Clamav

timur

Member
Hallo,

habe heute in den Logs das hier entdeckt:

Code:
Thu Jan 28 00:00:17 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(306e3f6d02bc292209d96aa088da4a5c:3080223) FOUND
Thu Jan 28 00:43:14 2021 -> SelfCheck: Database modification detected. Forcing reload.
Thu Jan 28 00:43:14 2021 -> Reading databases from /var/lib/clamav
Thu Jan 28 00:43:28 2021 -> Database correctly reloaded (8723675 signatures)
Thu Jan 28 01:43:33 2021 -> SelfCheck: Database modification detected. Forcing reload.
Thu Jan 28 01:43:33 2021 -> Reading databases from /var/lib/clamav
Thu Jan 28 01:43:49 2021 -> Database correctly reloaded (8723675 signatures)
Thu Jan 28 02:43:49 2021 -> SelfCheck: Database modification detected. Forcing reload.
Thu Jan 28 02:43:50 2021 -> Reading databases from /var/lib/clamav
Thu Jan 28 02:44:06 2021 -> Database correctly reloaded (8723675 signatures)
Thu Jan 28 03:10:01 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(306e3f6d02bc292209d96aa088da4a5c:3080223) FOUND
Thu Jan 28 03:10:02 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(6246e02f12d69ce72105e6c73e62d0ad:13744149) FOUND
Thu Jan 28 03:10:02 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(306e3f6d02bc292209d96aa088da4a5c:3080223) FOUND
Thu Jan 28 03:10:03 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(6246e02f12d69ce72105e6c73e62d0ad:13744149) FOUND
Thu Jan 28 03:44:08 2021 -> SelfCheck: Database modification detected. Forcing reload.
Thu Jan 28 03:44:10 2021 -> Reading databases from /var/lib/clamav
Thu Jan 28 03:44:27 2021 -> Database correctly reloaded (8723675 signatures)
Thu Jan 28 04:44:46 2021 -> SelfCheck: Database modification detected. Forcing reload.
Thu Jan 28 04:44:46 2021 -> Reading databases from /var/lib/clamav
Thu Jan 28 04:44:59 2021 -> Database correctly reloaded (8723675 signatures)
Thu Jan 28 05:45:02 2021 -> SelfCheck: Database modification detected. Forcing reload.
Thu Jan 28 05:45:03 2021 -> Reading databases from /var/lib/clamav
Thu Jan 28 05:45:20 2021 -> Database correctly reloaded (8723675 signatures)
Thu Jan 28 06:00:31 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(306e3f6d02bc292209d96aa088da4a5c:3080223) FOUND
Thu Jan 28 06:00:31 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(6246e02f12d69ce72105e6c73e62d0ad:13744149) FOUND
Thu Jan 28 06:00:31 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(306e3f6d02bc292209d96aa088da4a5c:3080223) FOUND
Thu Jan 28 06:00:32 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(6246e02f12d69ce72105e6c73e62d0ad:13744149) FOUND
Thu Jan 28 06:28:41 2021 -> /var/lib/amavis/tmp/amavis-20210128T061106-31297-pbDTJYy2/parts/p001: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(5f9170061bada6bdb78859e3b97db8ab:2965) FOUND
Thu Jan 28 06:45:33 2021 -> SelfCheck: Database modification detected. Forcing reload.
Thu Jan 28 06:45:36 2021 -> Reading databases from /var/lib/clamav
Thu Jan 28 06:45:55 2021 -> Database correctly reloaded (8723675 signatures)
Thu Jan 28 07:46:07 2021 -> SelfCheck: Database modification detected. Forcing reload.
Thu Jan 28 07:46:08 2021 -> Reading databases from /var/lib/clamav
Thu Jan 28 07:46:21 2021 -> Database correctly reloaded (8723675 signatures)
Thu Jan 28 08:46:23 2021 -> SelfCheck: Database modification detected. Forcing reload.
Thu Jan 28 08:46:24 2021 -> Reading databases from /var/lib/clamav
Thu Jan 28 08:46:36 2021 -> Database correctly reloaded (8723675 signatures)
Thu Jan 28 09:00:52 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(306e3f6d02bc292209d96aa088da4a5c:3080223) FOUND
Thu Jan 28 09:00:53 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(6246e02f12d69ce72105e6c73e62d0ad:13744149) FOUND
Thu Jan 28 09:00:53 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(306e3f6d02bc292209d96aa088da4a5c:3080223) FOUND
Thu Jan 28 09:00:54 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(6246e02f12d69ce72105e6c73e62d0ad:13744149) FOUND
Thu Jan 28 09:46:50 2021 -> SelfCheck: Database modification detected. Forcing reload.
Thu Jan 28 09:46:52 2021 -> Reading databases from /var/lib/clamav
Thu Jan 28 09:47:34 2021 -> Database correctly reloaded (8723675 signatures)
Thu Jan 28 10:47:35 2021 -> SelfCheck: Database modification detected. Forcing reload.
Thu Jan 28 10:47:36 2021 -> Reading databases from /var/lib/clamav
Thu Jan 28 10:47:48 2021 -> Database correctly reloaded (8723675 signatures)
Thu Jan 28 11:47:50 2021 -> SelfCheck: Database modification detected. Forcing reload.
Thu Jan 28 11:47:51 2021 -> Reading databases from /var/lib/clamav
Thu Jan 28 11:48:05 2021 -> Database correctly reloaded (8723675 signatures)
Thu Jan 28 12:00:59 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(306e3f6d02bc292209d96aa088da4a5c:3080223) FOUND
Thu Jan 28 12:00:59 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(6246e02f12d69ce72105e6c73e62d0ad:13744149) FOUND
Thu Jan 28 12:01:00 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(306e3f6d02bc292209d96aa088da4a5c:3080223) FOUND
Thu Jan 28 12:01:00 2021 -> fd[10]: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL(6246e02f12d69ce72105e6c73e62d0ad:13744149) FOUND
Hab ich eine ein bösen code der mir meine DB ändert ? Ich verstehe dieses fd[10] nicht...
 

Till

Administrator
Wie nutzt Du clamav denn? Für mcih sieht das so aus als ob clamav genutzt wird sein eigenes signaturfile oder verzeichnis zu scannen oder sowas, was dann zu false positives führt.
 

timur

Member
Habe zwar mein System bis jetzt geupdatet bin aber damals nach dieser Anleitung gegangen


Hab nun debian 10 drauf

Meine /etc/clamav/clamd.conf:

Code:
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
PidFile /var/run/clamav/clamd.pid
OnAccessMaxFileSize 5M
 
Zuletzt bearbeitet:

Till

Administrator
Du nutzt clamav bzw. clamscan nicht manuell, um den server zu scannen? Im perfect server setup, wird clamav nur für email genutzt.
 

timur

Member
Nein, Till

ich nutze es nicht manuell. Kann es hiermit zusammen hängen?
(Habe das befolgt)

 

Till

Administrator
Du hast doch einen ISPConfig server, oder? Denn das Tutorial ist nicht für ISPConfig systeme.
 

timur

Member
Ja, klar! Ispconfig Server :) Ok das erklärt wahscheinlich alles..

Das heisst ich mache die Schritte rückgängig und schaue mal dann in die logs ob es dann behoben ist
 

Till

Administrator
Jein, das muss nicht unbedingt damit zusammen hängen, kann aber die Ursache für mailserver Probleme jeglicher Art sein bis hin zu verlorenen mails. Problem ist einfach, ISPConfig nutzt auch amavis, setzt aber auf ein detaillierteres setup und wenn Du da in der Art was dran änderst und inkompatibel machst, kann Dir das alels um die Ohren fliegen beim nächsten Update.
 

Till

Administrator
Ich denke mal ClamAV hat da nur irgend ein problem mit dieser signatur, ich würde es also einfach so lassen wie es ist, solange Du weiter mails bekommst im Moment.
 

timur

Member
Wenn es nicht dramatisch ist ok dann lass ich es! (Email technisch funktioniert soweit alles)
Kann es vielleicht zusammen hängen mit der Malware? (Falls du dich erinnern kannst hatten wir am Tele. mal kurz vor ein paar Tagen gesprochen) darauf hin hatte ich mir ja die 1 Jahres Lizenz für Ispprotect geholt.

Dort kommen auch Meldungen nicht immer nur manchmal :

Code:
Scanned /var/www and found 14 suspect files.
===========================

/var/www/clients/client1/web2/web/wordpress2/wp-content/plugins/shapepress-dsgvo/includes/lib/tcpdf/include/barcodes/qrcode.php    {ISPP}suspect.crypted.chars       
/var/www/clients/client1/web3/web/callback/rsmartsepa/library/phpqrcode/bindings/tcpdf/qrcode.php    {ISPP}suspect.crypted.chars       
/var/www/clients/client1/web3/web/callback/rsmartsepa/library/phpqrcode/phpqrcode.php    {ISPP}suspect.crypted.chars       
/var/www/clients/client1/web3/web/callback/rsmartsepa/library/phpqrcode/qrmask.php    {ISPP}suspect.crypted.chars       
/var/www/clients/client1/web3/web/includes/classes/phpseclib/Crypt/Hash.php    {ISPP}suspect.char.shift       
/var/www/clients/client1/web3/web/vendor/phpseclib/phpseclib/phpseclib/Crypt/Hash.php    {ISPP}suspect.char.shift       
/var/www/clients/client1/web3/web/vendor/smarty/smarty/libs/sysplugins/smarty_cacheresource_custom.php    {ISPP}suspect.post.eval       
/var/www/clients/client1/web3/web/vendor/smarty/smarty/libs/sysplugins/smarty_cacheresource_keyvaluestore.php    {ISPP}suspect.post.eval       
/var/www/clients/client2/web12/web/tachostop/callback/rsmartsepa/library/phpqrcode/bindings/tcpdf/qrcode.php    {ISPP}suspect.crypted.chars       
/var/www/clients/client2/web12/web/tachostop/callback/rsmartsepa/library/phpqrcode/phpqrcode.php    {ISPP}suspect.crypted.chars       
/var/www/clients/client2/web12/web/tachostop/callback/rsmartsepa/library/phpqrcode/qrmask.php    {ISPP}suspect.crypted.chars       
/var/www/clients/client2/web12/web/tachostop/includes/classes/phpseclib/Crypt/Hash.php    {ISPP}suspect.char.shift       
/var/www/clients/client2/web12/web/tachostop/vendor/smarty/smarty/libs/sysplugins/smarty_cacheresource_custom.php    {ISPP}suspect.post.eval       
/var/www/clients/client2/web12/web/tachostop/vendor/smarty/smarty/libs/sysplugins/smarty_cacheresource_keyvaluestore.php    {ISPP}suspect.post.eval       
===========================
 

Werbung

Top
Unsere Website wird durch die Anzeige von Online-Werbung für unsere Besucher ermöglicht.
Bitte ziehe es in Betracht, uns zu unterstützen, indem du deinen Werbeblocker deaktivierst.