Koozali.org: home of the SME Server

Email.Phishing.DblDom-136 FOUND

Offline Bozely

« on: February 26, 2009, 12:18:57 PM »
Hi all,

Not had to deal with this before, but ClamAV has picked up a ton of what it says are infected files; it has picked up a total of 328 occurrences!! All of which are pretty similar to the one below and appeared pretty much within a day:

Code:
/var/www/sarg/weekly/2008Oct05-2008Oct11/siteuser.html: Email.Phishing.DblDom-136 FOUND

Is this a false positive or do I need to take some action? I'm not an advanced user by any stretch of the imagination, and to date most infected files have just been junk mail, whereupon I've written and executed a delete script and forgotten about it. I'm not so inclined to do this with our log files, though.

Regards


Offline Paul Howard

Re: Email.Phishing.DblDom-136 FOUND
« Reply #1 on: March 31, 2009, 02:23:28 PM »
I don't use Sarg, but it looks like false positives.

Doing a bit of Google digging, the location looks to be a log for Sarg which details the addresses visited by your users for that time period.

This would seem to indicate the ClamAV definition is picking up a phishing site within the log file for the address visited by your users / workstations, which is resulting in false positives.

The site.html simply is the log file in HTML format detailing all the visited URLs for that time period and the machines which attempted / visited it.

Someone who uses Sarg might be able to give you more info.
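Added example, not part of the original thread and not code from any poster: a small Python triage of ClamAV scan output in the "path: signature FOUND" format quoted in the first post. It separates hits inside the SARG report tree, which Reply #1 suggests are false positives, from hits elsewhere that still need a look. Only the first sample line comes from the thread; the other sample lines, the `report_root` default and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample. The first line is the one quoted in the thread;
# the remaining lines are made up for illustration.
SAMPLE = """\
/var/www/sarg/weekly/2008Oct05-2008Oct11/siteuser.html: Email.Phishing.DblDom-136 FOUND
/var/www/sarg/weekly/2008Oct12-2008Oct18/siteuser.html: Email.Phishing.DblDom-136 FOUND
/var/www/sarg/daily/2008Oct13/topsites.html: Email.Phishing.DblDom-136 FOUND
/home/e-smith/files/users/alice/Maildir/cur/1234.msg: Email.Phishing.DblDom-136 FOUND
/var/www/sarg/weekly/2008Oct05-2008Oct11/index.html: OK
"""

# Greedy path match so a path that itself contains ": " is still split
# at the last "<signature> FOUND" suffix.
HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def parse_hits(text):
    """Return (path, signature) for each FOUND line; OK and summary lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def triage(text, report_root="/var/www/sarg/"):
    """Split hits into generated-report files and everything else."""
    hits = parse_hits(text)
    outside = [p for p, _ in hits if not p.startswith(report_root)]
    return {
        "by_signature": Counter(sig for _, sig in hits),
        "report_hits": len(hits) - len(outside),
        "needs_review": outside,  # hits outside the report tree
    }


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("hits per signature:", dict(result["by_signature"]))
    print("hits inside report tree:", result["report_hits"])
    for path in result["needs_review"]:
        print("review separately:", path)
```
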



 

Offline David Harper

Re: Email.Phishing.DblDom-136 FOUND
« Reply #2 on: March 31, 2009, 02:30:01 PM »
I'd say that this warrants posting a bug so the problem can be investigated further. Please post the bug number in this thread for future reference.