Clam AV problem

pickledbushman · 05-21-2008, 08:13 AM

Hey,

A client of ours has a OpenNA rpm based linux distribution. Basically its cut down and everything is locked down by default, but anyways. The client phones me today to tell me that their email is not sending and they cant access the world wide web.

So to give you a break down of the packages I am working with here:

- The Exim MTA
- Dansguardian (this had a "cant connect to clam AV socket error)
- ClamAV/Freshclam

So I went into the config file for dansguardian, #`d out the ClamAV reference and it worked... however.. exim did not work. Meaning the client was still unable to send an email.

The problem here is that whoever setup this server used a custom IPTABLES rule set called Giptables. And I am not very very familiar with this, or IPTABLES yet... so because they have dansguardian, it looks like just about every port is firewalled out to be pushed through dansguardian and it looks like exim is the only SMTP server allowed.

Below is a copy of the logs that show the problems I am having and the errors I am getting, so I am hoping that someone out there will be able to help me with this.

When I start clam I get this error:

/var/log/clamav/clamav.log

Code:

Wed May 21 15:00:07 2008 -> Running as user mail (UID 8, GID 12)
Wed May 21 15:00:07 2008 -> Log file size limited to 2097152 bytes.
Wed May 21 15:00:07 2008 -> Reading databases from /var/lib/clamav
Wed May 21 15:00:07 2008 -> Not loading PUA signatures.
Wed May 21 15:00:17 2008 -> ERROR: Malformed database
Wed May 21 15:00:55 2008 -> +++ Started at Wed May 21 15:00:55 2008
Wed May 21 15:00:55 2008 -> clamd daemon 0.92 (OS: linux-gnu, ARCH: i386, CPU: i686)

These are the exim logs

/var/log/maillog

Code:

May 21 12:56:38 mail exim[16137]: [9\20] T To: <david@bat.co.za>
May 21 12:56:38 mail exim[16137]: [10\20]   Subject: test
May 21 12:56:38 mail exim[16137]: [11\20]   Date: Wed, 21 May 2008 12:30:01 +0200
May 21 12:56:38 mail exim[16137]: [12\20]   MIME-Version: 1.0
May 21 12:56:38 mail exim[16137]: [13\20]   Content-Type: multipart/alternative;
May 21 12:56:38 mail exim[16137]: [14\20] ^Iboundary="----=_NextPart_000_0010_01C8BB3E.63BD5CA0"
May 21 12:56:38 mail exim[16137]: [15\20]   X-Priority: 3
May 21 12:56:38 mail exim[16137]: [16\20]   X-MSMail-Priority: Normal
May 21 12:56:38 mail exim[16137]: [17\20]   X-Mailer: Microsoft Outlook Express 6.00.2900.2180
May 21 12:56:38 mail exim[16137]: [18\20]   X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
May 21 12:56:38 mail exim[16137]: [19\20]   X-SA-Do-Not-Run: Yes
May 21 12:56:38 mail exim[16137]: [20/20]   X-Broken-Reverse-DNS: no host name for IP address 192.168.1.110
May 21 12:56:38 mail exim[16137]: 2008-05-21 12:56:38 SMTP connection from (Wks6) [192.168.1.110]:1222 I=[192.168.1.254]:25 lost
May 21 12:56:38 mail pop3-login: Login: shantele [192.168.1.110]
May 21 12:56:38 mail pop3-login: SSL_read() syscall failed: EOF [192.168.1.110]
May 21 13:02:05 mail exim[17410]: 2008-05-21 13:02:05 cwd=/ 3 args: send-mail -i root
May 21 13:02:05 mail exim[17410]: 2008-05-21 13:02:05 1Jym57-0004Wo-PE SA: Action: Not running SA because SAEximRunCond expanded to false (Message-Id: 1Jym57-0004Wo-PE). From <root@arb.co.za> (local) for root@arb.co.za
May 21 13:02:05 mail exim[17410]: 2008-05-21 13:02:05 1Jym57-0004Wo-PE <= root@arb.co.za U=root P=local S=13490 T="mail.arb.co.za 05/21/08:13.00 ACTIVE SYSTEM ATTACK!" from <root@arb.co.za> for root
May 21 13:02:05 mail exim[8298]: 2008-05-21 13:02:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Jym57-0004Wo-PE
May 21 13:02:09 mail exim[8298]: 2008-05-21 13:02:09 1Jym57-0004Wo-PE => support@bat.co.za (postmaster@arb.co.za) <root@arb.co.za> F=<root@arb.co.za> R=smarthost T=remote_smtp S=13423 H=smtp.isdsl.net [196.26.208.200] C="250 OK id=1Jym5A-0009JD-AE"
May 21 13:02:09 mail exim[8298]: 2008-05-21 13:02:09 1Jym57-0004Wo-PE Completed
May 21 13:11:38 mail exim[11662]: 2008-05-21 13:11:38 SMTP connection from [192.168.1.110]:1225 I=[192.168.1.254]:25 (TCP/IP connection count = 1)
May 21 13:11:38 mail exim[3202]: 2008-05-21 13:11:38 no IP address found for host wks6 (during SMTP connection from [192.168.1.110]:1225 I=[192.168.1.254]:25)
May 21 13:11:40 mail exim[3202]: 2008-05-21 13:11:40 1JymEO-0000pe-LZ malware acl condition: unable to connect to sophie UNIX socket (/var/run/sophie). errno=2
May 21 13:11:40 mail exim[3202]: 2008-05-21 13:11:40 1JymEO-0000pe-LZ malware acl condition: unable to connect to sophie UNIX socket (/var/run/sophie). errno=2
May 21 13:11:40 mail exim[3202]: 2008-05-21 13:11:40 1JymEO-0000pe-LZ H=(Wks6) [192.168.1.110]:1225 I=[192.168.1.254]:25 F=<shantele@arb.co.za> temporarily rejected after DATA

And in case you need it this is /var/log/messages

Code:

May 21 12:18:13 mail dansguardian: Error connecting to ClamD socket
May 21 12:18:13 mail dansguardian: scanFile/Memory returned error: -1
May 21 12:18:13 mail dansguardian: Error connecting to ClamD socket
May 21 12:18:13 mail dansguardian: scanFile/Memory returned error: -1
May 21 12:19:23 mail dansguardian: Error connecting to ClamD socket
May 21 12:19:23 mail dansguardian: scanFile/Memory returned error: -1
May 21 12:19:24 mail dansguardian: Error connecting to ClamD socket
May 21 12:19:24 mail dansguardian: scanFile/Memory returned error: -1

unSpawn · 05-21-2008, 08:34 AM

Refresh the ClamAV database (freshclam?) then restart clamd. If it restarts OK, then see if Sophie wants to run too?

pickledbushman · 05-21-2008, 09:09 AM

Quote:

Originally Posted by unSpawn

Refresh the ClamAV database (freshclam?) then restart clamd. If it restarts OK, then see if Sophie wants to run too?

Hi,

Thanks for responding!

I ran freshclam and it seems to update fine:

[ocde][root@mail autoupdate]# freshclam
ClamAV update process started at Wed May 21 16:06:17 2008
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.92.1 Recommended version: 0.93
DON'T PANIC! Read http://www.clamav.net/support/faq
main.inc is up to date (version: 46, sigs: 231834, f-level: 26, builder: sven)
daily.inc is up to date (version: 7197, sigs: 63992, f-level: 26, builder: arnaud)
[/code]

I am not sure what sophie is or how I would go about fiddling with that. I still get that clamav database error when I do an update and restart clam.

Thanks for the help!

pickledbushman · 05-21-2008, 09:37 AM

On a side note... how would I "remove" the old database and start from scratch again?

predatorz · 05-21-2008, 09:46 AM

I think there should be a db folder under clamav folder or check your clamav conf on the location?

pickledbushman · 05-21-2008, 09:53 AM

Hey,

I found the folders not to hard, but I dont know what would happen if I just deleted or renamed or moved these files

Code:

[root@mail clamav]# ls

clamav-df7c0c25dd96a98e  daily.cvd   main.cvd  main.fp   main.inc/  main.mdb  main.zmd
COPYING                  daily.inc/  main.db   main.hdb  main.info  main.ndb  mirrors.dat

[root@mail clamav]cd main.inc
[root@mail main.inc]# ls

COPYING  main.db  main.fp  main.hdb  main.info  main.mdb  main.ndb  main.zmd

Should I just delete them, and then update or install the rpm again?

pickledbushman · 05-21-2008, 11:32 AM

So.. I "think" I have resolved the problem, but will only be able to test in the morning.

What I did:

backed up:

cp -pr /var/lib/clamav to /var/lib/clamav_backup
cp -p /etc/clamd.conf /tmp/clamd.conf.backup

Then just to be sure...

rm -rf /var/lib/clamav

Then I installed the rpm: rpm -i --force clam.rpm

Copied the conf file back, update the db with freshclam and started the service.

Have restarted dansguardian and exim.

Im not sure if there are any other files I should modify... but there does not seem to be any error messages in any of the log files.

unSpawn · 05-21-2008, 12:00 PM

Heh. Not like I would have done it but, hey, if it works, it works...