
Clam issue [SOLVED]

Posted: Wed Jun 22, 2011 7:29 am
by JnascECSI
This morning at 4:18 EST, we started getting the following notification every minute from our server. I tried to restart clamd but it fails. It seems to be an issue with the clam honeypot DB, I think, because of the message, but I'm not sure how to clear it out or get it to re-download the rule. I rebooted a couple of times but it still has the issue, and we have not done any updates or anything else to the server since the clam update last week when it came out. It seems to have started when the rules were updated this morning.

Code:

[psmon/xxx-1.xxxxxxxxxx.com] Failed to spawn 'clamd' with '/sbin/service clamd restart'
Command executed: /sbin/service clamd restart Exit value: 1 Signal number: 0 Dumped core?: 0

Stopping Clam AntiVirus Daemon: [FAILED]

Starting Clam AntiVirus Daemon: Bytecode: Security mode set to "TrustSigned".
LibClamAV Error: cli_loadhash: Problem parsing database at line 183974
LibClamAV Error: Can't load /var/clamav/ASL-honeypot.hdb: Malformed database
ERROR: Malformed database
[FAILED]

Also getting this message, but not as much as the one above.

Code:

OSSEC HIDS Notification.
2011 Jun 22 07:30:11

Received From: xxx-1->/var/log/psa/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jun 22 07:30:10 xxx-1 X-Qmail-Scanner-2.08st: [xxx-1.xxxxxxxxxx.com130874220979828301] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2

Re: Clam issue

Posted: Wed Jun 22, 2011 8:14 am
by JnascECSI
This also now seems to be affecting customers sending and receiving mail through the server.

Re: Clam issue **Critical** Affecting mail services

Posted: Wed Jun 22, 2011 9:00 am
by biggles
Have you tried removing the offending file, /var/clamav/ASL-honeypot.hdb?

Re: Clam issue **Critical** Affecting mail services

Posted: Wed Jun 22, 2011 9:24 am
by Kalimari
You could also try updating the clamav signatures (includes Honeynet)... run:

Code:

clamav_updater.sh
freshclam
service clamd restart

Re: Clam issue **Critical** Affecting mail services

Posted: Wed Jun 22, 2011 9:49 am
by JnascECSI
Well, I downloaded the honeypot file and removed the text on line 183974. The line was only partially filled with data, which looks like it crapped out somehow when it updated and didn't complete writing the string.

Once I did that and re-uploaded the file, clamd finally started, and I also updated the sigs like Kalimari recommended, and so far it seems OK. The only thing is I never noticed this new message when restarting clam: "Starting Clam AntiVirus Daemon: Bytecode: Security mode set to "TrustSigned"." Is this something new?
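
The manual fix in the post above (finding the partially written line in ASL-honeypot.hdb and removing it) can be scripted. This is an added example, not part of the original thread; it assumes the .hdb record layout MD5:size:name, and the function names and sample records are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed .hdb record: 32 hex digits (MD5), file size (decimal or "*"),
# signature name, optionally followed by numeric fields. Anything else is flagged.
HDB_RECORD = re.compile(r"^[0-9a-fA-F]{32}:(\d+|\*):[^:]+(:\d+)*$")


def find_malformed(path):
    """Return [(line_number, text)] for every line that is not a complete record."""
    bad = []
    with open(path, "r", encoding="latin-1") as fh:
        for number, line in enumerate(fh, start=1):
            text = line.rstrip("\r\n")
            if not HDB_RECORD.match(text):
                bad.append((number, text))
    return bad


def write_clean_copy(src, dst):
    """Copy src to dst without the malformed lines; return how many were dropped."""
    bad_numbers = {number for number, _ in find_malformed(src)}
    with open(src, "r", encoding="latin-1") as fin, \
         open(dst, "w", encoding="latin-1") as fout:
        for number, line in enumerate(fin, start=1):
            if number not in bad_numbers:
                fout.write(line.rstrip("\r\n") + "\n")
    return len(bad_numbers)


def demo():
    # Constructed sample: two complete records and one cut off mid-write.
    sample = (
        "00112233445566778899aabbccddeeff:68:Constructed.Sample.A\n"
        "ffeeddccbbaa99887766554433221100:1024:Constructed.Sample.B\n"
        "0123456789abcdef0123456789"
    )
    workdir = Path(tempfile.mkdtemp())
    src, dst = workdir / "sample.hdb", workdir / "sample.clean.hdb"
    src.write_text(sample, encoding="latin-1")
    bad = find_malformed(src)
    dropped = write_clean_copy(src, dst)
    return bad, dropped, dst.read_text(encoding="latin-1")


if __name__ == "__main__":
    bad, dropped, _ = demo()
    print(f"malformed: {bad}; dropped {dropped} line(s)")
```

Run it against a copy of the database, and only put the cleaned file back under /var/clamav once find_malformed returns an empty list for it.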

Re: Clam issue **Critical** Affecting mail services

Posted: Wed Jun 22, 2011 11:49 am
by breun
I'm seeing Bytecode: Security mode set to "TrustSigned" since the upgrade from 0.97 to 0.97.1.