Hi, this is my first time here so I'm sorry if I post my question in the wrong place.
A few days ago, I noticed ClamAV failing to download its signature update. I put this down to a network or server problem, but after several failures I got suspicious and found something odd in the log: Clam was trying to download its update from 127.0.0.1, which naturally failed.

Further investigation showed that the primary DNS server in my settings (85.255.112.204) inexplicably resolves database.clamav.net to 127.0.0.1, which effectively blocks the domain from being accessed. You can see this for yourself by running nslookup database.clamav.net 85.255.112.204:

    $ nslookup database.clamav.net 85.255.112.204
    Server:         85.255.112.204
    Address:        85.255.112.204#53

    Non-authoritative answer:
    Name:   database.clamav.net
    Address: 127.0.0.1

Since all other domains I tried are resolved properly, there appears to be a specific attack against the update functionality of ClamAV.

Suspecting that the DNS server had been infected, I sent an email to the ISP's abuse@, though even while examining the whois I saw the server belonged to a Ukrainian ISP I'd never had anything to do with. I don't specifically remember setting this as my primary DNS server, but it might have been on a list of OpenNic DNS servers at one point, which I tend to use. So I wouldn't necessarily assume a virus actually messed with my DNS settings without other evidence (scanning with an updated clamav revealed no infections).

Has anyone else ever experienced such a "DNS spoofing" attack against database.clamav.net?

Regards,
Aran

--
eternity lies ahead of us, and behind. have you drunk your fill?
* * *
PGP: http://ermarian.net/downloads/0x27CA5C74
XMPP: arancaytar.ilya...@gmail.com
AOL: 282026638 @icq / RealArancaytar @aim
URL: http://ermarian.net

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
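The check the poster ran by hand, querying one specific resolver and seeing whether it hands back 127.0.0.1 for the update host, can be scripted so that several resolvers are compared at once and any answer in loopback, unspecified or RFC 1918 space is flagged. The following is an added example written for this page, not code from the poster or from the ClamAV project. It uses only the Python standard library (a raw DNS A query over UDP, so it can target an arbitrary server rather than the system resolver). The server 85.255.112.204 and the name database.clamav.net come from the post; the use of 8.8.8.8 as a reference resolver and the constructed response packet are assumptions made for the example.

```python
"""Query a chosen DNS server for a hostname and flag sinkholed answers.

Added example, not from the original post or the ClamAV project. Standard
library only: builds a DNS A query by hand and parses the answer section.
"""
import ipaddress
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a recursion-desired DNS query for the A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(response: bytes) -> list[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F:                 # non-zero RCODE (NXDOMAIN, SERVFAIL, ...)
        return []
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(response, offset) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(response, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addrs.append(socket.inet_ntoa(response[offset:offset + 4]))
        offset += rdlength
    return addrs


def resolve_a(name: str, server: str, timeout: float = 3.0) -> list[str]:
    """Send the query straight to `server` on UDP/53 (requires network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    if response[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    return parse_a_records(response)


def suspicious_answers(addrs: list[str]) -> list[str]:
    """Addresses that cannot be a real public update mirror: loopback,
    0.0.0.0 or private ranges. Any of these means the name is being sinkholed."""
    bad = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.is_loopback or ip.is_unspecified or ip.is_private:
            bad.append(a)
    return bad


def constructed_sinkhole_response() -> bytes:
    """Hand-built response (constructed test data, not captured traffic)
    mimicking what the post describes: database.clamav.net -> 127.0.0.1."""
    question = build_query("database.clamav.net")[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR+RD+RA, 1 answer
    answer = (b"\xc0\x0c"                                  # pointer to the question name
              + struct.pack("!HHIH", 1, 1, 60, 4)          # A, IN, TTL 60, 4 bytes
              + socket.inet_aton("127.0.0.1"))
    return header + question + answer


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "database.clamav.net"
    # The first server is the one from the post; 8.8.8.8 is an assumed reference resolver.
    servers = sys.argv[2:] or ["85.255.112.204", "8.8.8.8"]
    for server in servers:
        try:
            addrs = resolve_a(name, server)
        except (OSError, ValueError) as exc:
            print(f"{server}: query failed ({exc})")
            continue
        verdict = "SUSPICIOUS" if suspicious_answers(addrs) else "ok"
        print(f"{server}: {name} -> {addrs or 'no A records'} [{verdict}]")
```

Run it as `python3 dnscheck.py database.clamav.net 85.255.112.204 8.8.8.8`; a resolver that answers with 127.0.0.1 is reported as SUSPICIOUS while a reference resolver returning public addresses is reported as ok, which separates a sinkholing resolver from a genuine outage of the update mirrors. A mismatched transaction ID is rejected so a stray datagram cannot be mistaken for the answer.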