SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

webicom

Hi

Now I have a question which I think would benefit everyone and take this script a step further.
How could I manually start this script to scan a folder or folders for a particular user? It would come in handy if we had a script which could be started manually or as a cron job and would scan folders which we set. Basically something like an antivirus, but with the option to input our own search string, as this script offers.
 

isputra

I think this is not what this script does.
 

blargman

Hidonet, any reason you didn't use clamdscan instead of clamscan? It appears to use fewer resources this way.
 

JamesSmith

The script works under FreeBSD, good job.

One problem for us: it's not picking up the username correctly and thus not changing the account password of compromised accounts.

I see the following:

Code:
Subject: Gumblar Attack !!! user : home

Warning !!!

03.10.2009 11:12:43 Saturday
There is a GUMBLAR ATTACK on account home

Infected file : /usr/home/james/iframetest/test4.html

Infection : (pattern removed) at line 1

Action : File moved to : /quarantine/clamav//test4.html.20091003111243

Password might be changed to : xxxxxxxxxxx



Ret : Array
 

hidonet

hmmm...

Please send me the right user path.. example: /home/username/ in Linux.

I'm going to add FreeBSD support :)
 

JamesSmith

Usually it will be /usr/home/username

On this particular system it is something different entirely. Maybe a config option could be added to specify it?
 

hidonet

Quarantine files are not overwritten... But your idea is good, I will do it.. :)
 

JamesSmith

Also, a neat feature would be to create a directory named after the username in the quarantine directory. If more than one account becomes compromised and uploads are done at the same time, we could have the same files being quarantined, overwriting each other.

/quarantine/username/infectedfiles
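The three things this thread keeps coming back to, a manual scan of chosen folders (webicom), a username lookup that also understands FreeBSD's /usr/home layout (JamesSmith's "user : home" report), and a per-account, timestamped quarantine directory, put together as one small Python script. This is an added example, not hidonet's script or any code from the thread; the detection pattern is a constructed placeholder (the real one is redacted above), and the /quarantine root and the two home roots are assumptions.

```python
import os
import re
import shutil
import time

# Placeholder signature constructed for this example; the thread's real pattern is redacted.
INJECT_PATTERN = re.compile(r"<iframe[^>]*visibility\s*:\s*hidden", re.I)
HOME_ROOTS = ("/home/", "/usr/home/")  # Linux and FreeBSD layouts from the thread
QUARANTINE_ROOT = "/quarantine"        # assumed; matches the paths in the thread

def username_from_path(path, home_roots=HOME_ROOTS):
    # Account owning `path`, or None if it lies outside every home root
    # (never a wrong component such as 'home', which is what the thread reports).
    for root in home_roots:
        if path.startswith(root):
            return path[len(root):].split("/", 1)[0] or None
    return None

def first_match(lines, pattern=INJECT_PATTERN):
    # 1-based number of the first line matching `pattern`, or None.
    return next((no for no, line in enumerate(lines, 1) if pattern.search(line)), None)

def find_infected(folders, pattern=INJECT_PATTERN):
    # Recursively scan the given folders; return [(path, line_no), ...] for hits.
    hits = []
    for folder in folders:
        for dirpath, _, names in os.walk(folder):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, errors="replace") as fh:
                        no = first_match(fh, pattern)
                except OSError:
                    continue  # unreadable file: skip it rather than abort the scan
                if no is not None:
                    hits.append((path, no))
    return hits

def quarantine_target(path, user, root=QUARANTINE_ROOT, now=None):
    # /quarantine/<user>/<name>.<timestamp>: per account and timestamped, so equal
    # file names uploaded to two accounts never overwrite each other in quarantine.
    stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(now))
    return os.path.join(root, user or "unknown", os.path.basename(path) + "." + stamp)

def quarantine(path, root=QUARANTINE_ROOT):
    # Move one infected file out of the account and return where it went.
    target = quarantine_target(path, username_from_path(path), root)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    shutil.move(path, target)
    return target
```

Run as `find_infected(["/usr/home/james/public_html"])` from a cron job and pass each hit to `quarantine()`; a result of None from `username_from_path` is the signal to alert rather than to reset the wrong account's password.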
 

headout

The current download is missing ftp_clamscan_config.php. Can you please provide me a working ftp_clamscan_config.php file?
 

mitya4004

I know for certain that proftpd can use clamav for file scanning,
and I think this functionality can help.
 

ljesh

Whoa. This is probably the most useful script I have seen. Installed it, ran some tests, looks perfect and does its job.
hidonet, please keep up the great job. People, if you like the script, donate. He is doing this for free.
hidonet, I would suggest one thing to fix for some future release:
1. All infected files get transferred to /quarantine/clamav. If you could make it /quarantine/clamav<username>/ that would be great!