New Virus - W32.Novarg.A@mm / Mydoom

Discussion in 'General Discussion' started by alareach, Jan 27, 2004.

  1. Drew Nichols

    Drew Nichols Well-Known Member

    Joined:
    May 5, 2003
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    SC
    What's the best tactic to filter this at the server level to prevent customer complaints?
     
  2. xerophyte

    xerophyte Well-Known Member

    Joined:
    Mar 16, 2003
    Messages:
    216
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    Install mailscanner + clamav, which will filter this virus and others. It works great.
     
  3. Drew Nichols

    Drew Nichols Well-Known Member

    Joined:
    May 5, 2003
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    SC
    Thanks, I'll look for information on how to do this.
     
  4. Devil Inside

    Devil Inside Well-Known Member

    Joined:
    Apr 4, 2003
    Messages:
    277
    Likes Received:
    0
    Trophy Points:
    166
    Speaking of mailscanner...

    When I make changes to the MailScanner.config, do I have to restart it?

    And how?
     
  5. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    318
    Yes, you need to restart:

    killall -9 MailScanner
    /usr/mailscanner/bin/check_mailscanner
     
  6. Budwron

    Budwron Member

    Joined:
    Aug 25, 2003
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    151
    Are mail scanner and clamav an add-on to exim, or is it a switch?
     
  7. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    318
    It's an add-on. Exim is still the MTA, MailScanner scans, and clamav is the AV system.
     
  8. Drew Nichols

    Drew Nichols Well-Known Member

    Joined:
    May 5, 2003
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    SC
    As terribly lazy as it sounds, is there a how-to or install guide on how to do this anywhere that anyone is aware of? I'd love to offer this feature to clients. Thanks.
     
  9. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    318
    How to install mail scanner from layer1:

    wget http://layer1.cpanel.net/mailscanner-autoinstall-1.5.tar.gz

    tar zxvf mailscanner-autoinstall-1.5.tar.gz

    cd mailscanner*
    ./install

    If you find it pauses on installing perl mods for too long, you will need to install these manually.

    First, Ctrl-C out of the installer:

    pico -w install

    Comment out these lines w/ a #

    Code:
    print "Installing Perl Modules...";
    ssystem("/scripts/perlinstaller","MIME::Base64","File::Spec","HTML::Tagset","HTML::Parser","MIME::Tools","File::Temp","Convert::TNEF");
    print "Done\n";
    So they look like this:

    Code:
    #print "Installing Perl Modules...";
    #ssystem("/scripts/perlinstaller","MIME::Base64","File::Spec","HTML::Tagset","HTML::Parser","MIME::Tools","File::Temp","Convert::TNEF");
    #print "Done\n";
    Then install the above modules via WHM's Perl Module installer, and finish the install with ./install
     
  10. Drew Nichols

    Drew Nichols Well-Known Member

    Joined:
    May 5, 2003
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    SC
    Thank you so much!
     
  11. mfragoso

    mfragoso Active Member

    Joined:
    Oct 17, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Mexico City
    cPanel Access Level:
    Root Administrator
    Another way to get rid of it...

    Since last Thursday I have had the following rule installed inside antivirus.exim:

    Code:
    if $message_body contains "Windows-1252"
    then
    fail text "Message rejected, looks like Novarg Virus"
    seen finish
    endif

    It looks like that will catch more than that virus; however, it is rare to see a charset definition inside the body, especially with the windows-1252 value.
    Worked for me; I hope it works for you too.
     
  12. SageBrian

    SageBrian Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    416
    Likes Received:
    2
    Trophy Points:
    318
    Location:
    NY/CT (US)
    cPanel Access Level:
    Root Administrator
    Re: Another way to get rid of it...

    When you say it's 'rare', what type of mail is that? Junk? Or International?

    Seems a bit of a broad stroke. Though, if it works, it might be good.
     
  13. mfragoso

    mfragoso Active Member

    Joined:
    Oct 17, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Mexico City
    cPanel Access Level:
    Root Administrator
    About the charset

    Rare in all senses....

    Windows-1252 is used for European languages (French, Spanish, Dutch, etc.). However, I run several servers in Latin America and none of them use it as default (maybe because our Spanish and your American English are ISO 8859-1 based by default).

    Additionally, the charset header is commonly used not in the body but in the header. So the rule won't catch most of the "European" messages.

    I have filtered those messages and this rule has been working flawlessly with over 1000 domains and no false bounces at all...

    I am not saying this is a replacement for an antivirus solution... just a quick and dirty fix, and one that lets you save some bandwidth and resources while looking for another solution.
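As an added illustration (not the poster's filter and not Exim's own code), the Python below models what the antivirus.exim rule from this thread actually inspects: Exim's $message_body is only the first 500 bytes of the body by default (message_body_visible), newlines are turned into spaces, and the lower-case `contains` keyword is a case-insensitive substring test. The three messages are constructed samples that show when the rule fires, why top-level-header charsets never trigger it, and the fixed inspection window that limits it.

```python
import re

MESSAGE_BODY_VISIBLE = 500  # Exim's default: only this many body bytes are inspected

def exim_message_body(raw: bytes) -> str:
    """Approximate Exim's $message_body: everything after the header block,
    cut to MESSAGE_BODY_VISIBLE bytes, with newlines turned into spaces."""
    split = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = split[1] if len(split) == 2 else b""
    return re.sub(rb"\r?\n", b" ", body[:MESSAGE_BODY_VISIBLE]).decode("latin-1")

def novarg_rule_rejects(raw: bytes) -> bool:
    """The posted rule: if $message_body contains "Windows-1252" then fail.
    Exim's lower-case `contains` is a case-insensitive substring test."""
    return "windows-1252" in exim_message_body(raw).lower()

def mime(content_type: str, body: str) -> bytes:
    """Build a raw message (constructed sample) with the given Content-Type."""
    head = ("From: a@example.com\nTo: b@example.net\nSubject: test\n"
            f"MIME-Version: 1.0\nContent-Type: {content_type}\n")
    return (head + "\n" + body).encode("latin-1")

MULTI = 'multipart/mixed; boundary="b1"'
PART_1252 = '--b1\nContent-Type: text/plain; charset="Windows-1252"\n\nSee attached.\n--b1--\n'

# 1. Charset declared in a MIME part header: part headers sit inside the body,
#    so $message_body contains the string and the rule fires. Legitimate
#    multipart mail from a client that tags parts Windows-1252 fires it too.
MULTIPART_1252 = mime(MULTI, PART_1252)

# 2. Charset only in the top-level header, which $message_body never covers:
#    the rule stays quiet, which is why ordinary single-part mail is not bounced.
SINGLEPART_1252 = mime("text/plain; charset=windows-1252", "Hola, ¿qué tal?\n")

# 3. Same part header as 1, pushed past the first 500 body bytes by a long
#    preamble: Exim truncates $message_body, so the rule does not see it.
LATE_1252 = mime(MULTI, "This is a multi-part message in MIME format.\n" * 12 + PART_1252)

def verdicts() -> dict:
    """Rule outcome per sample: True means the message would be rejected."""
    return {name: novarg_rule_rejects(raw) for name, raw in
            [("multipart", MULTIPART_1252), ("single-part", SINGLEPART_1252),
             ("late-part", LATE_1252)]}

if __name__ == "__main__":
    print(verdicts())
```

The third verdict is the practical caveat: a body-substring rule only covers the start of the body, so it is a stopgap beside a real scanner such as the MailScanner + ClamAV setup recommended earlier in the thread.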
     
  14. SageBrian

    SageBrian Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    416
    Likes Received:
    2
    Trophy Points:
    318
    Location:
    NY/CT (US)
    cPanel Access Level:
    Root Administrator
    Thanks

    I'll give it a try till I can get my ClamAV to scan zip files.
     
  15. cretu

    cretu Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    208
    Likes Received:
    0
    Trophy Points:
    166
    Hi,

    Great install tip!

    In case mailscanner does not work or screws something up, what is the procedure to uninstall it?

    Regards,
    Cretu
     
  16. Jeff75

    Jeff75 Well-Known Member

    Joined:
    Apr 11, 2003
    Messages:
    555
    Likes Received:
    0
    Trophy Points:
    166
    I had to uninstall it yesterday and just browsed to the directory and ran the uninstall script "./uninstall".

    IF YOU ARE RUNNING A FREEBSD SERVER, WHATEVER YOU DO, DO NOT INSTALL THIS SCRIPT!!!!!!!!!
     
  17. wills

    wills Well-Known Member

    Joined:
    Jan 29, 2003
    Messages:
    202
    Likes Received:
    1
    Trophy Points:
    168
    Is there a way to disregard the infected messages, rather than clean them up and still send them to the recipient?
     
  18. tomsyer

    tomsyer Active Member

    Joined:
    Aug 5, 2003
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    151
    /usr/mailscanner/etc/MailScanner.conf is the config file

    You can disable it there.
     
  19. tomsyer

    tomsyer Active Member

    Joined:
    Aug 5, 2003
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    151
    # Notify the local system administrators ("Notices To") when any infections
    # are found?
    # This can also be the filename of a ruleset.
    Send Notices = no
     