SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

[Silver_2000]

restart ftpd from ssh.. restarting with whm is passing upload script feature

Ive done both restart from SSH and restart the whole server but no change

 

[hidonet]

Ive done both restart from SSH and restart the whole server but no change

I've sent you a pm..

 

[webicom]

Hi

Now I have question I think it would benefit all and would get this script step further.
How could I manually start this script to scan folder or folders for particular usre? It would come handy if we would have script witch could be start manualy or as cron job and would scan folders witch we set. Basiclly something like antivirus but with option to input own search string as this script offer.

 

[isputra]

Hi

Now I have question I think it would benefit all and would get this script step further.
How could I manually start this script to scan folder or folders for particular usre? It would come handy if we would have script witch could be start manualy or as cron job and would scan folders witch we set. Basiclly something like antivirus but with option to input own search string as this script offer.

I think this is not this script do.

 

[blargman]

Hidonet- any reason you didn't use clamdscan instead of clamscan? It appears to use less resources this way.

 

[hidonet]

You can change if you want. There is no reason about that

 

[JamesSmith]

The script works under FreeBSD, good job.

One problem for us, its not picking up the username correctly and thus not changing the account password of compromised accounts.

I see the following:

Subject: Gumblar Attack !!! user : home

Warning !!!

03.10.2009 11:12:43 Saturday
There is a GUMBLAR ATTACK on account home

Infected file : /usr/home/james/iframetest/test4.html

Infection : (pattern removed) at line 1

Action : File moved to : /quarantine/clamav//test4.html.20091003111243

Password might be changed to : xxxxxxxxxxx



Ret : Array

 

[hidonet]

The script works under FreeBSD, good job.

One problem for us, its not picking up the username correctly and thus not changing the account password of compromised accounts.

I see the following:

Subject: Gumblar Attack !!! user : home

Warning !!!

03.10.2009 11:12:43 Saturday
There is a GUMBLAR ATTACK on account home

Infected file : /usr/home/james/iframetest/test4.html

Infection : (pattern removed) at line 1

Action : File moved to : /quarantine/clamav//test4.html.20091003111243

Password might be changed to : xxxxxxxxxxx



Ret : Array

hmmm...

please send me right user path.. example : /home/username/ in linux

I'm going to add freebsd support

 

[JamesSmith]

hmmm...

please send me right user path.. example : /home/username/ in linux

I'm going to add freebsd support

Usually it will be /usr/home/username

On this particular system it is something different entirely. Maybe a config option could be added to specify it?

 

[hidonet]

Usually it will be /usr/home/username

On this particular system it is something different entirely. Maybe a config option could be added to specify it?

Yes I will add a config option about platform...

 

[hidonet]

Also, a neat feature would be to create a directory named after the username in the quarantine directory. As if more than one account becomes compromised and uploads done at the same time we could have the same files being quarantined, overwriting each other.

/quarantine/username/infectedfiles

Quarantine files not overwrited... But your ide is good, i will do it..

 

[JamesSmith]

Also, a neat feature would be to create a directory named after the username in the quarantine directory. As if more than one account becomes compromised and uploads done at the same time we could have the same files being quarantined, overwriting each other.

/quarantine/username/infectedfiles

 

[headout]

The current download is missing ftp_clamscan_config.php. Can you please provide me a working ftp_clamscan_config.php file?

 

[mitya4004]

Could you provide manual for installing it on PROFTPd?

Thank you

 

[hidonet]

Updated !!!

check it out : anti-gumblar.oxio.net

 

[mitya4004]

I can find only instructions for pureftpd there..

 

[mitya4004]

I do exact know that proftpd can use clamav for file scanning.
and I think this functionality can help

 

[hidonet]

Could you provide manual for installing it on PROFTPd?

Thank you

Not yet... But I'm planning to add proftpd support. But I guess proftpd has not similar function to check files after or while upload...

 

[ljesh]

Whoa. This is probably the most useful script I have seen. Installed it, runned some tests, looks perfect and does it's job.
hidonet, please keep up the great job. People, if you like the script, donate. He is doing this for free.
hidonet, I would suggest one thing to fix for some future release:
1. All infected files gets transfered in /quarantine/clamav. If you could make it /quarantine/clamav<username>/ would be great!

 

[onyx_love]

check it out : anti-gumblar.oxio.net

Hello,

There is an iframe exploit, which generates .pl files and those start sending mails from server localhost.

Is this give protection for this also ?