The Community Forums


SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

Discussion in 'Security' started by hidonet, Aug 7, 2009.

  1. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    There is a problem on some servers. Pure-FTPd is not returning the username, and the blocking routine is not running because of that.

    I tested this problem on vinsar's server, and his server is not returning the username argument.

    I'm updating the script... Coming very soon...
     
  2. ThE EnD

    ThE EnD Member

    Joined:
    Aug 25, 2009
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    51
    Thanks for your reply. The

    result of the command was
    :

    And I am going to test uploading the page now.
     
  3. ThE EnD

    ThE EnD Member

    Joined:
    Aug 25, 2009
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    51
    I have modified an HTML file, added the code to it,
    and uploaded it to one of my server sites.

    But no action:
    no email,
    not disconnected or blocked,
    nothing happened.
     
  4. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,296
    Likes Received:
    41
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Are you sure that URL in that iframe is a known malicious URL that might somehow be in the database for ClamAV? Simply adding any old Iframe isn't going to do anything. It's not supposed to catch _all_ Iframes.

    mike
     
  5. ThE EnD

    ThE EnD Member

    Joined:
    Aug 25, 2009
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    51
    I am sure, as I have got those codes from already infected pages.
     
  6. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Mbelitar
    Using the above command, and it works like a charm.
     
  7. webicom

    webicom Well-Known Member

    Joined:
    Mar 30, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Slovenia
    It seems, ThE EnD, that your ftp_clamscan.sh script is not running. If it were running, with ps aux | grep clam you should get something like this:
    Code:
    [root@predator log]# ps aux | grep clam
    root 3355 0.0 0.0 6256 644 pts/2 S+ 09:14 0:00 grep clam
    root 5326 1.5 1.8 109892 75196 ? Ssl 08:48 0:24 /usr/sbin/clamd
    root 5869 0.0 0.0 8680 256 ? Ss 08:50 0:00 /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.sh
    [root@predator log]#

    This line is important and tells you that your script is running:
    Code:
    root 5869 0.0 0.0 8680 256 ? Ss 08:50 0:00 /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.sh
     
  8. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,296
    Likes Received:
    41
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Again, just because you know it's from an infected page, does that necessarily mean that ClamAV will pick it up? It's not exactly the best antivirus on the market, and even the best antivirus can't pick up the latest threats.

    Mike
     
  9. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    just add "neglite.com/?click="
     
  10. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    Important note!!

    Do not restart the FTP server with WHM. Please restart it with the /etc/init.d/pure-ftpd restart command.

    The upload script does not work when you restart FTPd with WHM.
     
  11. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    Script updated!!!

    Release Changelog - 20090902
    - ) ftp_clamscan.sh file REMOVED. We don't need the ftp_clamscan.sh file anymore.
    - ) Username finding mechanism fixed
    - ) Kill IDLE connection function renewed
    - ) Config file separated
    - ) Log file located at /var/log/ftp_clamscan.log ( or wherever you want )
    - ) Quarantine directory located at /quarantine/clamav/ ( or wherever you want )
    - ) Some minor bugs fixed


    Look at : Anti-Gumblar Protection Documentation
     
  12. smksa

    smksa Member

    Joined:
    Aug 1, 2006
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    151


    May I know whether you have implemented restoring from backup any overwritten file?
     
  13. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Mbelitar
    There are some bugs:

    1. The IP is not listed in csf.deny after the file is moved to the quarantine folder.
    2. The user doing the attack is not kicked off from FTP access after being identified by ClamAV as an attacker, so the hacker can still upload other files.

    Other than that, this script is working and I like it.
     
  14. webicom

    webicom Well-Known Member

    Joined:
    Mar 30, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Slovenia
    Hi,

    So, if I understand right, on the current installation I delete ftp_clamscan.sh, and all I have to do is overwrite ftp_clamscan.php, upload ftp_clamscan_config.php and restart pure-ftpd?

    If so, may I ask what is calling ftp_clamscan.php to work? Maybe my question is stupid, but I'm still learning.
     
  15. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Mbelitar
    You also have to edit /etc/init.d/pure-ftpd and change :
    Code:
    $DAEMONIZE /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.sh
    
    to :

    Code:
    $DAEMONIZE /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.php
    
    And you will see that ftp_clamscan.php works by itself.
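    To show what the program named on that pure-uploadscript line actually has to do, here is an added example handler (not hidonet's ftp_clamscan script, and not cPanel's code). It assumes what pure-ftpd's README documents for upload scripts: the handler gets the uploaded file's full path as its only argument, and UPLOAD_USER / UPLOAD_VUSER are set in the environment; no client address is exported, which is why the session-kill and csf-deny steps of the thread's script are only marked as a hook here. The log path, quarantine directory and the two marker strings come from this thread; the function names, the clamscan exit-code handling (1 = infected, --no-summary) and the ADMIN_MAIL setting are this example's own.

```shell
#!/bin/sh
# Added example: a pure-uploadscript handler that scans each uploaded file.
# pure-uploadscript runs it with the uploaded path as $1 (see the init.d line above).
# Assumed from pure-ftpd's README: UPLOAD_USER / UPLOAD_VUSER are in the environment.

LOGFILE="${LOGFILE:-/var/log/ftp_clamscan.log}"   # same path the thread's script uses
QUARANTINE="${QUARANTINE:-/quarantine/clamav}"    # same directory as the thread's script
SCANNER="${SCANNER:-clamscan}"                    # or clamdscan to use the running clamd
ADMIN_MAIL="${ADMIN_MAIL:-}"                      # empty = log only, no mail

# Literal strings that mark an injected iframe; these two appear in this thread.
# Add your own, one per line.
PATTERNS='neglite.com/?click=
.ru:8080/'

log() {
    printf '%s --- %s\n' "$(date '+%Y.%m.%d %H:%M:%S')" "$*" >> "$LOGFILE"
}

# av_scan FILE: print the signature name and return 1 when infected,
# return 0 when clean, 2 when no scanner is installed (the word scan still runs).
av_scan() {
    command -v "$SCANNER" >/dev/null 2>&1 || return 2
    out=$("$SCANNER" --no-summary "$1" 2>/dev/null)
    rc=$?
    if [ "$rc" -eq 1 ]; then
        sig=${out##*: }                   # "path: Name FOUND" -> "Name FOUND"
        printf '%s\n' "${sig% FOUND}"
    fi
    return "$rc"
}

# word_scan FILE: print the first pattern found and return 0; return 1 when none match.
word_scan() {
    f=$1 found=1 old_ifs=$IFS
    set -f                                # '?' in a pattern must not trigger globbing
    IFS='
'
    for p in $PATTERNS; do
        IFS=$old_ifs; set +f
        if [ -n "$p" ] && grep -qF -- "$p" "$f"; then
            printf '%s\n' "$p"; found=0; break
        fi
    done
    IFS=$old_ifs; set +f
    return "$found"
}

# quarantine FILE: move it out of the web root with a timestamp suffix; print the new path.
quarantine() {
    mkdir -p "$QUARANTINE" || return 1
    dest="$QUARANTINE/$(basename "$1").$(date +%Y%m%d%H%M%S)"
    mv -- "$1" "$dest" && printf '%s\n' "$dest"
}

# notify FILE REASON: mail the admin when mail(1) and ADMIN_MAIL are available.
notify() {
    if [ -n "$ADMIN_MAIL" ] && command -v mail >/dev/null 2>&1; then
        printf 'Upload %s quarantined: %s (user %s)\n' "$1" "$2" "${UPLOAD_USER:-unknown}" \
            | mail -s "FTP upload quarantined" "$ADMIN_MAIL"
    fi
    log "send mail..."
}

# handle_upload FILE: return 0 when the file is clean and left in place,
# 1 when it was flagged and moved to quarantine.
handle_upload() {
    f=$1
    [ -f "$f" ] || return 0               # only regular files are scanned
    log "init... File : $f"
    log "user : ${UPLOAD_USER:-unknown} vuser : ${UPLOAD_VUSER:-unknown}"
    log "antivirus scan..."
    reason=$(av_scan "$f") && av_rc=0 || av_rc=$?
    if [ "$av_rc" -eq 2 ]; then
        log "scanner $SCANNER not found, antivirus step skipped"
    fi
    if [ "$av_rc" -ne 1 ]; then
        log "word scan..."
        reason=$(word_scan "$f") || reason=
    fi
    if [ -z "$reason" ]; then
        log "end... clean"
        return 0
    fi
    log "$f| $reason |"
    dest=$(quarantine "$f") && log "File moved to : $dest"
    # Hook: the thread's script kills the FTP session and adds a csf deny here.
    # Both need the client address, which pure-uploadscript does not pass.
    notify "$f" "$reason"
    log "end..."
    return 1
}

# pure-uploadscript passes the uploaded path as the only argument.
if [ "$#" -ge 1 ]; then
    handle_upload "$1"
fi
```

    Run it once by hand against a test file (with LOGFILE and QUARANTINE pointed at a scratch directory) before wiring it into /etc/init.d/pure-ftpd; the log it writes has the same shape as the excerpts later in this thread, so the same eye can check it.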
     
  16. webicom

    webicom Well-Known Member

    Joined:
    Mar 30, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Slovenia
    Yes of course, thanks Isputra. Maybe one question for all users. Do you also experience from time to time that FTP uploads for customers get very slow? I do, but better that than viruses :)
     
  17. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Mbelitar
    Yes, a delay of about 5-10 seconds per file before it finishes.
     
  18. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    Yes, it slows FTP operation a little bit, because this script runs after each uploaded file.
     
  19. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    I did a lot of tests. This is the example log:
    Code:
    2009.09.02 06:12:18 --- init... File : /home/cube/test.html
    2009.09.02 06:12:18 --- antivirus scan...
    2009.09.02 06:12:19 --- word scan...
    2009.09.02 06:12:19 --- /home/cube/test.html| Trojan.Iframe-9 |
    2009.09.02 06:12:20 --- kill idle connection...
    2009.09.02 06:12:20 --- kill -s 9 23714
    2009.09.02 06:12:20 --- Killed process(es) : 23714
    2009.09.02 06:12:20 --- block attacker ip...
    2009.09.02 06:12:20 --- deny failed: 88.*.*.24 is in the allow file /etc/csf/csf.allow
    2009.09.02 06:12:20 --- IP Blocked : 88.*.*.24
    2009.09.02 06:12:20 --- send mail...
    2009.09.02 06:12:20 --- end...

    Do you see "deny failed"? The system is running correctly, but CSF is returning this error because I've added my IP to the allow list.

    If your problem continues please pm me..
     
  20. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Mbelitar
    And this is what I have in my log:
    Code:
    2009.09.02 14:21:09 --- ANTI GUMBLAR ( FTP CLAMSCAN ) LOG START
    2009.09.02 14:21:09 --- init... File : /home/test/public_html/if-rame.html
    2009.09.02 14:21:09 --- antivirus scan...
    2009.09.02 14:21:09 --- word scan...
    2009.09.02 14:21:09 --- wordscan results : .ru:8080/ at line 1 FOUND and file moved to File moved to : /quarantine/clamav//if-rame.html.20090902142109
    2009.09.02 14:21:09 --- /home/test/public_html/if-rame.html|.ru:8080/ at line 1|
    2009.09.02 14:21:09 --- pass change for user :
    2009.09.02 14:21:11 --- kill idle connection...
    2009.09.02 14:21:11 --- IDLE Process not found...
    2009.09.02 14:21:11 --- block attacker ip...
    2009.09.02 14:21:11 --- send mail...
    2009.09.02 14:21:11 --- end...

    As you can see, the log is not the same as yours. Some log lines are missing:
    Code:
    --- kill -s 9 XXXXX
    --- Killed process(es) : XXXXX
    --- IP Blocked : xx.xx.xx.xx

    I am using the latest script.
     