Re: [clamav-users] New virus: Win32.Palyh.A.Worm

2003-05-20 Thread Tomasz Kojm
> --On Monday, May 19, 2003 1:12 PM +0200 Tomasz Kojm <[EMAIL PROTECTED]> 
> is rumoured to have written:
> 
> >> I've just received a copy of Win32.Palyh.A.Worm which is not detected by
> >> clamscan (nor by f-prot so I had to copy it onto a Windows computer to
> >> find out its name - yuck).
> 
> 
> This file is now identified as W32/[EMAIL PROTECTED] by f-prot.  I have another 
> file that is identified by f-prot as being the same, but is not detected by 
> clamav.  I have put a copy up at
> 

ClamAV detects the virus:

screen_temp.pif: Worm.Palyh.A FOUND

--- SCAN SUMMARY ---
Known viruses: 7792
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.05 Mb
I/O buffer size: 131072 bytes
Time: 3.260 sec (0 m 3 s)

Your database was probably not updated.

Best regards,
Tomasz Kojm
-- 
  oo.   [EMAIL PROTECTED]
 (\/)\. http://www.konarski.edu.pl/~zolw
\..._   And don't forget to click the tummy...
  //\   /\\ <- C. Amboinensis   www.pajacyk.pl

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




[clamav-users] Undefined symbol error

2003-05-20 Thread Mark Anderson
I've just installed the latest clamav source on an OpenBSD 3.2
but receive the following error when I try the test that's 
mentioned in the documentation.

$ clamscan -r -l scan.txt ../clamav-0.54
/usr/libexec/ld.so: Undefined symbol "_pthread_self" called from 
clamscan:/usr/local/lib/libclamav.so.1.2 at 0x4003127c

I haven't setup a clamav user in case that counts. Another
question I have and I don't mean to be rude when I ask -
but would ClamAV be considered stable enough to use in a
production environment? I only ask because it uses the 
definitions from OpenAntiVirus which is not recommended
for production use.

Thanks,

Mark Anderson.





Re: [clamav-users] Undefined symbol error

2003-05-20 Thread Nigel Horne
On Tuesday 20 May 2003 1:49 pm, Mark Anderson wrote:

> $ clamscan -r -l scan.txt ../clamav-0.54
> /usr/libexec/ld.so: Undefined symbol "_pthread_self" called from
> clamscan:/usr/local/lib/libclamav.so.1.2 at 0x4003127c

Use the "--disable-threads" option to configure then rebuild.

-Nigel






Re: [clamav-users] Undefined symbol error

2003-05-20 Thread Flinn Mueller
This is fixed in my unofficial port.

http://www.activeintra.net/openbsd/article.php?id=5

Mark Anderson wrote:

I've just installed the latest clamav source on an OpenBSD 3.2
but receive the following error when I try the test that's 
mentioned in the documentation.

$ clamscan -r -l scan.txt ../clamav-0.54
/usr/libexec/ld.so: Undefined symbol "_pthread_self" called from 
clamscan:/usr/local/lib/libclamav.so.1.2 at 0x4003127c
I haven't setup a clamav user in case that counts. Another
question I have and I don't mean to be rude when I ask -
but would ClamAV be considered stable enough to use in a
production environment? I only ask because it uses the 
definitions from OpenAntiVirus which is not recommended
for production use.

Thanks,

Mark Anderson.




Re: [clamav-users] clamscan chokes

2003-05-20 Thread Jeff M
> charm, until today.  It seems that clamscan chokes on certain messages,
> doing nothing but eating CPU time.  Is it a coincidence, or could this
> new Worm.Palyh.A worm have something to do with it ?

I was looking for a virus scanner today and in reading your maillist logs,
I just had to point out something interesting.  The quoted message below
is from the squirrelmail list, and the message description seems to match
Palyh, though it might've been sent just before the virus was widely
identified.  You might want to check with the sender of the message below
to find out if there's anything common between your machines.  It might
also be that there is in fact something about Palyh that messes up some
clients/MTAs.

Quoted message follows:

From  "Bruce" <[EMAIL PROTECTED]>
Subject  [SM-USERS] Spam Message Kills Squirrels
Date  Tue, May 20, 2003 10:47
To  [EMAIL PROTECTED]




I use SquirrelMail (currently 1.4.0) to access my mail from a remote POP3
server. Generally, it works perfectly, but there is one particular
spam/virus message that will invariably choke Squirrelmail; it is those
fake messages regarding Windows bug fixes that come with attachments the
sender hopes the user will open.

These particular messages seem to do something very odd to Squirrelmail. I
have my POP3 settings for Squirrelmail to delete messages from the server,
and usually it does. However, with this particular email the message and
attachment is downloaded, but it isn't deleted from the server, so if I
check my mail again, I will have two copies of that message (and any other
messages retrieved along with it). So, for instance, if there are 5 new
messages since the last time I checked my email, and the 5th is this
spam/virus message, if I check my email again I will have 10 unread
messages, check again 15, etc. etc., it just downloads the same messages
over and over again. SM is also not able to get past the fake MS message;
any newer messages never get through.

The only way to fix this is to launch another mail client to retrieve and
delete the message from the server, following which Squirrelmail works
fine again.

When I receive one of these messages, I get the following error in the
top-left corner:

  Mail Fetch Result:
  Warning, POP3 get: Error
  [MS Public Support]

Any thoughts on what to do about this?

Thanks, Bruce


The following is the header info from the offending message:

_

Return-Path: <[EMAIL PROTECTED]>
Received: from rwcrmhc53.attbi.com ([204.127.198.39])
 by tomts21-srv.bellnexxia.net
 (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with ESMTP id
<[EMAIL PROTECTED]>
 for <[EMAIL PROTECTED]>; Mon, 19 May 2003 00:24:15 -0400
Date: Mon, 19 May 2003 04:24:05 + (GMT)
X-Comment: Sending client does not conform to RFC822 minimum requirements
X-Comment: Date has been added by Maillennium.
Received: from mypjb (12-226-245-7.client.attbi.com[12.226.245.7])
 by attbi.com (rwcrmhc53) with SMTP
 id <2003051904235305300j2vn5e>; Mon, 19 May 2003 04:24:02 +
FROM: "MS Public Support" <[EMAIL PROTECTED]>
TO: "Microsoft Consumer"
SUBJECT: Microsoft Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="qLLHorAenYpBSfERQ"
Message-Id:
<[EMAIL PROTECTED]>

__

--
squirrelmail-users mailing list
List Address: [EMAIL PROTECTED]
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
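The relay in the headers quoted above stamped an X-Comment saying the sending client did not meet the RFC 822 minimum and supplied the missing Date itself. As an added example that is not part of Jeff's or Bruce's posts and is not SquirrelMail or ClamAV code, the following Python script applies that minimum-header check (From, Date, and at least one of To/Cc/Bcc) to a constructed copy of the client-sent headers, with placeholder addresses and the relay's own Received, Date and X-Comment lines left out, and also flags a destination header that carries no address, as in the quoted TO: "Microsoft Consumer".

```python
"""Added example, not from the original post and not SquirrelMail or ClamAV
code: the kind of RFC 822 minimum-header check a relay applies before it
stamps "X-Comment: Sending client does not conform to RFC822 minimum
requirements" and adds the missing Date.

RFC 822 section 4.1 requires an originator (From) and a Date in every
message, plus at least one destination header (To, Cc or Bcc). This checker
additionally flags a destination header with no address and a Date that
does not parse.
"""
import email
import email.utils

# Constructed sample: the client-supplied headers of the quoted message as
# they would have reached the relay, i.e. before Received/Date/X-Comment
# were added, with the addresses replaced by placeholders.
NONCONFORMING = """\
FROM: "MS Public Support" <support@example.invalid>
TO: "Microsoft Consumer"
SUBJECT: Microsoft Security Pack
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="qLLHorAenYpBSfERQ"
Message-Id: <placeholder-id@example.invalid>

"""

# Constructed sample of a header block that satisfies the minimum.
CONFORMING = """\
From: Alice <alice@example.invalid>
To: Bob <bob@example.invalid>
Date: Tue, 20 May 2003 10:47:00 +0000
Subject: hello
Message-Id: <placeholder-ok@example.invalid>

"""

REQUIRED = ("From", "Date")
DESTINATIONS = ("To", "Cc", "Bcc")


def check_minimum_headers(raw):
    """Return a list of problems; an empty list means the minimum is met.

    Message.get() matches header names case-insensitively, so the
    upper-case FROM:/TO: in the sample are found like any other header.
    """
    msg = email.message_from_string(raw)
    problems = []
    for name in REQUIRED:
        if msg.get(name) is None:
            problems.append("missing " + name)
    present = [d for d in DESTINATIONS if msg.get(d) is not None]
    if not present:
        problems.append("no destination header (To, Cc or Bcc)")
    for d in present:
        # A destination with no '@' names nobody the MTA could deliver to.
        value = msg.get(d)
        if "@" not in value:
            problems.append("%s has no address: %s" % (d, value.strip()))
    date = msg.get("Date")
    if date is not None and email.utils.parsedate_tz(date) is None:
        problems.append("unparseable Date: " + date.strip())
    return problems


if __name__ == "__main__":
    for label, sample in (("nonconforming", NONCONFORMING),
                          ("conforming", CONFORMING)):
        print(label, check_minimum_headers(sample) or "OK")
```

Run as a script it prints the findings for both samples; a relay would act on a non-empty result (add the missing Date, tag the message, or reject it depending on policy).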




[clamav-users] Freshclam not working

2003-05-20 Thread listuser
Is anyone else having trouble with Freshclam not working?

Checking for a new database - started at Tue May 20 14:52:05 2003
Current working dir is /usr/local/share/clamav
yes not found in the data directory.
yes not found in the data directory.
Connected to clamav.elektrapro.com.
Reading md5 sum (viruses.md5): OK
Reading md5 sum (viruses2.md5): OK
ERROR: yes not found on remote server
ERROR: Can't download yes from clamav.elektrapro.com

I just installed ClamAV today (did it before last Fall).  I had freshclam 
working last year on that other machine but this time it's giving me an 
error.  To me the error implies that the problem isn't on my end.  Well, 
actually I guess it says that flat out.  Permissions aren't the problem.  
I'm running freshclam as root for this testing.  Can anyone else reproduce 
this?

Justin






Re: [clamav-users] Freshclam not working

2003-05-20 Thread David Vasil
On Tue, May 20, 2003 at 02:54:36PM -0500, [EMAIL PROTECTED] wrote:
> yes not found in the data directory.
> yes not found in the data directory.
> ERROR: yes not found on remote server
> ERROR: Can't download yes from clamav.elektrapro.com

Not sure if this is anything related, but 'yes' is a binary
that repeats a string until the process is killed.

Do you have the binary 'yes' installed on your system?

> actually I guess it says that flat out.  Permissions aren't the problem.  
> I'm running freshclam as root for this testing.  Can anyone else reproduce 

Secondly, running freshclam as root does not matter, freshclam
drops privs to the clamav user.  Unless you specified in the
configure script --with-uid=0 --with-gid=0 (bad idea) then
it should drop privs to the clamav user.

-- 
++
| Dave Vasil[EMAIL PROTECTED] |
| University of Tennessee Computer Science Dept. |
| UTKCS Systems Administrator   865-974-8364 |
++




Re: [clamav-users] Freshclam not working

2003-05-20 Thread listuser
On Tue, 20 May 2003, David Vasil wrote:

> On Tue, May 20, 2003 at 02:54:36PM -0500, [EMAIL PROTECTED] wrote:
> > yes not found in the data directory.
> > yes not found in the data directory.
> > ERROR: yes not found on remote server
> > ERROR: Can't download yes from clamav.elektrapro.com
> 
> Not sure if this is anything related, but 'yes' is a binary
> that repeats a string until the process is killed.
> 
> Do you have the binary 'yes' installed on your system?

I believe it's required by POSIX.  Anyhow, I do have that.  I forgot to 
mention that I checked for that.

> > actually I guess it says that flat out.  Permissions aren't the problem.  
> > I'm running freshclam as root for this testing.  Can anyone else reproduce 
> 
> Secondly, running freshclam as root does not matter, freshclam
> drops privs to the clamav user.  Unless you specified in the
> configure script --with-uid=0 --with-gid=0 (bad idea) then
> it should drop privs to the clamav user.

Ah, I didn't realize it did that when run manually.  Nevertheless the 
permissions should be ok.

[EMAIL PROTECTED] ~]$> ls -la /usr/local/share/clamav/
total 1020
drwxrwxr-x   2 clamav clamav    4096 May 20 14:52 .
drwxr-xr-x  13 root   root      4096 May 20 14:40 ..
-rw-rw-r--   1 clamav clamav 1027045 May 20 14:40 viruses.db
-rw-rw-r--   1 clamav clamav     566 May 20 14:40 viruses.db2

If I had a decent traffic analyzer handy I'd look deeper into the 
conversation.






Re: [clamav-users] Freshclam not working

2003-05-20 Thread listuser
On Tue, 20 May 2003, David Vasil wrote:

> On Tue, May 20, 2003 at 02:54:36PM -0500, [EMAIL PROTECTED] wrote:
> > yes not found in the data directory.
> > yes not found in the data directory.
> > ERROR: yes not found on remote server
> > ERROR: Can't download yes from clamav.elektrapro.com
> 
> Not sure if this is anything related, but 'yes' is a binary
> that repeats a string until the process is killed.
> 
> Do you have the binary 'yes' installed on your system?

I forgot I could use snort as a pseudo stand-in replacement for a nice GUI 
traffic analyzer.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/20-15:25:26.918868 65.66.95.179:35508 -> 62.149.225.70:80
TCP TTL:64 TOS:0x0 ID:17555 IpLen:20 DgmLen:180 DF
***AP*** Seq: 0xBF67F961  Ack: 0x4990242F  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4636161 136753927 
GET /database/yes HTTP/1.1..Host: clamav.elektrapro.com..User-Ag
ent: clamav/0.54..Cache-Control: no-cache..Connection: close

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/20-15:25:27.098580 62.149.225.70:80 -> 65.66.95.179:35508
TCP TTL:39 TOS:0x0 ID:38713 IpLen:20 DgmLen:614 DF
***AP*** Seq: 0x4990242F  Ack: 0xBF67F9E1  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 136753944 4636161 
HTTP/1.1 404 Not Found..Date: Tue, 20 May 2003 20:26:42 GMT..Ser
ver: Apache/1.3.27 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.12 OpenSS
L/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.26..Connection: close..T
ransfer-Encoding: chunked..Content-Type: text/html; charset=iso-
8859-111c404 Not Found..No
t Found.The requested URL /database/yes was not found on th
is server...Apache/1.3.27 Server at clamav.elekt
rapro.com Port 800
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


/database/yes doesn't exist on clamav.elektrapro.com.  I guess that 
answers that question.  Now I have to ask if anyone knows when it will be 
fixed?  I'm not sure what that file contains.  Perhaps it's auto-generated 
and I just happened to catch it in the middle of that generation.  Beats 
me though.

Justin






Re: [clamav-users] Freshclam not working

2003-05-20 Thread David Vasil
On Tue, May 20, 2003 at 03:22:15PM -0500, [EMAIL PROTECTED] wrote:
> > On Tue, May 20, 2003 at 02:54:36PM -0500, [EMAIL PROTECTED] wrote:
> > > yes not found in the data directory.
> > > yes not found in the data directory.
> > > ERROR: yes not found on remote server
> > > ERROR: Can't download yes from clamav.elektrapro.com

After looking at the source code for freshclam.c and manager.c
in the ${CLAMSOURCEDIR}/freshclam directory it looks like 'yes'
is actually a #DEFINE for the database names (in this case,
DB1NAME and DB2NAME).

The database names should be defined in the makefile with these
flags: -DDB1NAME=\"viruses.db\" -DDB2NAME=\"viruses.db2\"

How did you run your configure script?  Check your Makefile in
the freshclam directory and see what the DEFS line shows.  What
are DB1NAME and DB2NAME set to?  I think this should fix your
problem.

-- 
++
| Dave Vasil[EMAIL PROTECTED] |
| University of Tennessee Computer Science Dept. |
| UTKCS Systems Administrator   865-974-8364 |
++




Re: [clamav-users] Freshclam not working

2003-05-20 Thread listuser
On Tue, 20 May 2003, David Vasil wrote:

> On Tue, May 20, 2003 at 03:22:15PM -0500, [EMAIL PROTECTED] wrote:
> > > On Tue, May 20, 2003 at 02:54:36PM -0500, [EMAIL PROTECTED] wrote:
> > > > yes not found in the data directory.
> > > > yes not found in the data directory.
> > > > ERROR: yes not found on remote server
> > > > ERROR: Can't download yes from clamav.elektrapro.com
> 
> After looking at the source code for freshclam.c and manager.c
> in the ${CLAMSOURCEDIR}/freshclam directory it looks like 'yes'
> is actually a #DEFINE for the database names (in this case,
> DB1NAME and DB2NAME).
> 
> The database names should be defined in the makefile with these
> flags: -DDB1NAME=\"viruses.db\" -DDB2NAME=\"viruses.db2\"
> 
> How did you run your configure script?  Check your Makefile in
> the freshclam directory and see what the DEFS line shows.  What
> are DB1NAME and DB2NAME set to?  I think this should fix your
> problem.

I configured it with...

./configure --prefix=/usr/local --sysconfdir=/etc/clamav 
--localstatedir=/var --disable-clamuko --with-db1 --with-db

I left the name of db1 and db2 blank which typically makes most configure 
scripts insert a default filename or path.  I reconfigured it with 

--with-db1=viruses.db --with-db2=viruses.db2

I reran freshclam and the output changed to this:

Checking for a new database - started at Tue May 20 15:59:22 2003
Current working dir is /usr/local/share/clamav
yes not found in the data directory.
yes not found in the data directory.
Connected to clamav.elektrapro.com.
Reading md5 sum (viruses.md5): OK
Reading md5 sum (viruses2.md5): OK
ERROR: yes not found on remote server
ERROR: Can't download yes from clamav.elektrapro.com


Interesting.  So it's now checking the md5sums but it still can't find 
"yes".

Ah ha!  If you don't provide a filename at all it uses the following in 
DEFS:

-DDB1NAME=\"yes\" -DDB2NAME=\"yes\"

That explains it.  It would appear in fact that you don't need to specify 
--with-db1 or --with-db2 at all unless you want to change the filenames.  
By not using them with configure it still creates the appropriate DEFS 
line.  It looks like the only way you can go wrong here is if you don't 
define the filename.

Well, that seems to have fixed my problem.  Thanks for pointing me in the 
right direction.

Justin


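As an added example (not ClamAV's own code), the diagnosis Dave suggested and Justin carried out above can be scripted: read the DEFS line from the freshclam Makefile, pull out DB1NAME and DB2NAME, and flag the literal "yes" that a bare --with-db1/--with-db2 leaves behind, since freshclam then requests /database/yes, which is the 404 seen in the snort capture. The Makefile fragments are constructed; the mapping from configure arguments (absent flag, --with-dbN=FILE, bare --with-dbN) to macro values is an assumption modelled on what the thread observed plus autoconf's standard behaviour of storing "yes" when a --with-* option is given without a value.

```python
"""Added example, not ClamAV's own code: reproduce the diagnosis from this
thread by reading the DB1NAME/DB2NAME macros out of a freshclam Makefile
DEFS line and flagging the literal "yes" that a bare --with-db1/--with-db2
leaves behind.

Assumed (labelled) details: the Makefile carries a line of the form
    DEFS = ... -DDB1NAME=\\"viruses.db\\" -DDB2NAME=\\"viruses.db2\\"
and the configure script maps an absent flag to the default file name,
--with-dbN=FILE to FILE, and a bare --with-dbN to autoconf's withval "yes".
"""
import re
import shlex

# Constructed sample Makefile fragments (not the project's real Makefile).
MAKEFILE_BROKEN = """\
CC = gcc
DEFS = -DHAVE_CONFIG_H -DDB1NAME=\\"yes\\" -DDB2NAME=\\"yes\\"
CFLAGS = -O2
"""
MAKEFILE_OK = """\
CC = gcc
DEFS = -DHAVE_CONFIG_H -DDB1NAME=\\"viruses.db\\" -DDB2NAME=\\"viruses.db2\\"
CFLAGS = -O2
"""

# Matches -DNAME="value" with or without the backslash-escaped quotes a
# Makefile needs to pass a C string literal through the shell.
_STRING_MACRO = re.compile(r'-D(?P<name>\w+)=\\?"(?P<value>[^"\\]*)\\?"')


def find_defs_line(makefile_text):
    """Return the first DEFS assignment in a Makefile, stripped, or None."""
    for line in makefile_text.splitlines():
        if re.match(r'\s*DEFS\s*=', line):
            return line.strip()
    return None


def parse_string_macros(defs_line):
    """Map macro name -> string value for each -DNAME="..." in a DEFS line.

    Flags without a quoted value (for example -DHAVE_CONFIG_H) are skipped.
    """
    return {m.group("name"): m.group("value")
            for m in _STRING_MACRO.finditer(defs_line)}


def broken_db_names(macros):
    """Names among DB1NAME/DB2NAME whose value is missing, empty or 'yes'."""
    return [name for name in ("DB1NAME", "DB2NAME")
            if macros.get(name, "") in ("", "yes")]


def predict_db_names(configure_cmd, defaults=("viruses.db", "viruses.db2")):
    """Model the configure script's handling of --with-db1 / --with-db2.

    Assumption: absent flag -> default name; --with-dbN=FILE -> FILE;
    bare --with-dbN -> 'yes', which is what autoconf stores in withval.
    """
    names = {"DB1NAME": defaults[0], "DB2NAME": defaults[1]}
    for arg in shlex.split(configure_cmd):
        for digit, macro in (("1", "DB1NAME"), ("2", "DB2NAME")):
            flag = "--with-db" + digit
            if arg == flag:
                names[macro] = "yes"
            elif arg.startswith(flag + "="):
                names[macro] = arg[len(flag) + 1:]
    return names


def download_path(db_name):
    """URL path the updater requests for a database name; with the name
    'yes' this is the 'GET /database/yes' seen in the snort capture."""
    return "/database/" + db_name


def check_makefile(makefile_text):
    """Full diagnosis: unusable database macros plus the paths requested."""
    defs = find_defs_line(makefile_text)
    if defs is None:
        return {"error": "no DEFS line found", "broken": [], "paths": []}
    macros = parse_string_macros(defs)
    paths = [download_path(macros[n]) for n in ("DB1NAME", "DB2NAME")
             if n in macros]
    return {"error": None, "broken": broken_db_names(macros), "paths": paths}


if __name__ == "__main__":
    for label, text in (("broken", MAKEFILE_BROKEN), ("ok", MAKEFILE_OK)):
        print(label, check_makefile(text))
    print(predict_db_names("./configure --prefix=/usr/local --with-db1 --with-db2"))
```

To use it on a real build, read the freshclam directory's Makefile into check_makefile; a non-empty "broken" list means the build will ask the mirror for a file that cannot exist, and the fix is to re-run configure either with no --with-db flags at all or with explicit file names.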