How to virus scan FTP uploads

To help protect your server, you may want to scan your users' FTP uploads.  Here is a great way of doing this if you are using Pure-FTP and ClamAV.  Pure-FTP has an option to run a program after each upload, called pure-uploadscript.  What you do is tie the virus scanner into this script, so that when a file gets uploaded, it gets scanned.  As long as you keep your virus scanner up to date, this will pick up most of the mainstream viruses, as well as the dreaded PHP shell scripts.

Here is how we do it.  We first need to ssh into our server, and then switch user to root.  Now, execute the following from the command line:

echo \#\!/bin/sh > /etc/pure-ftpd/

This command will create a file called, and place an interpreter call on the first line.  Next, we add the action line to the file, by executing this command:

echo '/usr/bin/clamdscan --move=/root/badfiles/ --quiet --no-summary --log=/var/log/clamscan.log "$1"' >> /etc/pure-ftpd/

This will insert the second line in the upload-check script.  This line calls the virus scanner, clamdscan, and passes some options to it.  The first one, --move, tells the scanner to move the file if it has found a problem with it.  I always find it useful to see what people are trying to upload, instead of just deleting the file as soon as it's scanned.  The other important parameter here is the log value, --log.  We are telling the scanner to log all activity to the clamscan.log file, which is useful to view every so often, to see if anyone was trying to upload something nasty.  Now, chmod the script:

chmod 700 /etc/pure-ftpd/

The next step is to ensure that when your server starts up, the pure-uploadscript binary is started with the newly created script:

echo /usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/ >> /etc/rc.d/rc.local

This places a line at the bottom of your rc.local file, telling it to run the pure-uploadscript, with the parameters you have assigned to it.

Next, we tell pure-ftpd to use the upload scanner.  Open its configuration file in whatever editor you prefer:

vi /etc/pure-ftpd.conf

Search for CallUploadScript, and uncomment the line.  Save your changes, and exit.

Now all we need to do is start the pure-uploadscript daemon and restart pure-ftpd:

/usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/

service pure-ftpd restart

Once done, you should now be scanning all files uploaded through FTP.  To check whether any viruses have been found, check the log file.  This command displays only the lines that have reported a virus:

tail -n 1000 /var/log/clamscan.log | grep FOUND

The files found to contain viruses will also have been moved to /root/badfiles, so that you can take a look at them and, if one is a false positive, move the file back to the user's directory.
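
The one-line action above does not check clamdscan's exit status, so a scan that fails (for example because clamd is not running) leaves the upload in place unscanned. The following is an added example, not part of the original article, of the same hook written so that it handles that case; SCANNER, QUARANTINE, SCAN_LOG and the "unscanned" subdirectory are names assumed for this example.

```shell
#!/bin/sh
# Added example, not the article's script. Same clamdscan options as the
# article's one-liner, plus handling for the case where the scan itself fails.
# SCANNER, QUARANTINE, SCAN_LOG and the "unscanned" subdirectory are
# assumptions made for this example; the defaults match the article's paths.
SCANNER="${SCANNER:-/usr/bin/clamdscan}"
QUARANTINE="${QUARANTINE:-/root/badfiles}"
SCAN_LOG="${SCAN_LOG:-/var/log/clamscan.log}"

# scan_upload FILE
# Returns 0 if clean, 1 if clamdscan flagged (and moved) the file,
# 2 if the scan could not run and the file was put on hold instead.
scan_upload() {
    file=$1
    rc=0
    "$SCANNER" --move="$QUARANTINE" --quiet --no-summary \
        --log="$SCAN_LOG" "$file" || rc=$?
    case "$rc" in
        0|1) return "$rc" ;;   # clamdscan: 0 = clean, 1 = virus found
    esac
    # Any other status (clamdscan uses 2 for errors, e.g. clamd not
    # reachable) means the file was NOT scanned. Fail closed: move it out
    # of the user's directory and leave a line that grep can find.
    hold="$QUARANTINE/unscanned"
    mkdir -p "$hold"
    mv -- "$file" "$hold/" || chmod 000 "$file"
    printf '%s: UNSCANNED (scanner exit %s, ftp user %s)\n' \
        "$file" "$rc" "${UPLOAD_USER:-unknown}" >> "$SCAN_LOG"
    return 2
}

# pure-uploadscript passes the uploaded file's absolute path as $1 and the
# FTP account name in the UPLOAD_USER environment variable.
if [ "$#" -gt 0 ]; then
    scan_upload "$1"
fi
```

Files held this way show up in the same log when you grep for UNSCANNED instead of FOUND, and can be moved back once the scanner is running again and they have been scanned.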