILE2\n $whi" | tee -a $OP2
                clamscan -ir  --no-summary -d  /usr/local/scan/lw-yara/ $FILE2 | tee -a $OP2; echo -e "\n" | tee -a $OP2;done; scanout; echo -e "$OP2\n"
		headtimestamp >> $OP2
		header >> $OP2
		timestamps >> $OP2
}

singlecpanelscan2a(){
                for FILE2 in $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot | awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | awk -F":" '{print $2}'); do echo -e "$yellow Scan location:\t$FILE2\n $whi" | tee -a $OP2
                clamscan -ir  --no-summary -d /usr/local/maldetect/sigs -d  /usr/local/scan/lw-yara/ $FILE2 | tee -a $OP2; echo -e "\n" | tee -a $OP2;done; scanout; echo -e "$OP2\n"
		headtimestamp >> $OP2
		header >> $OP2
		timestamps >> $OP2
}

singlecpanelscan1b(){
                for FILE2 in $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot | awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | awk -F":" '{print $3}'); do echo -e "$yellow Scan location:\t$FILE2\n $whi" | tee -a $OP2
                clamscan -ir  --no-summary -d  /usr/local/scan/lw-yara/ $FILE2 | tee -a $OP2; echo -e "\n" | tee -a $OP2;done; scanout; echo -e "$OP2\n"
		headtimestamp >> $OP2
		header >> $OP2
		timestamps >> $OP2
}

singlecpanelscan2b(){
                for FILE2 in $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot | awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | awk -F":" '{print $3}'); do echo -e "$yellow Scan location:\t$FILE2\n $whi" | tee -a $OP2
                clamscan -ir  --no-summary -d /usr/local/maldetect/sigs -d  /usr/local/scan/lw-yara/ $FILE2 | tee -a $OP2; echo -e "\n" | tee -a $OP2;done; scanout;echo -e "$OP2\n"
		headtimestamp >> $OP2
		header >> $OP2
		timestamps >> $OP2
}

directoryscanM(){
 	clamscan -ir  --no-summary -d /usr/local/maldetect/sigs -d  /usr/local/scan/lw-yara/ $direct | tee -a $OP3; echo -e "\n" | tee -a $OP3; scanout; echo -e "$OP3\n"
	headtimestamp >> $OP3
	header >> $OP3
	timestamps >> $OP3
}

directoryscan(){
 	clamscan -ir --no-summary -d  /usr/local/scan/lw-yara/ $direct | tee -a $OP3; echo -e "\n" | tee -a $OP3; scanout; echo -e " $OP3\n"
	headtimestamp >> $OP3
	header >> $OP3
	timestamps >> $OP3
}

clamddirectoryscan(){

	 clamdscan --config-file=/usr/local/scan/blazescand.conf $direct | tee -a $OP3; echo -e "\n" | tee -a $OP3 scanout; echo -e "$OP3\n"
	 headtimestamp >> $OP3
	 header >> $OP3
	 timestamps >> $OP3
}

wpclicheck(){
	#wpuser=$(find $wpdirect -name wp-config.php | xargs stat -t --format=%U)
	echo -e " Wordpress path: $wpdirect" | tee -a $OP3
	runuser -l  $wpuser -s /bin/bash -c "wp checksum core --path=$wpdirect" 2>&1 | tee -a $OP3
	echo -e "\n Wordpress Administrative users, review to confirm no malicious users" | tee -a $OP3
	runuser -l $wpuser -s /bin/bash -c "wp user list --role=administrator --path=$wpdirect --format=csv" 2>&1 | tee -a $OP3
	echo -e "\n"
}


############################# network information ############################# 

listening(){
	header
	echo -e "$red $header2 Listening services $header2 $whi\n"
	if [[ -e /etc/systemd ]]; then #systemd os using ss
		ss -tulpn
	else #init using netstat
		netstat -tulpn
	fi
}

active(){
	header
	echo -e "$red $header2 Active connections $header2 $whi\n"
	if [[ -e /etc/systemd ]]; then #systemd os using ss
		ss -tupn
	else #init using netstat
		netstat -tupn
	fi
	header
}

users(){
	header
	echo -e "$red $header2 Connected users $header2 $whi\n"
	w
	echo -e
	header
	echo -e "$red $header2 Last 10 logins $header2 $whi\n"
	last -Faixw | head
}



livecapture(){
	PORT=""
	HOST=""
	NP1=/usr/local/scan/nettraffic$(date +%F-%H%M).pcap
	echo -e "How long would you like to capture traffic? (measured in seconds)"
	read TIME

	echo -e "\nWould you like to set a host ip address? [y/n]"
	yesno; if [ $decision = 1 ];then
	echo -e "Enter ip address:"
	read HOST
	else
	sleep 0
	fi

	echo -e "\nWould you like to set a port to watch? [y/n]"
	yesno; if [ $decision = 1 ];then
        echo -e "Enter port number:"
        read PORT
	else
	sleep 0
	fi

	if [[ $(echo $HOST| wc -c) > 1 ]] && [[ $(echo $PORT|wc -c) > 1 ]];then
	timeout $TIME tcpdump -vvv host $HOST and port $PORT -w $NP1
	elif [[ $(echo $HOST| wc -c) > 1 ]]; then
	timeout $TIME tcpdump -vvv host $HOST -w $NP1
	elif [[ $(echo $PORT|wc -c) > 1 ]];then
	timeout $TIME tcpdump -vvv port $PORT -w $NP1
	else
	timeout $TIME tcpdump -vvv -w $NP1
	fi
	echo -e "\nPacket capture stored in $NP1"
	echo -e "\n\nIf you would like to review this data now run the following command"
	echo -e "\ntcpdump -nr $NP1\n"
}

#############################  time stamps and other things ###################

list(){
	if [[ $(grep UNOFFICIAL $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}') | wc -l) -ge "1"  ]]; then
		grep UNOFFICIAL $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}')
	else echo -e " not hits found\n"
	fi
}


wlist(){
	if [[ $(grep "Warning:" $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}') | wc -l) -ge "1"  ]]; then
		grep "Warning:" $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}')
	else echo -e " Wordpress core files match\n"
	fi
}

timestamps(){
	if [[ $(grep UNOFFICIAL $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}') | cut -d : -f1 | xargs stat -t --format=%z,%n 2> /dev/null | wc -l) -ge "1" ]]; then 
		grep UNOFFICIAL $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}') | cut -d : -f1 | xargs stat -t --format=%z,%n
else echo -e " no hits found\n"
fi
}

forensic(){
	find $direct -type f | xargs stat -t --format=%y:%n 2> /dev/null 1>> $OP4
}

filebasic(){
			echo -e "File Stats:"
			header
			stat $fileid
			header
			echo -e "\n\nFile type:"
			header
			file $fileid
			header
			echo -e "\n\nFile SHA1 hash:"
			header
			sha1sum $fileid
			header
}

vtcheck(){
	echo -e "\n VirusTotal results"
	header
	curl -s -X POST 'https://www.virustotal.com/vtapi/v2/file/report' --form apikey="$vtkey" --form resource="$vthash" | json_pp | egrep "permalink|scan_date|verbose_msg|positives|total" 
	header
}

############################# reporting        ################################

objectName=suspectfile$(date +%y%m%d-%H%M).zip
bucket=blazescan-signatures
resource="/${bucket}/${objectName}"
contentType="application/zip"
dateValue=`date -R`
acl="x-amz-acl:public-read"
stringToSign="PUT\n\n${contentType}\n${dateValue}\n${resource}"

s3put(){

curl  -i -X PUT -T "${upload}" \
          -H "Host: ${bucket}.s3.amazonaws.com" \
          -H "Date: ${dateValue}" \
          -H "Content-Type: ${contentType}" \
	  -H "$acl" \
          https://${bucket}.s3-us-west-2.amazonaws.com/${objectName}
}


############################# flags for running ###############################


while getopts ":ahltu:d:w:UARfi:mnN" opt; do
  case ${opt} in
    h ) # process option h to display help menu
	    helpmenu
	    exit 0
      ;;
    u ) # process option u for individual cpanel account
	    user=$OPTARG
		OP2=/usr/local/scan/$user-$(date +%F-%H%M.txt)
		echo -e "\n"|tee -a $OP2
		if [[ -x $(which maldet) ]];then 
			#echo -e "maldet detected, using maldet and lw-yara signatures"
			maldetandyara
			if [[ $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot |awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | wc -l) -eq "1" ]]; then 
                       			singlecpanelscan2a
                       	else
                       			singlecpanelscan2b
                       	fi; 
                else
                        echo -e "using only lw-yara signatures"
                        if [[ $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot |awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | wc -l) -eq "1" ]]; then 
                       			singlecpanelscan1a
                       	else
                       			singlecpanelscan1b
				fi
			fi
			exit 0;;

	A ) # -A agressive mode
			if [[ -x $(which clamdscan 2>/dev/null) ]]; then
				echo -e "Multiple CPU cores detected, would you like to use Blazescan in Aggressive mode? [y/n]"
		       		echo -e "Warning if the server is under load, this is not recommended as it will create additional heavy load on the system"	
				yesno; if [ $decision = 1 ]; then
					OP1=/usr/local/scan/scan-$(date +%F-%H%M.txt)
					echo -e "\n"|tee -a $OP1
					clamdcpanelallscan
					exit 0
					else
					exit 0
				fi
				else "install clamd first"
			fi
			exit 0;;

	a ) # -a option to scan all cpanel accounts
		#creating log file
		OP1=/usr/local/scan/scan-$(date +%F-%H%M.txt)
		echo -e "\n"|tee -a $OP1
		if [[ -x $(which maldet) ]]; then 
			#echo -e "maldet detected, using maldet and lw-yara signatures"
			maldetandyara
		#elif [ $(nproc) >= "2" ]; then 
		#		echo -e "Multiple CPU cores detected, would you like to use Blazescan in Aggressive mode? [y/n]"
		#	       	echo -e "Warning if the server is under load, this is not recommended as it will create additional heavy load on the system"	
		#		yesno; if [ $decision = 1 ]; then
		#		clamdcpanelallscan
		#else
			cpanelallscan2
		else
			echo -e "using only lw-yara signatures"
			cpanelallscan1
		fi
		exit 0;;

	l ) #list results
		list
		if [[ $(grep "Warning:" $(find /usr/local/scan/ -maxdepth 1 -name '*.txt' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1 |awk '{print$4}') | wc -l) -ge "1"  ]]; then
			echo -e "\nWordpress checks"
			wlist
			echo -e
		else
			exit 0
		fi
		exit 0;;
	t ) timestamps
		exit 0;;
	d ) #scan specified directory
		direct=$OPTARG
		#creating log file
		OP3=/usr/local/scan/scan-$(date +%F-%H%M.txt)
		echo -e "\n"|tee -a $OP3
		#if [[ $(nproc) = 2 ]]; then
		#	echo -e "Multiple CPU cores detected, would you like to use Blazescan in Aggressive mode? [y/n]"
		#	echo -e "Warning if the server is under load, this is not recommended as it will create additional heavy load on the system"	
		#	yesno; if [ $decision = 1 ]; then
		#	clamddirectoryscan
		#	exit 0
		#	else #continue
		#	fi
		if [[ -x $(which maldet) ]];then
			#echo -e "maldet detected, using maldet and lw-yara signatures"
			maldetandyara
			directoryscanM
		else
			echo -e "using only lw-yara signatures"
			directoryscan
		fi
		exit 0;;
	
	w ) #perform wordpress based scanning
		wpdirect=$OPTARG
		direct=$wpdirect
		wpuser=$(find $wpdirect -name wp-config.php | xargs stat -t --format=%U)
		OP3=/usr/local/scan/$wpuser-$(date +%F-%H%M.txt)
		echo -e "$yellow Performing wordpress checks... $whi"
		echo -e "\n" | tee -a $OP3
		wpclicheck
		echo -e "\n" | tee -a $OP3
		if [[ -x $(which maldet) ]];then
			#echo -e "maldet detected, using maldet and lw-yara signatures"
			maldetandyara
			directoryscanM
		else
			echo -e "using only lw-yara signatures"
			directoryscan
		fi
		exit 0;;
	
	f ) #perform a forensic capture of all ctimes on files recursively via the path given
		echo -e "What path would you like to collect forensic change timestamps?"
		read direct
		echo -e "Provide your username:"
		read USER
		OP4=/usr/local/scan/forensic-$USER-$(date +%F-%H%M).log
		forensic
		echo -e "$red Log can be found here: $whi"
		echo -e "$OP4"
		exit 0;;

	U ) #perform update checks
		UPDATECHECK
		exit 0;;
	R ) #report a malicous file that was not found
		echo -e "$yellow Provide the full path file you would like to send"
		echo -e " EX: /home/test/example.php $whi"
		read file
		cp $file $reportdir
		tempup=$(find $reportdir -maxdepth 1 -type f -exec stat -c "%y %n" {} + | sort -r | head -n1|awk '{print$4}' | cut -d / -f 6)
		pushd /usr/local/scan/report/
		zip -P "malware" report.zip $tempup
		popd
		upload=$(find $reportdir -maxdepth 1 -name '*.zip' -type f -exec stat -c "%y %n" {} + | sort -r | head -n1|awk '{print$4}') 
		s3put
		#rm $tempup 
		rm $upload 2> /dev/null
		echo -e "$green Upload complete, thank you for reporting the file $whi"
		exit 0;;

	i ) #perform file analysis
		fileid=$OPTARG
		OPFILE=/usr/local/scan/filecheck-$(date +%F-%H%M.log)
			echo -e "$yellow Collecting information on file...\n $whi"
			filebasic >> $OPFILE
			filebasic
			echo -e "\n Would you like to view file strings? [y/n]"
			yesno; if [ $decision = 1 ]; then
				strings $fileid | less
			else
				echo -e
			fi
			echo -e "\n Would you like to check hash against Virustotal? [y/n]"
			yesno; if [ $decision = 1 ]; then
			vtkey=$(grep "#VTapikey=" /usr/local/scan/blazescand.conf| cut -d = -f2)
			vthash=$(sha1sum $fileid| awk '{print$1}')
			if [ $(echo $vtkey| wc -c) = 1 ]; then #no api key
				echo -e "$yellow No Virustotal API key found, please add to /usr/local/scan/blazescand.conf $whi"
			else
				vtcheck
				vtcheck >> $OPFILE
			fi
			echo -e "\n"
			else
				echo -e
			fi
			echo -e "$red basic file info recorded in $whi $OPFILE"
			exit 0;;

	
	m ) #mail-to function
		addr=$(grep Mailtoaddress /usr/local/scan/blazescand.conf | cut -d = -f2)
		if [ $(echo $addr| wc -c) = 1 ]; then
			echo -e "$yellow No Email address specified, please set up in /usr/local/scan/blazescand.conf $whi"
		else
			echo -e "Subject: Blazescan malware hits report" > $envelope
	        	list >> $envelope
			echo -e "Sending report to $addr\n\n"
			cat $envelope | sendmail $addr
			rm $envelope
		fi	
		exit 0;;


	n ) #network checks
		users
		listening
		active
		exit 0;;
	N ) #network capture
		livecapture
		exit 0;;


    \? ) echo "Usage: cmd [-d directory path to scan] [-w path to wordpress homedir to scan] [-u cpanel user] [ -a scan all cpanel account] [-l list last scan results] [-t list create time of hits] [ -h Use to get a full list of the features and flags]"
	    exit 0;;
  esac
done

shift "$((OPTIND -1))"

#subcommand=$1; shift
#case "$subcommand" in

#	mail)
#		address=$1;
#		echo -e "I'm running!"
#	       	shift
#		exit 0;;
#esac

#############################   begin main   ##################################

if [[ -x $(which whmapi1) ]]; then #cpanel

	#begin menu for cpanel options
	while true
	do
		clear
		header
		helpmenu
		header
		echo -e
		#title
		echo -e
		echo -e "Please select scan you would like to run\n"
		echo -e "Select [1] to scan all Cpanel accounts and Docroots\n"
		echo -e "Select [2] to scan individual account\n"
		echo -e "Select [3] to exit\n"
		header
read answer
case "$answer" in

	
	1) if [[ -x $(which clamscan) ]]; then #clamav installed
		#creating log file
		OP1=/usr/local/scan/scan-$(date +%F-%H%M.txt)
		echo -e "\n"|tee -a $OP1
		if [[ -x $(which maldet) ]]; then 
			#echo -e "maldet detected, using maldet and lw-yara signatures"
			maldetandyara
			cpanelallscan2
		else
			echo -e "using only lw-yara signatures"
			cpanelallscan1
		fi
	else echo -e "trying to link to existing clamscan binary"
		ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan 
		ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/bin/freshclam
		if [[ -x $(which clamscan) ]]; then 
			echo -e "success, please restart to scan"
			else echo -e "clamav not installed please install"
		fi
	fi;;

	2) 	echo "What is the cpanel user?"
		read user
		#creating log file
		OP2=/usr/local/scan/$user-$(date +%F-%H%M.txt)
		echo -e "\n"|tee -a $OP2
		if [[ -x $(which maldet) ]];then 
			#echo -e "maldet detected, using maldet and lw-yara signatures"
			maldetandyara
			if [[ $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot |awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | wc -l) -eq "1" ]]; then 
                       			singlecpanelscan2a
                       	else
                       			singlecpanelscan2b
                       	fi; 
                else
                        echo -e "using only lw-yara signatures"
                        if [[ $(find /var/cpanel/userdata/$user -type f | xargs grep documentroot |awk -F":" '{print$1}' | egrep -v "(cache|SSL|nobody)" | xargs grep documentroot | wc -l) -eq "1" ]]; then 
                       			singlecpanelscan1a
                       	else
                       			singlecpanelscan1b
                       	fi; 
		fi;;			

	3) exit;;
	esac
	echo -e "Press Enter to return to menu"
	read input
done
else
	echo -e "not cpanel, please use the -d flag to set the directory you want to scan\n"
	echo -e "use the -h flag to see the flags that can be used"
fi

SEA-GHOST - SHELL CODING BY SEA-GHOST