SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

hidonet

I wrote a script for servers with cPanel + Pure-FTPd + ClamAV installed.

http://www.oxio.net/anti_gumblar/

Anti-Gumblar Protection Documentation
 

mtindor

Looks nice, but does clamscan really do any good detecting javascript/iframe inserts? Probably not. They can change by the minute. I'm even doubtful that clamscan is very good at catching rogue php shellcode pages.

I'd be interested in hearing what others think about clamAV's abilities to discover these things.

Mike
 

headout

Does it catch .cgi scripts (dark mailer etc.) which are able to send out spam?
 

hidonet

It slows down FTP uploads a little bit. It waits 1 or 2 seconds after every uploaded file.
I have ~500 sites on one server and there are no complaints from customers.
 

hidonet

Anti Gumblar Script UPDATED

http://www.oxio.net/anti_gumblar/ftp_clamscan.phps

The script is much more clever now.

1 ) Moves the infected file to the quarantine directory
2 ) If the antivirus answers NOT INFECTED for a file, scans it with the word scanner for Gumblar-like addresses ( .cn:808x/tx.cgi... etc. ). You can add your own patterns.
3 ) Changes the account's password to a random password
4 ) Sends you a mail about all of those actions and the new password
5 ) Blocks the attacker's IP with the firewall ( CSF, APF etc. )
6 ) Kills the attacker's live FTP connection

:)
 

hidonet

> Does it catch .cgi scripts (dark mailer etc.) which are able to send out spam?

I've added a new wordscan function in the last release.

It scans cgi and pl files too. Add the patterns you want to catch.. A pattern must be unique. If you add #!/usr/bin/perl as a pattern, the script blocks every perl and cgi file.

Be careful :)
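As an added example (not hidonet's script and not code from the page), here is a minimal Python version of the word-scanner step described in the two posts above: it searches a file that ClamAV already reported clean for Gumblar-style address patterns, reports the 1-based line number the way the script's warning mail does, builds a quarantine name in the same <name>.<timestamp> style, and checks whether a proposed pattern is too generic against a known-clean sample (the #!/usr/bin/perl caveat). The pattern list, the sample file contents and the /karantina/clamav quarantine directory are constructed assumptions.

```python
import os
import re
from datetime import datetime

# Constructed pattern list modelled on the thread's examples ".cn:808x/tx.cgi"
# and ".ru:8080/"; the "x" wildcard is written as a digit class. Treated as regexes.
GUMBLAR_PATTERNS = [r"\.cn:808[0-9]/tx\.cgi", r"\.ru:8080/"]

# Timestamp of the sample warning mail quoted later in the thread (assumption).
SAMPLE_TIME = datetime(2009, 8, 17, 12, 26, 52)


def scan_text(text, patterns=GUMBLAR_PATTERNS):
    """Word-scanner pass for a file ClamAV already called clean.
    Returns (pattern, line_number) of the first hit, 1-based like the
    'Infection : ... at line N' line of the warning mail, or None."""
    compiled = [(p, re.compile(p)) for p in patterns]
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, rx in compiled:
            if rx.search(line):
                return pattern, lineno
    return None


def quarantine_name(path, now, quarantine_dir="/karantina/clamav"):
    """Quarantine target in the script's style: <basename>.<YYYYmmddHHMMSS>.
    The directory default is an assumption taken from the thread's sample mail."""
    stamp = now.strftime("%Y%m%d%H%M%S")
    return os.path.join(quarantine_dir, os.path.basename(path) + "." + stamp)


def pattern_is_too_generic(pattern, clean_samples):
    """The uniqueness check hidonet warns about: a pattern that matches any
    known-clean file (e.g. '#!/usr/bin/perl') would quarantine every script."""
    rx = re.compile(pattern)
    return any(rx.search(sample) for sample in clean_samples)


# Constructed sample inputs (not real files from the page): an injected iframe
# on line 50 of a PHP file, and an ordinary clean Perl CGI script.
INFECTED_PHP = ("<?php\n" + "echo 'x';\n" * 48 +
                '<iframe src="http://bad.example.ru:8080/in.php"></iframe>\n')
CLEAN_CGI = '#!/usr/bin/perl\nprint "Content-type: text/html\\n\\n";\n'

if __name__ == "__main__":
    print("infected file:", scan_text(INFECTED_PHP))
    print("clean cgi:", scan_text(CLEAN_CGI))
    print("shebang pattern too generic:",
          pattern_is_too_generic(r"#!/usr/bin/perl", [CLEAN_CGI]))
    print(quarantine_name("/home/user/public_html/index.php", SAMPLE_TIME))
```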
 

isputra

Is anyone using this Gumblar script besides the maker? Please give us a review here.
 

isputra

Code:
$GLOBALS["whmhash"]        ="511e....2c";                // whm remote access key for root user
What does this mean?

Can I install this script under the /usr folder instead of the /root folder? I know that some configuration in ftp_clamscan.php has to be changed to /usr. But is there any downside to not using the root folder?
 

Vinayak

It is working fine on my cPanel 11.24.5-R37946 - WHM 11.24.2 - X 3.9, CENTOS 5.3 x86_64 standard as far as catching the attack: it quarantines the files and sends the mail, but no other actions; it does not log the IP, and IP blocking and password change are not working.

I am running it at a different location than /root and edited the script a bit to save the log at /var/log/ftp_clamscan.log

This script needs the PHP function shell_exec to be enabled.

Though I must say it's a good job and can be made better.
 

hidonet

> It is working fine on my cPanel 11.24.5-R37946 - WHM 11.24.2 - X 3.9, CENTOS 5.3 x86_64 standard as far as catching the attack: it quarantines the files and sends the mail, but no other actions; it does not log the IP, and IP blocking and password change are not working.
>
> I am running it at a different location than /root and edited the script a bit to save the log at /var/log/ftp_clamscan.log
>
> This script needs the PHP function shell_exec to be enabled.
>
> Though I must say it's a good job and can be made better.

Thanks...

If you want another function please do not hesitate to contact me ;)
 

hidonet

> Code:
> $GLOBALS["whmhash"]        ="511e....2c";                // whm remote access key for root user
> What does this mean?
>
> Can I install this script under the /usr folder instead of the /root folder? I know that some configuration in ftp_clamscan.php has to be changed to /usr. But is there any downside to not using the root folder?

This is the Remote Access Key. The script uses this key to access WHM and change the password of the attacked domain.

You have to access WHM as root to get this key. Use this URL after logging in to WHM: http://www.yourserver.net:2086/scripts/setrhash

or find the Set Remote Access Key link in the left menu...
 

Vinayak

hidonet

What your script is not doing is:

does not log IP,
does not block IP,
does not change password.

It would be good if you could fix that; below is the sample mail that I get after an attack happens:

Warning !!!

17.08.2009 12:26:52 Monday
There is a GUMBLAR ATTACK on account

Infected file : /home/vncind/public_html/support/templates/Bliss/images/index.php

Infection : .ru:8080/ at line 50

Action : File moved to : /karantina/clamav//index.php.20090817122652

Password might be changed to : ibHpcgHVOk



Ret : Array<passwd>
<passwd>
<rawout></rawout>
<services></services>
<status>0</status>
<statusmsg>No account was specified.</statusmsg>
</passwd>
</passwd>

<!-- Web Host Manager (c) cPanel, Inc. 2008 cPanel Inc. Unauthorized copying is prohibited. -->

Process Killed :
 

hidonet

> does not log IP,

If your FTP server does not write its log to /var/log/messages, the IP will not be discovered.

> does not block IP,

If your FTP server does not write its log to /var/log/messages, the IP will not be discovered.

> does not change password.

I think your ftp_clamscan.sh is old or the WHM Remote Access Key is wrong.

Are you trying the latest files?

If you can't solve it, I can help you... my MSN address is [email protected]
 

hidonet

> Do you mean ftp_clamscan.sh and ftp_clamscan.php are two different files?
>
> I am using only ftp_clamscan.php, which is provided by you at http://www.oxio.net/anti_gumblar/ftp_clamscan.phps
>
> I have followed the instructions at Anti-Gumblar Protection Documentation
>
> If the file ftp_clamscan.sh is a different file, where do I get it from and where can I read more about it?

Yes, ftp_clamscan.sh and ftp_clamscan.php are different files. ftp_clamscan.sh passes the FTP values to ftp_clamscan.php. If you don't use the .sh file, the username will not be discovered...

I will fix the documentation if there is a mistake, and I will use only the PHP file in the next release...
 