Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Server under Virus Attack - Please help it's URGENT !!!

Discussion in 'General Discussion' started by checked, Aug 3, 2004.

  1. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    156
    Hi Guys,

    I'm under a BIG problem as my Redhat 9.0 server is badly under a Virus Attack even after having a mailscanner (clamav) installed and having setting under the exim to remove the attachments like : .pif .exe .scr or something similar but still loads of virus mails are not detectable by the mailscanner.

    Here is list of Virus from which my server is affected :

    1. Worm.SomeFool.P (90% of the Virus mails are affected by this virus)
    2. Worm.SomeFool.Z
    3. Worm.SomeFool.Gen-1
    4. Worm.SomeFool.Gen-2
    5. Worm.Bagle.AG
    6. Worm.Bagle.AG.2
    7. Worm.Bagle.AC
    8. Worm.Gibe.F

    and many other also but these are the major ones affecting mails daily


    Below are my few problems with it and I need your help :

    1) Mailscanner is very much capable of removing the attachments but I want him to simply remove the mail from the queue when it detect it as a virus mail.

    2) I want to stop the mailscanner not to send any return mail when it detect a virus. Actually what it does whenever it found a virus it immediately send areturn mail to the sender. Most of the time the sender address is fake but sometime it is set to any email of my clients and they got a return mail they were trying to send a virus mail which they actually not.

    Please help me to get out of this big problem.
     
    #1 checked, Aug 3, 2004
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    All your questions have already been answered on these forums. I'd suggest using the search button :)

    The biggest problem you're having is most likely that you are running an old version of MailScanner and an old version of ClamAV - you need to upgrade both to the latest releases.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 chirpy, Aug 3, 2004
  3. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    156
    Yes I think you are right and it seems that after updating it is solved (looks so). Actually I was so tensed and did a search in a hurry and didn't find anything. But now I did it and looked around many threads and I think I got it.

    Once again thanks for your kind advice :)
     
    #3 checked, Aug 3, 2004
  4. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    7
    Trophy Points:
    318
    Location:
    back woods of NC, USA
    Just curious ..what did you find out? I tried mailscanner before. It was so resource intensive I elected to git rid of it. That was back when I had 500 sites on 2 boxes. Now I have 700 on 6 boxes that have more ram. Some of these viruses are fooling people ..like the ones they say hey: "I am youdomain admin. you need to run this script so your email will work". I mean thses bastards are sneeky!! I have had customers send me replies saying "now what? , I ran your file" and I am wondering what they are talking about. I tell you ..if it wasn't for virus and spam we would have 75% less work load!!!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 rpmws, Aug 3, 2004
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    I've never had a virus get through MailScanner+ClamAV. So long as you have freshclam run regularly and keep MailScanner up to date, it's as good a solution as any.
    I would suspect that you weren't using the clamavmodule which uses Mail::ClamAV, but instead usng the standard clamav which is a resource hog.

    There's no denying that it will put load on your server - it's doing a lot of work for you. But if it is well configured on a server that doesn't already have performance issues, there really should not be any problems.

    A lot of people like Exiscan, but if you want a very flexible and configurable solution, it'd be very difficult to find anything better, IMHO ;)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 chirpy, Aug 3, 2004
  6. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    7
    Trophy Points:
    318
    Location:
    back woods of NC, USA
    was using clamavmodule ..loads on dual boxes were kept average of about 1.2 -1.8 and maxxed out at 3 for breif periods like backups and stuff like that. mailscanner took it to a constant of about 3-4 on loads. This was at a time that we were seeing soooo many new ones hit.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 rpmws, Aug 3, 2004
  7. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    156
    I tell you, All I did is just upgrade the Mailscanner as directed at the following thread :

    http://forums.cpanel.net/showthread.php?t=21290

    and after updating it I updated the Clamav to 0.75 (latest version).

    The thing which actually did the trick is setting under the mailscanner.conf which were not available under the old verion which I had and I just set few option like : denying to send a return mail whenever gets the virus (most of the time it is fake address) and few other similar options.

    It is not like that my server is not receiving virus mails now. It is still receiveing virus infected mails right now but it not delivering them and not even sending the return mail to the Email ID set in the reply-to field (which is actually fake)

    I hope this helps :)
     
    #7 checked, Aug 3, 2004
(You must log in or sign up to post here.)
Loading...
Similar Threads - Server under Virus
  1. DrKnuth

    Multiple WHM servers under the same domain

    DrKnuth, Feb 16, 2018, in forum: General Discussion
    Replies:
    5
    Views:
    387
    cPanelMichael
    Feb 19, 2018
  2. NguyenCong

    How to disable send an email: lfd on server: Suspicious process running under user

    NguyenCong, Nov 6, 2016, in forum: Security
    Replies:
    3
    Views:
    6,807
    cPanelMichael
    Nov 7, 2016
  3. postcd

    New Thread How to sync data between old and successor server?

    postcd, Aug 20, 2018 at 6:32 AM, in forum: General Discussion
    Replies:
    0
    Views:
    7
    postcd
    Aug 20, 2018 at 6:32 AM
  4. Samet Chan

    New Thread Updated kernel & rebooted server after won't back

    Samet Chan, Aug 19, 2018 at 7:53 PM, in forum: General Discussion
    Replies:
    0
    Views:
    20
    Samet Chan
    Aug 19, 2018 at 7:53 PM
  5. swbrains

    Server migration global settings

    swbrains, Aug 16, 2018 at 1:14 PM, in forum: General Discussion
    Replies:
    2
    Views:
    56
    cPanelMichael
    Aug 17, 2018 at 12:12 PM

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice