Package: p3scan Version: 2:2.3.2-7 Severity: important
hy,
if I try to start p3scan it dies:
r...@fw-1:[/etc/p3scan] > /etc/init.d/p3scan start
Starting transparent pop3 virus- and spam-scanner: p3scan.
r...@fw-1:[/etc/p3scan] > *** glibc detected *** /usr/sbin/p3scan: corrupted
double-linked list: 0x080bf2d0 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb7d3bbe9]
/lib/i686/cmov/libc.so.6[0xb7d3d76d]
/lib/i686/cmov/libc.so.6(__libc_calloc+0xef)[0xb7d3f2cf]
/lib/i686/cmov/libc.so.6(open_memstream+0x5d)[0xb7d3358d]
/lib/i686/cmov/libc.so.6(__vsyslog_chk+0x78)[0xb7dab0c8]
/lib/i686/cmov/libc.so.6(syslog+0x27)[0xb7dab677]
/usr/sbin/p3scan[0x804c74b]
/usr/sbin/p3scan[0x8057f29]
/usr/sbin/p3scan[0x8054a20]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7ce2775]
/usr/sbin/p3scan[0x804a421]
======= Memory map: ========
08048000-08078000 r-xp 00000000 09:00 3918033 /usr/sbin/p3scan
08078000-08079000 rw-p 0002f000 09:00 3918033 /usr/sbin/p3scan
08079000-080de000 rw-p 08079000 00:00 0 [heap]
b7b00000-b7b21000 rw-p b7b00000 00:00 0
b7b21000-b7c00000 ---p b7b21000 00:00 0
b7c4d000-b7c78000 r-xp 00000000 09:00 6135955 /lib/libgcc_s.so.1
b7c78000-b7c79000 rw-p 0002a000 09:00 6135955 /lib/libgcc_s.so.1
b7c79000-b7c83000 r-xp 00000000 09:00 6135821
/lib/i686/cmov/libnss_files-2.9.so
b7c83000-b7c84000 r--p 00009000 09:00 6135821
/lib/i686/cmov/libnss_files-2.9.so
b7c84000-b7c85000 rw-p 0000a000 09:00 6135821
/lib/i686/cmov/libnss_files-2.9.so
b7c85000-b7c8e000 r-xp 00000000 09:00 6135829
/lib/i686/cmov/libnss_nis-2.9.so
b7c8e000-b7c8f000 r--p 00008000 09:00 6135829
/lib/i686/cmov/libnss_nis-2.9.so
b7c8f000-b7c90000 rw-p 00009000 09:00 6135829
/lib/i686/cmov/libnss_nis-2.9.so
b7c90000-b7ca5000 r-xp 00000000 09:00 6135818 /lib/i686/cmov/libnsl-2.9.so
b7ca5000-b7ca6000 r--p 00014000 09:00 6135818 /lib/i686/cmov/libnsl-2.9.so
b7ca6000-b7ca7000 rw-p 00015000 09:00 6135818 /lib/i686/cmov/libnsl-2.9.so
b7ca7000-b7ca9000 rw-p b7ca7000 00:00 0
b7ca9000-b7cb0000 r-xp 00000000 09:00 6135822
/lib/i686/cmov/libnss_compat-2.9.so
b7cb0000-b7cb1000 r--p 00006000 09:00 6135822
/lib/i686/cmov/libnss_compat-2.9.so
b7cb1000-b7cb2000 rw-p 00007000 09:00 6135822
/lib/i686/cmov/libnss_compat-2.9.so
b7cb2000-b7cb3000 rw-p b7cb2000 00:00 0
b7cb3000-b7cc7000 r-xp 00000000 09:00 3941818 /usr/lib/libz.so.1.2.3.3
b7cc7000-b7cc8000 rw-p 00013000 09:00 3941818 /usr/lib/libz.so.1.2.3.3
b7cc8000-b7cca000 r-xp 00000000 09:00 6135843 /lib/i686/cmov/libdl-2.9.so
b7cca000-b7ccb000 r--p 00001000 09:00 6135843 /lib/i686/cmov/libdl-2.9.so
b7ccb000-b7ccc000 rw-p 00002000 09:00 6135843 /lib/i686/cmov/libdl-2.9.so
b7ccc000-b7e26000 r-xp 00000000 09:00 6135838 /lib/i686/cmov/libc-2.9.so
b7e26000-b7e27000 ---p 0015a000 09:00 6135838 /lib/i686/cmov/libc-2.9.so
b7e27000-b7e29000 r--p 0015a000 09:00 6135838 /lib/i686/cmov/libc-2.9.so
b7e29000-b7e2a000 rw-p 0015c000 09:00 6135838 /lib/i686/cmov/libc-2.9.so
b7e2a000-b7e2d000 rw-p b7e2a000 00:00 0
b7e2d000-b7f67000 r-xp 00000000 09:00 3940667
/usr/lib/i686/cmov/libcrypto.so.0.9.8
b7f67000-b7f7d000 rw-p 0013a000 09:00 3940667
/usr/lib/i686/cmov/libcrypto.so.0.9.8
b7f7d000-b7f81000 rw-p b7f7d000 00:00 0
b7f81000-b7fc3000 r-xp 00000000 09:00 3940666
/usr/lib/i686/cmov/libssl.so.0.9.8
b7fc3000-b7fc7000 rw-p 00042000 09:00 3940666
/usr/lib/i686/cmov/libssl.so.0.9.8
b7fc7000-b7ff7000 r-xp 00000000 09:00 3940739 /usr/lib/libpcre.so.3.12.1
b7ff7000-b7ff8000 rw-p 0002f000 09:00 3940739 /usr/lib/libpcre.so.3.12.1
b7ffb000-b7ffd000 rw-p b7ffb000 00:00 0
b7ffd000-b8019000 r-xp 00000000 09:00 6135968 /lib/ld-2.9.so
b8019000-b801a000 r--p 0001b000 09:00 6135968 /lib/ld-2.9.so
b801a000-b801b000 rw-p 0001c000 09:00 6135968 /lib/ld-2.9.so
bff06000-bff1b000 rw-p bffeb000 00:00 0 [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
The p3scan.conf is attached
Ruben
--
Ruben Puettmann
ru...@puettmann.net
http://www.puettmann.net
########################################################################## # # # P3Scan Version 2.3.2 # # # # default configuration file # # all params are set to default # # # ########################################################################## # # PID File # # where to write a pid-file # # default: /var/run/p3scan/p3scan.pid # pidfile = /var/run/p3scan/p3scan.pid # # Max Child's # # The maximum number of connections we will handle at once. Any further # connections will be dropped. Keep in mind that a number of 10 also # means that 10 viruscanners can run at once. # # default: 10 # maxchilds = 10 # # IP Address # # The IP Address we listen on default: 0.0.0.0 (any address) # ip = 127.0.0.1 # # Port # # The tcp port on we should listen. If you need a privileged port you # need to start p3scan as root (but don't set username to root, # that's not necessary, because first after opening the port we will # switch to that user). # # default: 8110 # port = 8110 # # TargetIP, TargetPort # # targetip and targetport are the ip and port to connect - # default is 0.0.0.0 (transparent proxy mode) and 8110 respectively # # default: targetport is ignored in transparent proxy mode # # targetip = 0.0.0.0 # targetport = 8110 # # Useurl # # Parse username for destination url vice using iptables redirection. # # To use this you should have your email clients replace the username # in the email client username field with "username#destinationurl:port" # and replace the destination url/port with the url/port of p3scan. # # Example: # From: # username: laitcg host: pop.gmail.com port: 110 # To: # username: laitcg#pop.gmail.com:110 host: <url of p3scan machine> port: 8110 # # default: <none> # # useurl # # Email (SMTP) Port # # The port we should listen on to scan outgoing email messages. # # default: 25 # # emailport = 25 # # Username # # The username the daemon should run as. Takes no effect when you # start as a non-root user. # # default: mail # user = p3scan # # Notify Directory # # Create notification mails in <DIR>. Also used for temporary storage. # # default: /var/spool/p3scan/notify notifydir = /var/spool/p3scan/notify # # Virus Directory # # The directory in which infected mails will be stored. It is also # used for temporary storing. Ensure that the above specified user is # allowed to write into! # # default: /var/spool/p3scan # virusdir = /var/spool/p3scan # # Just Delete # # Instead of keeping an infected message in the Virus Directory, delete # it after reporting it to the user. # # default: Keep infected messages in Virus Directory # # justdelete # # Extra Notification Recipient # # When an infection message is sent to the client, send a copy of the # message to the address(s) specified here, separated by a space. # # NOTE: If there is a file named "p3scan.extra" it will be treated just # like p3scan.mail (see "template") and sent to the recipients listed here. # For example: # /etc/p3scan/p3scan.mail -> /etc/p3scan/p3scan-en.mail # /etc/p3scan/p3scan.extra -> /etc/p3scan/p3scan-ru.mail # # default: Do not notify anyone else # # extra = r...@localhost postmas...@localhost # # Extra Notification Recipient mail program # # Use this program to send Extra Notification. # # default: /bin/mail # # xmail = # # Bytes Free # # The number of KB's there must be free before processing any mail. # If there is less than this amount, p3scan will notify the emergency # contact address and then terminate itself. # # NOTE: p3scan could need (2 * msgsize) * children disk space free. # Being this is dynamic (not all space is needed all the time), # you should ensure you have more than enough disk space. # # default: bytesfree = 10000 (10MB) # Sample: If you want to ensure 100MB are free # bytesfree = 100000 # # Emergency Contact # # In the event p3scan encounters a catastrophic problem and has to terminate, # it will send an email to these email addresses just before setting up to # close down on the next iteration of a child process. # # default: r...@localhost postmas...@localhost # # emergcon = # # Scanner Type # # Select here which type of scanner you want to use. # # Basic: # # This is the default. The configured executable (set in variable # "scanner") will be invoked. You can also specify parameters (we are # using /bin/sh). At the end the path to the mail and a "2>&1" is # appended. The program can tell us if it's a virus returning Scanner # Returncode (see below) or exit code 0 means, with all ok, all # others are reported to syslog, but mails will be delivered unless # justdelete is enabled above. The output is scanned using a regular # expression which describes where the virusname can be found # (see virusregexp). # # If demime is not set 'path to mail' is the full filename to the # rfc822 message, which you MUST NOT DELETE or MODIFY (except if you know # how to modify)! If your scanner can not handle rfc822 messages (e.g. # McAfee uvscan) set demime and 'path to mail' is a directory which # contains all MIME-Parts splitted into separate files. That files are # not needed after scanning, so p3scan deletes them. # # You will find a sample-configuration for McAfee's uvscan # (http://www.mcafee.com/) in the below sections. # # # AVPD: # # AVPD is a frontend to 'Kaspersky Anti-Virus for Linux' # (http://www.kaspersky.com/) , which provides a daemon named # 'kavdaemon'. Once the daemon has been started we connect to # kavdaemons socket and tell what files to scan. This gives a rapid # speed increase since the virus-definitions and other # scanner-initialization has only to be done once! Here a result from # a speedtest which I've made: Running kavdaemon, quallcomms qpopper # and p3scan on an Intel P1 with 133MHz and 64MB RAM a client using # Netscape-Mail was able to fetch 500 mails (including POP3- UIDL- # setting) in 62 seconds (each mail sized 2kByte)! # # We just need to know in which directory your kavdaemon writes the # socket 'AvpCtl' and file 'AvpPid', default is '/var/run', which is # ok using AVP-default installation, leave in that case the below # variable scanner commented, otherwise set there the path. Parameter # viruscode and virusregexp will not be used. # # Actual versions of avpd can't handle rcf822, so set demime (this is # not standard, it's possible that Kaspersky Labs includes rfc822 # checking in further releases). # # Important note about using kavdaemon: # # Ensure that virusdir (/var/spool/p3scan) is included in AVPs # 'enabled path list', otherwise the mails will not be scanned, but # kavdaemon returns ok (I've found no way to check if the mail has # been scanned or not). Mail yourself the eicar.com testvirus (from # http://www.eicar.com ) to check it!). The 'enabled path' can be set # in /opt/AVP/defUnix.prf in the 'Names' line (add # ';*/var/spool/p3scan'). Also check if there is a config file in # /root/.AVP/ which has higher precedence (if kavdaemon runs a root, # otherwise check that users $HOME/.AVP ). # scannertype = avpd # # If you are using version 5, then instead of scannertype = avpd, use # scannertype = avpd_new # # TROPHIE: # # Trophie is an OpenSource Anti-Virus Daemon, which uses the # virus-scanengine and database from Trend Antivirus. Trophie can be # found at http://www.vanja.com/tools/trophie/ . Configuration is very # simple, just set scannertype to 'trophie' and it should work. If you # don't use trophies standard-config you have to set scanner to the # trophie socket. # scannertype = trophie # # FRISK F-Prot Antivirus: http://www.f-prot.com # # Un-comment appropriate options below. # Use default scannertype = basic #scannertype = basic # # Clam Anti-Virus: http://www.clamav.net # # This program must run as the same user as p3scan is running so that # it can access the mail files for scanning. Either compile with the # options --with-user=mail --with-group=mail (if p3scan is using the # the default user/group of "mail") or change "User" in clamav.conf # to the user p3scan is running as. If you get a return code other # than a 0 or 1, see the clamav documentation for the reason. # # Un-comment "ScanMail" in clamav.conf/clamd.conf as we are scanning mail # files so demime does not need to be set below. # # You should start clamd before starting p3scan. # # Un-comment appropriate options below. # Use default scannertype = basic # # If using the tcp/ip mode of clamd, then use scannertype = clamd # This will allow using the clamav scanner even when it is not running on # the same server as p3scan. # # Bash # # This scanner type allows you to do whatever you want with the # variables passed to it and can also allow you to call multiple # scanners, etc... See p3scan.sh for an example of all the variables. # scannertype = bash # # default: basic # # scannertype = avpd # scannertype = avpd_new # scannertype = bash # scannertype = basic scannertype = clamd # scannertype = trophie # Virusscanner # # Depends on scannertype. Read the above section of that scannertype # you're going to use and you do not need to ask what to fill in here. # # default: depending on scannertype: # basic : <no default> # bash: : /path/to/filename # avpd : /var/run/ # avpd_new: /var/run/ # trophie : /var/run/trophie # clamd : tcp/ip connection # # # Sample: scannertype basic using McAfee UVSCAN: # scanner = /usr/local/uvscan/uvscan # Sample: scannertype basic using FRISK F-Prot Antivirus: # scanner = /usr/local/bin/f-prot -archive=5 -ai # Sample: scannertype basic using ClamAV: # scanner = /usr/bin/clamdscan --no-summary # Sample: scannertype clamd using ClamAV in TCPSocket mode: # scanner = 127.0.0.1:3310 # Sample: scannertype bash using p3scan.sh for testing: # scanner = /usr/local/sbin/p3scan.sh #scanner = /usr/bin/clamdscan --no-summary # # Scanner Returncode # # Specify the returncode(s) which the scanner returns when the mail is # infected. P3Scan does its part (sending the notification and not the # infected mail) only when it gets the specified returncode(s). # A returncode value of 0 from the scanner is assumed to mean that the # message is clean. Any other unspecified value will add warning lines # to your logfiles but THE MESSAGE WILL BE DELIVERED! # # Only used from scannertype 'basic'. # # default: 1 # # Sample: scannertype basic using McAfee UVSCAN: # viruscode = 13 # Sample: scannertype basic using FRISK F-Prot Antivirus: # viruscode = 3,8 # # Good Scanner return codes # # Some scanners can report more than good or infected. Place valid return # codes here that will enable the message to be delivered without a # warning. For example, Kaspersky Anti-Virus reports code 10 for an # encrypted .zip file. # # default: none # Sample: goodcode = 10 # goodcode = # # Regular Expression for Virusname # # Specify here a regular expression which describes where the name of the # virus can be found. If not specified, the first substring is used; # specify it appending '/' and the substring number (1-9) at the end. # PerlCompatibleRegularExpressions are used, case sensitive and the # ungreedy option. Only used by scannertype 'basic'. # # default: <none> # # Sample: McAfee UVSCAN # virusregexp = ^[[:space:]]*Found( the|:)[[:space:]]*(.*)[[:space:]]*(|virus[^a-z.]*)$/2 # Sample: FRISK F-Prot Antivirus # virusregexp = (?=Infection\:)[[:space:]]*(.*)$ # Sample: ClamAV #virusregexp = .*: (.*) FOUND # # deMIME Setting # # Uncomment this if we should parse all MIME-sections instead of passing # the message as-is to the scanner. This is used for viruscanners that cannot # natively handle email attachments. # # default: <no demime> #demime # # Broken email clients # # Some email clients may require special processing. If this # option is enabled the client will receive whole lines (vice # single characters) while processing a large email message. # # The reason for leaving two types of large email processing # is that when this option is disabled, the possibility exists # that the client will not see any "X-P3Scan: Due to an # extremely large attachment you see this message line." in # the received message header. # # Note: As of the introduction of this parameter, only some # instances of the use of the Outlook/Outlook Express clients # warrent enabling of this feature. # # default: send characters during large message processing. # broken # # Timeout # # Change the default timeout for sending characters/lines to the # client while processing a message. # # default: 30 seconds timeout = 30 # # ISP Spam # # This option allows you to set the string your ISP uses if # it processes your email for SPAM. If this string is found # in the subject line of the incoming message, it will not # perform any spam processing so that the message gets to # the client faster. # # default: <none> # Sample for cox.net: # ispspam = -- Spam -- # # ispspam = # Enable Spam checking # # If set, will scan for Spam before scanning for a virus. # # P3scan has been tested with both dspam-3.0.0-rc2 and # Mail::SpamAssassin v2.6. # # The DSPAM implementation uses the virtual-users capability # of the mysql backend to dspam. Mysql is the recommended # interface due to speed and stability (and in our case, the # virtual-users interface). # # P3scan and SpamAssassin uses the interface spamd/spamc. # You should start spamd before running p3scan. For example: # "spamd -L -d" (run in local mode only, daemonize) # man spamd for more information. # # default: no checking of spam # checkspam # # Mail::SpamAssassin # # Where to find spamc, the link to the Mail::SpamAssassin daemon spamd. # # spamcheck = /usr/bin/spamc # # DSPAM # # This line gives SpamAssassin like functionality to dspam. All # users mail is scanned against a single database of "mail". #spamcheck = /usr/bin/dspam --user mail --mode=teft --stdout --deliver=innocent,spam --feature=ch,no,wh # # This line enables each virtual user to have their own database # of message traffic 'tokens' and is much more accurate than the # procedure above after training. The user 'dspamuser' will be # replaced by the actual user calling p3scan. #spamcheck = /usr/bin/dspam --user dspamuser --mode=teft --stdout --deliver=innocent,spam --feature=ch,no,wh # # Of course change the options in the above lines to your preferences. # # Rename Attachments # # If renattach is installed and this option is un-commented, we # will execute renattach to rename dangerous attachments. # (See README for more information) # # default: none # #renattach = /usr/bin/renattach # # Overwrite (disable) HTML # # If a person views an HTML message, not only can the client # download pictures automatically, it enables someone viewing # the remote log file to confirm the email address is valid, # making it "worth" keeping/selling, etc... # # p3scan comes with a separate program p3pmail that can be # installed for this purpose. # # default: do not disable HTML # # overwrite = /usr/bin/p3pmail # # Quiet # # Disable reporting of normal operating messages. Only report errors # or critical information. # # default: display all less debug info # # quiet # # Template # # Where to look for an email-template when our own mail has to be send # instead of an infected mail. That file has to be exist, otherwise # p3scan will send an RFC unconform -ERR and closes the connections. # The email-template should start after the header with the content-type, and # so on. Also the leading dot is necessary (just a dot and return, no more in # the last line). You can use some key- words which will be replaced # when sending, e.g. %MAILDATE%. See the existing p3scan-en.mail for examples # of keywords. # # p3scan.mail is normally a sym-link to your default language email template. # You can of course just put the actual name of your template here. # # default: /etc/p3scan/p3scan.mail # # template = /etc/p3scan/p3scan.mail # # Alternate virus notification email # # In the event you wish to modify the virus notification email on the # fly, as in using the bash scanner, uncomment this to allow a copy of the # p3scan.mail virus template to be placed in: # $virusdir/<pid>/vnmsg or /var/spool/p3scan/children/<pid>/vnmsg # # default: use template defined in template= w/out modification. # # altvnmsg # # Subject # # This option can be used to change the default subject line when reporting # a virus infected message. In the default below, everything between the quotes # can be changed and are not part of the actual default subject line and # <virus name> will be replaced by the actual name of the detected virus. # # default: Subject: "[Virus] found in a mail to you:" <virus name> # # subject = # # Notify # # This option can be used to change the default file deleted notification that # is displayed in the virus notification message when the "justdelete" option # is used. # # default: Per instruction, the message has been deleted. # # notify = # # SMTP Reject # # This option can be used to change the default SMTP Reject message that is sent # to the client in the event a message is rejected due to a virus. # The error message will have a prefix of "554". # # default: Virus detected! P3scan rejected message! # # smtprset = # # Check SMTP size # # This option can be used to set the maximum message size (in KBytes) that # p3scan will use to determine if it should scan an smtp submission. If a # message is greater than this size, it will not be scanned to help alleviate # smtp timeouts. # # default: none # # checksize = # # SSL/POP3S messages # # Check for SSL/POP3S protocol on a different port. # # default: 995 # # sslport = # # Insert SMTP message virus scanner information. # # This option is used to add the virus definition info from your scanner # to an smtp message. It will only be added as a footer if the message # is not signed cryptographically and is only a text message. # # It is used in conjunction with the file /etc/p3scan/p3scan.footer in the # following fashion: # # /etc/p3scan/p3scan.footer: # # 1) If file does not exist and "footer" is defined: # No footer information will added to outgoing messages, but the p3scan # version and scanner info will be added to the header. # # 2) If file exists but blank and "footer" is defined: # P3Scan version/host info and scanner info will be added to end of # message and header. # # 3) If file contains information and "footer" is defined: # All lines of this file will be added to the end of the smtp message and # then p3scan version/host info and scanner info will be appended. # # 4) If file does not exist and "footer" is not defined: # P3Scan will only insert p3scan version info into the header. # # Sample: FRISK F-Prot Antivirus: # footer = /usr/local/bin/f-prot -verno # Sample: ClamAV: # footer = /usr/bin/clamdscan -V # # TOP command processing # # This command may cause p3scan to hang when the client does not # disconnect after using the TOP command. It is now disabled by # default. If it was working for you in the past, then go ahead # and enable it below. # # NOTE: This command will be removed in the future as it is only # a work-around until the problem can be resolved. # # enabletop # END of configuration
signature.asc
Description: Digital signature
