The Community Forums

Interact with an entire community of cPanel & WHM users!

SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

Discussion in 'Security' started by hidonet, Aug 7, 2009.

  1. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / Turkey
    I wrote a script for servers with cPanel + Pure-FTPd + ClamAV installed.

    http://www.oxio.net/anti_gumblar/

    Anti-Gumblar Protection Documentation
     
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Looks nice, but does clamscan really do any good detecting javascript/iframe inserts? Probably not. They can change by the minute. I'm even doubtful that clamscan is very good at catching rogue php shellcode pages.

    I'd be interested in hearing what others think about clamAV's abilities to discover these things.

    Mike
     
  3. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / Turkey
    I've been using it for over 1 week and have no negative points about ClamAV. It caught every infection...
     
  4. headout

    headout Well-Known Member

    Joined:
    Aug 20, 2003
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Does it catch .cgi scripts (Dark Mailer etc.) that are able to send out spam?
     
  5. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / Turkey
    The system scans all files during upload.

    Please send me sample files. I can't test and write here...

    hidonet@gmail.com
     
    #5 hidonet, Aug 8, 2009
    Last edited: Aug 8, 2009
  6. sc00zy

    sc00zy Active Member

    Joined:
    Jan 2, 2006
    Messages:
    27
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Assen, The Netherlands
    Doesn't this solution cause the server to have a high load, and is there a chance normal FTP uploads will fail/corrupt?

    Thanks
     
  7. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / Turkey
    It slows down FTP uploads a little bit. It waits 1 or 2 seconds after all uploaded files.
    I have ~500 sites on one server and there are no complaints from customers.
     
  8. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / Turkey
    Anti Gumblar Script UPDATED

    http://www.oxio.net/anti_gumblar/ftp_clamscan.phps

    The script is much more clever.

    1 ) Moves the infected file to the quarantine directory
    2 ) If the antivirus reports the file as NOT INFECTED, scans it with the word scanner and checks the file for Gumblar-like addresses ( .cn:808x/tx.cgi... etc.). You can add your own patterns.
    3 ) Changes the account's password to a random password
    4 ) Sends you a mail about all those actions and the new password
    5 ) Blocks the attacker's IP with the firewall ( CSF, APF etc )
    6 ) Kills the attacker's live FTP connection

    :)
     
  9. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / Turkey
    I've added a new wordscan function in the last release.

    It scans cgi and pl files too. Add the patterns you want to catch. Patterns must be unique: if you add #!/usr/bin/perl as a pattern, the script blocks every Perl/CGI file.

    Be careful :)
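An added example, not hidonet's ftp_clamscan.sh/.php: a minimal POSIX sh post-upload check covering the scan, pattern-match and quarantine steps from posts #8 and #9, with the caveat that a broad pattern such as #!/usr/bin/perl flags every CGI. It assumes pure-ftpd's pure-uploadscript runs it with the uploaded file's full path as the first argument and exports UPLOAD_VUSER; the QUARANTINE and PATTERN_FILE paths are placeholders.

```shell
#!/bin/sh
# Added example (not the thread's ftp_clamscan.sh/.php). A post-upload check:
# clamscan first, then a fixed-string pattern scan on files ClamAV calls clean,
# and quarantine of anything flagged. Assumes pure-ftpd's pure-uploadscript
# runs it with the uploaded file's full path as $1; the paths below are
# placeholders, overridable from the environment.

QUARANTINE="${QUARANTINE:-/var/quarantine/ftp}"
PATTERN_FILE="${PATTERN_FILE:-/etc/ftp_scan_patterns.txt}"

# Returns 0 if the file contains any pattern from PATTERN_FILE (one fixed
# string per line), 1 otherwise. Keep patterns specific: a broad one such as
# "#!/usr/bin/perl" would flag every legitimate CGI, as post #9 warns.
pattern_scan() {
    [ -s "$PATTERN_FILE" ] || return 1
    grep -qF -f "$PATTERN_FILE" "$1"
}

# Returns 0 only if clamscan is installed and reports the file infected
# (clamscan exits 0 = clean, 1 = infected, 2 = error; errors count as clean
# here so a broken AV install does not block every upload).
av_scan() {
    command -v clamscan >/dev/null 2>&1 || return 1
    rc=0
    clamscan --no-summary --infected "$1" >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 1 ]
}

# Moves the file into the quarantine directory under a timestamped name and
# prints the new path.
quarantine() {
    mkdir -p "$QUARANTINE"
    dest="$QUARANTINE/$(date +%s)_$(basename "$1")"
    mv "$1" "$dest" && echo "$dest"
}

# Entry point for one uploaded file. Returns 0 if it was quarantined,
# 1 if it was left in place (clean, or not a regular file).
check_upload() {
    file="$1"
    [ -f "$file" ] || return 1
    if av_scan "$file" || pattern_scan "$file"; then
        # UPLOAD_VUSER is assumed to be set by pure-uploadscript.
        logger -t ftp_scan "quarantined $file (user ${UPLOAD_VUSER:-unknown})" 2>/dev/null || true
        quarantine "$file" >/dev/null
        return 0
    fi
    return 1
}

if [ -n "$1" ]; then check_upload "$1"; fi
```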
     
  10. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    Is anyone besides the author using this Gumblar script? Please give us a review here.
     
  11. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Mbelitar
    Code:
    $GLOBALS["whmhash"]        ="511e....2c";                // whm remote access key for root user
    What does this mean?

    Can I install this script under the /usr folder instead of the /root folder? I know that some configuration in ftp_clamscan.php has to be changed to /usr. But is there any downside to not using the root folder?
     
  12. Bartuc

    Bartuc Member

    Joined:
    Jan 9, 2008
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Tried it on a 64-bit OS; not working.
     
  13. Vinayak

    Vinayak Well-Known Member

    Joined:
    Jun 27, 2003
    Messages:
    267
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Bharat
    cPanel Access Level:
    Root Administrator
    Well, it's working fine on my cPanel 11.24.5-R37946 - WHM 11.24.2 - X 3.9, CENTOS 5.3 x86_64 standard as far as catching the attack: it quarantines the files and sends the mail, but takes no other actions. It does not log the IP, and IP blocking and the password change are not working.

    I am running it from a different location than /root and edited the script a bit to save the log at /var/log/ftp_clamscan.log

    This script needs the PHP function shell_exec to be enabled.

    Though I must say it's a good job and can be made better.
     
  14. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / Turkey
    Thanks...

    If you want another function please do not hesitate to contact me ;)
     
  15. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / Turkey
    There is no special function for 32-bit or 64-bit. If PHP, ClamAV, cPanel, pure-ftpd and CSF ( or APF, or a similar firewall ) are working on your server, this script works too.
     
  16. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / Turkey
    This is the Remote Access Key. The script uses this key to access WHM and change the password of the attacked domain.

    You have to log in to WHM as root to get this key. Use this URL after logging in to WHM : http://www.yourserver.net:2086/scripts/setrhash

    or find the Set Remote Access Key link in the left menu...
     
  17. Vinayak

    Vinayak Well-Known Member

    Joined:
    Jun 27, 2003
    Messages:
    267
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Bharat
    cPanel Access Level:
    Root Administrator
    hidonet

    What your script is not doing is:

    does not log IP,
    does not block IP,
    does not change password.

    It would be good if you can fix that, below is the sample mail that I get after an attack happens:

     
  18. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / Turkey
    does not log IP,

    If your FTP server does not add a log entry to /var/log/messages, the IP will not be discovered.

    does not block IP,

    If your FTP server does not add a log entry to /var/log/messages, the IP will not be discovered.

    does not change password.

    I think your ftp_clamscan.sh is old or the WHM Remote Access Key is wrong.

    Are you trying the latest files?

    If you can't solve it I can help you... my MSN address is msndestek@oxio.net
     
    #18 hidonet, Aug 17, 2009
    Last edited: Aug 17, 2009
  19. Vinayak

    Vinayak Well-Known Member

    Joined:
    Jun 27, 2003
    Messages:
    267
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Bharat
    cPanel Access Level:
    Root Administrator
  20. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / Turkey
    Yes, ftp_clamscan.sh and ftp_clamscan.php are different files. ftp_clamscan.sh passes the FTP values to ftp_clamscan.php. If you don't use the .sh file, the username will not be discovered...

    I will fix the documentation if there is a mistake, and I will use only the PHP file in the next release...
     
    #20 hidonet, Aug 17, 2009
    Last edited: Aug 17, 2009