LinuxQuestions.org
Old 05-02-2008, 08:00 AM   #1
nihal
LQ Newbie
 
Registered: Jan 2008
Posts: 6

Rep: Reputation: 0
Question Clamav Update and Installation Problem


Hello,

I have some problems on my web server. Firstly, I must say that I noticed some trojans and viruses affecting my server. When loading my web pages, I saw a foreign link in the status bar while the pages were loading. When I searched these pages, I saw some code that inserts a hidden iframe connected to some other sites. This is an iframe injection problem.

And after searching, I saw that this code had infected most of the index.php, index.html, index.htm and footer.php, footer.htm and footer.html pages on my server.

After this I cleaned all the infected files and activated PHP safe mode, which was OFF before. And I disabled some system functions in php.ini.

But more important than this, I realized that my ClamAV antivirus was out of date. But when I wanted to update ClamAV with yum update clamav, I faced some errors about yum. And I got help from my hosting firm to solve this problem.

And after this, I updated my ClamAV 0.88 to ClamAV 0.92. And after this installation I scanned my system with clamscan and removed 1250-1300 trojans and viruses from users' mail directories.

After this cleaning operation, I scanned the system again and no other trojans or viruses were found.

But after the ClamAV update to version 0.92 there is a big problem again.

When a mail user sends a mail to anyone, everything is shown as normal in the mail program (Outlook, Thunderbird...) as sent, but the mail is not delivered to the recipient. And at the same time a clamav... directory is created in the /tmp directory. And these directories fill the user's mailbox quota. When I clean this directory from the /tmp directory, the quota returns to normal size. This problem occurs for most of the mail users' traffic. But this problem began after the ClamAV update process.

But this problem does not appear on all mail accounts.

This clamav.. directory that is created in the /tmp directory has 4 files: main.db, main.mdb, main.ndb and copying files.

And the returned message saying that the user's mail quota is exceeded is shown below.
And sometimes the message is not returned.

< mail_address> (expanded from
*** < mail_address>): can't create user output file. Command
*** output: LibClamAV Error: cli_untgz: Wrote 0 instead of 512
*** (/tmp/clamav-d342a5c0705d099fd95b1b0793092e0b/main.ndb) LibClamAV Error:
*** cli_cvdload(): Can't unpack CVD file. LibClamAV Error: Can't load
*** /var/clamav/main.cvd: CVD extraction failure ERROR: CVD extraction failure
*** procmail: Error while writing to "/var/log/procmail.log" procmail: Quota
*** exceeded while writing
*** "/home/domain/homes/mail_user/Maildir/tmp/1209623791.26249_0.ns1.site.com.tr"
*** procmail: Quota exceeded while writing
*** "/home/domain/homes/mail_user/Maildir/tmp/1209623791.26249_1.ns1.site.com.tr"
*** Time:1209623791 From: To: User: mail_adresi Size:248
*** Dest:/etc/webmin/virtual-server/clam-wrapper.pl /usr/bin/clamscan Mode:None

In short, after updating ClamAV on my server, every mail in the server's mail traffic gets a clamav... directory in the /tmp directory, and these directories have main.db, main.mdb, main.ndb and copying files.

What is wrong, or what must I do to solve this?

If I remove ClamAV from the system, everything returns to normal in the mail traffic.

Also I installed chkrootkit and scanned the system. No bad results were shown. All results said "not infected".

As a result I cannot find how I can run ClamAV on my system. Would reinstalling the old version solve it? Or do you advise installing a new program? If yes, which one?

My OS is CentOS 4.6, Mail Server Postfix Mail Server 2.2.10, Spam filter SpamAssassin Mail Filter 3.1.9

Thanks for your advice and your help.
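
A defender-side check for the injection described in this post, as an added example that is not part of the original thread: it walks a web root, looks only at the index.* and footer.* names the poster lists, and reports iframes that are hidden and load from another host. The size and style heuristics, the `own_hosts` parameter and the sample pages are assumptions made for illustration.

```python
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

TARGET_NAMES = re.compile(r"^(index|footer)\.(php|html?)$", re.I)  # names the post lists
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Constructed sample pages (not taken from the poster's server).
CLEAN = '<body>\n<iframe src="/news.html" width="400"></iframe>\n</body>\n'
INJECTED = '<?php include "menu.php"; ?>\n<iframe src="http://injected.example/x" width="0"></iframe>\n'


class IframeFinder(HTMLParser):
    """Collect (line, src) for iframes that are hidden and point off-site."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts, self.hits = own_hosts, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname  # None for relative URLs
        tiny = any(a.get(k, "").strip().rstrip("px") in ("0", "1") for k in ("width", "height"))
        hidden = tiny or HIDDEN_STYLE.search(a.get("style", ""))
        if tag == "iframe" and hidden and host and host not in self.own_hosts:
            self.hits.append((self.getpos()[0], a["src"]))


def scan_webroot(root, own_hosts=()):
    """Return sorted (path, line, src) for suspicious iframes under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(TARGET_NAMES.match, files):
            path = os.path.join(dirpath, name)
            parser = IframeFinder({h.lower() for h in own_hosts})
            with open(path, encoding="utf-8", errors="replace") as fh:
                parser.feed(fh.read())
            findings += [(path, line, src) for line, src in parser.hits]
    return sorted(findings)


def demo():
    """Scan a constructed web root: one clean page, one injected footer."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("index.html", CLEAN), ("footer.php", INJECTED)):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return [(os.path.basename(p), n, s) for p, n, s in scan_webroot(root)]
```

Only literal iframe tags are matched; markup written out by script is not covered.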
 
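
To see which accounts the leftover directories are charged to, the following added example (not from the thread) sums stale clamav-* directories under /tmp per owning uid. The ten-minute staleness threshold and the sample directory names are assumptions; run it as root so every directory is readable.

```python
import os
import re
import tempfile
import time
from collections import defaultdict

# Directory name shape taken from the bounce above: /tmp/clamav-<32 hex digits>.
CLAMAV_TMP = re.compile(r"^clamav-[0-9a-f]{32}$")


def leftover_clamav_dirs(tmp_root="/tmp", min_age_s=600, now=None):
    """Map owner uid -> {"dirs", "bytes"} for clamav-* dirs older than min_age_s."""
    now = time.time() if now is None else now
    report = defaultdict(lambda: {"dirs": 0, "bytes": 0})
    for entry in os.scandir(tmp_root):
        if not (CLAMAV_TMP.match(entry.name) and entry.is_dir(follow_symlinks=False)):
            continue
        st = entry.stat(follow_symlinks=False)
        if now - st.st_mtime < min_age_s:
            continue  # recent: may belong to a scan that is still running
        files = [f for f in os.scandir(entry.path) if f.is_file(follow_symlinks=False)]
        report[st.st_uid]["dirs"] += 1
        # Apparent file sizes; quota accounting by blocks may differ slightly.
        report[st.st_uid]["bytes"] += sum(f.stat(follow_symlinks=False).st_size for f in files)
    return dict(report)


def demo():
    """Constructed /tmp stand-in: two stale clamav-* dirs, one fresh, one unrelated."""
    with tempfile.TemporaryDirectory() as root:
        for i, age in enumerate((3600, 7200, 0)):
            d = os.path.join(root, "clamav-" + f"{i:032x}")
            os.mkdir(d)
            for name in ("main.db", "main.mdb", "main.ndb"):
                with open(os.path.join(d, name), "wb") as fh:
                    fh.write(b"\0" * 512)
            stamp = time.time() - age
            os.utime(d, (stamp, stamp))
        os.mkdir(os.path.join(root, "sess_cache"))
        return leftover_clamav_dirs(root)
```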
Old 05-02-2008, 01:37 PM   #2
686plus
Member
 
Registered: Nov 2004
Location: Portland, Oregon
Distribution: Ubuntu
Posts: 114

Rep: Reputation: 17
A more secure solution... wipe your drive and start fresh. But develop a security plan before going live. Installing rootkit detection and anti-virus software after a problem might not fix anything if a rootkit was installed. Are you using SELinux?

I would upgrade to CentOS 5.x. Even with the current versions, CentOS is slow with ClamAV updates. I use CentOS currently, but am considering switching to Ubuntu Server.

As far as your current situation... I haven't used ClamAV with Postfix, but this might help:
http://wiki.linuxquestions.org/wiki/..._clamav-milter
 
  

