Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: icpix on December 07, 2004, 12:45:14 PM

Title: all emails are now being put into the problems area
Post by: icpix on December 07, 2004, 12:45:14 PM
My own box has suddenly started putting all, seemingly *OK*, emails into the *problems area*. These include my test emails sent from one account to another account right here. I've already deleted a *problem* email thinking it was well-named spoof.

For the last two months my server has withstood a daily feed of about 10 detections of <Worm.Mydoom.I> from a dialup nest whose IPs get attributed to NTL here in the UK and about which they have yet to do anything effective. I am a bit concerned that something has been allowed to bite... Hopefully something is amiss with the antivirus functionality(?) but not TOO amiss;~/

The last freshclam update is cited as being...
Virus patterns last updated: Tue, 7 Dec 2004 08:35:02 +0000

There is an error report in the Control Panel (Antivirus) citing...
Cannot connect to /var/lib/clamav/clamd.sock.
...anyone an idea what might be going on?

----Robert
Title: all emails are now being put into the problems area
Post by: icpix on December 07, 2004, 12:54:33 PM
[amavis-ng/amavis-ng.log]
Dec  6 19:48:37 systa amavis[22230]: Starting AMaViS 0.1.6.4
Dec  6 19:48:38 systa amavis[22230]: Unpacking message in /var/spool/amavis-ng/amavis-unpack-41b4b796-56d6
Dec  6 19:48:38 systa amavis[22230]: AMAVIS: Determined 00000000 to be type message/rfc822
Dec  6 19:48:38 systa amavis[22230]: AMAVIS: Determined 00000001 to be type text/plain
Dec  6 19:48:38 systa amavis[22230]: Not attempting to unpack 00000001
Dec  6 19:48:38 systa amavis[22230]: AMAVIS::MTA::Qmail: Accepting message
Dec  6 19:48:38 systa amavis[22230]: AMAVIS::MTA::Qmail: /var/qmail/bin/qmail-queue exited: 0
Dec  6 19:48:38 systa amavis[22230]: AMAVIS: Cleaning up.
Dec  6 19:48:38 systa amavis[22230]: AMAVIS: Done.
Dec  6 21:22:59 systa amavis[24926]: Starting AMaViS 0.1.6.4
Dec  6 21:23:02 systa amavis[24926]: Unpacking message in /var/spool/amavis-ng/amavis-unpack-41b4cdb3-615e
Dec  6 21:23:02 systa amavis[24926]: AMAVIS: Determined 00000000 to be type message/rfc822
Dec  6 21:23:02 systa amavis[24926]: AMAVIS: Determined 00000001 to be type text/plain
Dec  6 21:23:02 systa amavis[24926]: Not attempting to unpack 00000001
Dec  6 21:23:02 systa amavis[24926]: AMAVIS: Determined 00000002 to be type application/x-zip
Dec  6 21:23:02 systa amavis[24926]: AMAVIS: Determined 00000003 to be type application/octet-stream
Dec  6 21:23:02 systa amavis[24926]: Not attempting to unpack 00000003
Dec  6 21:23:02 systa amavis[24926]: CLAMD found:
Dec  6 21:23:02 systa amavis[24926]:  Worm.Mydoom.I
Dec  6 21:23:02 systa amavis[24926]: AMAVIS::MTA::Qmail: Dropping message
Dec  6 21:23:02 systa amavis[24926]: Quarantining infected message to /var/spool/amavis-ng/quarantine/41b4cdb6-615e
Dec  6 21:23:03 systa amavis[24926]: AMAVIS::MTA::Qmail: /var/qmail/bin/qmail-queue exited: 0
Dec  6 21:23:03 systa amavis[24926]: AMAVIS: Cleaning up.
Dec  6 21:23:03 systa amavis[24926]: AMAVIS: Done.
Dec  6 21:44:32 systa amavis[25581]: Starting AMaViS 0.1.6.4
Dec  6 21:44:33 systa amavis[25581]: Unpacking message in /var/spool/amavis-ng/amavis-unpack-41b4d2c1-63ed
Dec  6 21:44:33 systa amavis[25581]: AMAVIS: Determined 00000000 to be type message/rfc822
Dec  6 21:44:33 systa amavis[25581]: AMAVIS: Determined 00000001 to be type text/plain
Dec  6 21:44:33 systa amavis[25581]: Not attempting to unpack 00000001
Dec  6 21:44:33 systa amavis[25581]: AMAVIS::MTA::Qmail: Accepting message
Dec  6 21:44:33 systa amavis[25581]: AMAVIS::MTA::Qmail: /var/qmail/bin/qmail-queue exited: 0
Dec  6 21:44:33 systa amavis[25581]: AMAVIS: Cleaning up.
Dec  6 21:44:33 systa amavis[25581]: AMAVIS: Done.
Dec  6 23:13:26 systa amavis[28058]: Starting AMaViS 0.1.6.4
Dec  6 23:13:26 systa amavis[28058]: Unpacking message in /var/spool/amavis-ng/amavis-unpack-41b4e796-6d9a
Dec  6 23:13:26 systa amavis[28058]: AMAVIS: Determined 00000000 to be type message/rfc822
Dec  6 23:13:26 systa amavis[28058]: AMAVIS: Determined 00000001 to be type text/plain
Dec  6 23:13:26 systa amavis[28058]: Not attempting to unpack 00000001
Dec  6 23:13:26 systa amavis[28058]: AMAVIS::MTA::Qmail: Accepting message
Dec  6 23:13:26 systa amavis[28058]: AMAVIS::MTA::Qmail: /var/qmail/bin/qmail-queue exited: 0
Dec  6 23:13:26 systa amavis[28058]: AMAVIS: Cleaning up.
Dec  6 23:13:26 systa amavis[28058]: AMAVIS: Done.
Dec  6 23:44:41 systa amavis[28918]: Starting AMaViS 0.1.6.4
Dec  6 23:48:42 systa amavis[28918]: Unpacking message in /var/spool/amavis-ng/amavis-unpack-41b4eeea-70f6
Dec  6 23:48:42 systa amavis[28918]: AMAVIS: Determined 00000000 to be type message/rfc822
Dec  6 23:48:42 systa amavis[28918]: AMAVIS: Determined 00000001 to be type text/plain
Dec  6 23:48:42 systa amavis[28918]: Not attempting to unpack 00000001
Dec  6 23:48:42 systa amavis[28918]: AMAVIS: Determined 00000002 to be type application/octet-stream
Dec  6 23:48:42 systa amavis[28918]: Not attempting to unpack 00000002
Dec  6 23:48:42 systa amavis[28918]: CLAMD found:
Dec  6 23:48:42 systa amavis[28918]:  Worm.Mydoom.I
Dec  6 23:48:42 systa amavis[28918]: AMAVIS::MTA::Qmail: Dropping message
Dec  6 23:48:42 systa amavis[28918]: Quarantining infected message to /var/spool/amavis-ng/quarantine/41b4efda-70f6
Dec  6 23:48:42 systa amavis[28918]: AMAVIS::MTA::Qmail: /var/qmail/bin/qmail-queue exited: 0
Dec  6 23:48:42 systa amavis[28918]: AMAVIS: Cleaning up.
Dec  6 23:48:42 systa amavis[28918]: AMAVIS: Done.
Dec  6 23:53:42 systa amavis[29247]: Starting AMaViS 0.1.6.4
Dec  6 23:53:54 systa amavis[29247]: AMAVIS::MTA::Qmail: Wrong recipient line format ()
Dec  6 23:53:54 systa amavis[29247]: AMAVIS: Abandoning message
Dec  6 23:53:54 systa amavis[29247]: AMAVIS: Cleaning up.
Dec  6 23:53:54 systa amavis[29247]: AMAVIS: Done.
Dec  6 23:57:12 systa amavis[29353]: Starting AMaViS 0.1.6.4
Dec  6 23:57:12 systa amavis[29353]: Unpacking message in /var/spool/amavis-ng/amavis-unpack-41b4f1d8-72a9
Dec  6 23:57:12 systa amavis[29353]: AMAVIS: Determined 00000000 to be type message/rfc822
Dec  6 23:57:12 systa amavis[29353]: AMAVIS: Determined 00000001 to be type text/plain
Dec  6 23:57:12 systa amavis[29353]: Not attempting to unpack 00000001
Dec  6 23:57:13 systa amavis[29353]: AMAVIS::MTA::Qmail: Accepting message
Dec  6 23:57:13 systa amavis[29353]: AMAVIS::MTA::Qmail: /var/qmail/bin/qmail-queue exited: 0
Dec  6 23:57:13 systa amavis[29353]: AMAVIS: Cleaning up.
Dec  6 23:57:13 systa amavis[29353]: AMAVIS: Done.
Dec  7 03:50:52 systa amavis[30735]: Starting AMaViS 0.1.6.4
Dec  7 03:50:53 systa amavis[30735]: Unpacking message in /var/spool/amavis-ng/amavis-unpack-41b5289d-780f
Dec  7 03:50:53 systa amavis[30735]: AMAVIS: Determined 00000000 to be type message/rfc822
Dec  7 03:50:53 systa amavis[30735]: AMAVIS: Determined 00000001 to be type text/plain
Dec  7 03:50:53 systa amavis[30735]: Not attempting to unpack 00000001
Dec  7 03:50:53 systa amavis[30735]: AMAVIS: Determined 00000002 to be type application/rtf
Dec  7 03:50:53 systa amavis[30735]: Not attempting to unpack 00000002
Dec  7 03:50:54 systa amavis[30735]: AMAVIS::MTA::Qmail: Accepting message
Dec  7 03:50:54 systa amavis[30735]: AMAVIS::MTA::Qmail: /var/qmail/bin/qmail-queue exited: 0
Dec  7 03:50:54 systa amavis[30735]: AMAVIS: Cleaning up.
Dec  7 03:50:54 systa amavis[30735]: AMAVIS: Done.
Dec  7 08:11:50 systa amavis[5778]: Starting AMaViS 0.1.6.4
Dec  7 08:13:54 systa amavis[5778]: Unpacking message in /var/spool/amavis-ng/amavis-unpack-41b565c6-1692
Dec  7 08:13:54 systa amavis[5778]: AMAVIS: Determined 00000000 to be type message/rfc822
Dec  7 08:13:54 systa amavis[5778]: AMAVIS: Determined 00000001 to be type text/plain
Dec  7 08:13:54 systa amavis[5778]: Not attempting to unpack 00000001
Dec  7 08:13:54 systa amavis[5778]: AMAVIS: Determined 00000002 to be type application/x-zip
Dec  7 08:13:54 systa amavis[5778]: AMAVIS: Determined 00000003 to be type application/octet-stream
Dec  7 08:13:54 systa amavis[5778]: Not attempting to unpack 00000003
Dec  7 08:13:54 systa amavis[5778]: CLAMD found:
Dec  7 08:13:54 systa amavis[5778]:  Worm.Mydoom.I
Dec  7 08:13:54 systa amavis[5778]: AMAVIS::MTA::Qmail: Dropping message
Dec  7 08:13:54 systa amavis[5778]: Quarantining infected message to /var/spool/amavis-ng/quarantine/41b56642-1692
Dec  7 08:13:56 systa amavis[5778]: AMAVIS::MTA::Qmail: /var/qmail/bin/qmail-queue exited: 0
Dec  7 08:13:56 systa amavis[5778]: AMAVIS: Cleaning up.
Dec  7 08:13:56 systa amavis[5778]: AMAVIS: Done.
Dec  7 08:54:54 systa amavis[6992]: Starting AMaViS 0.1.6.4
Dec  7 08:54:54 systa amavis[6992]: Unpacking message in /var/spool/amavis-ng/amavis-unpack-41b56fde-1b50
Dec  7 08:54:55 systa amavis[6992]: AMAVIS: Determined 00000000 to be type message/rfc822
Dec  7 08:54:55 systa amavis[6992]: AMAVIS: Determined 00000001 to be type text/plain
Dec  7 08:54:55 systa amavis[6992]: Not attempting to unpack 00000001
Dec  7 08:54:55 systa amavis[6992]: AMAVIS: Determined 00000002 to be type text/html
Dec  7 08:54:55 systa amavis[6992]: Not attempting to unpack 00000002
Dec  7 08:54:55 systa amavis[6992]: AMAVIS: Determined 00000003 to be type image/jpeg
Dec  7 08:54:55 systa amavis[6992]: Not attempting to unpack 00000003
Dec  7 08:54:55 systa amavis[6992]: AMAVIS::AV::CLAMD: Cannot connect to /var/lib/clamav/clamd.sock.
Dec  7 08:54:55 systa amavis[6992]: Error while scanning for viruses with AMAVIS::AV::CLAMD:
Dec  7 08:54:55 systa amavis[6992]: AMAVIS::MTA::Qmail: Freezing message
Dec  7 08:54:55 systa amavis[6992]: Quarantining infected message to /var/spool/amavis-ng/problems/41b56fdf-1b50
Dec  7 08:54:55 systa amavis[6992]: AMAVIS::MTA::Qmail: /var/qmail/bin/qmail-queue exited: 0
Dec  7 08:54:55 systa amavis[6992]: AMAVIS: Cleaning up.
Dec  7 08:54:55 systa amavis[6992]: AMAVIS: Done.
Dec  7 11:09:24 systa amavis[10781]: Starting AMaViS 0.1.6.4
Dec  7 11:09:25 systa amavis[10781]: Unpacking message in /var/spool/amavis-ng/amavis-unpack-41b58f65-2a1d
Dec  7 11:09:25 systa amavis[10781]: AMAVIS: Determined 00000000 to be type message/rfc822
Dec  7 11:09:25 systa amavis[10781]: AMAVIS: Determined 00000001 to be type text/plain
Dec  7 11:09:25 systa amavis[10781]: Not attempting to unpack 00000001
Dec  7 11:09:25 systa amavis[10781]: AMAVIS::AV::CLAMD: Cannot connect to /var/lib/clamav/clamd.sock.
Dec  7 11:09:25 systa amavis[10781]: Error while scanning for viruses with AMAVIS::AV::CLAMD:
Dec  7 11:09:25 systa amavis[10781]: AMAVIS::MTA::Qmail: Freezing message
Dec  7 11:09:25 systa amavis[10781]: Quarantining infected message to /var/spool/amavis-ng/problems/41b58f65-2a1d
Dec  7 11:09:25 systa amavis[10781]: AMAVIS::MTA::Qmail: /var/qmail/bin/qmail-queue exited: 0
Dec  7 11:09:25 systa amavis[10781]: AMAVIS: Cleaning up.
Dec  7 11:09:25 systa amavis[10781]: AMAVIS: Done.
Dec  7 11:17:42 systa amavis[11039]: Starting AMaViS 0.1.6.4
Dec  7 11:17:42 systa amavis[11039]: Unpacking message in /var/spool/amavis-ng/amavis-unpack-41b59156-2b1f
Dec  7 11:17:42 systa amavis[11039]: AMAVIS: Determined 00000000 to be type message/rfc822
Dec  7 11:17:42 systa amavis[11039]: AMAVIS: Determined 00000001 to be type text/plain
Dec  7 11:17:42 systa amavis[11039]: Not attempting to unpack 00000001
Dec  7 11:17:42 systa amavis[11039]: AMAVIS::AV::CLAMD: Cannot connect to /var/lib/clamav/clamd.sock.
Dec  7 11:17:42 systa amavis[11039]: Error while scanning for viruses with AMAVIS::AV::CLAMD:
Dec  7 11:17:42 systa amavis[11039]: AMAVIS::MTA::Qmail: Freezing message
Dec  7 11:17:42 systa amavis[11039]: Quarantining infected message to /var/spool/amavis-ng/problems/41b59156-2b1f
Dec  7 11:17:42 systa amavis[11039]: AMAVIS::MTA::Qmail: /var/qmail/bin/qmail-queue exited: 0
Dec  7 11:17:42 systa amavis[11039]: AMAVIS: Cleaning up.
Dec  7 11:17:42 systa amavis[11039]: AMAVIS: Done.
Dec  7 11:29:48 systa amavis[11425]: Starting AMaViS 0.1.6.4
Dec  7 11:29:49 systa amavis[11425]: Unpacking message in /var/spool/amavis-ng/amavis-unpack-41b5942d-2ca1
Dec  7 11:29:49 systa amavis[11425]: AMAVIS: Determined 00000000 to be type message/rfc822
Dec  7 11:29:49 systa amavis[11425]: AMAVIS: Determined 00000001 to be type text/plain
Dec  7 11:29:49 systa amavis[11425]: Not attempting to unpack 00000001
Dec  7 11:29:49 systa amavis[11425]: AMAVIS::AV::CLAMD: Cannot connect to /var/lib/clamav/clamd.sock.
Dec  7 11:29:49 systa amavis[11425]: Error while scanning for viruses with AMAVIS::AV::CLAMD:
Dec  7 11:29:49 systa amavis[11425]: AMAVIS::MTA::Qmail: Freezing message
Dec  7 11:29:49 systa amavis[11425]: Quarantining infected message to /var/spool/amavis-ng/problems/41b5942d-2ca1
Dec  7 11:29:49 systa amavis[11425]: AMAVIS::MTA::Qmail: /var/qmail/bin/qmail-queue exited: 0
Dec  7 11:29:49 systa amavis[11425]: AMAVIS: Cleaning up.
Dec  7 11:29:49 systa amavis[11425]: AMAVIS: Done.
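The log above shows three distinct outcomes per amavis-ng session: a clean message is accepted, a detection is dropped into quarantine/, and a scanner failure (clamd socket unreachable) freezes the message into problems/ rather than delivering it unscanned. The following added script (not part of this thread or of SME Server) groups such syslog lines by amavis PID, classifies each session, and flags the fail-closed condition so it can be alerted on and the frozen messages listed for re-injection; the sample lines are taken from the excerpt above.

```python
import re
from collections import defaultdict

# Sample input constructed from the amavis-ng.log lines posted in this thread:
# one accepted, one quarantined and one frozen session.
SAMPLE_LOG = """\
Dec  6 19:48:37 systa amavis[22230]: Starting AMaViS 0.1.6.4
Dec  6 19:48:38 systa amavis[22230]: AMAVIS::MTA::Qmail: Accepting message
Dec  6 19:48:38 systa amavis[22230]: AMAVIS: Done.
Dec  6 21:22:59 systa amavis[24926]: Starting AMaViS 0.1.6.4
Dec  6 21:23:02 systa amavis[24926]: CLAMD found:
Dec  6 21:23:02 systa amavis[24926]:  Worm.Mydoom.I
Dec  6 21:23:02 systa amavis[24926]: AMAVIS::MTA::Qmail: Dropping message
Dec  6 21:23:02 systa amavis[24926]: Quarantining infected message to /var/spool/amavis-ng/quarantine/41b4cdb6-615e
Dec  6 21:23:03 systa amavis[24926]: AMAVIS: Done.
Dec  7 08:54:54 systa amavis[6992]: Starting AMaViS 0.1.6.4
Dec  7 08:54:55 systa amavis[6992]: AMAVIS::AV::CLAMD: Cannot connect to /var/lib/clamav/clamd.sock.
Dec  7 08:54:55 systa amavis[6992]: Error while scanning for viruses with AMAVIS::AV::CLAMD:
Dec  7 08:54:55 systa amavis[6992]: AMAVIS::MTA::Qmail: Freezing message
Dec  7 08:54:55 systa amavis[6992]: Quarantining infected message to /var/spool/amavis-ng/problems/41b56fdf-1b50
Dec  7 08:54:55 systa amavis[6992]: AMAVIS: Done.
"""

# syslog prefix: "Mon dd HH:MM:SS host amavis[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ amavis\[(?P<pid>\d+)\]: ?(?P<msg>.*)$"
)

def parse_sessions(text):
    """Group lines by amavis PID (one PID per scanned message in this log) and
    record each session's outcome, scanner errors, detections and spool path."""
    sessions = defaultdict(lambda: {"outcome": None, "scanner_error": False,
                                    "detections": [], "path": None})
    awaiting_name = set()  # PIDs whose next line is the detection name after "CLAMD found:"
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        s = sessions[pid]
        if pid in awaiting_name:
            s["detections"].append(msg.strip())
            awaiting_name.discard(pid)
        elif msg == "CLAMD found:":
            awaiting_name.add(pid)
        elif "Accepting message" in msg:
            s["outcome"] = "accepted"
        elif "Dropping message" in msg:
            s["outcome"] = "quarantined"
        elif "Freezing message" in msg:
            s["outcome"] = "frozen"
        elif "Cannot connect to" in msg:
            s["scanner_error"] = True
        elif msg.startswith("Quarantining infected message to "):
            s["path"] = msg.split(" to ", 1)[1]
    return dict(sessions)

def summarize(sessions):
    """Count outcomes; report scanner_down when a message was frozen because clamd
    was unreachable, and list the problems/ paths to re-inject once it is healthy."""
    counts = {"accepted": 0, "quarantined": 0, "frozen": 0}
    needs_reinjection = []
    for s in sessions.values():
        if s["outcome"] in counts:
            counts[s["outcome"]] += 1
        if s["outcome"] == "frozen" and s["scanner_error"]:
            needs_reinjection.append(s["path"])
    return {**counts, "scanner_down": bool(needs_reinjection),
            "needs_reinjection": needs_reinjection}
```

A monitoring job can run `summarize(parse_sessions(open("/var/log/amavis-ng/amavis-ng.log").read()))` and page on `scanner_down`, since amavis-ng fails closed and every message is held until clamd is restarted.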
Title: all emails are now being put into the problems area
Post by: icpix on December 07, 2004, 01:05:45 PM
• (as per above) email checking worked at 08:13:54 when it dropped one of my daily ingestions of Worm.Mydoom.I emails from the NTL ISP.

• There apparently was an update to clam at 08:35 and thereafter it's not really been working properly...

[clamav/freshclam.log]
ClamAV update process started at Tue Dec  7 04:35:00 2004
main.cvd is up to date (version: 28, sigs: 26630, f-level: 3, builder: tomek)
daily.cvd is up to date (version: 618, sigs: 1521, f-level: 3, builder: ccordes)
--------------------------------------
ClamAV update process started at Tue Dec  7 05:35:00 2004
main.cvd is up to date (version: 28, sigs: 26630, f-level: 3, builder: tomek)
daily.cvd is up to date (version: 618, sigs: 1521, f-level: 3, builder: ccordes)
--------------------------------------
ClamAV update process started at Tue Dec  7 06:35:01 2004
main.cvd is up to date (version: 28, sigs: 26630, f-level: 3, builder: tomek)
daily.cvd updated (version: 619, sigs: 1522, f-level: 3, builder: ccordes)
Database updated (28152 signatures) from db.uk.clamav.net (68.142.86.21).
Clamd successfully notified about the update.
--------------------------------------
ClamAV update process started at Tue Dec  7 07:35:00 2004
main.cvd is up to date (version: 28, sigs: 26630, f-level: 3, builder: tomek)
daily.cvd is up to date (version: 619, sigs: 1522, f-level: 3, builder: ccordes)
--------------------------------------
ClamAV update process started at Tue Dec  7 08:35:00 2004
main.cvd is up to date (version: 28, sigs: 26630, f-level: 3, builder: tomek)
daily.cvd updated (version: 620, sigs: 1527, f-level: 3, builder: ccordes)
Database updated (28157 signatures) from db.uk.clamav.net (193.19.98.136).
ERROR: Clamd was NOT notified: Can't connect to clamd through /var/lib/clamav/clamd.sock
--------------------------------------
ClamAV update process started at Tue Dec  7 09:35:00 2004
main.cvd is up to date (version: 28, sigs: 26630, f-level: 3, builder: tomek)
daily.cvd is up to date (version: 620, sigs: 1527, f-level: 3, builder: ccordes)
--------------------------------------
ClamAV update process started at Tue Dec  7 10:35:00 2004
main.cvd is up to date (version: 28, sigs: 26630, f-level: 3, builder: tomek)
daily.cvd is up to date (version: 620, sigs: 1527, f-level: 3, builder: ccordes)
--------------------------------------
ClamAV update process started at Tue Dec  7 11:35:00 2004
main.cvd is up to date (version: 28, sigs: 26630, f-level: 3, builder: tomek)
daily.cvd is up to date (version: 620, sigs: 1527, f-level: 3, builder: ccordes)
--------------------------------------

• So, is anyone else having a problem like this with clamav (update flavour) 620?
Title: all emails are now being put into the problems area
Post by: icpix on December 07, 2004, 01:14:22 PM
Oh dear, I just tried invoking a manual run of clamav and got this...

----------------------
[root@systa problems]# clamscan -r /home --quiet
LibClamAV Error: hex2int() translation problem (33)
LibClamAV Error: Problem parsing signature at line 23688
LibClamAV Error: Problem parsing database at line 23688
LibClamAV Error: Malformed database file /tmp/clamav-eca71e6b83e5c4c6/main.db
Segmentation fault
[root@systa problems]#
----------------------

Looking further at /tmp I see that there are a whole bunch of /tmp/clamav-(gobbledegook) subdirectories each holding a file called textportion(six chars)...

Will now attempt a manual reboot of the box. If you don't hear from me for a while then you can guess that the above *Segmentation fault* was a drive error report in the making and that I'm having an even more fun time than I have been enjoying [sic] recently;~)

If the reboot *is* successful I will await the scheduled clam update (~35mins past the hour) after which I'd better research how to re-install clamav over the top...

----Robert
Title: all emails are now being put into the problems area
Post by: icpix on December 07, 2004, 02:50:11 PM
It was no surprise to see clamd give a FAILED message on the shutdown sequence.

Reboot was apparently successful, IOW I see nothing amiss that is terribly noticeable.

Had earlier manually cleaned out all the strange residual /tmp/clamav-(gobbledegook) subdirectories and there are none building up there anymore. Test emails via local accounts are being delivered, outside emails unknown, but at least nothing is building up in the *problems area*! A manual clamscan run has now finished OK.

Awaited scheduled freshclam, update performed OK, am now on flavour 621. Now waiting for the finish of repeat manual clamscan run (using new flavour 621).

Hopefully that's that...

----Robert
Title: all emails are now being put into the problems area
Post by: shanen on December 07, 2004, 11:46:36 PM
Quote from: "icpix"
ERROR: Clamd was NOT notified: Can't connect to clamd through /var/lib/clamav/clamd.sock

I had the same problem last Friday. There was a large number of virus-infected emails bouncing back to me due to my domain being used in the virus mail From: address.

A quick reboot, then manual freshclam and inject the valid messages back into the queue was all that was required.