I wrote a script for Cpanel + Pure FTP + Clamav installed servers.
Anti-Gumblar Protection Documentation
Looks nice, but does clamscan really do any good detecting javascript/iframe inserts? Probably not. They can change by the minute. I'm even doubtful that clamscan is very good at catching rogue php shellcode pages.
I'd be interested in hearing what others think about clamAV's abilities to discover these things.
Mike
I've been using it for over 1 week and have no negative points about ClamAV. It caught every infection...
Does it catch .cgi scripts (dark mailer etc.) that are able to send out spam?
The system scans all files during upload.
Please send me sample files. I can't test and write here..
hidonet@gmail.com
Last edited by hidonet; 08-08-2009 at 07:40 AM.
Doesn't this solution cause the server to have a high load and is there a chance normal ftp uploads will fail/corrupt?
Thanks
Arjan Menger
http://www.welldotcom.nl - Professionele Joomla! Design, Ontwikkeling en Hosting
http://www.joomlablog.nl - Nederlands Weblog Over Joomla!
It slows down FTP uploads a little bit. It waits 1 or 2 seconds after all uploaded files.
I have ~500 sites in one server and there is no complaint from customers.
http://www.oxio.net/anti_gumblar/ftp_clamscan.phps
The script is much more clever.
1 ) Moves the infected file to the quarantine directory
2 ) If the antivirus answers NOT INFECTED for a file, scans it with the word scanner and scans the file for Gumblar-like addresses ( .cn:808x/tx.cgi... etc.). You can add your own patterns.
3 ) Changes the account's password to a random password
4 ) Sends you a mail about all those actions and the new password
5 ) Blocks the attacker's IP with the firewall ( CSF, APF etc )
6 ) Kills the attacker's live FTP connection
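
Step 2 of the list above as an added example (not taken from ftp_clamscan.php and not written by the script's author): a fallback pattern scan for files the antivirus reported as clean. The function name, the second pattern and the sample files are assumptions constructed for illustration.

```php
<?php
// Added example; all names here are hypothetical, not the script's own.

// Pattern list an admin can extend. The first entry is modelled on the
// ".cn:808x/tx.cgi" address shape quoted in the post; the second is an
// assumed extra rule for zero-sized iframes.
$patterns = [
    'gumblar_like_url' => '~https?://[a-z0-9.-]+\.cn:808\d/[^\s"\'<>]*\.cgi~i',
    'hidden_iframe'    => '~<iframe\b[^>]*\b(?:width|height)\s*=\s*["\']?0\b[^>]*>~i',
];

/**
 * Return the names of all patterns found in $path.
 * Reads at most $maxBytes so a huge upload cannot exhaust memory.
 */
function word_scan(string $path, array $patterns, int $maxBytes = 2097152): array
{
    $data = @file_get_contents($path, false, null, 0, $maxBytes);
    if ($data === false) {
        return ['unreadable'];   // fail closed: treat as suspicious
    }
    $hits = [];
    foreach ($patterns as $name => $regex) {
        if (preg_match($regex, $data) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample uploads (the host name is made up for this demo).
$samples = [
    'clean.html'    => "<html><body><p>Hello</p></body></html>\n",
    'infected.html' => "<html><body><p>Hello</p>\n"
        . "<script src=\"http://constructed-sample.cn:8080/tx.cgi\"></script></body></html>\n",
    'iframe.html'   => "<p>Hi</p><iframe src=\"x.html\" width=\"0\" height=\"0\"></iframe>\n",
];
$dir = sys_get_temp_dir() . '/wordscan_' . getmypid();
mkdir($dir, 0700);
foreach ($samples as $name => $body) {
    $file = "$dir/$name";
    file_put_contents($file, $body);
    $hits = word_scan($file, $patterns);
    echo $name, ': ', $hits ? 'SUSPICIOUS (' . implode(', ', $hits) . ')' : 'clean', PHP_EOL;
    unlink($file);
}
rmdir($dir);
```

A fixed pattern list only catches address shapes it already knows, so a hit is a reason to quarantine while a miss is not proof the file is clean.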
Is anyone using this Gumblar script besides the maker? Please give us a review here.
It's me ...... It's me ......
What does this mean?
Code:
$GLOBALS["whmhash"] ="511e....2c"; // whm remote access key for root user
Can I install this script under the /usr folder, not the /root folder? I know that some configuration in ftp_clamscan.php has to be changed to /usr. But is there any downside to not using the root folder?
It's me ...... It's me ......
Tried on 64-bit OS, not working.
Well, it is working fine on my cPanel 11.24.5-R37946 - WHM 11.24.2 - X 3.9, CENTOS 5.3 x86_64 standard as far as catching the attack: it quarantines the files and sends the mail, but takes no other actions. It does not log the IP, and IP blocking and password change are not working.
I am running it at a different location than /root and edited the script a bit to save log at /var/log/ftp_clamscan.log
This script needs the PHP function shell_exec to be enabled.
Though I must say it's a good job and can be made better.
Vinayak Sharma
Vinsar.Net - Quality WebHosting Services at Economical Price USA & UK Servers
Book Your Domain with Confidence Reliable Domain Reseller Account