MSRBL-SPAM.Meds.35.UNOFFICIAL

Posted: Fri Aug 26, 2011 4:59 am
by Kalimari
Since yesterday @ 2.30 (GMT) clamav rules updated MSRBL-SPAM.Meds.35.UNOFFICIAL, which has stopped virtually every single inbound message since. Ran updates/etc, still no good and messages blocked. Deleted the matching (last) line in /var/clamav/MSRBL-SPAM.ndb and set chattr +i /var/clamav/MSRBL-SPAM.ndb until the problem is resolved. Anyone else having a problem with this clamav sig?
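The workaround in this post (delete the offending entry from the .ndb file by hand) can be done more safely with a small script that keeps a backup and only removes the entry whose name matches the alert. This is an added example, not code from the thread or from ASL/Atomicorp; it assumes POSIX sh with awk, and the sample database it writes is constructed, not the real MSRBL file. ClamAV reports signatures from non-official databases with ".UNOFFICIAL" appended, so the alert MSRBL-SPAM.Meds.35.UNOFFICIAL corresponds to the database entry named MSRBL-SPAM.Meds.35.

```shell
#!/bin/sh
# Added example (not from the thread, not ASL code): quarantine a single named
# signature from a ClamAV .ndb database while keeping a backup of the original.
#
# .ndb ("extended") entries have four colon-separated fields:
#   Name:TargetType:Offset:HexSignature      (lines starting with '#' are comments)

# alert_to_signame ALERT: map an alert name back to the database entry name.
alert_to_signame() {
    printf '%s\n' "$1" | sed 's/\.UNOFFICIAL$//'
}

# sig_count NAME FILE: how many non-comment entries in FILE are named NAME.
sig_count() {
    awk -F: -v name="$1" '$0 !~ /^#/ && $1 == name { n++ } END { print n + 0 }' "$2"
}

# sig_names FILE: distinct entry names, one per line, for review before editing.
sig_names() {
    awk -F: '$0 !~ /^#/ && NF >= 4 { print $1 }' "$1" | sort -u
}

# drop_signature ALERT FILE: remove every entry matching ALERT's name from FILE,
# keeping the untouched original as FILE.bak. Prints the number of entries removed;
# returns 1 (and changes nothing) if no such entry exists.
drop_signature() {
    name=$(alert_to_signame "$1")
    db=$2
    before=$(sig_count "$name" "$db")
    if [ "$before" -eq 0 ]; then
        echo "drop_signature: no entry named $name in $db" >&2
        return 1
    fi
    cp -p "$db" "$db.bak"
    # Keep comment lines and every entry whose name field differs.
    awk -F: -v name="$name" '$0 ~ /^#/ || $1 != name' "$db.bak" > "$db"
    echo "$before"
}

# make_sample_db FILE: write a constructed three-entry database (sample data, not
# the real MSRBL content). The middle entry is a deliberately over-broad stand-in:
# its hex body is a bare CRLF CRLF (the header/body separator), which appears in
# practically every mail message, so it reproduces the "everything blocked"
# failure mode the post describes.
make_sample_db() {
    cat > "$1" <<'EOF'
# constructed sample database
Sample.Phish.1:4:*:68747470733a2f2f6c6f67696e2e6578616d706c65
MSRBL-SPAM.Meds.35:0:*:0d0a0d0a
Sample.Scam.2:4:*:6c6f74746572792077696e6e6572
EOF
}

# Stand-alone demo on a temporary copy, so nothing under /var/clamav is touched.
demo() {
    dir=$(mktemp -d)
    make_sample_db "$dir/MSRBL-SPAM.ndb"
    echo "entries before:"; sig_names "$dir/MSRBL-SPAM.ndb"
    removed=$(drop_signature MSRBL-SPAM.Meds.35.UNOFFICIAL "$dir/MSRBL-SPAM.ndb")
    echo "removed $removed entry(ies); entries after:"; sig_names "$dir/MSRBL-SPAM.ndb"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the before/after names on the constructed file; against a real database call `drop_signature MSRBL-SPAM.Meds.35.UNOFFICIAL /var/clamav/MSRBL-SPAM.ndb` as root and reload clamd. The edited file will be overwritten by whatever updater fetches that database next, which is exactly why the post reaches for chattr +i; disabling the updater is the durable fix.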

Re: MSRBL-SPAM.Meds.35.UNOFFICIAL

Posted: Fri Aug 26, 2011 5:19 am
by Kalimari
In an effort to locate the source of the issue, took a look at /usr/bin/clamav_updater.sh: get_update MSRBL-SPAM.ndb http://www.atomicorp.com/signatures/clamav/msrbl/ is the source, so commented out that line and reset file permissions with chattr -i /var/clamav/MSRBL-SPAM.ndb (cron was complaining about changing ownership of `/var/clamav/MSRBL-SPAM.ndb').

Re: MSRBL-SPAM.Meds.35.UNOFFICIAL

Posted: Fri Aug 26, 2011 1:26 pm
by mikeshinn
We don't use that cronjob or script anymore, so you should disable it. ASL is also not set up to download that rule family, and I want to say we dropped it at least a year ago (the MSRBL project doesn't seem to have updated its rules since 2010).

Re: MSRBL-SPAM.Meds.35.UNOFFICIAL

Posted: Sat Aug 27, 2011 5:32 am
by Kalimari
mikeshinn wrote: We don't use that cronjob or script anymore, so you should disable it. ASL is also not set up to download that rule family, and I want to say we dropped it at least a year ago (the MSRBL project doesn't seem to have updated its rules since 2010).
OK, thanks. Never set it up manually (been running ASL for years) and have been upgrading as major versions came along. How best to remove? Delete /etc/cron.hourly/freshclam and /usr/bin/clamav_updater.sh and everything from /var/clamav? Why wasn't this handled as part of the ASL upgrade which replaced the cron/script mechanism?

Re: MSRBL-SPAM.Meds.35.UNOFFICIAL

Posted: Sun Aug 28, 2011 3:58 am
by Kalimari
Have the following rules in /var/clamav/ - some of which should be kept and some deleted?

Code:

drwxr-xr-x  2 root root 4.0K Aug 28 08:32 .
drwxr-xr-x 26 root root 4.0K Apr 12  2010 ..
-rw-r--r--  1 root root 4.1M Aug 24 19:15 ASL-blacklist.ldb
-rw-r--r--  1 root root  20K Aug 24 19:15 ASL.hdb
-rw-r--r--  1 root root  38K Aug 24 19:15 ASL-h.ndb
-rw-r--r--  1 root root  43M Aug 24 19:15 ASL-honeypot.hdb
-rw-r--r--  1 root root 452K Aug 24 19:15 ASL-honeypot-hex.ndb
-rw-r--r--  1 root root 1.3K Aug 24 19:15 ASL.ldb
-rw-r--r--  1 root root 467K Jul 14 21:01 bytecode.cld
-rw-r--r--  1 root root  11M Aug 28 04:01 daily.cld
-rw-r--r--  1 root root  52K Apr  7  2010 honeynet.hdb
-rwxr-xr-x  1 root root 6.0K Jun 16 04:02 index.php
-rw-r--r--  1 root root 4.8M Aug 17 16:54 junk.ndb
-rw-r--r--  1 root root 236K Aug 15 16:54 lott.ndb
-rw-r--r--  1 root root  26M Jul 27 17:49 main.cvd
-rw-r--r--  1 root root 111K Apr  6  2010 mbl.db
-rw-------  1 root root 1.5K Aug 28 08:01 mirrors.dat
-rw-r--r--  1 root root  19M Apr 21  2010 MSRBL-Images-FULL-SoN.hdb [REMOVED]
-rw-r--r--  1 root root 5.4K Aug 26 09:37 MSRBL-SPAM.ndb [REMOVED]
-rw-r--r--  1 root root 2.8M Aug 19 11:53 phish.ndb
-rw-r--r--  1 root root 155K Aug 23 17:55 rogue.hdb
-rw-r--r--  1 root root  30M Aug 28 08:01 safebrowsing.cld
-rw-r--r--  1 root root 1.7M Aug 21 20:54 scam.ndb
-rw-r--r--  1 root root  11M Apr  7  2010 securiteinfo.hdb
-rw-r--r--  1 root root  56K Jun 23 16:53 spamimg.hdb
-rw-r--r--  1 root root  19K Apr 11 12:53 spam.ldb
-rw-r--r--  1 root root 1.8M Aug 23 22:53 spear.ndb
-rw-r--r--  1 root root 708K Apr  7  2010 vx.hdb
Assume /etc/cron.hourly/freshclam is OK to keep?

Re: MSRBL-SPAM.Meds.35.UNOFFICIAL

Posted: Sun Aug 28, 2011 9:16 am
by faris
You have the same old stuff left over from ages ago as I had on most of my systems before I removed it a year or so ago.

Keep the following:

Code:

ASL-blacklist.ldb
ASL-h.ndb
ASL-honeypot-hex.ndb
ASL-honeypot.hdb
ASL.hdb
ASL.ldb
bytecode.cld
daily.cld
main.cvd
mirrors.dat
safebrowsing.cld
And in case of finger trouble, do a freshclam immediately afterwards.
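The cleanup faris describes (keep the listed databases, remove the rest, then run freshclam) is easy to get wrong by hand, so here is an added example that does it from an explicit keep list. It is not code from the thread or from ASL/Atomicorp; the keep list is the one in the post above, while the database directory and backup location are assumptions for your system. Files are moved to a backup directory rather than deleted, anything that is not a database by extension (the index.php in the listing, for instance) is reported and left in place for a human to look at, and freshclam runs only after the move succeeds.

```shell
#!/bin/sh
# Added example (not from the thread, not ASL code): prune leftover ClamAV
# signature databases down to an explicit keep list, then refresh with freshclam.

# Keep list as posted by faris. Everything else with a database extension moves out.
KEEP_LIST='ASL-blacklist.ldb ASL-h.ndb ASL-honeypot-hex.ndb ASL-honeypot.hdb ASL.hdb ASL.ldb bytecode.cld daily.cld main.cvd mirrors.dat safebrowsing.cld'

# is_kept NAME: succeeds if NAME is on the keep list.
is_kept() {
    for k in $KEEP_LIST; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# is_sigdb NAME: succeeds if NAME has a ClamAV database extension.
is_sigdb() {
    case "$1" in
        *.cvd|*.cld|*.hdb|*.ndb|*.ldb|*.db|*.dat) return 0 ;;
        *) return 1 ;;
    esac
}

# prune_dbdir DIR BACKUP: move every non-kept database from DIR into BACKUP and
# print each moved name. Non-database strays are reported on stderr and left
# alone; the function returns 1 when any were found so the caller can review them.
prune_dbdir() {
    dir=$1; backup=$2
    mkdir -p "$backup"
    stray=0
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        if is_kept "$name"; then
            continue
        elif is_sigdb "$name"; then
            mv "$path" "$backup/$name"
            echo "$name"
        else
            echo "prune_dbdir: unexpected non-database file left in place: $name" >&2
            stray=1
        fi
    done
    return $stray
}

# count_kept DIR: number of keep-list files actually present, so a typo in the
# list ("finger trouble") shows up as a shortfall before freshclam is relied on.
count_kept() {
    n=0
    for k in $KEEP_LIST; do
        [ -f "$1/$k" ] && n=$((n + 1))
    done
    echo "$n"
}

# make_sample_dir DIR: constructed stand-in for the /var/clamav listing in the
# thread (empty files with the same names; the two MSRBL files were already gone).
make_sample_dir() {
    mkdir -p "$1"
    for f in ASL-blacklist.ldb ASL.hdb ASL-h.ndb ASL-honeypot.hdb ASL-honeypot-hex.ndb \
             ASL.ldb bytecode.cld daily.cld honeynet.hdb index.php junk.ndb lott.ndb \
             main.cvd mbl.db mirrors.dat phish.ndb rogue.hdb safebrowsing.cld scam.ndb \
             securiteinfo.hdb spamimg.hdb spam.ldb spear.ndb vx.hdb; do
        : > "$1/$f"
    done
}

# Real run (assumed paths, needs root): ./prune.sh --apply /var/clamav /var/clamav.old
if [ "${1:-}" = "--apply" ]; then
    prune_dbdir "${2:-/var/clamav}" "${3:-/var/clamav.old-$(date +%Y%m%d)}" || \
        echo "review the stray files reported above before continuing" >&2
    echo "kept $(count_kept "${2:-/var/clamav}") of the expected 11 databases"
    freshclam
fi
```

On the listing from the thread this moves twelve databases (honeynet.hdb, junk.ndb, lott.ndb, mbl.db, phish.ndb, rogue.hdb, scam.ndb, securiteinfo.hdb, spamimg.hdb, spam.ldb, spear.ndb, vx.hdb) and flags index.php; the old updater script and its cron entry still have to be disabled separately, or the next run simply re-downloads what was removed.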

Re: MSRBL-SPAM.Meds.35.UNOFFICIAL

Posted: Sun Aug 28, 2011 2:14 pm
by Kalimari
Many thanks faris :D Removed those files (and daily.cron), ran freshclam and all is good.