I have some Linux servers running CentOS 5 (WHM/cPanel) and a Windows 2008 server (Plesk 9).
Frequently our customers have their websites invaded, and sometimes we need to restore a backup of them.
In the logs I can see what the invader does: he captures the customer's FTP password, downloads the files, puts malicious code inside them (or changes all the contents, but they only do that sometimes) and uploads them back to the server.
What I need is an antivirus that gives a "Permission Denied" when the invader tries to send an infected file to the server.
I found some antiviruses, but they remove the file after it is back on the server.
In the end, the customer's website is not infected, but they still don't have the files and the website ends up offline.
Does someone here know a good antivirus that works like this?
The files contain a simple iframe, which is just normal HTML code; if you stripped everything containing an iframe you might get other problems as well.
The reason behind this is that your customers do not run an (up-to-date) virus scanner and have malware installed on their computers; so you are right, a good antivirus would solve your problem, but only if it is running on your clients' computers.
Suggest this to the client, and make sure you change the FTP password after they have scanned the complete PC first.
Well, we have 400 accounts on each server, and to every customer who contacts us with this injection our team says "scan your local computer and change the FTP password", but I need to solve this on the server side.
We are using some rules in lfd (a CSF component, an iptables interface manager) to block IPs after a number of failed access attempts, and some ranges are blocked at our firewall.
I know that 99% of website infections happen because the computer is already infected, but the end customer does not think about it and accesses the FTP account at a friend's house, at LAN houses, and at other public internet stations.
What you're looking for would be a great idea, and I for one, applaud you for trying to be so proactive for your clients. However, I don't think anything like that exists. If it did, you'd have to either install it on the server and let every website access the executable/binary, which could be a security issue, or let everyone install it for their site and have it be a huge resource issue.
And then you have to worry about the tech support for false positives and cybercriminals using new obfuscation techniques, etc.
I've always been a supporter of nightly antivirus scans on shared hosting systems, or web servers in general. If more web hosts ran nightly scans on their www dirs it would help catch defaced websites and drive-by downloaders; it's the responsible thing to do.
Sure, you're running Linux and there's no fear of your system becoming infected with common present-day Windows malware, but what about the users who visit your sites? One popular hacked site can result in many infected end-user machines. It's something to think about.
And as far as I know, none of them will detect defacements.
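As an added example (not code from this thread or from any of the tools named in it), here is the kind of nightly check the answer above argues for: it baselines file hashes under a web root, reports files added, removed or modified since the baseline, and flags changed HTML/PHP/JS files that now contain a hidden iframe, the injection described in the question. The hidden-iframe patterns, file suffixes and directory layout are assumptions; the demo builds a constructed sample site in a temporary directory rather than touching a real www dir.

```python
import hashlib
import json
import os
import re
import tempfile

# Heuristics for iframes styled to be invisible (constructed for this
# example; tune to your own sites, and expect some false positives).
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden"
    r"|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)[^>]*>",
    re.IGNORECASE,
)
# Only text files that a browser or PHP would execute are content-scanned.
SCAN_SUFFIXES = (".html", ".htm", ".php", ".js")


def sha256_of(path):
    """Stream a file through SHA-256 so large uploads don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def diff_manifest(baseline, current):
    """Return sorted lists (added, removed, modified) of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def find_hidden_iframes(text):
    """Return every iframe tag in text that matches the hidden-iframe heuristics."""
    return HIDDEN_IFRAME_RE.findall(text)


def scan_tree(root, baseline):
    """Nightly job: compare root against baseline and content-scan what changed."""
    current = build_manifest(root)
    added, removed, modified = diff_manifest(baseline, current)
    suspicious = {}
    for rel in added + modified:
        if not rel.lower().endswith(SCAN_SUFFIXES):
            continue
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
            hits = find_hidden_iframes(f.read())
        if hits:
            suspicious[rel] = hits
    return {"added": added, "removed": removed, "modified": modified,
            "suspicious": suspicious}


def demo():
    """Constructed sample: a clean site, a baseline, then one tampered page."""
    root = tempfile.mkdtemp(prefix="wwwdemo_")
    index = os.path.join(root, "index.html")
    with open(index, "w") as f:
        f.write("<html><body><h1>Customer site</h1></body></html>\n")
    with open(os.path.join(root, "logo.png"), "wb") as f:
        f.write(b"\x89PNG constructed placeholder")
    baseline = build_manifest(root)
    save_manifest(baseline, os.path.join(root, "..", "wwwdemo_baseline.json"))
    # Simulated injection of the kind the question describes (constructed):
    with open(index, "a") as f:
        f.write('<iframe src="http://malicious.example/x" width="0" height="0"></iframe>\n')
    return scan_tree(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In production you would run build_manifest after each legitimate deploy, keep the manifest outside the web root (it is written beside the temp dir here only for the demo), and have the nightly scan_tree report feed your ticketing or alerting rather than print to the console. It does not block the upload the question asks about, but it does tell you within a night which accounts were touched and which pages carry an injected iframe, which is exactly the defacement case the thread says antivirus signatures miss.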
Unfortunately, the main solution is for the customers to use strong antivirus programs. But we use clamdscan to block some harmful files arriving via FTP.
clamscan will not catch these infections. It's directly related to the customer's machine being infected. They will continue to blame you, but there really is no way for you to prevent this on the server side. My suggestion to you is to find a great malware scanner/antivirus and begin recommending that customers scan with the latest versions of each.