From 7604c7db98dd7066bb6ee2ff2230f2647711e4b5 Mon Sep 17 00:00:00 2001 From: mjollnir_ Date: Thu, 16 Sep 2004 23:12:20 +0000 Subject: [PATCH] Logging infected files to error_log AND moodle log table. These patches are maintained in an publicly accessible Arch repository, see: http://lists.eduforge.org/cgi-bin/archzoom.cgi/arch-eduforge@catalyst.net.nz--2004-MIRROR/moodle--eduforge--1.3.3 Index of arch patches in this commit: arch-eduforge@catalyst.net.nz--2004/moodle--eduforge--1.3.3--patch-72 2004-09-16 22:30:44 GMT Penny Leach logging infected files to error_log and the moodle log table, slight change to instructions in handlevirus.php Full logs: Revision: moodle--eduforge--1.3.3--patch-72 Archive: arch-eduforge@catalyst.net.nz--2004 Creator: Penny Leach Date: Fri Sep 17 10:30:44 NZST 2004 Standard-date: 2004-09-16 22:30:44 GMT Modified-files: admin/handlevirus.php lib/uploadlib.php New-patches: arch-eduforge@catalyst.net.nz--2004/moodle--eduforge--1.3.3--patch-72 Summary: logging infected files to error_log and the moodle log table, slight change to instructions in handlevirus.php Keywords: --- admin/handlevirus.php | 4 ++-- lib/uploadlib.php | 25 ++++++++++++++++++++++++- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/admin/handlevirus.php b/admin/handlevirus.php index 1755905cd8..159dbee520 100644 --- a/admin/handlevirus.php +++ b/admin/handlevirus.php @@ -1,6 +1,6 @@ 2>&1 | php thisfile.php + * clamscan -r --infected --no-summary 2>&1 | php -d error_log=/path/to/log thisfile.php * also it's important that the output of clamscan prints the FULL PATH to each infected file, so use absolute paths for area to scan * also it should be run as root, or whatever the webserver runs as so that it has the right permissions in the quarantine dir etc. */ 
@@ -28,7 +28,7 @@ while(!feof($fd)) { $bits = explode('/',$file); $a->filename = $bits[count($bits)-1]; - if (!$log = get_record("log","module","upload","info",$file)) { + if (!$log = get_record("log","module","upload","info",$file,"action","upload")) { $a->action = clam_handle_infected_file($file,0,false); clam_replace_infected_file($file); notify_admins_unknown($file,$a); diff --git a/lib/uploadlib.php b/lib/uploadlib.php index 7a0a589e03..f08fc807fa 100644 --- a/lib/uploadlib.php +++ b/lib/uploadlib.php @@ -410,6 +410,7 @@ function clam_handle_infected_file($file,$userid=0,$basiconly=false) { $now = date('YmdHis'); if (rename($file,$CFG->quarantinedir.'/'.$now.'-user-'.$userid.'-infected')) { $delete = false; + clam_log_infected($file,$CFG->quarantinedir.'/'.$now.'-user-'.$userid.'-infected',$userid); if ($basiconly) { $notice .= "\n".get_string('clammovedfilebasic'); } @@ -436,6 +437,7 @@ function clam_handle_infected_file($file,$userid=0,$basiconly=false) { } if ($delete) { if (unlink($file)) { + clam_log_infected($file,'',$userid); $notice .= "\n".get_string('clamdeletedfile'); } else { @@ -601,7 +603,6 @@ function clam_log_upload($newfilepath,$course=null) { if (strpos($newfilepath,$CFG->dataroot) === false) { $newfilepath = $CFG->dataroot.'/'.$newfilepath; } - $CFG->debug=10; $courseid = 0; if ($course) { $courseid = $course->id; 
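Review bot: In the `-410,6 +410,7` hunk the quarantine path handed to `clam_log_infected()` is rebuilt from the same pieces as the `rename()` target on the line above it, so the two expressions can drift apart and the log would then name a path that was never written. Build it once, e.g. `$quarantined = $CFG->quarantinedir.'/'.$now.'-user-'.$userid.'-infected';`, and pass `$quarantined` to both `rename()` and `clam_log_infected()`. The name has only one-second resolution per user; whether two infected uploads by the same user in the same second can overwrite each other in quarantine depends on code outside this hunk and is worth checking. The body of clam_handle_infected_file starts and ends outside the hunk.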
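Review bot: In the `-436,6 +437,7` hunk the new `clam_log_infected($file,'',$userid);` call runs only when `unlink($file)` succeeds, so the case where an infected file could neither be quarantined nor deleted, which is the one an administrator most needs to see, leaves no "infected" row in the log table. The `else` branch continues outside the hunk and may already notify someone, but it should write a log entry as well. As written, `clam_log_infected()` reports every empty `$newfilepath` as a deletion, so recording a failed removal needs either an extra argument or a separate message rather than a call with `''`.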
@@ -609,6 +610,28 @@ function clam_log_upload($newfilepath,$course=null) {
 add_to_log($courseid,"upload","upload","",$newfilepath);
 }
+/**
+ * This function logs to error_log and to the log table that an infected file has been found and what's happened to it.
+ * @param $oldfilepath - full path to the infected file before it was moved.
+ * @param $newfilepath - full path to the infected file since it was moved to the quarantine directory (if the file was deleted, leave empty).
+ * @param $userid - id of user who uploaded the file.
+ */
+function clam_log_infected($oldfilepath='',$newfilepath='',$userid=0) {
+
+ add_to_log(0,"upload","infected","",$oldfilepath,0,$userid);
+
+ $user = get_record('user','id',$userid);
+
+ $errorstr = 'Clam AV has found a file that is infected with a virus. It was uploaded by '
+ . ((empty($user) ? ' an unknown user ' : $user->firstname. ' '.$user->lastname))
+ . ((empty($oldfilepath)) ? '. The infected file was caught on upload ('.$oldfilepath.')'
+ : '. The original file path of the infected file was '.$oldfilepath)
+ . ((empty($newfilepath)) ? '. The file has been deleted ' : '. The file has been moved to a quarantine directory and the new path is '.$newfilepath);
+
+ error_log($errorstr);
+}
+
+
 /**
 * some of the modules allow moving attachments (glossary), in which case we need to hunt down an original log and change the path.
 */
-- 2.39.5
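Review bot: `error_log($errorstr)` writes the uploader's first and last name and both file paths into the log unfiltered; the names come from the user record and the path presumably contains the uploaded file's name, so a newline or other control character in any of them can split or forge entries in the error log. Strip control characters just before the call, e.g. `$errorstr = preg_replace('/[\x00-\x1f\x7f]+/', ' ', $errorstr);`, and put `$userid` into the text as well, since display names are not unique and the log should identify the account unambiguously. Separately, the `empty($oldfilepath)` branch prints `'('.$oldfilepath.')'`, which can only ever be `()` in that branch, and the `' an unknown user '` string adds a second space after `uploaded by `.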