The Community Forums


SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

Discussion in 'Security' started by hidonet, Aug 7, 2009.

  1. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    8
    Trophy Points:
    193
    Just an FYI to everyone ...

    Reading through this thread, I keep seeing the same error over and over ...

    The path "/etc/init.d/" should be "/etc/rc.d/init.d/"!
     
  2. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    Did you install the last version?

    If you installed the last version, please PM me and I can help you solve this problem...
     
  3. nitaish

    nitaish Well-Known Member
    PartnerNOC

    Joined:
    Jan 6, 2006
    Messages:
    129
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    Mulund, India, India
    I installed the latest version yesterday, but the IP is neither being blocked in CSF nor logged in the log. Also, I modified the script to include the IP address in the email, but the IP address field is blank in the email. How do I fix it?
     
  4. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    The script gets the IP from the /var/log/messages file. If your FTP server is not logging FTP transactions, the IP will not be discovered.

    Check your messages log during an FTP transfer. If your server adds a log line for every connection and every download and upload, the script works.

    If you cannot solve the problem, please PM me...
     
  5. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    Joined:
    Apr 7, 2002
    Messages:
    681
    Likes Received:
    0
    Trophy Points:
    316
    cPanel Access Level:
    DataCenter Provider
    I've been following this discussion and thought I'd give the script a try on one of our servers.

    I ran the installer and followed the instructions at Anti-Gumblar // Protection for IFRAME/Javascript/Gumblar Attacks

    I chmodded the clamscan_php file to 755 and restarted PureFTP, but I get the error:

    What am I missing?
     
  6. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey

    This is a normal error. I'm getting the same error but the script is working. Did you test the script?
     
  7. nitaish

    nitaish Well-Known Member
    PartnerNOC

    Joined:
    Jan 6, 2006
    Messages:
    129
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    Mulund, India, India
    Even I got this error, but the script was working.
     
  8. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    This error is about the pid file of the upload script daemon. But the daemon's pid file is always lost...
     
  9. edybv

    edybv Member

    Joined:
    Dec 19, 2007
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    51
    Hello,

    I have a problem.

    I tried to upload an iframe; here is the log:

    2009.09.09 12:36:57 --- init... File : /home/berek/public_ftp/iframe.php
    2009.09.09 12:36:57 --- antivirus scan...
    2009.09.09 12:36:57 --- word scan...
    2009.09.09 12:36:57 --- wordscan results : .cn:8080/ at line 1 FOUND and file moved to File moved to : /home/quarantine/clamav//iframe.php.20090909123657
    2009.09.09 12:36:57 --- /home/berek/public_ftp/iframe.php|.cn:8080/ at line 1|
    2009.09.09 12:36:57 --- pass change for user :
    2009.09.09 12:36:57 --- kill idle connection...
    2009.09.09 12:36:57 --- IDLE Process not found...
    2009.09.09 12:36:57 --- block attacker ip...
    2009.09.09 12:36:57 --- send mail...
    2009.09.09 12:36:57 --- end...

    The IP is not blocked in CSF, and when I upload the file the connection keeps working; the FTP process is not killed.

    If somebody has an idea, please share.

    Thanks.
     
  10. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    If the script is not the latest version, please update.

    If the script is the latest version, please check your /var/log/messages file for FTP logs. If there is no information about FTP transactions, the script cannot discover the attacker's IP address.
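    The IP lookup described in this post, worked as an added example (not the thread's script, which is PHP; this is Python so it can be run stand-alone). It parses the syslog lines that pure-ftpd writes to /var/log/messages in its `(login@client_ip) [NOTICE] /path uploaded` form, finds the client IP that uploaded the quarantined file, and refuses to block loopback or the server's own addresses. The log lines, the user names, the addresses in `SERVER_IPS` and the file paths are constructed for the example. Because the log line names only the client address, the lookup is the same whether the client connected to the server's main IP or to a dedicated IP, which is the case the later posts in this thread report as not being blocked.

```python
import ipaddress
import os
import re

# Constructed sample of the syslog lines pure-ftpd writes to /var/log/messages. The
# "(login@client_ip)" token carries the FTP login and the client's address; the
# server-side address the client connected to (main or dedicated IP) does not appear.
SAMPLE_MESSAGES = """\
Sep  9 12:36:50 host pure-ftpd: (?@203.0.113.77) [INFO] New connection from 203.0.113.77
Sep  9 12:36:51 host pure-ftpd: (?@203.0.113.77) [INFO] berek is now logged in
Sep  9 12:36:57 host pure-ftpd: (berek@203.0.113.77) [NOTICE] /home/berek/public_ftp//iframe.php uploaded  (1204 bytes, 40.2KB/sec)
Sep  9 12:37:02 host pure-ftpd: (obbaeren@198.51.100.9) [NOTICE] /home/obbaeren/public_html/joomla//iframe.html uploaded  (812 bytes, 11.0KB/sec)
Sep  9 12:37:05 host pure-ftpd: (obbaeren@198.51.100.9) [INFO] Logout.
"""

# The server's own addresses (constructed): the main IP plus one dedicated IP.
# These must never be handed to the firewall as "attacker" addresses.
SERVER_IPS = {"203.0.113.5", "203.0.113.10"}

UPLOAD_RE = re.compile(
    r"pure-ftpd: \((?P<user>[^@)]+)@(?P<ip>[^)\s]+)\) \[NOTICE\] (?P<path>\S+) uploaded"
)


def parse_uploads(text):
    """Yield (login, client_ip, normalized path) for every upload NOTICE line."""
    for line in text.splitlines():
        match = UPLOAD_RE.search(line)
        if match:
            # normpath collapses the doubled slash so the logged path compares equal
            # to the path the upload hook received as its argument.
            yield match.group("user"), match.group("ip"), os.path.normpath(match.group("path"))


def find_uploader(text, uploaded_file):
    """Return (login, client_ip) for the most recent upload of uploaded_file, or None."""
    target = os.path.normpath(uploaded_file)
    result = None
    for user, ip, path in parse_uploads(text):
        if path == target:
            result = (user, ip)  # keep the last match: the newest log line wins
    return result


def should_block(ip, server_ips=SERVER_IPS):
    """Refuse to block an unparseable, loopback, unspecified or server-owned address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if addr.is_loopback or addr.is_unspecified:
        return False
    return ip not in server_ips


def block_command(ip):
    """The CSF deny command the hook would run (returned here, not executed)."""
    return ["csf", "-d", ip, "upload hook: malicious file uploaded from this address"]


if __name__ == "__main__":
    who = find_uploader(SAMPLE_MESSAGES, "/home/berek/public_ftp/iframe.php")
    print("uploader:", who)
    if who and should_block(who[1]):
        print("would run:", " ".join(block_command(who[1])))
```

    If `find_uploader` returns `None` on a real server, the upload NOTICE lines are missing from the messages log, which is the condition this post describes; the place to look is the FTP server's logging configuration, not the hook.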
     
  11. 1a-Websolutions

    1a-Websolutions Active Member

    Joined:
    Aug 24, 2006
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    156
    Hello,

    I have the same issue:

    This is what my logfile says:

    2009.09.09 20:05:10 --- init... File : /home/obbaeren/public_html/joomla/clam.exe.html
    2009.09.09 20:05:10 --- antivirus scan...
    2009.09.09 20:05:10 --- word scan...
    2009.09.09 20:05:10 --- wordscan : NOT FOUND.
    2009.09.09 20:05:10 --- end...

    2009.09.09 20:05:13 --- init... File : /home/obbaeren/public_html/joomla/iframe.html
    2009.09.09 20:05:13 --- antivirus scan...
    2009.09.09 20:05:13 --- word scan...
    2009.09.09 20:05:13 --- wordscan results : .ru:8080/ at line 9 FOUND and file moved to File moved to : /quarantine/clamav//iframe.html.20090909200513
    2009.09.09 20:05:13 --- /home/obbaeren/public_html/joomla/iframe.html|.ru:8080/ at line 9|
    2009.09.09 20:05:13 --- pass change for user :
    2009.09.09 20:05:14 --- kill idle connection...
    2009.09.09 20:05:14 --- IDLE Process not found...
    2009.09.09 20:05:14 --- block attacker ip...
    2009.09.09 20:05:14 --- send mail...
    2009.09.09 20:05:14 --- end...



    - IP not blocked
    - File not moved to quarantine
    - FTP connection not blocked
    - 1 file not marked as infected (original clam.exe.html)
    - /var/log/messages has lines for the FTP upload incl. IP

    Using the latest version of the script files.

    Any solutions?

    Thanks
     
    #71 1a-Websolutions, Sep 9, 2009
    Last edited: Sep 9, 2009
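    The "word scan" and quarantine steps that the two log excerpts above report (`wordscan results : ... at line N FOUND`, `File moved to : .../iframe.html.20090909200513`), as an added example in Python rather than the thread's PHP script. It flags an iframe or script tag whose source host ends in the `:8080/` suffix the logs show, reports the line number, and moves the file into a quarantine directory with a timestamp suffix. The tag-context check is a constructed refinement so that ordinary text mentioning port 8080 is not flagged; the sample files in `demo()` are constructed as well.

```python
import os
import re
import shutil
import tempfile
from datetime import datetime

# Patterns the word scan looks for. The ":8080/" host suffix is the indicator the
# thread's own log lines report (".cn:8080/", ".ru:8080/"); requiring it inside an
# iframe or script src attribute is a constructed refinement to cut false positives.
WORD_PATTERNS = [
    re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?https?://[^\"'>\s]*:8080/", re.I),
    re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?https?://[^\"'>\s]*:8080/", re.I),
]


def word_scan(path):
    """Return (line_no, matched_text) for the first hit, or None if the file is clean."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, start=1):
            for pattern in WORD_PATTERNS:
                match = pattern.search(line)
                if match:
                    return line_no, match.group(0)
    return None


def quarantine(path, quarantine_dir, when=None):
    """Move path into quarantine_dir with a YYYYmmddHHMMSS suffix; return the new path."""
    when = when or datetime.now()
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir,
                        os.path.basename(path) + "." + when.strftime("%Y%m%d%H%M%S"))
    shutil.move(path, dest)
    return dest


def scan_and_quarantine(path, quarantine_dir):
    """Scan one uploaded file; quarantine it on a hit. Returns None or (line_no, dest)."""
    hit = word_scan(path)
    if hit is None:
        return None
    line_no, _matched = hit
    return line_no, quarantine(path, quarantine_dir)


def demo():
    """Run the scan over two constructed uploads in a temp dir; return what happened."""
    workdir = tempfile.mkdtemp()
    qdir = os.path.join(workdir, "quarantine")
    infected = os.path.join(workdir, "iframe.html")
    clean = os.path.join(workdir, "index.html")
    # Constructed content: the hostile iframe sits on line 9, as in the thread's log.
    with open(infected, "w", encoding="utf-8") as fh:
        fh.write("<html>\n" * 8)
        fh.write('<iframe src="http://example.invalid:8080/" width=1 height=1></iframe>\n')
    # Constructed clean file that merely mentions port 8080 in prose.
    with open(clean, "w", encoding="utf-8") as fh:
        fh.write("<p>Our dev server listens on port 8080/tcp.</p>\n")
    infected_result = scan_and_quarantine(infected, qdir)
    clean_result = scan_and_quarantine(clean, qdir)
    return {
        "infected_line": infected_result[0] if infected_result else None,
        "infected_moved": (infected_result is not None
                           and not os.path.exists(infected)
                           and os.path.exists(infected_result[1])),
        "clean_flagged": clean_result is not None,
        "clean_still_present": os.path.exists(clean),
    }


if __name__ == "__main__":
    print(demo())
```

    The quarantine name keeps the original basename plus a timestamp, so two uploads of the same filename never overwrite each other; the poster's report of a hostile file that was not flagged is the kind of miss a pattern list of this sort produces whenever the injected tag does not match one of its entries, which is why the antivirus scan runs alongside it.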
  12. 1a-Websolutions

    1a-Websolutions Active Member

    Joined:
    Aug 24, 2006
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    156
    Hello,

    I have located the issue:

    If the user has a different IP than the server's main IP, the script doesn't work.

    And shell_exec is needed by the script.

    Any solutions for this issue?

    Thanks
     
  13. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    If you disabled the shell_exec function in php.ini, please remove shell_exec from the disable_functions list...
     
  14. 1a-Websolutions

    1a-Websolutions Active Member

    Joined:
    Aug 24, 2006
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    156
    Hello Hidonet,

    shell_exec is not in the disable_functions list.

    The script works, but a user that has a dedicated IP is not blocked when uploading virus scripts.

    A user who uses the main IP for the upload is blocked.

    Greetings
     
  15. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    Do you mean IP blocking is not working for attackers who have a dedicated IP?
     
  16. 1a-Websolutions

    1a-Websolutions Active Member

    Joined:
    Aug 24, 2006
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    156
    Hello,

    That's what I mean.

    I have made other tests with infected files:

    Main-IP = xx.xx.xx.05

    User-IP = xx.xx.xx.10

    - User has the same IP as the server main IP => IP blocked

    - User has a dedicated IP on the server => not blocked

    - User logs in with the main IP as FTP host => not blocked

    - User logs in with the user IP as FTP host => not blocked

    - User logs in with his domain.tld as FTP host => not blocked

    I receive the mail with the information, but the IP is not blocked and I can upload files; the script moves the files to the quarantine.

    Best regards
     
  17. edybv

    edybv Member

    Joined:
    Dec 19, 2007
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    51
    Hello,

    If you don't want to remove shell_exec from disable_functions, edit ftp_clamscan.php and replace the first line with:

    #!/var/cpanel/3rdparty/bin/php -d safe_mode="Off" -w -q
     
  18. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    318
    It doesn't seem to be running for me.
    No errors when I restart FTP, but it doesn't scan an EICAR file or a text file with blocked content.

    When I restart Pure-FTPd from WHM (I know to restart it from SSH) it shows

    Pure-ftpd (/usr/sbin/pure-uploadscript -B -r /var/run/pure-ftpd/clamscan.sh) running as root with PID 16826

    Which means something is still calling that file.

    Any ideas?
     
  19. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    Restart ftpd from SSH. Restarting with WHM skips the upload script feature.
     
  20. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    I will do that in the script...
     