ServerTune Logo Dedicated Servers Colocation VPS Server Management ServerTune.com
 
ServerTune HomeAbout usContact usHelp DeskKnowledgebaseSpecialLIVE Chat ServerTune
DirectAdmin VPS Server Management

Value, Power, and Performance :: Dedicated Servers starting $89 /month

Dedicated Server Hosting
Click here to view photos from the conferences we attended.   *** Follow ServerTune on: ServerTune is on Facebook ServerTune is on Twitter
 
Browse by category   Search
 
/ServerTune KB / Operating Systems / Security / HowTo :: scan and stop uploading infected files to your server/
HowTo :: scan and stop uploading infected files to your server
Printer Friendly
Printer friendly
email to a friend
Email to friend
Add comment Add comment
Views: 3319
Votes: 2
Comments: 0
Posted: 05 Jun, 2009
by: Customer Service :: S.
* * * * *
Updated: 28 Mar, 2010
by: Customer Service :: S.

To scan and stop uploading infected files to your server , you need to enable ClamAV with PureFTP (Do not use this with ProFTP or other FTP services on your server).

  1. Make sure Clamav is installed on your server and/or up-to-date.

Clamav binary files are installed in (for a cPanel and DirectAdmin powered servers)
/usr/local/bin and /usr/bin/

Using your favorite Linux text editor such as vi or pico, edit /etc/pure-ftpd.conf file and set the entry:

From:
#CallUploadScript yes

To:
CallUploadScript yes

Save and exit the file /etc/pure-ftpd.conf.

  1. Edit the file /etc/init.d/pure-ftpd
    Find the following entry:
    $DAEMONIZE $fullpath /etc/pure-ftpd.conf -O clf:/var/log/xferlog $OPTIONS --daemonize
    and insert the following line below it:
    $DAEMONIZE /usr/sbin/pure-uploadscript -B -r /var/run/pure-ftpd/clamscan.sh
     
  2. Find the following entry:
    kill $(cat /var/run/pure-ftpd.pid)
    and insert the following line below it:
    kill $(cat /var/run/pure-ftpd/pure-uploadscript.pid)
     
  3. Save and exit the file /etc/init.d/pure-ftpd
     
  4. Change the directory to:
    cd /var/run/pure-ftpd/
     
  5. Create the following script: clamscan.sh and insert the following text
#!/bin/sh

if [ "$1" = "" ]; then
        echo 'Variable is blank';
        exit;
fi
if [ ! -f "$1" ]; then
        echo "$1 file not found"
        exit;
fi


date=`date '+%d-%m-%y %H:%M'`;
scan=`/usr/bin/clamdscan --remove --no-summary "$1"`;
echo "$date ClamAV $scan" >> /var/log/messages
  1. Save and exit the file clamscan.sh, and then run the following command to change its permission:
    chmod 755 /var/run/pure-ftpd/clamscan.sh
  1. Restart PureFTP daemon (for generic server):
    /sbin/service pure-ftpd restart
    For a cPanel powered-server:
    /scripts/restartsrv pure-ftpd

Since we used the switch --remove with the clamscan command in the script above, infected files will be permanently deleted. If you do not want the script to delete infected files and just move them to a directory, change the following entry:

From:
scan=`/usr/bin/clamdscan --remove --no-summary "$1"`;

To:
scan=`/usr/bin/clamdscan --move=/root/junk --no-summary "$1"`;

If you do that, you need to create the subdirectory junk in the /root directory. To do so, execute this command:

  • mkdir /root/junk

DONE!
Other articles in this Category
document Understanding Attack Techniques
document The Concept of Security
document What Causes High Server Load?
document Security Tips
document Mod Security Rules and SPAM
document Limit the resources for a specific user
document Denial of Services (DoS) Detrimental to Businesses
document Protect Your Company Against DDoS Attacks
document Malecious Random JavaScript Rootkit
document Protect your server against IFRAME JS injection code with "ServerTune Plus Plan"
document Latest findings about the Random JavaScript Rootkit
document RKhunter report: The command '/usr/bin/ldd' has been replaced by a script
document Linux kernels v2.6.17+ vmsplice()Root Exploit
document Horde v3.1.6 and earlier is NOT secure
document IFRAME injection code :: infected Web sites and suggestions
document Warning :: A new wave of domain scam/spam
document Your client or your PC might be a zombie in a Botnet


RSS
Last update: March 21st, 2010 ••• Copyright © 2004-2010 ServerTune Inc.
Control Panel Licensing
cPanel Plesk Miva Merchant