SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

Spiral

BANNED
Jun 24, 2005
Just an FYI to everyone ...

Reading through this thread, I keep seeing the same error over and over ...

The path "/etc/init.d/" should be "/etc/rc.d/init.d/"!
 

nitaish

Well-Known Member
PartnerNOC
Jan 6, 2006
Mulund, India,
I have installed the latest version yesterday, but the IP is neither being blocked in CSF nor logged in the log. Also, I modified the script to include the IP address in the email, but the IP address field is blank in the email. How to fix it?
 

hidonet

Well-Known Member
Apr 29, 2005
Istanbul / Turkey
The script gets the IP from the /var/log/messages file. If your FTP server is not logging FTP transactions, the IP will not be discovered.

Check your messages log during an FTP transfer. If your server adds a log line for every connection and for every download and upload, the script works.

If you cannot solve the problem, please PM me...
 

Snowman30

Well-Known Member
PartnerNOC
Apr 7, 2002
I've been following this discussion and thought I'd give the script a try on one of our servers.

I ran the installer and followed the instructions at Anti-Gumblar // Protection for IFRAME/Javascript/Gumblar Attacks.

I chmodded the clamscan_php file to 755 and restarted pure-ftpd, but I get this error:

# /etc/init.d/pure-ftpd restart
Stopping pure-config.pl: cat: /var/run/pure-ftpd/pure-uploadscript.pid: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

Stopping pure-authd:
Starting pure-config.pl: Running: /usr/sbin/pure-ftpd -O clf:/var/log/xferlog --daemonize -A -c50 -B -C8 -D -E -fftp -H -I15 -lextauth:/var/run/ftpd.sock -L2000:8 -m4 -s -U133:022 -u100 -Oxferlog:/usr/local/apache/domlogs/ftpxferlog -o -k99 -Z -Y1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
[ OK ]
Starting pure-authd:
What am I missing?
 

hidonet

Well-Known Member
Apr 29, 2005
Istanbul / Turkey

edybv

Member
Dec 19, 2007
Hello,

I have a problem,

I tried to upload an iframe; here is the log:

2009.09.09 12:36:57 --- init... File : /home/berek/public_ftp/iframe.php
2009.09.09 12:36:57 --- antivirus scan...
2009.09.09 12:36:57 --- word scan...
2009.09.09 12:36:57 --- wordscan results : .cn:8080/ at line 1 FOUND and file moved to File moved to : /home/quarantine/clamav//iframe.php.20090909123657
2009.09.09 12:36:57 --- /home/berek/public_ftp/iframe.php|.cn:8080/ at line 1|
2009.09.09 12:36:57 --- pass change for user :
2009.09.09 12:36:57 --- kill idle connection...
2009.09.09 12:36:57 --- IDLE Process not found...
2009.09.09 12:36:57 --- block attacker ip...
2009.09.09 12:36:57 --- send mail...
2009.09.09 12:36:57 --- end...

The IP is not blocked in CSF, and when I upload the file the connection keeps working; the FTP process is not killed.

If somebody has an idea, please share.

Thanks.
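The "word scan" step visible in the log above, written out as an added example (not the anti-Gumblar script's own code): a line-oriented indicator scan that reports the matched text and the 1-based line number, exactly the shape of the "wordscan results : .cn:8080/ at line 1 FOUND" entry. The pattern list is built from the two indicators quoted in this thread and the sample files are constructed.

```python
import re

# Indicator substrings copied from the thread's wordscan output; the pattern
# list itself is constructed for this example, not the script's real list.
WORDSCAN_PATTERNS = [r"\.cn:8080/", r"\.ru:8080/"]


def wordscan(text):
    """Line-oriented indicator scan of an uploaded file's content.

    Returns (matched_text, line_number) for the first hit, 1-based like the
    'wordscan results : .cn:8080/ at line 1 FOUND' log line, or None when
    no indicator is present.
    """
    compiled = [re.compile(p) for p in WORDSCAN_PATTERNS]
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rx in compiled:
            m = rx.search(line)
            if m:
                return m.group(0), lineno
    return None


# Constructed sample uploads: an injected hidden iframe and a clean page.
SAMPLE_INFECTED = (
    "<html>\n"
    "<body>\n"
    '<iframe src="http://example.cn:8080/index.php" width="0" height="0"></iframe>\n'
    "</body></html>\n"
)
SAMPLE_CLEAN = "<html><body><p>Hello</p></body></html>\n"

if __name__ == "__main__":
    print(wordscan(SAMPLE_INFECTED))  # ('.cn:8080/', 3)
    print(wordscan(SAMPLE_CLEAN))     # None
```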
 

hidonet

Well-Known Member
Apr 29, 2005
Istanbul / Turkey
If the script is not the latest version, please update.

If the script is the latest version, please check your /var/log/messages file for FTP logs. If there is no information about FTP transactions, the script cannot discover the attacker's IP address.
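The log dependency hidonet describes, as an added example (not the anti-Gumblar script's own code): the uploader's IP comes only from a pure-ftpd transfer line in /var/log/messages, so when no such line exists the lookup returns None, which is why there is nothing to hand to CSF and the IP field in the mail stays blank. The syslog line format, the sample lines and the 203.0.113.7 address are assumed or constructed; `csf -d` is CSF's deny option and is returned as argv, not executed.

```python
import re

# Assumed pure-ftpd syslog format (constructed for this example):
#   Mon DD HH:MM:SS host pure-ftpd: (user@ip) [NOTICE] /chroot//path uploaded  (N bytes, ...)
UPLOAD_RE = re.compile(
    r"pure-ftpd: \((?P<user>[^@)]+)@(?P<ip>[0-9A-Fa-f.:]+)\) \[NOTICE\] "
    r"(?P<path>\S+) uploaded"
)


def normalize(path):
    """Collapse the '//' pure-ftpd writes between chroot base and file path."""
    return re.sub(r"/+", "/", path)


def find_uploader_ip(messages, uploaded_path):
    """Return the client IP that last uploaded `uploaded_path`, or None.

    None is the failure mode the thread describes: with no transfer lines
    in /var/log/messages there is nothing to block in CSF and the IP field
    of the notification mail is empty.
    """
    target = normalize(uploaded_path)
    found = None
    for line in messages.splitlines():
        m = UPLOAD_RE.search(line)
        if m and normalize(m.group("path")) == target:
            found = m.group("ip")  # later lines win: most recent upload
    return found


def csf_deny_argv(ip, comment="gumblar upload"):
    """argv for the CSF deny action ('csf -d'); returned, not executed."""
    return ["csf", "-d", ip, comment]


# Constructed log excerpt; 203.0.113.7 is a documentation address.
SAMPLE_MESSAGES = """\
Sep  9 12:36:55 srv pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Sep  9 12:36:56 srv pure-ftpd: (berek@203.0.113.7) [INFO] berek is now logged in
Sep  9 12:36:57 srv pure-ftpd: (berek@203.0.113.7) [NOTICE] /home/berek//public_ftp/iframe.php uploaded  (512 bytes, 12.00KB/sec)
"""
# Same session with transfer logging switched off: only the login line survives.
NO_TRANSFER_LOG = "Sep  9 12:36:56 srv pure-ftpd: (berek@203.0.113.7) [INFO] berek is now logged in\n"
```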
 

1a-Websolutions

Active Member
Aug 24, 2006
Hello,

I have the same issue.

This is what my log file says:

2009.09.09 20:05:10 --- init... File : /home/obbaeren/public_html/joomla/clam.exe.html
2009.09.09 20:05:10 --- antivirus scan...
2009.09.09 20:05:10 --- word scan...
2009.09.09 20:05:10 --- wordscan : NOT FOUND.
2009.09.09 20:05:10 --- end...

2009.09.09 20:05:13 --- init... File : /home/obbaeren/public_html/joomla/iframe.html
2009.09.09 20:05:13 --- antivirus scan...
2009.09.09 20:05:13 --- word scan...
2009.09.09 20:05:13 --- wordscan results : .ru:8080/ at line 9 FOUND and file moved to File moved to : /quarantine/clamav//iframe.html.20090909200513
2009.09.09 20:05:13 --- /home/obbaeren/public_html/joomla/iframe.html|.ru:8080/ at line 9|
2009.09.09 20:05:13 --- pass change for user :
2009.09.09 20:05:14 --- kill idle connection...
2009.09.09 20:05:14 --- IDLE Process not found...
2009.09.09 20:05:14 --- block attacker ip...
2009.09.09 20:05:14 --- send mail...
2009.09.09 20:05:14 --- end...



- IP not blocked
- File not moved to quarantine
- FTP connection not blocked
- One file not marked as infected (the original clam.exe.html)
- /var/log/messages has lines for the FTP upload, including the IP

I use the latest version of the script files.

Any solutions?

Thanks
 

1a-Websolutions

Active Member
Aug 24, 2006
Hello,

I have located the issue:

if the user has a different IP than the server's main IP, the script doesn't work.

And shell_exec is needed by the script.

Any solutions for this issue?

Thanks
 

hidonet

Well-Known Member
Apr 29, 2005
Istanbul / Turkey
If you disabled the shell_exec function in php.ini, please remove shell_exec from the disable_functions list...
 

1a-Websolutions

Active Member
Aug 24, 2006
Hello Hidonet,

shell_exec is not in the disable_functions list.

The script works, but a user who has a dedicated IP is not blocked when uploading virus scripts.

A user who uses the main IP for the upload is blocked.

Greetings
 

hidonet

Well-Known Member
Apr 29, 2005
Istanbul / Turkey
Do you mean IP blocking is not working for attackers who have a dedicated IP?
 

1a-Websolutions

Active Member
Aug 24, 2006
Hello,

that is what I mean.

I have made other tests with infected files:

Main-IP = xx.xx.xx.05

User-IP = xx.xx.xx.10

- User has the same IP as the server's main IP => IP blocked

- User has a dedicated IP on the server => not blocked

- User logs in with the main IP as FTP host => not blocked

- User logs in with the user IP as FTP host => not blocked

- User logs in with his domain.tld as FTP host => not blocked

I receive the mail with the information, but the IP is not blocked and I can still upload files; the script does move the files to quarantine.

Best regards
 

edybv

Member
Dec 19, 2007
Hello,

If you don't want to remove shell_exec from disable_functions, edit ftp_clamscan.php and replace the first line with:

#!/var/cpanel/3rdparty/bin/php -d safe_mode="Off" -w -q
 

Silver_2000

Well-Known Member
Mar 31, 2002
It doesn't seem to be running for me.
No errors when I restart FTP, but it doesn't scan an EICAR file or a text file with blocked content.

When I restart pure-ftpd from WHM (I know to restart it from SSH) it shows:

Pure-ftpd (/usr/sbin/pure-uploadscript -B -r /var/run/pure-ftpd/clamscan.sh) running as root with PID 16826

Which means something is still calling that file.

Any ideas?
 

hidonet

Well-Known Member
Apr 29, 2005
Istanbul / Turkey
Restart ftpd from SSH. Restarting from WHM bypasses the upload script feature.