Topic: ClamAV and rkhunter errors on SME Server 7.3 - Help Needed

[ScottieDog]

I am running SME Server 7.3. I always install the latest updates within 24 hours of being notified. For the past few weeeks, I have been receiving the following error messages.

This is the first error message;
_______________________________________________________________________________
2008-02-21 20:30:37.337590500 ClamAV update process started at Thu Feb 21 20:30:37 2008
2008-02-21 20:30:37.338174500 WARNING: Your ClamAV installation is OUTDATED!
2008-02-21 20:30:37.338198500 WARNING: Local version: 0.92 Recommended version: 0.92.1
2008-02-21 20:30:37.338202500 DON'T PANIC! Read http://www.clamav.net/support/faq
2008-02-21 20:30:37.338456500 main.inc is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
2008-02-21 20:30:37.450703500 ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
2008-02-21 20:30:37.450727500 ERROR: getpatch: Can't apply patch
2008-02-21 20:30:37.450799500 WARNING: Incremental update failed, trying to download daily.cvd
2008-02-21 20:30:39.811291500 WARNING: Mirror 193.1.193.64 is not synchronized.
2008-02-21 20:30:39.816544500 Giving up on database.clamav.net...
2008-02-21 20:30:39.816580500 Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.
_____________________________________________________________________________________________

This is the second error message;
_____________________________________________________________________________________________
/etc/cron.daily/01-rkhunter:

Warning: The following processes are using deleted files:
         Process: /usr/bin/freshclam    PID: 3947    File: /var/clamav/clamav-3ba21ac2c79001b0e9062faa857950de
Warning: Process '/sbin/pppoe' (PID 3392) is listening on the network.
Warning: Process '/sbin/pppoe' (PID 3392) is listening on the network.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
_____________________________________________________________________________________________


Any help would be greatly appreciated.

[chris burnat]

1) I am also experiencing problems with Clamav over past day on all of our servers, they are in NSW.
 Are you with TPG? 

2) The errors you see with RKH are a result of the latest upgrade to 7.3.
Please fill a bug report at Bugzilla about this, there are already a few but it is best having one report per type of bugs.  The error you are seeing have not been reported to date AFAIK.  Doing so will ensure this issue is either fixed or documented.
Thanks,

[igardiner]

I have been receiving the same error messages as well as of Wed 20/2/08. Our servers are currently located in NSW as well, hosted with Exetel!

[chris burnat]

I have been receiving the same error messages as well as of Wed 20/2/08. Our servers are currently located in NSW as well, hosted with Exetel!

Thanks, same here with TPG as of 20/2/08.
Is your connection working through a proxy at exetel?
To find out, go to a browser and type:

http://stuff.daniel15.com/php/testproxy.php

Thanks.
chris

[igardiner]

We don't have a proxy server. We currently have an IPCop box connecting to our modem which is using PPOE to connect to exetel. The results of your link say:

No proxy server detected!
Your IP address: 220.233.160.205

[StephenHodgman]

I have also been getting ClamAV errors on the system we have on TPG.
Our other system using Netspeed is not getting the errors.
TPG proxy everything so this is what I get when testing for the proxy.

Proxy server detected!
Proxy server IP Address: 203.26.16.67
Proxy server details:

   1. Server HTTP version: 1.1
      Server address: cbr-pow-pr2.tpgi.com.au (port: 3128)
      Server version: squid
 .....

Do you have any ideas as to why this is failing?

[Tib]

I'm getting these errors as well .... I'm not with TPG

Server HTTP version: 1.0
Server address: proxy1.bne.dft.com.au (port: 80)
Server version: squid/2.6.STABLE18

[chris burnat]

Thanks, this make me feel better, at least it does not appear to be related to our ISP or proxy issue.  (I may live to regret saying this...)
Have posted a bug report, check:
http://bugs.contribs.org/show_bug.cgi?id=3962
Best would be to provide iadditional comments at Bugzilla about this issue from now on, so that all information is found at one place, and one place only.
Thanks
chris

[ScottieDog]

My server is connected through aaNet (eftel) in Victoria, Australia.

I know for a fact they use transparent proxy, as I have had issues with my Windows servers as well due to proxy issues.

My proxy testing came back as follows;

Proxy server detected!
Proxy server IP Address: 203.171.70.222
Proxy server details:
Server HTTP version: 1.1
Server address: glasgow.shields.net.au (port: 3128)
Server version: squid/2.5.STABLE14
Server reports IP address as: 10.50.4.100

Server HTTP version: 1.0
Server address: proxy4.mel.dft.com.au (port: 80)
Server version: squid/2.6.STABLE18
Server reports IP address as: 203.171.70.222

Raw HTTP X_Forwarded_For header: 10.50.4.100, 203.171.70.222
Raw HTTP Via header: 1.1 glasgow.shields.net.au:3128 (squid/2.5.STABLE14), 1.0 proxy4.mel.dft.com.au:80 (squid/2.6.STABLE18)


I know, due to the windows problem, that I can request from aaNet to bypass the proxy. I might try that & see what happens.

Chris - maybe it is your ISP.......

[chris burnat]

Scottie,

I know, due to the windows problem, that I can request from aaNet to bypass the proxy. I might try that & see what happens.
Chris - maybe it is your ISP.......

Hmmmm.  I have requested proxy to be disabled on one of the affected service from TPG, needs to be in written form,  lets see. Please let us know what you find after your proxy is disabled. 
Thanks.

[idp_qbn]

Hi,
I had the same problem and it reminded me that it had also occurred about 18 months ago (more or less). It was solved then by issuing the following commands (which I found in the forums somewhere).

sv d freshclam
rm -f /var/clamav/mirrors.dat
sv u freshclam

I think the upshot of these is to :
1 stop freshclam service
2. delete the mirrors list (which preseumably has become corrupted somehow)
3. restart freshclam

Anyhoooo... I did this again this afternoon and have had no "freshclam failures" since.

Cheers
Ian

[chris burnat]

Hi,
I had the same problem and it reminded me that it had also occurred about 18 months ago (more or less). It was solved then by issuing the following commands (which I found in the forums somewhere).

sv d freshclam
rm -f /var/clamav/mirrors.dat
sv u freshclam

I think the upshot of these is to :
1 stop freshclam service
2. delete the mirrors list (which preseumably has become corrupted somehow)
3. restart freshclam

Anyhoooo... I did this again this afternoon and have had no "freshclam failures" since.

Cheers
Ian

idp, I have arrived at path.  Check: http://bugs.contribs.org/show_bug.cgi?id=3962

[jokiin]

My server is connected through aaNet (eftel) in Victoria, Australia.

Likewise, aaNet but NSW

I know, due to the windows problem, that I can request from aaNet to bypass the proxy. I might try that & see what happens.

Keep in mind if you have them take you off the proxy you will get a new IP address as part of the procedure, just mentioning it in case you need to keep your IP


I recall last time this happened the proxy took a few days to get the update before the newer version came through, was a while ago though

[william_syd]

How often does freshclam update?

I'm with Optus cable in NSW and I get one or two failures a day every couple of days.

SME 7.3 fully updated. Actually, just did the smeupdates-testing update of clamav to get rid of the version warning.

[jokiin]

How often does freshclam update?

Not sure how often it updates but I think it checks for updates daily, occasionally the new version seems to need to be fixed to suit SME and it takes a bit longer to get sorted, this happened a while ago also but has been for ages