HowTo scan and stop uploading infected files to your server
Posted: 05 Jun, 2009
by: Customer Service :: S.
Updated: 17 Jul, 2009
by: Customer Service :: S.

To scan uploads and stop infected files from being stored on your server, enable ClamAV with Pure-FTPd. (Do not use this with ProFTPD or other FTP services on your server.)

  1. Make sure ClamAV is installed on your server and up to date.

On cPanel and DirectAdmin powered servers, the ClamAV binaries are installed in:
/usr/local/bin and /usr/bin/

Using your favorite Linux text editor, such as vi or pico, edit the file /etc/pure-ftpd.conf and change the entry:

From:
#CallUploadScript yes

To:
CallUploadScript yes

Save and exit the file /etc/pure-ftpd.conf.

  2. Edit the file /etc/init.d/pure-ftpd
    Find the following entry:
    $DAEMONIZE $fullpath /etc/pure-ftpd.conf -O clf:/var/log/xferlog $OPTIONS --daemonize
    Directly underneath this entry, add the following line:
    $DAEMONIZE /usr/sbin/pure-uploadscript -B -r /var/run/pure-ftpd/clamscan.sh

  3. Find the following entry:
    kill $(cat /var/run/pure-ftpd.pid)
    Directly underneath this entry, add the following line:
    kill $(cat /var/run/pure-ftpd/pure-uploadscript.pid)

  4. Save and exit the file /etc/init.d/pure-ftpd

  5. Change the directory to:
    cd /var/run/pure-ftpd/

  6. Create the script clamscan.sh and insert the following text:
#!/bin/sh
# Called by pure-uploadscript after each upload; $1 is the uploaded file's path.

# Nothing to scan if no path was passed.
if [ "$1" = "" ]; then
        echo 'Variable is blank'
        exit
fi
# Nothing to scan if the file is no longer there.
if [ ! -f "$1" ]; then
        echo "$1 file not found"
        exit
fi

# Scan with clamdscan, delete the file if infected, and log the result.
date=`date '+%d-%m-%y %H:%M'`
scan=`/usr/bin/clamdscan --remove --no-summary "$1"`
echo "$date ClamAV $scan" >> /var/log/messages

  7. Save and exit the file clamscan.sh. Then run the following commands at the prompt:
    • chmod 755 /var/run/pure-ftpd/clamscan.sh
    • /sbin/service pure-ftpd restart

Since the script above calls clamdscan with the --remove switch, infected files are permanently deleted. If you want the script to move infected files to a directory instead of deleting them, change the following entry:

From:
scan=`/usr/bin/clamdscan --remove --no-summary "$1"`;

To:
scan=`/usr/bin/clamdscan --move=/root/junk --no-summary "$1"`;

If you do that, you need to create the subdirectory junk in the /root directory. To do so, execute this command:

  • mkdir /root/junk

DONE!
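
A fail-closed variant of the upload hook, added here as an example and not the article's own script: it branches on the clamdscan exit status (0 clean, 1 virus found, 2 error) and quarantines on scanner errors too, where clamscan.sh above leaves the file in place when the scan itself fails. SCANNER, QUARANTINE, LOG_TAG, log and scan_upload are names assumed for this example.

```shell
#!/bin/sh
# Added example: fail-closed variant of clamscan.sh (not the article's script).
# SCANNER, QUARANTINE, LOG_TAG, log and scan_upload are names assumed here.
# clamdscan exit codes used: 0 = clean, 1 = virus found, 2 = error.
SCANNER=${SCANNER:-/usr/bin/clamdscan}
QUARANTINE=${QUARANTINE:-/root/junk}
LOG_TAG=${LOG_TAG:-pure-ftpd-clamav}

# Log to syslog; fall back to stderr when logger is unavailable.
log() { logger -t "$LOG_TAG" "$*" 2>/dev/null || echo "$*" >&2; }

# Scan one uploaded file; prints clean, infected, error or skipped.
scan_upload() {
    file=$1
    if [ -z "$file" ] || [ ! -f "$file" ]; then
        echo skipped
        return 0
    fi
    rc=0
    result=$("$SCANNER" --no-summary "$file" 2>&1) || rc=$?
    case $rc in
        0) verdict=clean ;;
        1) verdict=infected ;;
        *) verdict=error ;;   # clamd stopped, socket missing, file unreadable
    esac
    if [ "$verdict" != clean ]; then
        # Quarantine on a detection and on a scanner failure alike, so an
        # unscanned upload never stays in the user's directory.
        dest="$QUARANTINE/$(date +%Y%m%d%H%M%S).$$.${file##*/}"
        mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE"
        if mv -f -- "$file" "$dest"; then
            chmod 600 "$dest"
        else
            log "could not quarantine $file"
        fi
    fi
    # UPLOAD_USER is exported by pure-uploadscript for each upload.
    log "user=${UPLOAD_USER:-unknown} file=$file verdict=$verdict rc=$rc $result"
    echo "$verdict"
}

# pure-uploadscript passes the uploaded file's path as the first argument.
if [ "$#" -gt 0 ]; then
    scan_upload "$1" >/dev/null
fi
```

Quarantining on scanner errors means every upload is held while clamd is down; watch the log for verdict=error entries so an outage is noticed quickly.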
