SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

Just an FYI to everyone ...

Reading through this thread, I keep seeing the same error over and over ...

The path "/etc/init.d/ should be "/etc/rc.d/init.d/"!

 

I have installed the latest version yesterday, but the IP is neither being blocked in CSF nor logged in the log. Also, I modified the script to include the IP address in the email, but the IP address field is blank in the email. How to fix it?

 

ive been following thru this discussion and thought id give the script a try on one of our servers

I ran the installer and followed the instructions at Anti-Gumblar // Protection for IFRAME/Javascript/Gumblar Attacks

chmodded the clamscan_php file to 755 and restarted pureftp but i get the error:

what am i missing?

 

Even I got this error, but the script was working.

 

Hello,

I have a problem,

i try to upload an iframe here is the log:

2009.09.09 12:36:57 --- init... File : /home/berek/public_ftp/iframe.php
2009.09.09 12:36:57 --- antivirus scan...
2009.09.09 12:36:57 --- word scan...
2009.09.09 12:36:57 --- wordscan results : .cn:8080/ at line 1 FOUND and file moved to File moved to : /home/quarantine/clamav//iframe.php.20090909123657
2009.09.09 12:36:57 --- /home/berek/public_ftp/iframe.php|.cn:8080/ at line 1|
2009.09.09 12:36:57 --- pass change for user :
2009.09.09 12:36:57 --- kill idle connection...
2009.09.09 12:36:57 --- IDLE Process not found...
2009.09.09 12:36:57 --- block attacker ip...
2009.09.09 12:36:57 --- send mail...
2009.09.09 12:36:57 --- end...

Ip is not block in csf and and when i upload the file the connection is working , the ftp process is not killed .

If somebody have an idear please share

Thanks.

 

Hello,

i have the same issue:

This say my Logfile:

2009.09.09 20:05:10 --- init... File : /home/obbaeren/public_html/joomla/clam.exe.html
2009.09.09 20:05:10 --- antivirus scan...
2009.09.09 20:05:10 --- word scan...
2009.09.09 20:05:10 --- wordscan : NOT FOUND.
2009.09.09 20:05:10 --- end...

2009.09.09 20:05:13 --- init... File : /home/obbaeren/public_html/joomla/iframe.html
2009.09.09 20:05:13 --- antivirus scan...
2009.09.09 20:05:13 --- word scan...
2009.09.09 20:05:13 --- wordscan results : .ru:8080/ at line 9 FOUND and file moved to File moved to : /quarantine/clamav//iframe.html.20090909200513
2009.09.09 20:05:13 --- /home/obbaeren/public_html/joomla/iframe.html|.ru:8080/ at line 9|
2009.09.09 20:05:13 --- pass change for user :
2009.09.09 20:05:14 --- kill idle connection...
2009.09.09 20:05:14 --- IDLE Process not found...
2009.09.09 20:05:14 --- block attacker ip...
2009.09.09 20:05:14 --- send mail...
2009.09.09 20:05:14 --- end...



- IP not blocked
- File not moved to quarantine
- FTP connection not blocked
- 1 File not marked as infected ( original clam.exe.html )
- /var/log/messages have lines for FTP-Upload incl. IP

use the latest version of Script-Files

Any solutions?

Thanks

 

Hello,

I have locate the Issue:

if the User have a other IP than the Main-IP from Server the Script dont works.

And shell_exe are need from Script.

Any solutions for this Issue?

Thanks

 

Hello Hidonet,

shell_exec are not in the List from disable_function.

The Script works but the User that have a dedicated IP being not blocked if upload virusscripts.

A User where use the Main-IP for Upload are blocked.

Greats

 

hello,

that i mean.

I have make other Tests with infected files:

Main-IP = xx.xx.xx.05

User-IP = xx.xx.xx.10

- User have the same IP like the Server Main-IP => IP blocked

- User have a dedicated IP on the Server => not blocked



- User login with as FTP-Host the Main-IP => not blocked

- User login with as FTP-Host the User-IP => not blocked

- User login with as FTP-Host his domain.tld => not blocked

I recieve the Mail with informations but the IP are not blocked and i cann Upload files - the Script move the Files to the quarantine.

Best regards

 

Hello,

If you dont want to remove shell_exec from disable_function edit ftp_clamscan.php replace first line with :

#!/var/cpanel/3rdparty/bin/php -d safe_mode="Off" -w -q

 

it doesnt seem to be running for me
No errors when I restart FTP but it doesnt scan an eicar file or a text file with blocked content

When I restart pure ftp from WHM ( i know to restrt it from ssh ) it shows

Pure-ftpd (/usr/sbin/pure-uploadscript -B -r /var/run/pure-ftpd/clamscan.sh) running as root with PID 16826

Which means something is still calling that file


any ideas ?