Did you installed last version ?
If you installed last version please pm me and I can help you to solve this problem...
If you installed last version please pm me and I can help you to solve this problem...
I have installed the latest version yesterday, but the IP is neither being blocked in CSF nor logged in the log. Also, I modified the script to include the IP address in the email, but the IP address field is blank in the email. How to fix it?
Script getting IP from /var/log/messages file. If your FTP server is not logging ftp transactions, IP will not be discovered.
check your messages log while ftp transfer. If your server adds log line for every connection and every Download and upload script works.
If you cannot solve the problem please pm me...
ive been following thru this discussion and thought id give the script a try on one of our servers
I ran the installer and followed the instructions at Anti-Gumblar // Protection for IFRAME/Javascript/Gumblar Attacks
chmodded the clamscan_php file to 755 and restarted pureftp but i get the error:
I ran the installer and followed the instructions at Anti-Gumblar // Protection for IFRAME/Javascript/Gumblar Attacks
chmodded the clamscan_php file to 755 and restarted pureftp but i get the error:
what am i missing?
This is normal error. I'm getting same error bur script working. Did you tested script ?
Hello,
I have a problem,
i try to upload an iframe here is the log:
2009.09.09 12:36:57 --- init... File : /home/berek/public_ftp/iframe.php
2009.09.09 12:36:57 --- antivirus scan...
2009.09.09 12:36:57 --- word scan...
2009.09.09 12:36:57 --- wordscan results : .cn:8080/ at line 1 FOUND and file moved to File moved to : /home/quarantine/clamav//iframe.php.20090909123657
2009.09.09 12:36:57 --- /home/berek/public_ftp/iframe.php|.cn:8080/ at line 1|
2009.09.09 12:36:57 --- pass change for user :
2009.09.09 12:36:57 --- kill idle connection...
2009.09.09 12:36:57 --- IDLE Process not found...
2009.09.09 12:36:57 --- block attacker ip...
2009.09.09 12:36:57 --- send mail...
2009.09.09 12:36:57 --- end...
Ip is not block in csf and and when i upload the file the connection is working , the ftp process is not killed .
If somebody have an idear please share
Thanks.
I have a problem,
i try to upload an iframe here is the log:
2009.09.09 12:36:57 --- init... File : /home/berek/public_ftp/iframe.php
2009.09.09 12:36:57 --- antivirus scan...
2009.09.09 12:36:57 --- word scan...
2009.09.09 12:36:57 --- wordscan results : .cn:8080/ at line 1 FOUND and file moved to File moved to : /home/quarantine/clamav//iframe.php.20090909123657
2009.09.09 12:36:57 --- /home/berek/public_ftp/iframe.php|.cn:8080/ at line 1|
2009.09.09 12:36:57 --- pass change for user :
2009.09.09 12:36:57 --- kill idle connection...
2009.09.09 12:36:57 --- IDLE Process not found...
2009.09.09 12:36:57 --- block attacker ip...
2009.09.09 12:36:57 --- send mail...
2009.09.09 12:36:57 --- end...
Ip is not block in csf and and when i upload the file the connection is working , the ftp process is not killed .
If somebody have an idear please share
Thanks.
If script is not latest version please update.
If script is latest version please check your /var/log/messages file for FTP logs. If there is no information about ftp transactions script can not discover attacker's IP address..
Hello,
i have the same issue:
This say my Logfile:
2009.09.09 20:05:10 --- init... File : /home/obbaeren/public_html/joomla/clam.exe.html
2009.09.09 20:05:10 --- antivirus scan...
2009.09.09 20:05:10 --- word scan...
2009.09.09 20:05:10 --- wordscan : NOT FOUND.
2009.09.09 20:05:10 --- end...
2009.09.09 20:05:13 --- init... File : /home/obbaeren/public_html/joomla/iframe.html
2009.09.09 20:05:13 --- antivirus scan...
2009.09.09 20:05:13 --- word scan...
2009.09.09 20:05:13 --- wordscan results : .ru:8080/ at line 9 FOUND and file moved to File moved to : /quarantine/clamav//iframe.html.20090909200513
2009.09.09 20:05:13 --- /home/obbaeren/public_html/joomla/iframe.html|.ru:8080/ at line 9|
2009.09.09 20:05:13 --- pass change for user :
2009.09.09 20:05:14 --- kill idle connection...
2009.09.09 20:05:14 --- IDLE Process not found...
2009.09.09 20:05:14 --- block attacker ip...
2009.09.09 20:05:14 --- send mail...
2009.09.09 20:05:14 --- end...
- IP not blocked
- File not moved to quarantine
- FTP connection not blocked
- 1 File not marked as infected ( original clam.exe.html )
- /var/log/messages have lines for FTP-Upload incl. IP
use the latest version of Script-Files
Any solutions?
Thanks
i have the same issue:
This say my Logfile:
2009.09.09 20:05:10 --- init... File : /home/obbaeren/public_html/joomla/clam.exe.html
2009.09.09 20:05:10 --- antivirus scan...
2009.09.09 20:05:10 --- word scan...
2009.09.09 20:05:10 --- wordscan : NOT FOUND.
2009.09.09 20:05:10 --- end...
2009.09.09 20:05:13 --- init... File : /home/obbaeren/public_html/joomla/iframe.html
2009.09.09 20:05:13 --- antivirus scan...
2009.09.09 20:05:13 --- word scan...
2009.09.09 20:05:13 --- wordscan results : .ru:8080/ at line 9 FOUND and file moved to File moved to : /quarantine/clamav//iframe.html.20090909200513
2009.09.09 20:05:13 --- /home/obbaeren/public_html/joomla/iframe.html|.ru:8080/ at line 9|
2009.09.09 20:05:13 --- pass change for user :
2009.09.09 20:05:14 --- kill idle connection...
2009.09.09 20:05:14 --- IDLE Process not found...
2009.09.09 20:05:14 --- block attacker ip...
2009.09.09 20:05:14 --- send mail...
2009.09.09 20:05:14 --- end...
- IP not blocked
- File not moved to quarantine
- FTP connection not blocked
- 1 File not marked as infected ( original clam.exe.html )
- /var/log/messages have lines for FTP-Upload incl. IP
use the latest version of Script-Files
Any solutions?
Thanks
Last edited:
Hello,
I have locate the Issue:
if the User have a other IP than the Main-IP from Server the Script dont works.
And shell_exe are need from Script.
Any solutions for this Issue?
Thanks
I have locate the Issue:
if the User have a other IP than the Main-IP from Server the Script dont works.
And shell_exe are need from Script.
Any solutions for this Issue?
Thanks
if you disabled shell_exec function in php.ini please remove shell_exec function from disable_function list...
Hello Hidonet,
shell_exec are not in the List from disable_function.
The Script works but the User that have a dedicated IP being not blocked if upload virusscripts.
A User where use the Main-IP for Upload are blocked.
Greats
shell_exec are not in the List from disable_function.
The Script works but the User that have a dedicated IP being not blocked if upload virusscripts.
A User where use the Main-IP for Upload are blocked.
Greats
do you mean IP blocking is not working for attackers they have dedicated IP ?
hello,
that i mean.
I have make other Tests with infected files:
Main-IP = xx.xx.xx.05
User-IP = xx.xx.xx.10
- User have the same IP like the Server Main-IP => IP blocked
- User have a dedicated IP on the Server => not blocked
- User login with as FTP-Host the Main-IP => not blocked
- User login with as FTP-Host the User-IP => not blocked
- User login with as FTP-Host his domain.tld => not blocked
I recieve the Mail with informations but the IP are not blocked and i cann Upload files - the Script move the Files to the quarantine.
Best regards
that i mean.
I have make other Tests with infected files:
Main-IP = xx.xx.xx.05
User-IP = xx.xx.xx.10
- User have the same IP like the Server Main-IP => IP blocked
- User have a dedicated IP on the Server => not blocked
- User login with as FTP-Host the Main-IP => not blocked
- User login with as FTP-Host the User-IP => not blocked
- User login with as FTP-Host his domain.tld => not blocked
I recieve the Mail with informations but the IP are not blocked and i cann Upload files - the Script move the Files to the quarantine.
Best regards
it doesnt seem to be running for me
No errors when I restart FTP but it doesnt scan an eicar file or a text file with blocked content
When I restart pure ftp from WHM ( i know to restrt it from ssh ) it shows
Pure-ftpd (/usr/sbin/pure-uploadscript -B -r /var/run/pure-ftpd/clamscan.sh) running as root with PID 16826
Which means something is still calling that file
any ideas ?
No errors when I restart FTP but it doesnt scan an eicar file or a text file with blocked content
When I restart pure ftp from WHM ( i know to restrt it from ssh ) it shows
Pure-ftpd (/usr/sbin/pure-uploadscript -B -r /var/run/pure-ftpd/clamscan.sh) running as root with PID 16826
Which means something is still calling that file
any ideas ?
| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| M | ClamAV fails to start on CloudLinux 6 after updating to 100.0.8 solution | Security | 2 | |
|
A problem I do not know have a solution | Security | 3 | |
| J | Symlink Solution for OpenVZ / Virtuozzo | Security | 2 | |
|
Solutions for handling ddos attacks? | Security | 3 | |
| T | Hacking threat - and my idea for solution: | Security | 3 |