NEW VPS Plans

ServerTune provides -- managed and un-managed -- VPS hosting solutions at affordable prices to accommodate your personal and/or businesses needs.

Click here for more info ...

NEW VPS Plans

Click to hideClick to view
ServerTune

Browse by category

Search    |    Advanced search

Home / Security / HowTo :: scan and stop uploading infected files to your server/
HowTo :: scan and stop uploading infected files to your server

To scan and stop uploading infected files to your server, you need to enable ClamAV with PureFTP (Do not use this with ProFTP or other FTP services on your server).

  1. Make sure Clamav is installed on your server and/or up-to-date.

Clamav binary files are installed in (for a cPanel and DirectAdmin powered servers)
/usr/local/bin and /usr/bin/

Using your favorite Linux text editor such as vi or pico, edit /etc/pure-ftpd.conf file and set the entry:

From:
#CallUploadScript yes

To:
CallUploadScript yes

Save and exit the file /etc/pure-ftpd.conf.

  1. Edit the file /etc/init.d/pure-ftpd
    Find the following entry:
    $DAEMONIZE $fullpath /etc/pure-ftpd.conf -O clf:/var/log/xferlog $OPTIONS --daemonize
    and insert the following line below it:
    $DAEMONIZE /usr/sbin/pure-uploadscript -B -r /var/run/pure-ftpd/clamscan.sh
     
  2. Find the following entry:
    kill $(cat /var/run/pure-ftpd.pid)
    and insert the following line below it:
    kill $(cat /var/run/pure-ftpd/pure-uploadscript.pid)
     
  3. Save and exit the file /etc/init.d/pure-ftpd
     
  4. Change the directory to:
    cd /var/run/pure-ftpd/
     
  5. Create the following script: clamscan.sh and insert the following text
#!/bin/sh

if [ "$1" = "" ]; then
        echo 'Variable is blank';
        exit;
fi
if [ ! -f "$1" ]; then
        echo "$1 file not found"
        exit;
fi


date=`date '+%d-%m-%y %H:%M'`;
scan=`/usr/bin/clamdscan --remove --no-summary "$1"`;
echo "$date ClamAV $scan" >> /var/log/messages
  1. Save and exit the file clamscan.sh, and then run the following command to change its permission:
    chmod 755 /var/run/pure-ftpd/clamscan.sh
  1. Restart PureFTP daemon (for generic server):
    /sbin/service pure-ftpd re start
    For a cPanel powered-server:
    /scripts/restartsrv pure-ftpd

Since we used the switch --remove with the clamscan command in the script above, infected files will be permanently deleted. If you do not want the script to delete infected files and just move them to a directory, change the following entry:

From:
scan=`/usr/bin/clamdscan --remove --no-summary "$1"`;

To:
scan=`/usr/bin/clamdscan --move=/root/junk --no-summary "$1"`;

If you do that, you need to create the subdirectory junk in the /root directory. To do so, execute this command:

DONE!

Printer Friendly
Printer friendly
 
email to a friend
Email to friend
 
Add comment
Add comment
 
Views: 3628
 
Votes: 2
 
Comments: 0
 
Posted: 05 Jun, 2009 by: Customer Service S.
Updated: 03 Mar, 2011 by: Customer Service S.

Other articles in this Category

Article
Understanding Attack Techniques
Article
The Concept of Security
Article
What Causes High Server Load?
Article
Mod Security Rules and SPAM
Article
Limit the resources for a specific user
Article
Denial of Services (DoS) Detrimental to Businesses
Article
Protect Your Company Against DDoS Attacks
Article
Malecious Random JavaScript Rootkit
Article
Latest findings about the Random JavaScript Rootkit
Article
RKhunter report: The command '/usr/bin/ldd' has been replaced by a script
Article
Linux kernels v2.6.17+ vmsplice()Root Exploit
Article
Horde v3.1.6 and earlier is NOT secure
Article
IFRAME injection code :: infected Web sites and suggestions
Article
Warning :: A new wave of domain scam/spam
Article
Your client or your PC might be a zombie in a Botnet
RSS
Copyright © 2004-2011 ServerTune, Inc.