SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

Ive done both restart from SSH and restart the whole server but no change

 

Hi

Now I have question I think it would benefit all and would get this script step further.
How could I manually start this script to scan folder or folders for particular usre? It would come handy if we would have script witch could be start manualy or as cron job and would scan folders witch we set. Basiclly something like antivirus but with option to input own search string as this script offer.

 

I think this is not this script do.

 

Hidonet- any reason you didn't use clamdscan instead of clamscan? It appears to use less resources this way.

 

The script works under FreeBSD, good job.

One problem for us, its not picking up the username correctly and thus not changing the account password of compromised accounts.

I see the following:

Code:

Subject: Gumblar Attack !!! user : home

Warning !!!

03.10.2009 11:12:43 Saturday
There is a GUMBLAR ATTACK on account home

Infected file : /usr/home/james/iframetest/test4.html

Infection : (pattern removed) at line 1

Action : File moved to : /quarantine/clamav//test4.html.20091003111243

Password might be changed to : xxxxxxxxxxx



Ret : Array

 

Usually it will be /usr/home/username

On this particular system it is something different entirely. Maybe a config option could be added to specify it?

 

Also, a neat feature would be to create a directory named after the username in the quarantine directory. As if more than one account becomes compromised and uploads done at the same time we could have the same files being quarantined, overwriting each other.

/quarantine/username/infectedfiles

 

The current download is missing ftp_clamscan_config.php. Can you please provide me a working ftp_clamscan_config.php file?

 

Could you provide manual for installing it on PROFTPd?

Thank you

 

I can find only instructions for pureftpd there..

 

I do exact know that proftpd can use clamav for file scanning.
and I think this functionality can help

 

Whoa. This is probably the most useful script I have seen. Installed it, runned some tests, looks perfect and does it's job.
hidonet, please keep up the great job. People, if you like the script, donate. He is doing this for free.
hidonet, I would suggest one thing to fix for some future release:
1. All infected files gets transfered in /quarantine/clamav. If you could make it /quarantine/clamav<username>/ would be great!

 

Hello,

There is an iframe exploit, which generates .pl files and those start sending mails from server localhost.

Is this give protection for this also ?