Morning,

I use Clamav as well but if you can't download your last signature, you should check your configuration file /etc/clamav/freshclam.conf where you should add at the bottom of this file your proxy settings (if you have a proxy). For instance, you should have the 2 following lines:

    HTTPProxyServer a.b.c.d
    HTTPProxyPort ProxyPortNumber

Hope it helps.

Regards,

Thomas Nguyen-Van
Senior IT Security Consultant - CEH
Jumper Consulting Investment Ltd
St. Doolaghs Park House
Malahide Road
Balgriffin
Dublin 17
Tel. +353 1 8770338
Fax. +353 1 847 7785
Mob. +353 87 905 5041

----- Original Message -----
From: "Arancaytar" <arancaytar.ilya...@gmail.com>
To: clamav-users@lists.clamav.net
Sent: Thursday, April 2, 2009 8:45:33 AM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: [Clamav-users] DNS server "blocks" database.clamav.net?

Hi,

this is my first time here so I'm sorry if I post my question in the wrong place.

A few days ago, I noticed ClamAV failing to download its signature update. I put this down to a network or server problem, but after several failures I got suspicious and found something odd in the log: Clam was trying to download its update from 127.0.0.1, which naturally failed.

Further investigation showed that the primary DNS server in my settings (85.255.112.204) inexplicably resolves database.clamav.net to 127.0.0.1, which effectively blocks the domain from being accessed. You can see this for yourself by running nslookup database.clamav.net 85.255.112.204:

    $ nslookup database.clamav.net 85.255.112.204
    Server: 85.255.112.204
    Address: 85.255.112.204#53

    Non-authoritative answer:
    Name: database.clamav.net
    Address: 127.0.0.1

Since all other domains I tried are resolved properly, there appears to be a specific attack against the update functionality of ClamAV.

Suspecting that the DNS server had been infected, I sent an email to the ISP's abuse@ - though even while examining the whois I saw the server belonged to a Ukrainian ISP I'd never had anything to do with. I don't specifically remember setting this as my primary DNS server, but it might have been on a list of OpenNic DNS servers at one point, which I tend to use. So I wouldn't necessarily assume a virus actually messed with my DNS settings without other evidence (scanning with an updated clamav revealed no infections).

Has anyone else ever experienced such a "DNS spoofing" attack against database.clamav.net?

Regards,
Aran

--
eternity lies ahead of us, and behind.
have you drunk your fill?

* * *

PGP: http://ermarian.net/downloads/0x27CA5C74
XMPP: arancaytar.ilya...@gmail.com
AOL: 282026638 @icq / RealArancaytar @aim
URL: http://ermarian.net

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
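
Added example (not part of either message in the thread): a small check that parses nslookup output and flags an update host that resolves to a loopback, unspecified, link-local, multicast or RFC 1918 address, as in the lookup quoted above. The function names and the HEALTHY sample are assumptions made for illustration; both samples are constructed.

```python
import ipaddress

# Constructed samples: HIJACKED reproduces the nslookup output quoted in the
# thread; HEALTHY is a made-up answer using documentation-range addresses.
HIJACKED = """Server: 85.255.112.204
Address: 85.255.112.204#53

Non-authoritative answer:
Name: database.clamav.net
Address: 127.0.0.1
"""
HEALTHY = """Server: 192.0.2.53
Address: 192.0.2.53#53

Non-authoritative answer:
Name: database.clamav.net
Address: 198.51.100.10
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def answer_addresses(nslookup_output):
    """Addresses from the answer section, skipping the resolver's own."""
    lines = nslookup_output.splitlines()
    # The first Address: line belongs to the resolver; answers come after it.
    first = next((i for i, l in enumerate(lines)
                  if l.lower().startswith("address")), -1)
    found = []
    for line in lines[first + 1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() in ("address", "addresses") and value.strip():
            try:
                found.append(ipaddress.ip_address(value.strip().split("#")[0]))
            except ValueError:
                pass  # not an IP literal; ignore the line
    return found

def is_unroutable(addr):
    """True for answers a public update mirror should never resolve to."""
    return (addr.is_loopback or addr.is_unspecified or addr.is_link_local
            or addr.is_multicast or any(addr in net for net in RFC1918))

def check_update_host(nslookup_output):
    """Return (verdict, flagged); verdict is ok, suspicious or no-answer."""
    addrs = answer_addresses(nslookup_output)
    flagged = [str(a) for a in addrs if is_unroutable(a)]
    if not addrs:
        return "no-answer", flagged
    return ("suspicious" if flagged else "ok"), flagged
```

Running the same lookup against a second, independent resolver and comparing verdicts separates a single misbehaving DNS server from a local network fault.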