SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

hidonet

Well-Known Member
Apr 29, 2005
55
0
156
Istanbul / Turkey
I wrote a script for Cpanel + Pure FTP + Clamav installed servers.

/http://www.oxio.net/anti_gumblar/

Anti-Gumblar Protection Documentation
 

mtindor

Well-Known Member
Sep 14, 2004
1,417
82
178
inside a catfish
cPanel Access Level
Root Administrator
Looks nice, but does clamscan really do any good detecting javascript/iframe inserts? Probably not. They can change by the minute. I'm even doubtful that clamscan is very good at catching rogue php shellcode pages.

I'd be interested in hearing what others think about clamAV's abilities to discover these things.

Mike
 

headout

Well-Known Member
Aug 20, 2003
78
0
156
Does it catch up .cgi scripts (dark mailer etc.), who are a able to send out spam?
 

hidonet

Well-Known Member
Apr 29, 2005
55
0
156
Istanbul / Turkey
A little bit slows down ftp uploads. Waits 1 or 2 second after all uploaded files.
I have ~500 sites in one server and there is no complaint from customers.
 

hidonet

Well-Known Member
Apr 29, 2005
55
0
156
Istanbul / Turkey
Anti Gumblar Script UPDATED

http://www.oxio.net/anti_gumblar/ftp_clamscan.phps

Script is much more clever.

1 ) Moves infected file to the quarantine directory
2 ) If antivirus answers as NOT INFECTED for file, scans it with word scanner and scans file for gumblar like addresses ( .cn:808x/tx.cgi... etc.). Yo can add your patterns.
3 ) Changes account's password with random password
4 ) Sends you a mail about all that actions and new password
5 ) Blocks Attacker ip with firewall ( CSF, APF etc )
6 ) Kills live FTP connection of attacker

:)
 

hidonet

Well-Known Member
Apr 29, 2005
55
0
156
Istanbul / Turkey
Does it catch up .cgi scripts (dark mailer etc.), who are a able to send out spam?
I've added a new wordscan function on last release.

Scans cgi, pl files too. Add your patterns you want to catch.. Pattern must be unique. If you add #!/usr/bin/perl as pattern, script blocks every perl, cgi file.

Be careful :)
 

isputra

Well-Known Member
May 3, 2003
574
0
166
Mbelitar
Anyone using this Gumblar Script beside the maker ? Please give us a review here.
 

isputra

Well-Known Member
May 3, 2003
574
0
166
Mbelitar
Code:
$GLOBALS["whmhash"]        ="511e....2c";                // whm remote access key for root user
What is this mean ?

Can I install this script under /usr folder not /root folder ? I know that some configuration on ftp_clamscan.php has to be change to /usr. But is there any downside not using root folder ?
 

Vinayak

Well-Known Member
Jun 27, 2003
281
4
168
Bharat
cPanel Access Level
Root Administrator
Well working fine on my cPanel 11.24.5-R37946 - WHM 11.24.2 - X 3.9, CENTOS 5.3 x86_64 standard as far as catching the attack, it quarantines the files and sends the mail, but no other actions, does not log IP, IP blocking, password change is not working.

I am running it at a different location than /root and edited the script a bit to save log at /var/log/ftp_clamscan.log

This script need PHP function shell_exec to be enabled.

Though I must say its a good job and can be made better.
 

hidonet

Well-Known Member
Apr 29, 2005
55
0
156
Istanbul / Turkey
Well working fine on my cPanel 11.24.5-R37946 - WHM 11.24.2 - X 3.9, CENTOS 5.3 x86_64 standard as far as catching the attack, it quarantines the files and sends the mail, but no other actions, does not log IP, IP blocking, password change is not working.

I am running it at a different location than /root and edited the script a bit to save log at /var/log/ftp_clamscan.log

This script need PHP function shell_exec to be enabled.

Though I must say its a good job and can be made better.
Thanks...

If you want another function please do not hesitate to contact me ;)
 

hidonet

Well-Known Member
Apr 29, 2005
55
0
156
Istanbul / Turkey
Code:
$GLOBALS["whmhash"]        ="511e....2c";                // whm remote access key for root user
What is this mean ?

Can I install this script under /usr folder not /root folder ? I know that some configuration on ftp_clamscan.php has to be change to /usr. But is there any downside not using root folder ?
This is Remote Access Key. Script using this key for access to whm and changing password of attacked domain.

You have to access WHM as root for getting this key. Use this url after login to whm : http://www.yourserver.net:2086/scripts/setrhash

or find Set Remote Access Key link on left menu...
 

Vinayak

Well-Known Member
Jun 27, 2003
281
4
168
Bharat
cPanel Access Level
Root Administrator
hidonet

What your script is not doing is:

does not log IP,
does not block IP,
does not change password.

It would be good if you can fix that, below is the sample mail that I get after an attack happens:

Warning !!!

17.08.2009 12:26:52 Monday
There is a GUMBLAR ATTACK on account

Infected file : /home/vncind/public_html/support/templates/Bliss/images/index.php

Infection : .ru:8080/ at line 50

Action : File moved to : /karantina/clamav//index.php.20090817122652

Password might be changed to : ibHpcgHVOk



Ret : Array<passwd>
<passwd>
<rawout></rawout>
<services></services>
<status>0</status>
<statusmsg>No account was specified.</statusmsg>
</passwd>
</passwd>

<!-- Web Host Manager (c) cPanel, Inc. 2008 cPanel Inc. Unauthorized copying is prohibited. -->

Process Killed :
 

hidonet

Well-Known Member
Apr 29, 2005
55
0
156
Istanbul / Turkey
does not log IP,

if your FTP server not adds log to /var/log/messages ip will not discovered

does not block IP,

if your FTP server not adds log to /var/log/messages ip will not discovered

does not change password.

I think your ftp_clamscan.sh is old or WHM Remote Access Key is wrong

Are you trying latest files ?

If you can't solve I can help you... my msn address is [email protected]
 
Last edited:

Vinayak

Well-Known Member
Jun 27, 2003
281
4
168
Bharat
cPanel Access Level
Root Administrator

hidonet

Well-Known Member
Apr 29, 2005
55
0
156
Istanbul / Turkey
Do you mean ftp_clamscan.sh and ftp_clamscan.php are two different files?

I am using only ftp_clamscan.php that is provided by you at http://www.oxio.net/anti_gumblar/ftp_clamscan.phps

I have followed the instructions at Anti-Gumblar Protection Documentation

If the file ftp_clamscan.sh is a different file, where to get it from and where to read more about it?
Yes ftp_clamscan.sh and ftp_clamscan.php is different files. ftp_clamscan.sh is passing FTP values to ftp_clamscan.php. If you don't use .sh file username will not discovered...

I will fix documentation if there is mistake and I will use only PHP file in next release...
 
Last edited: