Hello.

About my setup: OpenBSD 3.4 stable on i386, Jerome's port from www.fatbsd.com, ClamAV 0.70, sendmail+clamav-milter+clamd:

> clamd --version
clamd / ClamAV version 0.70
> clamav-milter --version
ClamAV version 0.70, clamav-milter version 0.70j

Two days in a row I have seen several clamav-milters suck up all available CPU-power. Clamd still works with clamdscan. A few mails did get through after the first clamav-milter "hung". Below are outputs from ps, gdb, logfiles etc.

[EMAIL PROTECTED]:~> ps ax -O lstart| grep -e clam -e sendmail | cut -c-84
  PID STARTED                  TT STAT     TIME COMMAND
21472 Tue Apr 20 10:41:18 2004 ?? Is    0:05.65 sendmail: rejecting connectio
  930 Wed Apr 21 11:13:15 2004 ?? Is    0:10.09 /usr/local/sbin/clamd
14546 Wed Apr 21 11:13:20 2004 ?? Is    0:02.22 /usr/local/sbin/clamav-milter
14496 Wed Apr 21 13:56:56 2004 ?? R    98:41.40 /usr/local/sbin/clamav-milter
25574 Wed Apr 21 13:57:54 2004 ?? R    98:17.59 /usr/local/sbin/clamav-milter
29185 Wed Apr 21 14:00:31 2004 ?? R    97:22.44 /usr/local/sbin/clamav-milter
13584 Wed Apr 21 14:05:36 2004 ?? R    95:42.91 /usr/local/sbin/clamav-milter
26025 Wed Apr 21 14:12:14 2004 ?? R    94:16.91 /usr/local/sbin/clamav-milter
16485 Wed Apr 21 14:22:06 2004 ?? R    92:17.35 /usr/local/sbin/clamav-milter
17487 Wed Apr 21 14:22:09 2004 ?? R    92:21.99 /usr/local/sbin/clamav-milter
 6193 Wed Apr 21 14:22:21 2004 ?? R    92:59.21 /usr/local/sbin/clamav-milter
31450 Wed Apr 21 14:28:09 2004 ?? R    91:59.44 /usr/local/sbin/clamav-milter
19058 Wed Apr 21 14:33:23 2004 ?? R    92:06.55 /usr/local/sbin/clamav-milter
   44 Wed Apr 21 14:33:35 2004 ?? R    92:36.04 /usr/local/sbin/clamav-milter
10025 Wed Apr 21 14:34:52 2004 ?? R    92:44.65 /usr/local/sbin/clamav-milter
 3158 Thu Apr 22 09:01:43 2004 ?? I     0:00.03 sendmail: i3M71hod003158 fupA
26972 Thu Apr 22 09:01:44 2004 ?? R     0:08.71 /usr/local/sbin/clamav-milter

I tried to gdb process 14496, and here is the output:

[EMAIL PROTECTED]:~> sudo gdb /usr/local/sbin/clamav-milter 14496
GNU gdb 4.16.1
Copyright 1996 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd3.4"...(no debugging symbols found)...

/datavol/home/thing/14496: No such file or directory.
Attaching to program `/usr/local/sbin/clamav-milter', process 14496
Reading symbols from /usr/local/lib/libclamav.so.1.4...done.
Reading symbols from /usr/lib/libz.so.2.0...done.
Reading symbols from /usr/local/lib/libbz2.so.10.2...done.
Reading symbols from /usr/local/lib/libgmp.so.6.2...done.
Reading symbols from /usr/lib/libpthread.so.2.1...done.
Reading symbols from /usr/lib/libc.so.30.1...done.
Reading symbols from /usr/libexec/ld.so...done.
0x7b6000 in ?? ()
(gdb) info shared
From        To          Syms Read   Shared Object Library
0x0ff86000  0x2ff92b40  Yes         /usr/local/lib/libclamav.so.1.4
0x02c5c000  0x22c61940  Yes         /usr/lib/libz.so.2.0
0x0ea09000  0x2ea0d880  Yes         /usr/local/lib/libbz2.so.10.2
0x0dc36000  0x2dc3bc00  Yes         /usr/local/lib/libgmp.so.6.2
0x0767c000  0x27685ae0  Yes         /usr/lib/libpthread.so.2.1
0x0f04f000  0x2f0870b0  Yes         /usr/lib/libc.so.30.1
0x07756000  0x2775b640  Yes         /usr/libexec/ld.so
(gdb) shared .
Symbols already loaded for /usr/local/lib/libclamav.so.1.4
Symbols already loaded for /usr/lib/libz.so.2.0
Symbols already loaded for /usr/local/lib/libbz2.so.10.2
Symbols already loaded for /usr/local/lib/libgmp.so.6.2
Symbols already loaded for /usr/lib/libpthread.so.2.1
Symbols already loaded for /usr/lib/libc.so.30.1
Symbols already loaded for /usr/libexec/ld.so
(gdb) info thr
(gdb) bt
#0  0x7b6000 in ?? ()
#1  0xf08e100 in popen ()
#2  0x1c004dba in getopt_long_only ()
#3  0x1c00852f in getopt_long_only ()
#4  0x1c007b88 in getopt_long_only ()
#5  0x1c007859 in getopt_long_only ()
#6  0x1c0070f5 in getopt_long_only ()
#7  0x7682c5d in _thread_start ()
#8  0x1f in ?? ()
Error accessing memory address 0xffffffff: Invalid argument.
(gdb)

clamav-milter was started using these parameters:

> sudo /usr/local/sbin/clamav-milter --local --outgoing --postmaster-only --headers
> /var/run/clamd/clmilter.sock

clamd still runs fine:

[EMAIL PROTECTED]:~> clamdscan -v eicar.com
/datavol/home/thing/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.146 sec (0 m 0 s)

Nothing unusual in /var/log/clamd (via syslog, local6.debug):

Apr 21 12:30:26 turquoise clamd[930]: Reading databases from /usr/local/share/clamav
Apr 21 12:30:28 turquoise clamd[930]: Database correctly reloaded (21162 viruses)
Apr 21 12:54:45 turquoise clamd[930]: stream: Worm.SomeFool.Q FOUND
Apr 21 12:59:07 turquoise clamd[930]: stream: Worm.SomeFool.P FOUND
Apr 21 12:59:08 turquoise clamd[930]: stream: Worm.SomeFool.P FOUND
Apr 21 13:09:49 turquoise clamd[930]: stream: Worm.SomeFool.P FOUND
Apr 21 13:21:30 turquoise clamd[930]: SelfCheck: Database status OK.
Apr 21 13:26:37 turquoise clamd[930]: stream: Worm.SomeFool.P FOUND
Apr 21 13:43:18 turquoise clamd[930]: stream: Worm.SomeFool.P FOUND
Apr 21 13:54:18 turquoise clamd[930]: stream: Worm.SomeFool.P FOUND
Apr 21 14:00:31 turquoise last message repeated 4 times
Apr 21 14:12:14 turquoise last message repeated 2 times
Apr 21 14:21:45 turquoise clamd[930]: SelfCheck: Database status OK.

But, in /var/log/sendmail (only relevant lines):

Apr 21 13:56:56 turquoise sm-mta[1870]: i3LButod001870: from=<[EMAIL PROTECTED]>, size=41239, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=fupA.post.tele.dk [195.41.53.68]
Apr 21 13:56:56 turquoise clamav-milter[14546]: i3LButod001870: stream: Worm.SomeFool.P FOUND Intercepted virus from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]>
Apr 21 14:00:56 turquoise sm-mta[1870]: i3LButod001870: Milter (clmilter): timeout before data read
Apr 21 14:00:56 turquoise sm-mta[1870]: i3LButod001870: Milter (clmilter): to error state
Apr 21 14:00:56 turquoise sm-mta[1870]: i3LButod001870: Milter: data, reject=451 4.7.1 Please try again later
Apr 21 14:00:56 turquoise sm-mta[1870]: i3LButod001870: to=<[EMAIL PROTECTED]>, delay=00:04:00, pri=30501, stat=Please try again later

Same story for the other 11 runaway clamav-milters.

Other mails did get through:

Apr 21 14:34:09 turquoise sm-mta[21282]: i3LCY9od021282: from=<[EMAIL PROTECTED]>, size=1328, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=fupA.post.tele.dk [195.41.53.68]
Apr 21 14:34:09 turquoise sm-mta[21282]: i3LCY9od021282: Milter add: header: X-Virus-Scanned: clamd / ClamAV version 0.70, clamav-milter version 0.70j
Apr 21 14:34:09 turquoise clamav-milter[14546]: i3LCY9od021282: clean message from <[EMAIL PROTECTED]>
Apr 21 14:34:09 turquoise sm-mta[5743]: i3LCY9od021282: to="|exec /usr/local/bin/procmail", ctladdr=<[EMAIL PROTECTED]> (1000/1000), delay=00:00:00, xdelay=00:00:00, mailer=prog, pri=31611, dsn=2.0.0, stat=Sent

I hope this provides enough info for you. Otherwise please ask for more.

Since I started writing this mail another ~15 clamav-milters have gone runaway....

Best regards,
Søren Thing, Denmark.

PS: When starting clamav-milter it prints this text:

When using Localsocket in /etc/clamav.conf you may improve performance if you use the --quarantine_dir option

Shouldn't this go to the logfile or only be printed in verbose mode? I mostly expect my unix-tools to be "the strong silent type" - they do not say anything unless there is an error.
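
The pattern in the /var/log/sendmail excerpt above (clamav-milter logs its verdict for a queue id, then sendmail reports a milter timeout for that same id four minutes later, while clean mail passes) can be checked across a whole log. This is an added example, not part of the original post and not ClamAV code; the sample lines, host name, queue ids and addresses are constructed, and summarize / hung_after_verdict are hypothetical names.

```python
import re
from datetime import datetime

# Constructed sample in the format of the /var/log/sendmail excerpt
# (host name, queue ids and addresses are made up).
SAMPLE_LOG = """\
Apr 21 13:56:56 mx sm-mta[1870]: q1AAAA000001: from=<a@example.org>, size=41239, nrcpts=1
Apr 21 13:56:56 mx clamav-milter[14546]: q1AAAA000001: stream: Worm.SomeFool.P FOUND Intercepted virus from <a@example.org> to <b@example.org>
Apr 21 14:00:56 mx sm-mta[1870]: q1AAAA000001: Milter (clmilter): timeout before data read
Apr 21 14:00:56 mx sm-mta[1870]: q1AAAA000001: Milter: data, reject=451 4.7.1 Please try again later
Apr 21 14:34:09 mx sm-mta[21282]: q2BBBB000002: from=<c@example.org>, size=1328, nrcpts=1
Apr 21 14:34:09 mx clamav-milter[14546]: q2BBBB000002: clean message from <c@example.org>
Apr 21 14:34:09 mx sm-mta[5743]: q2BBBB000002: to="|exec /usr/local/bin/procmail", stat=Sent
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ([\w-]+)\[\d+\]: (\w+): (.*)$")
FOUND = re.compile(r"stream: (\S+) FOUND")

def summarize(log_text, year=2004):
    """Per queue id: milter verdict, sendmail milter timeout, seconds between."""
    msgs = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, prog, qid, rest = m.groups()
        # syslog lines carry no year, so one is assumed for the time arithmetic
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        rec = msgs.setdefault(qid, {"verdict": None, "signature": None,
            "verdict_at": None, "timeout": False, "stall_seconds": None})
        if prog == "clamav-milter":
            hit = FOUND.search(rest)
            if hit:
                rec.update(verdict="infected", signature=hit.group(1), verdict_at=when)
            elif rest.startswith("clean message"):
                rec.update(verdict="clean", verdict_at=when)
        elif prog == "sm-mta" and "timeout before data read" in rest:
            rec["timeout"] = True
            if rec["verdict_at"]:
                rec["stall_seconds"] = int((when - rec["verdict_at"]).total_seconds())
    return msgs

def hung_after_verdict(msgs, verdict="infected"):
    """Queue ids where the milter logged this verdict and then stopped answering."""
    return sorted(q for q, r in msgs.items() if r["verdict"] == verdict and r["timeout"])

if __name__ == "__main__":
    records = summarize(SAMPLE_LOG)
    for qid in hung_after_verdict(records):
        print(qid, records[qid]["signature"], records[qid]["stall_seconds"], "s stalled")
```

Comparing hung_after_verdict(records) with hung_after_verdict(records, verdict="clean") on a real log shows whether the stalls are confined to messages the milter flagged as infected.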