
Commit acd5889

author
Marian Marinov
committed
hawk.pl: Update in the cpanel_broot() function
cPanel has introduced a new file format for its logs, which results in the following error: `Nov 27 12:00:28 Illegal ip content at [2023-11-27`. This fixes the issue by parsing the lines properly and detecting the position of the user and the IP in both formats. Version updated to 7.5
1 parent 97c9e3b commit acd5889

1 file changed

Lines changed: 12 additions & 6 deletions


hawk.pl

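--- a/hawk.pl
+++ b/hawk.pl
@@ -19,7 +19,7 @@
 my $debug = 0;
 my $tail_pid = 0;
 $ENV{PATH} = ''; # remove unsecure path
-my $VERSION = '7.4';
+my $VERSION = '7.5';
 
 use lib '/usr/lib/hawk/';
 use POSIX qw(setsid), qw(strftime), qw(WNOHANG);
@@ -405,25 +405,31 @@ sub proftpd_broot {
 sub cpanel_broot {
 #209.62.36.16 - webmail.1h216.com [07/17/2008:16:12:49 -0000] "GET / HTTP/1.1" FAILED LOGIN webmaild: user password hash is miss
 #201.245.82.85 - khaoib [07/17/2008:19:56:36 -0000] "POST / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
+#[2023-11-27 11:56:16 -0500] info [cpaneld] 185.117.82.70 - dd "GET / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
 #[2023-11-27 11:29:46 -0500] info [whostmgrd] 185.117.82.70 - dd "GET / HTTP/1.1" FAILED LOGIN whostmgrd: login attempt to whm by a non-reseller/root
 
 my @cpanel = split /\s+/, $_;
 my $service = 4; # Service type is webmail by default
-
+my $ip = $cpanel[5];
+my $user = $cpanel[2];
 
 if ($cpanel[10] eq 'cpaneld:') { # Service type is cPanel if the log contains cpaneld:
 $service = 5;
+$user = $cpanel[7] if $cpanel[1] ne '-';
 } elsif ($cpanel[5] eq '[whostmgrd]') { # Service type is WHM if the log contains [whostmgrd]
 $service = 9;
-$cpanel[0] = $cpanel[5]; # Set the IP in the proper place
-$cpanel[2] = $cpanel[7]; # Set the User in the proper place
+$user = $cpanel[7];
+} else {
+$ip = $cpanel[0];
 }
-$cpanel[2] = 'unknown' if $cpanel[2] =~ /\[/;
+$user = 'unknown' if $user =~ /\[/;
+
 # return ip, number of failed attempts, service under attack, failed username
 # this is later stored to the failed_log table via store_to_db
 # service id 4 -> webmail
 # service id 5 -> cpanel
-return ($cpanel[0], 1, $service, $cpanel[2]);
+# service id 9 -> whm
+return ($ip, 1, $service, $user);
 }
 
 sub da_broot {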
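Review bot: The `cpaneld:` branch never resets `$ip`, so an old-format line such as the `201.245.82.85 - khaoib ... "POST / HTTP/1.1" FAILED LOGIN cpaneld:` sample in the comments (where `$cpanel[10]` is `cpaneld:`) returns `$cpanel[5]`, i.e. the `"POST` token, as the IP; only the `else` branch falls back to `$cpanel[0]`. The fixed indices also do not fit the new-format samples shown in the comments: whitespace-splitting `[2023-11-27 11:29:46 -0500] info [whostmgrd] 185.117.82.70 - dd ...` puts `[whostmgrd]` at index 4, the IP at 5 and the trailing `cpaneld:`/`whostmgrd:` at 13, so if the real lines look like the samples neither branch test matches and the function still returns `[2023-11-27` — the exact value in the reported "Illegal ip content" error. A more robust approach is to decide the format from whether the line starts with a bracketed timestamp, take the IP/user/service-tag offsets from that, and derive the service from the tag token rather than a fixed column; short or unexpected lines should also leave `$ip`/`$user` defined so the later `=~` does not warn. The downstream "Illegal ip content" validation is the right safety net here since the username and much of the line are attacker-controlled, so keep returning the raw token rather than trying to repair it. cpanel_broot lies entirely within this hunk.
```perl
my @cpanel = split /\s+/, $_;
my $service = 4; # Service type is webmail by default
# New-format lines begin with "[YYYY-MM-DD ...]" and carry "[service] IP - user";
# old-format lines begin with the IP and carry the "service:" token at column 10.
my $new_fmt = defined $cpanel[0] && $cpanel[0] =~ /^\[/;
my ($ip, $user, $tag) = $new_fmt ? @cpanel[5, 7, 4] : @cpanel[0, 2, 10];
$ip   //= '';
$user //= '';
$tag  //= '';
$service = 5 if $tag =~ /cpaneld/;   # matches "cpaneld:" and "[cpaneld]"
$service = 9 if $tag =~ /whostmgrd/; # matches "whostmgrd:" and "[whostmgrd]"
$user = 'unknown' if $user eq '' || $user =~ /\[/;
# … unchanged: return-value comments …
return ($ip, 1, $service, $user);
```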
