About This Script

I wrote this script to keep FTP/Gumblar attackers away from my servers.

The script is FREEWARE. You can use, distribute or change this code.

If you have different patterns for Gumblar or similar attacks, please send them to me. I want to enhance the pattern list in the script.

Feel free to send bug reports to my e-mail ;)

Some facts and tips about Gumblar attacks:

  • Gumblar attacks are generally made with infected Windows PCs.
  • Some viruses sniff your PC’s traffic to the network or internet and steal passwords, then send your passwords to their boss…
  • There is no known case of passwords being stolen from the saved passwords in FTP clients.
  • Explorer is not an FTP client. Do not use Explorer as an FTP client. Use FileZilla or a similar FTP client for FTP operations.
  • Do not use a regular FTP connection. Use FTPS, FTPES or SFTP (whichever is usable on the server). If your server runs Windows, SFTP may not work.
  • Do not store your passwords in plain text files. If you don’t want to save passwords in the FTP client, use a password keeper utility like KeePass.
  • Use an up-to-date antivirus. Some people say “AV slows my machine”. There is a simple rule: a slow and working PC is better than an infected and crashed PC ;)


Release Changelog – 2009.11.15

  • Wordscan patterns moved to the ftp_clamscan_patterns.php file. You can add your own patterns (don’t forget to send me your patterns)…
  • Darkmailer.cgi patterns added
  • Some minor bugs fixed

Release Changelog – 2009.09.02

  • ftp_clamscan.sh file REMOVED. We don’t need the ftp_clamscan.sh file anymore. In the /etc/init.d/pure-ftpd file, please change the line
    $DAEMONIZE /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.sh
    to
    $DAEMONIZE /usr/sbin/pure-uploadscript -B -r /root/ftp_clamscan.php

  • Username finding mechanism fixed
  • Kill IDLE connection function renewed
  • Config file separated
  • Log file is now located at /var/log/ftp_clamscan.log (or wherever you want)
  • Quarantine directory is now located at /quarantine/clamav/ (or wherever you want)
  • Some minor bugs fixed

Release Changelog – 2009.08.13

  • First release


  • I’m planning to add Plesk and ProFTPD support
  • I will add auto install function
  • I will add auto update function
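
The 2009.09.02 changelog hooks the scanner into pure-uploadscript and adds a log file and a quarantine directory. The sketch below is an added example, not the author's ftp_clamscan.php: a minimal shell hook of the same shape that does only the fixed-string word scan (no ClamAV call) and treats the uploaded file name strictly as data. The function name scan_upload and the plain-text patterns file /root/ftp_clamscan_patterns.txt (one fixed string per line) are assumptions made for the example.

```shell
#!/bin/sh
# Added example. pure-uploadscript runs the hook with the uploaded file's
# absolute path as $1 and sets UPLOAD_USER in the environment.
# Return codes: 0 = clean, 1 = quarantined, 2 = could not scan.

scan_upload() {
    local file="$1" patterns="$2" quarantine="$3" log="$4" dest safe

    # Accept only an absolute path to a regular file that is not a symlink.
    case $file in /*) ;; *) return 2 ;; esac
    [ -f "$file" ] && [ ! -L "$file" ] || return 2

    # -F: patterns are fixed strings, not regexes. "--" ends option parsing,
    # so a name starting with "-" is never read as a flag. The path is always
    # a quoted argument and never passed through eval or "sh -c".
    if grep -qFf "$patterns" -- "$file"; then
        # Quarantine under a fresh random name so the uploader does not
        # control the destination file name.
        dest=$(mktemp "$quarantine/upload.XXXXXX") || return 2
        mv -f -- "$file" "$dest" && chmod 000 "$dest" || return 2
        # Replace non-printable bytes so a newline in the name cannot
        # forge extra log lines.
        safe=$(printf '%s' "$file" | tr -c '[:print:]' '?')
        printf '%s QUARANTINED user=%s file=%s dest=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${UPLOAD_USER:-unknown}" \
            "$safe" "$dest" >> "$log"
        return 1
    elif [ $? -ne 1 ]; then
        return 2    # grep itself failed: do not report the file as clean
    fi
    return 0
}

# When started by pure-uploadscript there is exactly one argument: the path.
if [ $# -ge 1 ]; then
    scan_upload "$1" /root/ftp_clamscan_patterns.txt \
        /quarantine/clamav /var/log/ftp_clamscan.log
fi
```

A return code of 2 (missing patterns file, symlink, relative path) means the file was not scanned and should be handled as a failure, not as a clean upload.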

    1. Ali Yamaner says:

      This well-intentioned but amateurishly written piece of code leaves your server open to every kind of danger.

    2. admin says:

      Dear Mr. Yamaner,

      I ran tests on the bug you mentioned, but it does not happen the way you describe. Before the file name reaches us, pure-ftp already does the neutralization needed so that it is not interpreted as a command. I tried at least 10-15 different alternatives, but none of them was executed as a command…

      Thanks for your warning..

      Hidayet Ok

    3. Linkslave says:

      Doing some browsing and noticed your blog appears a bit messed up in my K-meleon browser. But luckily hardly anybody uses it anymore but you might want to check it out.

    4. admin says:

      I’ve checked the site with K-Meleon 1.5.3 and everything is fine…

    5. netlynx says:

      There are a few scripts which create .PL files which send throwing mails from the server; will this help there also?
