The Community Forums


SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

Discussion in 'Security' started by hidonet, Aug 7, 2009.

  1. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    318
    I've done both a restart from SSH and a restart of the whole server, but no change.
     
  2. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    I've sent you a PM.
     
  3. webicom

    webicom Well-Known Member

    Joined:
    Mar 30, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Slovenia
    Hi

    Now I have a question that I think would benefit everyone and take this script a step further.
    How could I manually start this script to scan a folder or folders for a particular user? It would come in handy if we had a script which could be started manually or as a cron job and would scan the folders we set. Basically something like an antivirus, but with the option to input our own search strings, as this script offers.
     
  4. isputra

    isputra Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    576
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Mbelitar
    I think this is not what this script does.
     
  5. blargman

    blargman Well-Known Member

    Joined:
    Sep 11, 2007
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    56
    Hidonet, any reason you didn't use clamdscan instead of clamscan? It appears to use fewer resources that way.
     
  6. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    You can change it if you want. There is no particular reason for that ;)
     
  7. JamesSmith

    JamesSmith Well-Known Member

    Joined:
    Sep 17, 2003
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    UK, Luton
    The script works under FreeBSD, good job.

    One problem for us: it's not picking up the username correctly and thus not changing the account password of compromised accounts.

    I see the following:

    Code:
    Subject: Gumblar Attack !!! user : home
    
    Warning !!!
    
    03.10.2009 11:12:43 Saturday
    There is a GUMBLAR ATTACK on account home
    
    Infected file : /usr/home/james/iframetest/test4.html
    
    Infection : (pattern removed) at line 1
    
    Action : File moved to : /quarantine/clamav//test4.html.20091003111243
    
    Password might be changed to : xxxxxxxxxxx
    
    Ret : Array
     
  8. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    Hmmm...

    Please send me the right user path, for example /home/username/ on Linux.

    I'm going to add FreeBSD support :)
     
  9. JamesSmith

    JamesSmith Well-Known Member

    Joined:
    Sep 17, 2003
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    UK, Luton
    Usually it will be /usr/home/username

    On this particular system it is something different entirely. Maybe a config option could be added to specify it?
     
  10. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    Yes, I will add a config option for the platform...
     
  11. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    Quarantine files are not overwritten... But your idea is good, I will do it.. :)
     
  12. JamesSmith

    JamesSmith Well-Known Member

    Joined:
    Sep 17, 2003
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    UK, Luton
    Also, a neat feature would be to create a directory named after the username in the quarantine directory. If more than one account is compromised and uploads happen at the same time, we could have the same files being quarantined and overwriting each other.

    /quarantine/username/infectedfiles
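Both the FreeBSD username mix-up reported above (the script reading "home" out of /usr/home/james/...) and the per-account quarantine directory requested here come down to how the upload hook maps a file path to an account. The following Python sketch is an added illustration, not hidonet's PHP script and not cPanel code; it assumes a configurable list of home bases and a /quarantine root, and uses a constructed timestamp matching the alert mail quoted earlier in the thread:

```python
import posixpath
from datetime import datetime

# Assumed configuration (not from the thread): home bases per platform. The
# script under discussion assumed /home/<user>; FreeBSD uses /usr/home/<user>.
HOME_BASES = ("/home", "/usr/home")
QUARANTINE_ROOT = "/quarantine"
# Constructed sample timestamp, matching the one in the quoted alert mail.
SAMPLE_TIME = datetime(2009, 10, 3, 11, 12, 43)


def naive_username(path):
    """The failure mode reported in the thread: the second path component is
    'home' for /usr/home/james/..., so the wrong account would be acted on."""
    return path.split("/")[2]


def derive_username(path, home_bases=HOME_BASES):
    """Return the account owning an uploaded file, or None when the path is
    not under any configured home base (for example a custom docroot)."""
    norm = posixpath.normpath(path)  # collapses '//' and resolves '..'
    for base in home_bases:
        prefix = base.rstrip("/") + "/"
        if norm.startswith(prefix):
            user = norm[len(prefix):].split("/", 1)[0]
            if user and user not in (".", ".."):
                return user
    return None


def quarantine_path(root, username, infected_path, when):
    """Per-account directory plus timestamp suffix: two accounts uploading the
    same filename, or one account twice, never overwrite each other."""
    name = posixpath.basename(infected_path)  # drop any directory parts
    return posixpath.join(root, username, f"{name}.{when:%Y%m%d%H%M%S}")


def plan_quarantine(infected_path, when, root=QUARANTINE_ROOT):
    """What the upload hook should do. If the owner cannot be identified, only
    alert: changing the password of a misidentified account helps nobody."""
    user = derive_username(infected_path)
    if user is None:
        return {"user": None, "action": "alert-only", "target": None}
    target = quarantine_path(root, user, infected_path, when)
    return {"user": user, "action": "quarantine", "target": target}


if __name__ == "__main__":
    for p in ("/usr/home/james/iframetest/test4.html", "/home/alice/x.php",
              "/var/www/site/index.php"):
        print(p, "->", plan_quarantine(p, SAMPLE_TIME))
```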
     
  13. headout

    headout Well-Known Member

    Joined:
    Aug 20, 2003
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    156
    The current download is missing ftp_clamscan_config.php. Can you please provide me a working ftp_clamscan_config.php file?
     
  14. mitya4004

    mitya4004 Member

    Joined:
    Dec 30, 2008
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    51
    Could you provide a manual for installing it on ProFTPD?

    Thank you
     
  15. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
  16. mitya4004

    mitya4004 Member

    Joined:
    Dec 30, 2008
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    51
    I can only find instructions for pure-ftpd there..
     
  17. mitya4004

    mitya4004 Member

    Joined:
    Dec 30, 2008
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    51
    I know for certain that ProFTPD can use ClamAV for file scanning,
    and I think this functionality can help.
     
  18. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    Not yet... But I'm planning to add ProFTPD support. But I guess ProFTPD has no similar function to check files after or during upload...
     
  19. ljesh

    ljesh Well-Known Member

    Joined:
    Aug 2, 2008
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    56
    :cool:

    Whoa. This is probably the most useful script I have seen. Installed it, ran some tests, it looks perfect and does its job.
    hidonet, please keep up the great job. People, if you like the script, donate. He is doing this for free.
    hidonet, I would suggest one thing to fix for some future release:
    1. All infected files get transferred to /quarantine/clamav. If you could make it /quarantine/clamav<username>/ that would be great!
     
  20. onyx_love

    onyx_love Registered

    Joined:
    Dec 23, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    51
    Hello,

    There is an iframe exploit which generates .pl files, and those start sending mails from the server's localhost.

    Does this give protection against that as well?
     