Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: big_gie on October 27, 2004, 08:01:29 AM

Title: Virus found in weird places
Post by: big_gie on October 27, 2004, 08:01:29 AM
Hi,

I just installed Clam AV from a guide here at contribs.org. I set it to scan each day, and send me an email with results.

I got this:
Quote

Clam Antivirus Scan Results - Wed Oct 27 00:00:01 EDT 2004

//var/log/squid/access.log: Exploit.HTML.MHT-2 FOUND
//var/log/squid/store.log: Exploit.HTML.MHT-2 FOUND
//var/spool/squid/00/12/000012D0: Exploit.HTML.MHT-2 FOUND
//var/spool/squid/00/13/000013D0: Trojan.VBS.Psyme.V FOUND

----------- SCAN SUMMARY -----------
Known viruses: 24682
Scanned directories: 10966
Scanned files: 75537
Infected files: 4
Data scanned: 2075.16 MB
I/O buffer size: 131072 bytes
Time: 1856.776 sec (30 m 56 s)


What are those? Did Clam delete them? How can I disinfect? How did they manage to get there? What should I do?

Thank you
Title: Virus found in weird places
Post by: genzil on October 27, 2004, 07:06:24 PM
First, squid is used to cache all your requests to the internet.  If a web page has a piece of code in it that is classified as a virus then this will be picked up; this is what is happening with the files in your squid folders.

Chances are that the first ones won't affect your server as it looks to only affect web browsers.

For the last one look at:
http://securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html

Either way I wouldn't worry too much about them affecting your server, it's your clients that I would worry about.
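A way to act on the point above (the cache hits are about clients, not the server) is to map each flagged cache object back to the URL that was stored in it and to the clients that fetched it. This is an added example, not code from the thread or from SME Server. It assumes the Squid 2.x native store.log and access.log layouts (field positions are noted in the code; check them against your version), the ufs cache layout in which the last path component is the swap file number in hex, and squid's default 16/256 cache_dir split. The log lines are constructed samples that mirror the file numbers in the scan report; the host names are placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the thread). Squid 2.x store.log fields:
# time action dir fileno md5 status date lastmod expires type
# expect-len/real-len method URL
STORE_LOG = """\
1098849601.101 SWAPOUT 00 000012D0 3A1F0C7B5D2E4F6A8B9C0D1E2F3A4B5C 200 1098849600 -1 -1 text/html 4321/4321 GET http://cache-test.example/promo.mht
1098849602.205 SWAPOUT 00 000013D0 9F8E7D6C5B4A39281706F5E4D3C2B1A0 200 1098849601 -1 -1 text/html 1880/1880 GET http://cache-test.example/counter.html
1098849603.300 RELEASE 00 000000AA 11112222333344445555666677778888 200 1098849600 -1 -1 image/gif 120/120 GET http://cache-test.example/spacer.gif
"""

# Squid native access.log fields: time elapsed client code/status bytes
# method URL ident hierarchy/peer type
ACCESS_LOG = """\
1098849601.101    130 192.168.1.50 TCP_MISS/200 4321 GET http://cache-test.example/promo.mht - DIRECT/203.0.113.10 text/html
1098849602.205     90 192.168.1.77 TCP_MISS/200 1880 GET http://cache-test.example/counter.html - DIRECT/203.0.113.10 text/html
1098849650.010      2 192.168.1.51 TCP_HIT/200 4321 GET http://cache-test.example/promo.mht - NONE/- text/html
"""

# ClamAV prints "//var/spool/squid/..." when it recurses from "/", so match on
# the trailing L1/L2/fileno components and ignore whatever precedes them.
_SWAP_RE = re.compile(r"/([0-9A-Fa-f]{2})/([0-9A-Fa-f]{2})/([0-9A-Fa-f]{8})$")


def swap_file_number(path):
    """Return the squid swap file number (int) encoded in a ufs cache object path."""
    m = _SWAP_RE.search(path.strip())
    if not m:
        raise ValueError("not a squid ufs cache object path: %r" % path)
    return int(m.group(3), 16)


def expected_cache_path(cache_dir, fileno, l1=16, l2=256):
    """Rebuild the on-disk path squid's ufs store uses for a file number.
    Assumes the default cache_dir layout (16 L1 dirs, 256 L2 dirs)."""
    return "%s/%02X/%02X/%08X" % (cache_dir, (fileno // l2 // l2) % l1,
                                  (fileno // l2) % l2, fileno)


def url_for_swap_file(store_log, fileno):
    """URL last SWAPOUT'ed to the file number. File numbers are reused after a
    RELEASE, so the most recent SWAPOUT is the object ClamAV actually read."""
    url = None
    for line in store_log.splitlines():
        f = line.split()
        if len(f) < 13 or f[1] != "SWAPOUT":
            continue
        if int(f[3], 16) == fileno:
            url = f[12]
    return url


def clients_for_url(access_log, url):
    """Return [(utc-iso-time, client-ip, squid-result)] for every request of url,
    including TCP_HIT replays served from the cached copy."""
    hits = []
    for line in access_log.splitlines():
        f = line.split()
        if len(f) < 7 or f[6] != url:
            continue
        when = datetime.fromtimestamp(float(f[0]), tz=timezone.utc).isoformat()
        hits.append((when, f[2], f[3]))
    return hits


def trace_cache_hit(clam_path, store_log=STORE_LOG, access_log=ACCESS_LOG):
    """Map one ClamAV hit on the squid cache back to a URL and the clients."""
    fileno = swap_file_number(clam_path)
    url = url_for_swap_file(store_log, fileno)
    clients = clients_for_url(access_log, url) if url else []
    return {"fileno": fileno, "url": url, "clients": clients}


if __name__ == "__main__":
    for p in ("//var/spool/squid/00/12/000012D0", "//var/spool/squid/00/13/000013D0"):
        r = trace_cache_hit(p)
        print(p, "->", r["url"])
        for when, ip, code in r["clients"]:
            print("   ", when, ip, code)
```

On a real server, read store.log and access.log from disk instead of the constructed strings; the clients listed (especially the TCP_HIT ones, which got the object from the cache after it was first fetched) are the machines to check.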
Title: Virus found in weird places
Post by: rexgaylord on October 27, 2004, 08:57:58 PM
I've had the same kind of problem for about 6 months now, I've searched everywhere and have never found these locations, reset squid, reset cache no results.

/tmp/clamav-0d077ecce1787c5c/usr/lib/libpavdll.so.3.6.0.1: W32.GriYo FOUND
/tmp/clamav-954d8cc651b1cc67/bin/exe/libpavdll_qm.so.3.2.1.8: W32.GriYo FOUND
/tmp/clamav-954d8cc651b1cc67/bin/update/download_sf.sh: Eicar-Test-Signature FOUND
/tmp/clamav-954d8cc651b1cc67/bin/update/test_sf.sh: Eicar-Test-Signature FOUND
Title: Virus found in weird places
Post by: genzil on October 27, 2004, 10:31:10 PM
Quote from: "rexgaylord"

/tmp/clamav-0d077ecce1787c5c/usr/lib/libpavdll.so.3.6.0.1: W32.GriYo FOUND
/tmp/clamav-954d8cc651b1cc67/bin/exe/libpavdll_qm.so.3.2.1.8: W32.GriYo FOUND
/tmp/clamav-954d8cc651b1cc67/bin/update/download_sf.sh: Eicar-Test-Signature FOUND
/tmp/clamav-954d8cc651b1cc67/bin/update/test_sf.sh: Eicar-Test-Signature FOUND


The first 2 are Windows viruses so they won't affect it; the last one is a test virus.  It doesn't do anything and is simply a test virus.  It was designed to prove that a virus program works and you should be able to find more about it by using Google.

The reason that you can't find the viruses, I would guess, is that ClamAV looks in compressed files, but to do so it has to decompress these files, and it looks like something related.

Any ideas any one else?
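If the hits really are members of an archive that ClamAV unpacked into a temporary directory, the archive can be located by searching for any archive whose member list contains the path reported below the /tmp/clamav-<hex>/ prefix. This is an added example, not code from the thread or from ClamAV; it handles tar and zip archives only (ClamAV unpacks other formats as well), and the sample tree it searches is a constructed fixture with a placeholder payload, not the files named in the report.

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Inner path as reported under /tmp/clamav-954d8cc651b1cc67/ in the post.
REPORTED_MEMBER = "bin/update/test_sf.sh"

ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tbz2", ".zip")


def _norm(name):
    """Normalise a member name: tar often stores './x', zip never does."""
    if name.startswith("./"):
        name = name[2:]
    return name.lstrip("/")


def archive_members(path):
    """Member names of a tar or zip archive; [] if it cannot be read."""
    try:
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as z:
                return z.namelist()
        if tarfile.is_tarfile(path):
            with tarfile.open(path) as t:
                return t.getnames()
    except (OSError, tarfile.TarError, zipfile.BadZipFile):
        pass
    return []


def find_archives_containing(root, member):
    """Walk root and return every archive whose member list contains member."""
    wanted = _norm(member)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            if wanted in {_norm(n) for n in archive_members(full)}:
                hits.append(full)
    return sorted(hits)


def build_sample_tree():
    """Constructed fixture: a temp dir holding a decoy zip and a tarball that
    carries the reported member names. Payload is a placeholder, not the real
    files and not a test signature."""
    root = tempfile.mkdtemp(prefix="clam-src-")
    decoy = os.path.join(root, "notes.zip")
    with zipfile.ZipFile(decoy, "w") as z:
        z.writestr("README", "nothing to see\n")
    tgz = os.path.join(root, "opt", "vendor-av.tar.gz")
    os.makedirs(os.path.dirname(tgz))
    payload = b"#!/bin/sh\n# constructed placeholder\n"
    with tarfile.open(tgz, "w:gz") as t:
        for member in ("./bin/update/download_sf.sh", "./" + REPORTED_MEMBER):
            info = tarfile.TarInfo(member)
            info.size = len(payload)
            t.addfile(info, io.BytesIO(payload))
    return root, tgz


if __name__ == "__main__":
    root, _ = build_sample_tree()
    for hit in find_archives_containing(root, REPORTED_MEMBER):
        print("archive containing %s: %s" % (REPORTED_MEMBER, hit))
```

On a live system call find_archives_containing with the directories the daily scan covers (walking "/" takes a while); rather than chasing temp paths, you can also rerun clamscan on the suspected directory with --leave-temps so the extracted tree stays in place for inspection.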
Title: Virus found in weird places
Post by: rexgaylord on October 27, 2004, 10:40:43 PM
Any ideas where the compressed files could be located?
/tmp/clamav-ecce1787c5c/ and /tmp/clamav-954d8cc651b1cc67/ do not exist anywhere on my server.  There are a lot of files and folders in /tmp but none that I recognize as a compressed file.  Thanks.
Title: Virus found in weird places
Post by: genzil on October 27, 2004, 10:58:54 PM
Not a clue; you will need to use your log file to find that info.
I'm only guessing at the compressed nature of the files so I could be wrong.