
Maldet - Linux Malware Detect Addon (discussion)

Discussion in 'Add Ons' started by eva2000, Jul 17, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    It's a daily cronjob at /etc/cron.daily/maldet, but doing what you propose will still be problematic if you are low on memory, as you run the risk of swapping to disk anyway if you do not have enough memory. It's either upgrade memory or disable clamav :)
     
  2. Sunka

    Sunka Well-Known Member

    @eva2000, please instruct me on how to completely uninstall clamav and maldet from the server.
    Thank you
     
    Last edited: Jan 19, 2017
  3. eva2000

    eva2000 Administrator Staff Member

    Why not leave maldet without clamav?
     
  4. Sunka

    Sunka Well-Known Member

    Hm..
    If it is 4x slower without clamav, should it then be more CPU hungry (and RAM too)?

    If it can be left installed, where do I set it to scan only once a day or every 2 days?

    Also, how do I completely stop and then uninstall clamav?
     
  5. Sunka

    Sunka Well-Known Member

    OK, I did that and then
    Code (Text):
    yum remove clamav
    yum remove clamd


    Hope that is correct and enough.
  6. eva2000

    eva2000 Administrator Staff Member

    Should be :)
  7. hitman

    hitman Member

    Hello,
    is it possible to make it send an email regardless of whether it found an infection, so you can know that it did indeed run?
     
  8. DaB

    DaB New Member

    I am getting the following error after I have just installed this:
    Code:
    WARNING: [LibClamAV] cli_ac_addsig: Signature for Win.Worm.Fadok-6328944-0 is too short [...] ERROR: Failed to load new database: Malformed database
    WARNING: Database load exited with status 55
    ERROR: Failed to load new database
    
    Any ideas?
     
  9. eva2000

    eva2000 Administrator Staff Member

    Not that I know of, though.
    Corrupted clamav database, it seems. You should have more lines of the error message that you cut off?

    Guess not, from a test I just did:
    Code (Text):
    ClamAV update process started at Thu Jun 15 07:48:43 2017
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.98.4 Recommended version: 0.99.2
    DON'T PANIC! Read http://www.clamav.net/support/faq
    Downloading main-55.cdiff [100%]
    Empty script main-56.cdiff, need to download entire database
    Downloading main.cvd [100%]
    main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    WARNING: getfile: daily-15077.cdiff not found on remote server (IP: 69.12.162.28)
    WARNING: getpatch: Can't download daily-15077.cdiff from db.local.clamav.net
    WARNING: getfile: daily-15077.cdiff not found on remote server (IP: 69.163.100.14)
    WARNING: getpatch: Can't download daily-15077.cdiff from db.local.clamav.net
    connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
    Can't connect to port 80 of host db.local.clamav.net (IP: 64.6.100.177)
    Trying host db.local.clamav.net (155.98.64.87)...
    WARNING: getfile: daily-15077.cdiff not found on remote server (IP: 155.98.64.87)
    WARNING: getpatch: Can't download daily-15077.cdiff from db.local.clamav.net
    WARNING: Incremental update failed, trying to download daily.cvd
    connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
    Can't connect to port 80 of host db.local.clamav.net (IP: 207.57.106.31)
    Trying host db.local.clamav.net (194.8.197.22)...
    Downloading daily.cvd [100%]
    ERROR: During database load : WARNING: [LibClamAV] cli_ac_addsig: Signature for Win.Worm.Fadok-6328944-0 is too short [...] ERROR: Failed to load new database: Malformed database
    WARNING: Database load exited with status 55
    ERROR: Failed to load new database
    
    real    2m13.400s
    user    0m17.448s
    sys     0m7.815s
    
    maldet + clamav installed...
    

    Find the clamav-db package location at /var/clamav:
    Code (Text):
    rpm -ql clamav-db
    /etc/cron.daily/freshclam
    /etc/logrotate.d/freshclam
    /var/clamav
    /var/clamav/daily.cvd
    /var/clamav/main.cvd
    /var/log/clamav
    /var/log/clamav/freshclam.log
    

    /var/log/clamav/freshclam.log shows:
    Code (Text):
    Downloading daily.cvd [100%]
    WARNING: [LibClamAV] cli_ac_addsig: Signature for Win.Worm.Fadok-6328944-0 is too short
    WARNING: [LibClamAV] cli_parse_add(): Problem adding signature (3).
    WARNING: [LibClamAV] Problem parsing database at line 2793
    WARNING: [LibClamAV] Can't load daily.ldb: Malformed database
    WARNING: [LibClamAV] cli_tgzload: Can't load daily.ldb
    WARNING: [LibClamAV] Can't load /var/clamav/clamav-2d6c2e0f88c5230a90f59b731816ae75.tmp/clamav-0bc785292d6f2b01497c1a87a0a70f48.cvd: Malformed database
    ERROR: Failed to load new database: Malformed database
    ERROR: During database load : WARNING: [LibClamAV] cli_ac_addsig: Signature for Win.Worm.Fadok-6328944-0 is too short [...] ERROR: Failed to load new database: Malformed database
    WARNING: Database load exited with status 55
    ERROR: Failed to load new database
    

    Looks like the clamav package from rpmforge is no longer supported, so I need to update clamav to other yum repo versions. The problem in the past is that other clamav 3rd party repos have different file paths etc.

    Will have to figure this out!

    Currently installed clamav:
    Code (Text):
    yum history info 30
    Loaded plugins: fastestmirror, priorities
    Transaction ID : 30
    Begin time     : Thu Jun 15 07:48:36 2017
    Begin rpmdb    : 751:72ad9ce497ed762a143bcdded1905de40851de29
    End time       :            07:48:38 2017 (2 seconds)
    End rpmdb      : 754:ad81e8d6d62e825e6099d616ae988bb64df8844b
    User           : root <root>
    Return-Code    : Success
    Command Line   : -y install clamav clamd --disablerepo=epel
    Transaction performed with:
        Installed     rpm-4.11.3-21.el7.x86_64                      @base
        Installed     yum-3.4.3-150.el7.centos.noarch               @base
        Installed     yum-metadata-parser-1.1.4-10.el7.x86_64       @anaconda
        Installed     yum-plugin-fastestmirror-1.1.31-40.el7.noarch @base
    Packages Altered:
        Install     clamav-0.98.4-1.el7.rf.x86_64    @rpmforge
        Dep-Install clamav-db-0.98.4-1.el7.rf.x86_64 @rpmforge
        Install     clamd-0.98.4-1.el7.rf.x86_64     @rpmforge
    history info
    

    clamav package files:
    Code (Text):
    rpm -ql clamav
    /etc/freshclam.conf
    /usr/bin/clambc
    /usr/bin/clamscan
    /usr/bin/freshclam
    /usr/bin/sigtool
    /usr/lib64/libclamav.so
    /usr/lib64/libclamav.so.6
    /usr/lib64/libclamav.so.6.1.23
    /usr/lib64/libclamunrar.so
    /usr/lib64/libclamunrar.so.6
    /usr/lib64/libclamunrar.so.6.1.23
    /usr/lib64/libclamunrar_iface.so
    /usr/lib64/libclamunrar_iface.so.6
    /usr/lib64/libclamunrar_iface.so.6.1.23
    /usr/share/doc/clamav-0.98.4
    /usr/share/doc/clamav-0.98.4/AUTHORS
    /usr/share/doc/clamav-0.98.4/BUGS
    /usr/share/doc/clamav-0.98.4/COPYING
    /usr/share/doc/clamav-0.98.4/ChangeLog
    /usr/share/doc/clamav-0.98.4/FAQ
    /usr/share/doc/clamav-0.98.4/INSTALL
    /usr/share/doc/clamav-0.98.4/NEWS
    /usr/share/doc/clamav-0.98.4/README
    /usr/share/doc/clamav-0.98.4/clamav-mirror-howto.pdf
    /usr/share/doc/clamav-0.98.4/clamdoc.pdf
    /usr/share/doc/clamav-0.98.4/freshclam.conf.sample
    /usr/share/doc/clamav-0.98.4/phishsigs_howto.pdf
    /usr/share/doc/clamav-0.98.4/signatures.pdf
    /usr/share/man/man1/clambc.1.gz
    /usr/share/man/man1/clamscan.1.gz
    /usr/share/man/man1/clamsubmit.1.gz
    /usr/share/man/man1/freshclam.1.gz
    /usr/share/man/man1/sigtool.1.gz
    /usr/share/man/man5/freshclam.conf.5.gz
    

    clamd package files:
    Code (Text):
    rpm -ql clamd
    /etc/clamd.conf
    /etc/logrotate.d/clamav
    /etc/rc.d/init.d/clamd
    /usr/bin/clamconf
    /usr/bin/clamdscan
    /usr/bin/clamdtop
    /usr/sbin/clamd
    /usr/share/doc/clamd-0.98.4
    /usr/share/doc/clamd-0.98.4/clamd.conf.sample
    /usr/share/man/man1/clambc.1.gz
    /usr/share/man/man1/clamconf.1.gz
    /usr/share/man/man1/clamdscan.1.gz
    /usr/share/man/man1/clamdtop.1.gz
    /usr/share/man/man5/clamd.conf.5.gz
    /usr/share/man/man8/clamd.8.gz
    /var/clamav
    /var/log/clamav
    /var/log/clamav/clamd.log
    /var/run/clamav
    


    rpmforge available clamav, clamav-db, clamd, clamav-devel packages:
    Code (Text):
    yum list clamd clamav clamav-devel clamav-db
    Loaded plugins: fastestmirror, priorities
    Loading mirror speeds from cached hostfile
     * base: mirror.aarnet.edu.au
     * epel: fedora.uberglobalmirror.com
     * extras: mirror.aarnet.edu.au
     * rpmforge: mirror.ventraip.net.au
     * updates: mirror.aarnet.edu.au
    356 packages excluded due to repository priority protections
    Installed Packages
    clamav.x86_64                                                                                                             0.98.4-1.el7.rf                                                                                                        @rpmforge
    clamav-db.x86_64                                                                                                          0.98.4-1.el7.rf                                                                                                        @rpmforge
    clamd.x86_64                                                                                                              0.98.4-1.el7.rf                                                                                                        @rpmforge
    Available Packages
    clamav-devel.x86_64                                                                                                       0.98.4-1.el7.rf                                                                                                        rpmforge
    

    The epel repo has its own clamav packages, excluded by Centmin Mod so as not to conflict:
    Code (Text):
    yum list clamd clamav clamav-devel clamav-db --disableexclude=epel --disableplugin=priorities
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirror.aarnet.edu.au
     * epel: fedora.uberglobalmirror.com
     * extras: mirror.aarnet.edu.au
     * rpmforge: mirror.ventraip.net.au
     * updates: mirror.aarnet.edu.au
    Installed Packages
    clamav.x86_64                                                                                                             0.98.4-1.el7.rf                                                                                                        @rpmforge
    clamav-db.x86_64                                                                                                          0.98.4-1.el7.rf                                                                                                        @rpmforge
    clamd.x86_64                                                                                                              0.98.4-1.el7.rf                                                                                                        @rpmforge
    Available Packages
    clamav.x86_64                                                                                                             0.99.2-1.el7                                                                                                           epel
    clamav-devel.x86_64                                                                                                       0.99.2-1.el7                                                                                                           epel
    


    Use the yum history list command to find the transaction id of the clamav install; for me it was transaction id 30. Undo it to remove and reverse the install:
    Code (Text):
    yum history undo 30
    Loaded plugins: fastestmirror, priorities
    Undoing transaction 30, from Thu Jun 15 07:48:36 2017
        Install     clamav-0.98.4-1.el7.rf.x86_64    @rpmforge
        Dep-Install clamav-db-0.98.4-1.el7.rf.x86_64 @rpmforge
        Install     clamd-0.98.4-1.el7.rf.x86_64     @rpmforge
    Resolving Dependencies
    --> Running transaction check
    ---> Package clamav.x86_64 0:0.98.4-1.el7.rf will be erased
    ---> Package clamav-db.x86_64 0:0.98.4-1.el7.rf will be erased
    ---> Package clamd.x86_64 0:0.98.4-1.el7.rf will be erased
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ==========================================================================================================================================================================================================================================================
     Package                                                     Arch                                                     Version                                                           Repository                                                   Size
    ==========================================================================================================================================================================================================================================================
    Removing:
     clamav                                                      x86_64                                                   0.98.4-1.el7.rf                                                   @rpmforge                                                   8.8 M
     clamav-db                                                   x86_64                                                   0.98.4-1.el7.rf                                                   @rpmforge                                                    34 M
     clamd                                                       x86_64                                                   0.98.4-1.el7.rf                                                   @rpmforge                                                   680 k
    
    Transaction Summary
    ==========================================================================================================================================================================================================================================================
    Remove  3 Packages
    
    Installed size: 44 M
    Is this ok [y/N]: y
    Downloading packages:
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Erasing    : clamd-0.98.4-1.el7.rf.x86_64                                                                                                                                                                                                           1/3
    warning: /etc/clamd.conf saved as /etc/clamd.conf.rpmsave
      Erasing    : clamav-0.98.4-1.el7.rf.x86_64                                                                                                                                                                                                          2/3
    warning: /etc/freshclam.conf saved as /etc/freshclam.conf.rpmsave
      Erasing    : clamav-db-0.98.4-1.el7.rf.x86_64                                                                                                                                                                                                       3/3
    warning: /var/clamav/main.cvd saved as /var/clamav/main.cvd.rpmsave
      Verifying  : clamd-0.98.4-1.el7.rf.x86_64                                                                                                                                                                                                           1/3
      Verifying  : clamav-0.98.4-1.el7.rf.x86_64                                                                                                                                                                                                          2/3
      Verifying  : clamav-db-0.98.4-1.el7.rf.x86_64                                                                                                                                                                                                       3/3
    
    Removed:
      clamav.x86_64 0:0.98.4-1.el7.rf                                                   clamav-db.x86_64 0:0.98.4-1.el7.rf                                                   clamd.x86_64 0:0.98.4-1.el7.rf                                              
    
    Complete!
    

    Install the epel yum repo's clamav instead, disabling the rpmforge repo on the command line:
    Code (Text):
    yum -y install clamav --disablerepo=rpmforge --disableexclude=epel --disableplugin=priorities
    

    Code (Text):
    yum -y install clamav --disablerepo=rpmforge --disableexclude=epel --disableplugin=priorities
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirror.aarnet.edu.au
     * epel: fedora.uberglobalmirror.com
     * extras: mirror.aarnet.edu.au
     * updates: mirror.aarnet.edu.au
    Resolving Dependencies
    --> Running transaction check
    ---> Package clamav.x86_64 0:0.99.2-1.el7 will be installed
    --> Processing Dependency: clamav-lib = 0.99.2-1.el7 for package: clamav-0.99.2-1.el7.x86_64
    --> Processing Dependency: libclamav.so.7(CLAMAV_PUBLIC)(64bit) for package: clamav-0.99.2-1.el7.x86_64
    --> Processing Dependency: libclamav.so.7(CLAMAV_PRIVATE)(64bit) for package: clamav-0.99.2-1.el7.x86_64
    --> Processing Dependency: data(clamav) for package: clamav-0.99.2-1.el7.x86_64
    --> Processing Dependency: libclamav.so.7()(64bit) for package: clamav-0.99.2-1.el7.x86_64
    --> Running transaction check
    ---> Package clamav-data.noarch 0:0.99.2-1.el7 will be installed
    --> Processing Dependency: clamav-filesystem = 0.99.2-1.el7 for package: clamav-data-0.99.2-1.el7.noarch
    ---> Package clamav-lib.x86_64 0:0.99.2-1.el7 will be installed
    --> Running transaction check
    ---> Package clamav-filesystem.noarch 0:0.99.2-1.el7 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ==========================================================================================================================================================================================================================================================
     Package                                                             Arch                                                     Version                                                        Repository                                              Size
    ==========================================================================================================================================================================================================================================================
    Installing:
     clamav                                                              x86_64                                                   0.99.2-1.el7                                                   epel                                                   845 k
    Installing for dependencies:
     clamav-data                                                         noarch                                                   0.99.2-1.el7                                                   epel                                                   111 M
     clamav-filesystem                                                   noarch                                                   0.99.2-1.el7                                                   epel                                                    20 k
     clamav-lib                                                          x86_64                                                   0.99.2-1.el7                                                   epel                                                   3.8 M
    
    Transaction Summary
    ==========================================================================================================================================================================================================================================================
    Install  1 Package (+3 Dependent packages)
    
    Total download size: 115 M
    Installed size: 124 M
    Downloading packages:
    (1/4): clamav-filesystem-0.99.2-1.el7.noarch.rpm                                                                                                                                                                                   |  20 kB  00:00:00  
    (2/4): clamav-0.99.2-1.el7.x86_64.rpm                                                                                                                                                                                              | 845 kB  00:00:01  
    (3/4): clamav-lib-0.99.2-1.el7.x86_64.rpm                                                                                                                                                                                          | 3.8 MB  00:00:03  
    (4/4): clamav-data-0.99.2-1.el7.noarch.rpm                                                                                                                                                                                         | 111 MB  00:00:44  
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Total                                                                                                                                                                                                                     2.6 MB/s | 115 MB  00:00:44  
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : clamav-filesystem-0.99.2-1.el7.noarch                                                                                                                                                                                                  1/4
      Installing : clamav-data-0.99.2-1.el7.noarch                                                                                                                                                                                                        2/4
      Installing : clamav-lib-0.99.2-1.el7.x86_64                                                                                                                                                                                                         3/4
      Installing : clamav-0.99.2-1.el7.x86_64                                                                                                                                                                                                             4/4
      Verifying  : clamav-filesystem-0.99.2-1.el7.noarch                                                                                                                                                                                                  1/4
      Verifying  : clamav-lib-0.99.2-1.el7.x86_64                                                                                                                                                                                                         2/4
      Verifying  : clamav-data-0.99.2-1.el7.noarch                                                                                                                                                                                                        3/4
      Verifying  : clamav-0.99.2-1.el7.x86_64                                                                                                                                                                                                             4/4
    
    Installed:
      clamav.x86_64 0:0.99.2-1.el7                                                                                                                                                                                                                        
    
    Dependency Installed:
      clamav-data.noarch 0:0.99.2-1.el7                                                clamav-filesystem.noarch 0:0.99.2-1.el7                                                clamav-lib.x86_64 0:0.99.2-1.el7                                            
    
    Complete!

    clamav epel package files:
    Code (Text):
    rpm -ql clamav
    /usr/bin/clambc
    /usr/bin/clamconf
    /usr/bin/clamdscan
    /usr/bin/clamdtop
    /usr/bin/clamscan
    /usr/bin/clamsubmit
    /usr/bin/sigtool
    /usr/share/doc/clamav-0.99.2
    /usr/share/doc/clamav-0.99.2/AUTHORS
    /usr/share/doc/clamav-0.99.2/BUGS
    /usr/share/doc/clamav-0.99.2/COPYING
    /usr/share/doc/clamav-0.99.2/ChangeLog
    /usr/share/doc/clamav-0.99.2/FAQ
    /usr/share/doc/clamav-0.99.2/NEWS
    /usr/share/doc/clamav-0.99.2/README
    /usr/share/doc/clamav-0.99.2/UPGRADE
    /usr/share/doc/clamav-0.99.2/clamdoc.pdf
    /usr/share/doc/clamav-0.99.2/phishsigs_howto.pdf
    /usr/share/doc/clamav-0.99.2/signatures.pdf
    /usr/share/man/man1/clambc.1.gz
    /usr/share/man/man1/clamconf.1.gz
    /usr/share/man/man1/clamdscan.1.gz
    /usr/share/man/man1/clamdtop.1.gz
    /usr/share/man/man1/clamscan.1.gz
    /usr/share/man/man1/clamsubmit.1.gz
    /usr/share/man/man1/sigtool.1.gz
    /usr/share/man/man5/clamav-milter.conf.5.gz
    /usr/share/man/man5/clamd.conf.5.gz
    

    clamav-data package files
    Code (Text):
    rpm -ql clamav-data
    /var/lib/clamav/bytecode.cvd
    /var/lib/clamav/daily.cvd
    /var/lib/clamav/main.cvd
    

    clamav-filesystem package files
    Code (Text):
    rpm -ql clamav-filesystem
    /usr/share/clamav
    /var/lib/clamav
    

    clamav-lib package files
    Code (Text):
    rpm -ql clamav-lib
    /usr/lib64/libclamav.so.7
    /usr/lib64/libclamav.so.7.1.1
    

    The freshclam binary is missing, so where is it? Use yum provides to find it in the package clamav-update:
    Code (Text):
    yum provides */bin/freshclam* --disablerepo=rpmforge --disableexclude=epel --disableplugin=priorities
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirror.aarnet.edu.au
     * epel: fedora.uberglobalmirror.com
     * extras: mirror.aarnet.edu.au
     * updates: mirror.aarnet.edu.au
    clamav-update-0.99.2-1.el7.x86_64 : Auto-updater for the Clam Antivirus scanner data-files
    Repo        : epel
    Matched from:
    Filename    : /usr/bin/freshclam
    

    So install it:
    Code (Text):
    yum -y install clamav-update --disablerepo=rpmforge --disableexclude=epel --disableplugin=priorities    
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirror.aarnet.edu.au
     * epel: fedora.uberglobalmirror.com
     * extras: mirror.aarnet.edu.au
     * updates: mirror.aarnet.edu.au
    Resolving Dependencies
    --> Running transaction check
    ---> Package clamav-update.x86_64 0:0.99.2-1.el7 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ==========================================================================================================================================================================================================================================================
     Package                                                          Arch                                                      Version                                                         Repository                                               Size
    ==========================================================================================================================================================================================================================================================
    Installing:
     clamav-update                                                    x86_64                                                    0.99.2-1.el7                                                    epel                                                     95 k
    
    Transaction Summary
    ==========================================================================================================================================================================================================================================================
    Install  1 Package
    
    Total download size: 95 k
    Installed size: 213 k
    Downloading packages:
    clamav-update-0.99.2-1.el7.x86_64.rpm                                                                                                                                                                                              |  95 kB  00:00:00  
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : clamav-update-0.99.2-1.el7.x86_64                                                                                                                                                                                                      1/1
      Verifying  : clamav-update-0.99.2-1.el7.x86_64                                                                                                                                                                                                      1/1
    
    Installed:
      clamav-update.x86_64 0:0.99.2-1.el7                                                                                                                                                                                                                  
    
    Complete!
    

    clamav-update package files
    Code (Text):
    rpm -ql clamav-update
    /etc/cron.d/clamav-update
    /etc/freshclam.conf
    /etc/logrotate.d/clamav-update
    /etc/sysconfig/freshclam
    /usr/bin/freshclam
    /usr/share/clamav/freshclam-sleep
    /usr/share/man/man1/freshclam.1.gz
    /usr/share/man/man5/freshclam.conf.5.gz
    /var/lib/clamav/bytecode.cld
    /var/lib/clamav/daily.cld
    /var/lib/clamav/main.cld
    /var/lib/clamav/mirrors.dat
    /var/log/freshclam.log
    

    Code (Text):
    freshclam
    ERROR: Please edit the example config file /etc/freshclam.conf
    ERROR: Can't open/parse the config file /etc/freshclam.conf
    

    ah there's a line in /etc/freshclam.conf you need to remove
    Code (Text):
    ##
    ## Example config file for freshclam
    ## Please read the freshclam.conf(5) manual before editing this file.
    ##
    
    
    # Comment or remove the line below.
    Example
    
    # Path to the database directory.
    # WARNING: It must match clamd.conf's directive!
    # Default: hardcoded (depends on installation options)
    #DatabaseDirectory /var/lib/clamav
    

    remove line = Example

    re-run freshclam
    Code (Text):
    freshclam                 
    ClamAV update process started at Thu Jun 15 08:18:52 2017
    Downloading main-58.cdiff [100%]
    main.cld updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    WARNING: getfile: daily-21724.cdiff not found on database.clamav.net (IP: 150.214.142.197)
    WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
    WARNING: getfile: daily-21724.cdiff not found on database.clamav.net (IP: 69.12.162.28)
    WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
    nonblock_recv: recv timing out (30 secs)
    WARNING: getfile: Error while reading database from database.clamav.net (IP: 128.199.133.36): Operation now in progress
    WARNING: getpatch: Can't download daily-21724.cdiff from database.clamav.net
    WARNING: Incremental update failed, trying to download daily.cvd
    connect_error: getsockopt(SO_ERROR): fd=4 error=110: Connection timed out
    Can't connect to port 80 of host database.clamav.net (IP: 168.143.19.95)
    Trying host database.clamav.net (64.22.33.90)...
    connect_error: getsockopt(SO_ERROR): fd=4 error=110: Connection timed out
    Can't connect to port 80 of host database.clamav.net (IP: 64.22.33.90)
    Trying host database.clamav.net (194.8.197.22)...
    Downloading daily.cvd [100%]
    daily.cvd updated (version: 23475, sigs: 1736834, f-level: 63, builder: neo)
    Downloading bytecode-279.cdiff [100%]
    Downloading bytecode-280.cdiff [100%]
    Downloading bytecode-281.cdiff [100%]
    Downloading bytecode-282.cdiff [100%]
    Downloading bytecode-283.cdiff [100%]
    Downloading bytecode-284.cdiff [100%]
    Downloading bytecode-285.cdiff [100%]
    Downloading bytecode-286.cdiff [100%]
    Downloading bytecode-287.cdiff [100%]
    Downloading bytecode-288.cdiff [100%]
    Downloading bytecode-289.cdiff [100%]
    Downloading bytecode-290.cdiff [100%]
    Downloading bytecode-291.cdiff [100%]
    Downloading bytecode-292.cdiff [100%]
    Downloading bytecode-293.cdiff [100%]
    Downloading bytecode-294.cdiff [100%]
    Downloading bytecode-295.cdiff [100%]
    Downloading bytecode-296.cdiff [100%]
    Downloading bytecode-297.cdiff [100%]
    Downloading bytecode-298.cdiff [100%]
    Downloading bytecode-299.cdiff [100%]
    Downloading bytecode-300.cdiff [100%]
    Downloading bytecode-301.cdiff [100%]
    Downloading bytecode-302.cdiff [100%]
    Downloading bytecode-303.cdiff [100%]
    bytecode.cld updated (version: 303, sigs: 59, f-level: 63, builder: anvilleg)
    Database updated (6303142 signatures) from database.clamav.net (IP: 194.8.197.22)
    

    re-run freshclam again
    Code (Text):
    freshclam
    ClamAV update process started at Thu Jun 15 08:21:24 2017
    main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
    daily.cvd is up to date (version: 23475, sigs: 1736834, f-level: 63, builder: neo)
    bytecode.cld is up to date (version: 303, sigs: 59, f-level: 63, builder: anvilleg)
    

    check if maldet detects updated clamav's clamscan binary from epel yum repo
    Code (Text):
    /usr/local/maldetect/maldet -a /usr/local/nginx/html
    Linux Malware Detect v1.6.1
                (C) 2002-2017, R-fx Networks <[email protected]>
                (C) 2017, Ryan MacDonald <[email protected]>
    This program may be freely redistributed under the terms of the GNU GPL v2
    
    maldet(25657): {scan} signatures loaded: 16561 (13831 MD5 | 1951 HEX | 779 YARA | 0 USER)
    maldet(25657): {scan} building file list for /usr/local/nginx/html, this might take awhile...
    maldet(25657): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
    maldet(25657): {scan} file list completed in 0s, found 16 files...
    maldet(25657): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
    maldet(25657): {scan} scan of /usr/local/nginx/html (16 files) in progress...
    
    maldet(25657): {scan} scan completed on /usr/local/nginx/html: files 16, malware hits 0, cleaned hits 0, time 14s
    maldet(25657): {scan} scan report saved, to view run: maldet --report 170615-0846.25657
    
     
    Last edited: Jun 15, 2017
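    The freshclam fix described above (the bare `Example` sentinel line in /etc/freshclam.conf makes freshclam refuse to start; drop it and re-run freshclam) as a small POSIX shell script. This is an added example, not code from the thread or from the ClamAV or Centmin Mod projects. It comments the sentinel out rather than deleting it, keeps a one-time backup, and takes the config path as an argument so it can be tried on a copy before touching the real file; the function names `fix_freshclam_conf` and `freshclam_conf_is_example` are mine.

```shell
#!/bin/sh
# Added example (not from the thread): disable the "Example" sentinel line that
# makes freshclam abort with "Please edit the example config file".
# Usage: fix_freshclam_conf /etc/freshclam.conf && freshclam

# Returns 0 if the sentinel is still active, i.e. freshclam would still refuse to run.
freshclam_conf_is_example() {
    grep -q '^Example[[:space:]]*$' "$1"
}

# Comment out the sentinel (only the bare line; comments and directives such as
# "## Example config file ..." or "#DatabaseDirectory ..." are left alone).
# Keeps a one-time backup at <conf>.orig so the change can be reverted.
# Returns 0 on success, 1 if the path does not exist. Safe to run repeatedly.
fix_freshclam_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    [ -f "$conf.orig" ] || cp "$conf" "$conf.orig"
    sed -i 's/^Example[[:space:]]*$/#Example/' "$conf"
}

# Stand-alone demo on a constructed copy of the stock config (never on /etc directly):
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '## Example config file for freshclam\n\n# Comment or remove the line below.\nExample\n\n#DatabaseDirectory /var/lib/clamav\n' > "$tmp"
    freshclam_conf_is_example "$tmp" && echo "before: sentinel present"
    fix_freshclam_conf "$tmp"
    freshclam_conf_is_example "$tmp" || echo "after: sentinel disabled, freshclam can start"
    rm -f "$tmp" "$tmp.orig"
fi
```

    Once the sentinel is gone, `freshclam` behaves as in the second run shown above (downloads main/daily/bytecode, then reports "up to date" on later runs); the /etc/cron.d/clamav-update job that the rpm -ql listing shows will keep the signatures current after that.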
  10. eva2000

    eva2000 Administrator Staff Member

    @DaB just updated centmin mod 123.09beta01 addons/maldet.sh with updated routine. You should be able to update centmin mod via centmin.sh menu option 23 submenu option 2, exit centmin.sh and then run addons/maldet.sh again
     
  11. Matt

    Matt Moderator Staff Member

    One of the YARA rules being used by maldet is now causing false positives against the DBTech security add-on. I've tested on 2 servers, and it moves the Core.php file to quarantine.

    md5_0b1bfb0bdc7e017baccd05c6af6943ea
     
  12. eva2000

    eva2000 Administrator Staff Member

  13. Matt

    Matt Moderator Staff Member

    Yes, this rule
    Code:
    rule md5_0b1bfb0bdc7e017baccd05c6af6943ea {
       /*
           eval(hnsqqh($llmkuhieq, $dbnlftqgr));?>
           eval(vW91692($v7U7N9K, $v5N9NGE));?>
       */
       strings: $ = /eval\([\w\d]+\(\$[\w\d]+, \$[\w\d]+\)\);/
       condition: any of them
    }
    
    Is catching one of the evals being used in the Core.php file

    PHP:
                            case 'vBulletin':
                                // Set redirect URL
                                $GLOBALS['vbulletin']->url = $redirectTarget ? $redirectTarget : ($this->option('forumhome') . '.php');
                                eval(standard_redirect($redirectMessage, $forceRedirect));
                                break;
     
  14. eva2000

    eva2000 Administrator Staff Member

  15. eva2000

    eva2000 Administrator Staff Member

  16. eva2000

    eva2000 Administrator Staff Member

    @Matt strangely I am not picking up the false positive in my maldet scans for Xenforo 1.5 and DBSEO Security
    Code (Text):
    SCAN ID:   170917-0357.28232
    STARTED:   Sep 17 2017 03:57:41 +0000
    COMPLETED: Sep 17 2017 03:59:15 +0000
    ELAPSED:   94s [find: 0s]
    
    PATH:
    RANGE:         1 days
    TOTAL FILES:   14256
    TOTAL HITS:    0
    TOTAL CLEANED: 0
    
    ===============================================
    Linux Malware Detect v1.6.2 < [email protected] >
    


    hmm could have been quarantined! eek

    edit: nothing
    Code (Text):
    ls -lah /usr/local/maldetect/quarantine
    total 8.0K
    drwxr-x---  2 root root 4.0K Jul 15 03:31 .
    drwxr-xr-x 13 root root 4.0K Sep 17 16:55 ..
    


    Code (Text):
    grep eval /Security/Application/Core.php
                                    eval(standard_redirect($redirectMessage, $forceRedirect));
                                            eval(standard_error($error));
                                            eval(standard_error($error));
                                            eval('$navbar = "' . fetch_template('navbar') . '";');
                                            eval('print_output("' . fetch_template($containerTemplate) . '");');
    
     
    Last edited: Sep 18, 2017
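    To see exactly which of the eval() lines in Core.php the md5_0b1bfb0bdc7e017baccd05c6af6943ea rule trips on, here is the rule's regex run with plain grep over the lines from Matt's rule comment and from the grep output above, followed by an allow-list pass that drops the known vBulletin template helpers while still flagging the obfuscated sample. This is an added example, not code from the thread or from the maldet project; the sample lines are constructed from what is quoted in this thread, the YARA character class `[\w\d]` is rewritten as the POSIX `[[:alnum:]_]`, and `EVAL_RULE_ERE`, `KNOWN_GOOD_EVAL_WRAPPERS`, `eval_rule_hits` and `eval_rule_hits_filtered` are names I chose.

```shell
#!/bin/sh
# Added example (not from the thread or maldet): reproduce the rule's matching
# outside maldet and show why the vBulletin redirect line is a false positive.

# The YARA regex  /eval\([\w\d]+\(\$[\w\d]+, \$[\w\d]+\)\);/  as a POSIX ERE.
# It matches any eval() whose argument is a two-variable function call; the
# function name is never checked, which is what lets legitimate code through.
EVAL_RULE_ERE='eval\([[:alnum:]_]+\(\$[[:alnum:]_]+, \$[[:alnum:]_]+\)\);'

# vBulletin helpers that are legitimately wrapped in eval() in Core.php, as shown
# by the grep output earlier in the thread (constructed allow-list, extend as needed).
KNOWN_GOOD_EVAL_WRAPPERS='standard_redirect|standard_error'

# Constructed sample: the Core.php eval lines quoted above plus the obfuscated
# sample from the rule's own comment block.
sample_core_php() {
    cat <<'EOF'
                                eval(standard_redirect($redirectMessage, $forceRedirect));
                                        eval(standard_error($error));
                                        eval('$navbar = "' . fetch_template('navbar') . '";');
eval(hnsqqh($llmkuhieq, $dbnlftqgr));?>
EOF
}

# Print every line in file $1 that the rule would flag (empty output if none).
eval_rule_hits() {
    grep -E "$EVAL_RULE_ERE" "$1" || true
}

# Same, minus hits whose wrapper function is on the allow-list.
eval_rule_hits_filtered() {
    eval_rule_hits "$1" | grep -vE "eval\(($KNOWN_GOOD_EVAL_WRAPPERS)\(" || true
}

# Stand-alone demo: write the sample to a temp file and show both views.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    sample_core_php > "$f"
    echo "--- lines the rule flags ---";        eval_rule_hits "$f"
    echo "--- after vBulletin allow-list ---";  eval_rule_hits_filtered "$f"
    rm -f "$f"
fi
```

    Only the standard_redirect() line and the obfuscated sample match: standard_error() takes one argument and the fetch_template() lines pass a string, so neither fits the two-`$variable` shape. The difference between the two hits is the wrapper name, which the rule never looks at; the allow-list above is one way to express that, and maldet's own ignore_sigs list can be used to skip a rule by name on hosts where that add-on is installed.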
  17. Matt

    Matt Moderator Staff Member

    I've tested on 2 servers, and a fresh install of maldet and clamav using the maldet.sh add-on.
    Screenshot_20170917-212548.png

    Screenshot_20170917-212513.png
     
  18. eva2000

    eva2000 Administrator Staff Member

    JuiceSSH :cool:

    Ah found the problem on my end, clamscan aborted early I think on a read error in /tmp so it didn't scan everything. If I scan just the xf directory, it picked it up for that Core.php file
     
  19. rc112

    rc112 Member

  20. rc112

    rc112 Member

    Can anyone tell me how to run these commands? Some look unfamiliar to me. Do I run #!/bin/bash first and then sed -i 's|^#CallUploadScript yes|CallUploadScript yes|g' /etc/pure-ftpd/pure-ftpd.conf ? Thanks.

    Code:
    #!/bin/bash
    
    # enable pure-ftpd's upload hook (uncomment CallUploadScript in the daemon config)
    sed -i 's|^#CallUploadScript yes|CallUploadScript yes|g' /etc/pure-ftpd/pure-ftpd.conf
    
    # write the hook script: pure-uploadscript passes the uploaded file's path as $1,
    # and clamdscan deletes the file if the running clamd flags it
    # (the \$ keeps $1 from being expanded while the heredoc is written)
    cat >/etc/pure-ftpd/clamscan.sh<< EOF
    #!/bin/bash
    /usr/bin/clamdscan --remove --quiet --no-summary "\$1" --log=/var/log/clamscan-pureftpd.log
    EOF
    
    chmod +x /etc/pure-ftpd/clamscan.sh
    
    # start the upload-script listener in the background (-B), running the hook (-r)
    pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh
    
    # and make it start again after a reboot
    echo "pure-uploadscript -B -r /etc/pure-ftpd/clamscan.sh" >> /etc/rc.local
    
    service pure-ftpd restart