h0dZddlZddlZddlZddlmZddlmZddlm Z m Z ddl m Z ddl mZmZmZddlmZdd lmZmZmZdd lmZmZdd lmZdd lmZdd lmZddl m!Z!ddl"m#Z#ddl$m%Z%ddl&m'Z'ddl(m)Z)m*Z*ej+e,Z-edej.Z/edZ0edZ1e0dz Z2e0dz Z3GddeeZ4dS)u  This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program.  If not, see . Copyright © 2019 Cloud Linux Software Inc. This software is also available under ImunifyAV commercial license, see N)Path) HookEvent)ANTIVIRUS_MODE SystemConfig) MessageType) MessageSink MessageSourceexpect) hosting_panel) load_state save_stateregister_lock_file)Scoperecurring_check) check_lock)DAY)plugin) Wordpress) MalwareHitWPSite)get_sites_by_path)is_secret_expired rotate_secretz wp-gen-authz-/etc/sysconfig/imunify360/imunify360.config.dzF/opt/imunify360/venv/share/imunify360/11_on_first_install_wp_av.configz 11_on_first_install_wp_av.configz.11_on_first_install_wp_av.flagcFeZdZejZdZdZdZdZ dZ dZ ddZ d Z eed ee d Zeejd ZeejdZeejdZeejdZdS)ImunifySecurityPlugincd|_d|_tdd|_tddp t j|_d|_d|_ dS)Nr installedenabled) _loop_sinkr getinstallation_completedrSECURITY_PLUGIN_ENABLEDlast_config_valueinstallation_task deleting_taskselfs K/opt/imunify360/venv/lib/python3.11/site-packages/imav/plugins/wordpress.py__init__zImunifySecurityPlugin.__init__Fs{  &01H&I&I&M&M ' ' # . / / 3 3I > > 10 7;26c KdSN)r)loops r* create_sinkz!ImunifySecurityPlugin.create_sinkSs  r,cK||_||_|j||_t r|d{VdStddS)NT) missing_ok) r r! create_taskrefresh_auth_files_update_auth_taskr_apply_first_install_configFIRST_INSTALL_FLAGunlink)r)r0sinks r* create_sourcez#ImunifySecurityPlugin.create_sourceVs  !%!7!7  # # % %" "   72244 4 4 4 4 4 4 4 4 4  % % % 6 6 6 6 6r,cfKtsdStjd{VdkrKt t}t dt dS)Ni) r8existsr HostingPanel users_countFIRST_INSTALL_CONFIG_PATH write_textFIRST_INSTALL_CONFIG_FILE read_textchmodr9)r)_s r*r7z1ImunifySecurityPlugin._apply_first_install_configas!((**  F+--99;; ; ; ; ; ; ;q @ @)44)3355A & + +E 2 2 2!!#####r,cVK|j|jd{VdSr.)r6cancelr(s r*shutdownzImunifySecurityPlugin.shutdownks< %%'''$$$$$$$$$$r,ct||std|t||}|duo)| o| S)NzUnknown task '%s')hasattrloggererrorgetattrdone cancelled)r)task_attr_nametasks r*_task_in_progressz'ImunifySecurityPlugin._task_in_progresspsdt^,, > LL,n = = =t^,,4L OLDNN| t j|jd{Vd|_dSdSdS) Nz3 3 3. ++)tz:::",         ^0 0 0* ;;; ; ; ; ; ; ; ; ; ; ^y ( (1tzBBB B B B B B B B4 4++/TZ@@@/4+++) ( 4 4r,cKt|dtsdStj}||jkrdS||_|rB|js;|tj|j d{Vd|_nC|sA|jr:| tj |j d{Vd|_td|j|ddS)NconfrcTFr)rr) isinstancerrr$r%r#rYrrir!r[rlr )r)rmcurrent_config_values r*manage_plugin_installationz0ImunifySecurityPlugin.manage_plugin_installationsF'&/<88  F(@ 4#9 9 9 F"6  0(C 0++)tz:::       +/D ' '% 0$*E 0''+<<<       +0D ' #!8/       r,c$K|jsdS|ddks|dsdStj|d}t }|D]}|jdkr t j|j}tj |}|r|j nd}|D]5}|j |r|||fn6#t$rYwxYw|st ddSt dt'|d|D} tj|j| d{Vt d t'| dS) a INFO [2025-02-24 12:00:20,384] imav.plugins.wordpress: Malware cleanup finished: HookEvent.MalwareCleanupFinished( { 'cleanup_id': 'fa4fe7e48dbf45588f53b24366cd8893', 'started': 1740398411.786418, 'error': None, 'total_files': 3, 'total_cleaned': 3, 'status': 'ok' } ) Nstatusokstartedfilez3Cleanup finished => no sites found for cleaned hitsz1Cleanup finished => %s site(s) need to be updatedc8g|]\}}t|d|S))docrootdomainuidr).0 site_pathr}s r* zIImunifySecurityPlugin.handle_malware_cleanup_finished..s;    3 9RS 9 9 9   r,z"%s site(s) updated after a cleanup)r%r"r cleaned_sinceset resource_typepwdgetpwnamuserrget_sites_for_userpw_uid orig_file startswithaddKeyErrorrLdebugrflenupdate_data_on_sitesr!) r)rmhits site_pathshit user_info user_sitesr}rwordpress_sitess r*handle_malware_cleanup_finishedz5ImunifySecurityPlugin.handle_malware_cleanup_finisheds %  F ;;x D ( ( I0F0F ( F' (:;;UU   C F**  # SX 6 6I!'!:9!E!EJ,5? ((4&0"" =33I>>"&NNIs+;<<<!E" D+  LLN O O O F ?  OO     ",    )$*oFFFFFFFFF 8#o:N:NOOOOOs4A0C%% C21C2cK|jsdS|ddks*|dr|dsdS|d}t|}|std|dStdt |tj|j |d{Vtdt |dS) a INFO [2025-02-24 11:57:17,968] imav.plugins.wordpress: Malware scan finished: HookEvent.MalwareScanningFinished( { 'scan_id': 'b9bd136aff0a4d87a248c859cfe41c47', 'scan_type': 'user', 'path': '/home/user1' } ) INFO [2025-02-24 12:00:10,740] imav.plugins.wordpress: Malware scan finished: HookEvent.MalwareScanningFinished( { 'scan_id': 'a74271d2cdd04e0c9bd49ef6de23e0d8', 'scan_type': 'user', 'path': '/home/user4', 'started': 1740398383, 'total_files': 39229, 'total_malicious': 3, 'error': None, 'status': 'ok', 'scan_params': {'intensity_cpu': 2, 'intensity_io': 2, 'intensity_ram': 2048, 'initiator': None, 'file_patterns': None, 'exclude_patterns': None, 'follow_symlinks': False, 'detect_elf': True}, 'stats': {'scan_time': 27, 'mem_peak': 28217344, 'smart_time_hs': 0.004, 'scan_time_hs': 1.1751, 'smart_time_preg': 0, 'scan_time_preg': 2.7391, 'finder_time': 13.5896, 'cas_time': 0.7562, 'deobfuscate_time': 0.8998, 'total_files': 39229} } ) Nrurvpathstatsz+Scan finished => no sites found for path=%sz.Scan finished => %s site(s) need to be updatedz%s site(s) updated after a scan) r%r"rrLrrfrrrr!)r)rmrsitess r*handle_malware_scan_finishedz2ImunifySecurityPlugin.handle_malware_scan_finisheds8%  F KK ! !T ) );;v&& *;;w'' * Fv!$''  LLF M M M F  P>P.->P@ VI -..4C4C/.4C4C4Cr,r)5__doc__loggingrrVpathlibr%defence360agent.contracts.hook_eventsr defence360agent.contracts.configrr"defence360agent.contracts.messagesr!defence360agent.contracts.pluginsrr r defence360agent.subsys.panelsr 'defence360agent.subsys.persistent_stater r rdefence360agent.utilsrr defence360agent.utils.check_lockrdefence360agent.utils.commonrimav.wordpressrimav.contracts.configrimav.malwarelib.modelrimav.model.wordpressrimav.wordpress.site_repositoryrimav.wordpress.proxy_authrr getLoggerrrLrr CONFIG_DIRrCrAr8rr/r,r*rsS* ;;;;;;IIIIIIII:::::: 877777 98888888777777,,,,,,!!!!!!++++++,,,,,,''''''<<<<<<FFFFFFFF  8 $ $  }en = = TA B B  DL')KK"CCQCQCQCQCQCKQCQCQCQCQCr,