Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Clam issue [SOLVED]
Posted: Wed Jun 22, 2011 7:29 am
Forum Regular

Joined: Mon Apr 14, 2008 8:29 am
Posts: 301
Location: Rhode Island
This morning at 4:18 EST, we started getting the following notification every minute from our server. I tried to restart clamd but it fails. It seems to be an issue with the clam honeypot DB, I think, because of the message, but I'm not sure how to clear it out or get it to re-download the rule. I rebooted a couple of times but it still has the issue, and we have not done any updates or anything else to the server since the clam update last week when it came out. It seems to have started when the rules were updated this morning.

Code:
[psmon/xxx-1.xxxxxxxxxx.com] Failed to spawn 'clamd' with '/sbin/service clamd restart'
Command executed: /sbin/service clamd restart Exit value: 1 Signal number: 0 Dumped core?: 0

Stopping Clam AntiVirus Daemon: [FAILED]

Starting Clam AntiVirus Daemon: Bytecode: Security mode set to "TrustSigned".
LibClamAV Error: cli_loadhash: Problem parsing database at line 183974
LibClamAV Error: Can't load /var/clamav/ASL-honeypot.hdb: Malformed database
ERROR: Malformed database
[FAILED]


Also getting this message but not as much as the one above.

Code:
OSSEC HIDS Notification.
2011 Jun 22 07:30:11

Received From: xxx-1->/var/log/psa/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jun 22 07:30:10 xxx-1 X-Qmail-Scanner-2.08st: [xxx-1.xxxxxxxxxx.com130874220979828301] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2


Last edited by JnascECSI on Wed Jun 22, 2011 2:53 pm, edited 2 times in total.

 Post subject: Re: Clam issue
Posted: Wed Jun 22, 2011 8:14 am
Forum Regular

Joined: Mon Apr 14, 2008 8:29 am
Posts: 301
Location: Rhode Island
This also now seems to be affecting customers from sending and receiving mail through the server now.


 Post subject: Re: Clam issue **Critical** Affecting mail services
Posted: Wed Jun 22, 2011 9:00 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 770
Location: Sweden
Have you tried removing the offending file, /var/clamav/ASL-honeypot.hdb?


 Post subject: Re: Clam issue **Critical** Affecting mail services
Posted: Wed Jun 22, 2011 9:24 am
Forum Regular

Joined: Wed Jan 02, 2008 3:21 pm
Posts: 520
Location: United Kingdom
You could also try updating the clamav signatures (includes Honeynet)... run:
Code:
clamav_updater.sh
freshclam
service clamd restart


 Post subject: Re: Clam issue **Critical** Affecting mail services
Posted: Wed Jun 22, 2011 9:49 am
Forum Regular

Joined: Mon Apr 14, 2008 8:29 am
Posts: 301
Location: Rhode Island
Well, I downloaded the honeypot file and removed the text on line 183974. The line was only partially filled with data, which looks like it crapped out somehow when it updated and didn't complete writing the string.

Once I did that and re-uploaded the file, clamd finally started, and I also updated the sigs like kalimari recommended, and so far it seems OK. The only thing is, I never noticed that new message now when restarting clam: "Starting Clam AntiVirus Daemon: Bytecode: Security mode set to "TrustSigned"." Is this something new?


 Post subject: Re: Clam issue **Critical** Affecting mail services
Posted: Wed Jun 22, 2011 11:49 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I'm seeing Bytecode: Security mode set to "TrustSigned" since the upgrade from 0.97 to 0.97.1.

_________________
Lemonbit Internet Dedicated Server Management
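
The fix reported in this thread was to hand-edit a truncated record out of /var/clamav/ASL-honeypot.hdb. As an added example (not part of any post, and not Atomicorp or ClamAV code), the shell functions below check a hash database before it replaces the live file. They assume the MD5:FileSize:MalwareName record layout; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Atomicorp or ClamAV tooling).
# Assumption: every .hdb record is MD5:FileSize:MalwareName, i.e. 32 hex
# digits, a decimal size and a non-empty name. Anything else is "malformed".

# The record test, shared by both awk programs below.
HDB_OK='NF >= 3 && length($1) == 32 && $1 ~ /^[0-9A-Fa-f]+$/ && $2 ~ /^[0-9]+$/ && $3 != ""'

# Print "LINE:TEXT" for each record that fails the test.
hdb_bad_lines() {
    awk -F: "!($HDB_OK) { print NR \":\" \$0 }" "$1"
}

# Write only the well-formed records of $1 to $2, leaving $1 untouched
# (the manual fix from the thread, without hand-editing the file).
hdb_write_clean() {
    awk -F: "$HDB_OK" "$1" > "$2"
}

# Replace the live database $2 with the download $1 only when $1 validates.
# mv is atomic when both paths are on the same filesystem.
hdb_install_if_valid() {
    if [ -n "$(hdb_bad_lines "$1")" ]; then
        echo "refusing to install $1, malformed records:" >&2
        hdb_bad_lines "$1" >&2
        return 1
    fi
    mv "$1" "$2"
}

# Constructed sample: two complete records, then one cut off mid-hash, like
# the partial line described in the thread.
hdb_sample() {
    printf '%s\n' \
        'd41d8cd98f00b204e9800998ecf8427e:0:Example.EmptyFile' \
        '44d88612fea8a8f36de82e1278abb02f:68:Example.TestFile' \
        '5d41402abc4b2a76b9'
}

# Stand-alone use: sh hdb_check.sh /path/to/file.hdb
if [ "$#" -eq 1 ]; then hdb_bad_lines "$1"; fi
```

Running the check on the downloaded copy before it is moved into /var/clamav keeps a partial write from ever reaching the file clamd loads, so the running daemon and mail scanning are unaffected by a bad update.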

