Re: [Clamav-users] How can I scan the POST data
Dear Lyle Giese, thank you, but I don't think that. I am sure that the solution is here with clam; there is nothing to do with javascript here.

Regards.

On Mon, Feb 22, 2010 at 9:00 AM, Lyle Giese l...@lcrcomputer.net wrote:

> You probably won't find their code using ClamAV. More likely is that they will inject code in an HREF or some java to download the malicious content from a different site. My experience is that they won't inject code that will be detected by ClamAV, but will inject a pointer to their code.
>
> You need to know when someone injects code when you are not looking. More like aide or some other file checker code. Aide will detect if your files have changed. You can then determine what the changes are or if someone that is not authorized to make changes is changing your webpages.
>
> IMHO, that is the direction you need to look. ClamAV is not the tool needed here.
>
> Lyle
>
> beshoo wrote:
>
> > What I want to achieve is to stop hackers from saving files to my server via HTTP POST to a php page, or via editing the php file from CPANEL and pasting the phpshell code. That is my goal.
> >
> > On Mon, Feb 22, 2010 at 7:40 AM, steve st...@greengecko.co.nz wrote:
> >
> > > On Mon, 2010-02-22 at 07:10 +0200, beshoo wrote:
> > >
> > > > Dear all, while I was looking on the net, I found *mod_clamav*; it said that it will protect the HTTP traffic. Now what I did to install it: PS my server has CPANEL.
> > > > [snip]
> > >
> > > What are you trying to achieve? I've never used mod_clamav, but it'll be checking the content that you serve. Is that OK?
> > >
> > > Personally, I protect my web *clients* by using squid proxy, integrating it via havp to a clamd server. Which - to me - is much more useful.
> > >
> > > Steve
> > >
> > > --
> > > Steve Holdoway st...@greengecko.co.nz
> > > http://www.greengecko.co.nz
> > > MSN: st...@greengecko.co.nz
> > > GPG Fingerprint = B337 828D 03E1 4F11 CB90 853C C8AB AF04 EF68 52E0

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] How can I scan the POST data
Hi there,

On Sun, 21 Feb 2010 beshoo wrote:

> Well I am using Apache 2 :) :)
> BTW ModSecurity scans post data
> I am not talking about file uploading,

We heard you the first time. :)

It doesn't matter whether you are uploading files or not. All you have to do is send the stream of bytes to clamd. The daemon doesn't care what the stream of bytes represents, neither does it care what you intend to do with the bytes after it has scanned them. It just swallows the bytes, scans them, throws them all away, and tells you if it finds something unpalatable. It's up to you to decide what to do then.

> but how can I tell ModSecurity to scan the post with clam AV!

I have no idea, I've never used ModSecurity. My suggestion was that you could probably achieve what you want to achieve with a few lines in a CGI script. If you want to use an Apache module, why not ask on an Apache list?

--
73,
Ged.
Re: [Clamav-users] How can I scan the POST data
Dear all,

While I was looking on the net, I found *mod_clamav*; it said that it will protect the HTTP traffic. Now, what I did to install it. PS: my server has CPANEL.

My Apache is:

r...@server [~]# httpd -v
Server version: Apache/2.2.14 (Unix)
Server built: Feb 21 2010 20:50:26
Cpanel::Easy::Apache v3.2.0 rev5009
r...@server [~]#

and my box is:

Linux 2.6.18-164.11.1.el5.centos.plus #1 SMP Wed Jan 20 18:49:35 EST 2010 x86_64 x86_64 x86_64 GNU/Linux

mod_proxy is installed as well.

# Steps that I did #

1- Download the latest version from http://software.othello.ch/mod_clamav/ and extract it :)

2- ./configure --with-apxs=/usr/bin/apxs --with-apache=/usr/local/apache

3- make

4- make install

make[1]: Entering directory `/root/download/mod_clamav-0.23'
make all-am
make[2]: Entering directory `/root/download/mod_clamav-0.23'
make[2]: Leaving directory `/root/download/mod_clamav-0.23'
/usr/bin/apxs -i -a -n 'clamav' .libs/mod_clamav.so
/usr/local/apache/build/instdso.sh SH_LIBTOOL='/usr/local/apache/build/libtool' .libs/mod_clamav.so /usr/local/apache/modules
/usr/local/apache/build/libtool --mode=install cp .libs/mod_clamav.so /usr/local/apache/modules/
cp .libs/mod_clamav.so /usr/local/apache/modules/mod_clamav.so
Warning! dlname not found in /usr/local/apache/modules/mod_clamav.so.
Assuming installing a .so rather than a libtool archive.
chmod 755 /usr/local/apache/modules/mod_clamav.so
[activating module `clamav' in /usr/local/apache/conf/httpd.conf]
make[1]: Nothing to be done for `install-data-am'.
make[1]: Leaving directory `/root/download/mod_clamav-0.23'

5- Now here I did not understand how I can make it work to scan the HTTP. I did read the docs, which said something about this (http://software.othello.ch/mod_clamav/):

Configuration
The distribution includes a sample configuration file *sample.conf*, which should get you started.
What I understand from the doc is to configure the vars, but where do I have to put these vars? They did not say anything, so I think they may want me to put the conf inside the httpd.conf, and that is what I did. I put the following conf in my httpd.conf, which is located at /usr/local/apache/conf/httpd.conf:

ClamavTmpdir /var/tmp/
ClamavDbdir /usr/share/clamav
ClamavSafetypes image/jpg
ClamavMode daemon
ClamavSocket /var/clamd
ClamavTrickleInterval 10
ClamavTrickleSize 1024
ClamavSizelimit 100
ClamavShm /var/log/clam/clamav.shm
ClamavMutex /var/log/clam/clamav.lock
ClamavAcceptDaemonproblem on
ClamavExtendedLogging on
LogFormat "%t %!304{clamav:status}n %{clamav:details}n %{clamav:virusname}n request=\"%r\", status=%s, sent=%!304b, delay=%!304D" clamav_stats
CustomLog logs/scan_log clamav_stats

# make sure proxy data is filtered
<Proxy *>
    SetOutputFilter CLAMAV
</Proxy>

# define the location for status information
<Location /clamav>
    SetHandler clamav
    allow from all
</Location>

ClamavMessage "\
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0//EN\">\
<html>\
<head>\
<title>%i found virus</title>\
</head>\
<body text=\"#00\" bgcolor=\"#ff\">\
<basefont size=\"4\">\
<h1><center>%i found virus</center></h1>\
<p>The virus <b>%v</b> was found while downloading <i>%u</i>.\
The transfer has been aborted.</p>\
</basefont>\
</body>\
</html>"

But after all of that, I can still send a POST with a phpshell virus. What are the wrong steps that I did? Please correct me :) Thank you for your patience :)

On Sun, Feb 21, 2010 at 7:44 PM, G.W. Haywood g...@jubileegroup.co.uk wrote:

> Hi there,
>
> On Sun, 21 Feb 2010 beshoo wrote:
>
> > Well I am using Apache 2 :) :)
> > BTW ModSecurity scans post data
> > I am not talking about file uploading,
>
> We heard you the first time. :)
>
> It doesn't matter whether you are uploading files or not. All you have to do is send the stream of bytes to clamd. The daemon doesn't care what the stream of bytes represents, neither does it care what you intend to do with the bytes after it has scanned them. It just swallows the bytes, scans them, throws them all away, and tells you if it finds something unpalatable. It's up to you to decide what to do then.
>
> > but how can I tell ModSecurity to scan the post with clam AV!
>
> I have no idea, I've never used ModSecurity. My suggestion was that you could probably achieve what you want to achieve with a few lines in a CGI script. If you want to use an Apache module, why not ask on an Apache list?
>
> --
> 73,
> Ged.
Re: [Clamav-users] How can I scan the POST data
On Mon, 2010-02-22 at 07:10 +0200, beshoo wrote:

> Dear all, while I was looking on the net, I found *mod_clamav*; it said that it will protect the HTTP traffic. Now what I did to install it: PS my server has CPANEL.
> [snip]

What are you trying to achieve? I've never used mod_clamav, but it'll be checking the content that you serve. Is that OK?

Personally, I protect my web *clients* by using squid proxy, integrating it via havp to a clamd server. Which - to me - is much more useful.

Steve

--
Steve Holdoway st...@greengecko.co.nz
http://www.greengecko.co.nz
MSN: st...@greengecko.co.nz
GPG Fingerprint = B337 828D 03E1 4F11 CB90 853C C8AB AF04 EF68 52E0
Re: [Clamav-users] How can I scan the POST data
What I want to achieve is to stop hackers from saving files to my server via HTTP POST to a php page, or via editing the php file from CPANEL and pasting the phpshell code. That is my goal.

On Mon, Feb 22, 2010 at 7:40 AM, steve st...@greengecko.co.nz wrote:

> On Mon, 2010-02-22 at 07:10 +0200, beshoo wrote:
>
> > Dear all, while I was looking on the net, I found *mod_clamav*; it said that it will protect the HTTP traffic. Now what I did to install it: PS my server has CPANEL.
> > [snip]
>
> What are you trying to achieve? I've never used mod_clamav, but it'll be checking the content that you serve. Is that OK?
>
> Personally, I protect my web *clients* by using squid proxy, integrating it via havp to a clamd server. Which - to me - is much more useful.
>
> Steve
>
> --
> Steve Holdoway st...@greengecko.co.nz
> http://www.greengecko.co.nz
> MSN: st...@greengecko.co.nz
> GPG Fingerprint = B337 828D 03E1 4F11 CB90 853C C8AB AF04 EF68 52E0
Re: [Clamav-users] How can I scan the POST data
You probably won't find their code using ClamAV. More likely is that they will inject code in an HREF or some java to download the malicious content from a different site. My experience is that they won't inject code that will be detected by ClamAV, but will inject a pointer to their code.

You need to know when someone injects code when you are not looking. More like aide or some other file checker code. Aide will detect if your files have changed. You can then determine what the changes are or if someone that is not authorized to make changes is changing your webpages.

IMHO, that is the direction you need to look. ClamAV is not the tool needed here.

Lyle

beshoo wrote:

> What I want to achieve is to stop hackers from saving files to my server via HTTP POST to a php page, or via editing the php file from CPANEL and pasting the phpshell code. That is my goal.
>
> On Mon, Feb 22, 2010 at 7:40 AM, steve st...@greengecko.co.nz wrote:
>
> > On Mon, 2010-02-22 at 07:10 +0200, beshoo wrote:
> >
> > > Dear all, while I was looking on the net, I found *mod_clamav*; it said that it will protect the HTTP traffic. Now what I did to install it: PS my server has CPANEL.
> > > [snip]
> >
> > What are you trying to achieve? I've never used mod_clamav, but it'll be checking the content that you serve. Is that OK?
> >
> > Personally, I protect my web *clients* by using squid proxy, integrating it via havp to a clamd server. Which - to me - is much more useful.
> >
> > Steve
> >
> > --
> > Steve Holdoway st...@greengecko.co.nz
> > http://www.greengecko.co.nz
> > MSN: st...@greengecko.co.nz
> > GPG Fingerprint = B337 828D 03E1 4F11 CB90 853C C8AB AF04 EF68 52E0
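Lyle's suggestion above is a file-integrity check of the kind AIDE does: record what every file in the docroot looks like now, and later report anything that differs, whatever the content. The script below is an added example written for this page, not AIDE's code and not anything posted in the thread. It hashes every regular file under a directory into a baseline kept outside that directory, then diffs a fresh walk against it; the docroot, the index.php and the uploads/shell.php it creates are all constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Baseline-and-compare integrity check for a web docroot, in the spirit of
AIDE. Added example, not AIDE's code: it records sha256, size and mode of every
regular file under a directory and reports what was added, removed or changed."""
import hashlib
import json
import os
import stat
import tempfile

def sha256_of(path):
    """Hash in blocks so a large upload need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(block)
    return digest.hexdigest()

def build_baseline(root):
    """Map each regular file (path relative to root) to its identity record."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                    # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)            # lstat: never follow a symlink out of root
            if not stat.S_ISREG(st.st_mode):
                continue
            baseline[os.path.relpath(full, root)] = {
                "sha256": sha256_of(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline

def compare(old, new):
    """Report paths that are new, gone, or whose record differs."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "changed": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }

def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)

def demo():
    """Constructed scenario: baseline a tiny docroot, then simulate a web shell
    being dropped into uploads/ and index.php being edited, and diff the two."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.mkdir(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "uploads", "logo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0 constructed, not a real jpeg")
        baseline_file = os.path.join(store, "baseline.json")   # kept outside root
        save_baseline(build_baseline(root), baseline_file)

        # Attacker activity (constructed): one new file, one edited file.
        with open(os.path.join(root, "uploads", "shell.php"), "w") as fh:
            fh.write("<?php /* stand-in for an uploaded web shell */ ?>\n")
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("<?php /* stand-in for injected code */ ?>\n")

        return compare(load_baseline(baseline_file), build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The check does not care what the new bytes are, which is exactly why it catches the "pointer to their code" case that a signature scanner misses. Two caveats apply in practice: the baseline must live where the web server's user, and anyone with cPanel's file manager, cannot write, because the same access that drops a shell can rewrite a baseline stored next to it; and AIDE records more than this (owner, inode, mtime, extended attributes) and is what you would actually deploy, this script only shows the mechanism.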
Re: [Clamav-users] How can I scan the POST data
Well I am using Apache 2 :)

BTW ModSecurity scans post data. I am not talking about file uploading, but how can I tell ModSecurity to scan the post with clam AV!

On Tue, Feb 16, 2010 at 3:36 PM, G.W. Haywood g...@jubileegroup.co.uk wrote:

> Hi there,
>
> On Tue, 16 Feb 2010 Matus UHLAR wrote:
>
> > On Tue, 9 Feb 2010 beshoo wrote:
> > > I need to scan the post data, not the POST uploaded files
> >
> > On 09.02.10 11:27, G.W. Haywood wrote:
> > > man clamd
> > > Look for 'INSTREAM'.
> >
> > He is apparently searching for an http server module that would scan POST data for viruses...
>
> Yes, of course he is, and if he'd told us which Web server he's using he might have received more feedback about that. But he doesn't really need anything as complex as, say, an Apache module. A simple CGI script could send the POST data to clamd, read the result, and decide what to do about it.
>
> These references may help:
>
> perldoc perlipc
> http://www.google.com/#hl=ennum=100q=%22unix+socket%22+examplemeta=aq=oq=%22unix+socket%22+example
>
> This may be a start:
>
> [r...@mail3 ~]# echo PING | socat unix-connect:/var/run/clam/clamd.sock stdio
> PONG
>
> --
> 73,
> Ged.
Re: [Clamav-users] How can I scan the POST data
Hi there,

On Tue, 16 Feb 2010 Matus UHLAR wrote:

> On Tue, 9 Feb 2010 beshoo wrote:
> > I need to scan the post data, not the POST uploaded files
>
> On 09.02.10 11:27, G.W. Haywood wrote:
> > man clamd
> > Look for 'INSTREAM'.
>
> He is apparently searching for an http server module that would scan POST data for viruses...

Yes, of course he is, and if he'd told us which Web server he's using he might have received more feedback about that. But he doesn't really need anything as complex as, say, an Apache module. A simple CGI script could send the POST data to clamd, read the result, and decide what to do about it.

These references may help:

perldoc perlipc
http://www.google.com/#hl=ennum=100q=%22unix+socket%22+examplemeta=aq=oq=%22unix+socket%22+example

This may be a start:

[r...@mail3 ~]# echo PING | socat unix-connect:/var/run/clam/clamd.sock stdio
PONG

--
73,
Ged.
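What Ged describes here, and again in the reply higher up the page (clamd does not care what the bytes are; a few lines of CGI can hand the POST body to it over INSTREAM and act on the verdict), looks like the following in Python. This is an added example written for this page, not code from the thread, from ClamAV or from mod_clamav. The socket path is an assumption (take the LocalSocket value from your clamd.conf), and the small fake clamd at the bottom exists only so the demo runs with no daemon present; against a real clamd the EICAR string is reported under its real signature name. It also shows why the mod_clamav configuration posted in this thread does not stop a POST: SetOutputFilter CLAMAV hooks Apache's output filter chain, so it sees the bodies Apache sends, never the body it receives. Whatever receives the request has to pass it to clamd itself, which is what this script does.

```python
#!/usr/bin/env python3
"""Hand an HTTP POST body to clamd over INSTREAM. Added example, not ClamAV's
or mod_clamav's code; CLAMD_SOCKET is an assumption (see LocalSocket in
clamd.conf), and the fake clamd below exists only so the demo runs offline."""
import os
import socket
import struct
import sys
import tempfile
import threading

CLAMD_SOCKET = "/var/run/clamav/clamd.sock"   # assumption, see clamd.conf
CHUNK_SIZE = 64 * 1024
# The EICAR test string: harmless, but every scanner reports it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def instream_frames(data, chunk_size=CHUNK_SIZE):
    """Wire format of INSTREAM (man clamd): the command, then chunks each
    prefixed by a 4-byte network-order length, ended by a zero-length chunk.
    The 'z' prefix asks clamd for a NUL-terminated reply."""
    yield b"zINSTREAM\0"
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)

def parse_reply(reply):
    """clamd answers 'stream: OK', 'stream: <signature> FOUND' or '... ERROR'."""
    text = reply.rstrip(b"\0\n").decode("ascii", "replace")
    verdict = text.split(": ", 1)[-1]
    if verdict == "OK":
        return ("OK", None)
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[:-len(" FOUND")])
    return ("ERROR", verdict)

def scan_bytes(data, sock_path=CLAMD_SOCKET, chunk_size=CHUNK_SIZE):
    """Stream data to clamd and return (status, signature_name)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        for frame in instream_frames(data, chunk_size):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0") and (part := sock.recv(4096)):
            reply += part
    return parse_reply(reply)

def cgi_main():
    """CGI entry point: reject the request when the POST body is flagged."""
    length = int(os.environ.get("CONTENT_LENGTH") or 0)
    body = sys.stdin.buffer.read(length)
    status, name = scan_bytes(body)
    if status == "FOUND":
        sys.stdout.write("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nrejected: %s\n" % name)
    elif status == "ERROR":      # fail closed: no verdict means no upload
        sys.stdout.write("Status: 503 Service Unavailable\r\n\r\n")
    else:
        sys.stdout.write("Content-Type: text/plain\r\n\r\nclean, %d bytes\n" % len(body))

def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        part = conn.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-frame")
        buf += part
    return buf

def _fake_clamd(sock_path, ready, connections):
    """Stand-in for clamd in the demo: reassembles each INSTREAM session and
    flags only EICAR. A real clamd applies its signature database here."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        srv.listen(1)
        ready.set()
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                assert _recv_exact(conn, 10) == b"zINSTREAM\0"
                body = b""
                while (n := struct.unpack("!I", _recv_exact(conn, 4))[0]):
                    body += _recv_exact(conn, n)
                found = EICAR in body
                conn.sendall(b"stream: Eicar-Test-Signature FOUND\0" if found else b"stream: OK\0")

def demo():
    """Scan a harmless form body and one carrying EICAR through the fake clamd,
    with a 16-byte chunk size so EICAR itself is split across frames."""
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "clamd.sock")
        ready = threading.Event()
        server = threading.Thread(target=_fake_clamd, args=(sock_path, ready, 2))
        server.start()
        ready.wait()
        results = [scan_bytes(b, sock_path, chunk_size=16)
                   for b in (b"user=alice&comment=hello", b"file=" + EICAR)]
        server.join()
    return results

if __name__ == "__main__":
    cgi_main() if "CONTENT_LENGTH" in os.environ else print(demo())
```

Run by hand it exercises the demo; under Apache, with CONTENT_LENGTH set, cgi_main() reads the body from stdin and answers 403 on a detection. Two practical points: clamd's StreamMaxLength caps how much INSTREAM will accept, and a body over that limit comes back as an ERROR, which the script treats as a refusal rather than a pass; and a signature scanner only catches what it has signatures for, which is Lyle's point about attackers injecting a pointer to code hosted elsewhere, so this is one layer, not the whole answer.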
Re: [Clamav-users] How can I scan the POST data
Hi there,

On Tue, 9 Feb 2010 beshoo wrote:

> I need to scan the post data, not the POST uploaded files

man clamd

Look for 'INSTREAM'.

--
73,
Ged.