Eric,
        We do have clamav installed and operational, but I agree this could
be from something already in a mailbox.  When we configured this machine we
copied a lot of messages from POP accounts to IMAP.

The tmp directory also has "m", "m.1", "m.2" as well as "dude.txt" and all
are infected.

If this is already here, obviously we cannot check it, but I need to make
sure we do not get any others.  So ClamAV should find them, correct?  Could
they arrive via Web anomaly?  We only have the Qmail-Toaster Admin and
Webmail active on this machine.

Cheers

-----Original Message-----
From: Eric Shubert [mailto:e...@shubes.net] 
Sent: Tuesday, 12 April 2011 10:05 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: Perl Bot

On 04/11/2011 04:40 PM, Mike Canty wrote:
> Eric,
>       Thanks for the response.
>
> The Anti-Virus I am using is removing the files, as they are detected, so
> it's a bit hard to tell.  They are actioned late at night, so we are not
> looking then, however, something must be setting them there.
>
> There is one text file still in the "/tmp/" directory, that is infected and
> this is owned by apache.  So is this a Webmail item?
>
> -rw-r--r-- 1 apache apache 28026 Apr  9 22:18 dude.txt

That's what it appears to be.

I'm a little surprised that clamav did not find this one. Do you have 
that turned off for some reason, or did it miss this? It's possible that 
if you got one in a mailbox that sneaked in before clamav had a 
signature for it, that every time it's opened by the user using webmail 
that it's putting the file back in the /tmp directory.

The filename dude.txt is a little suspicious to me though. I would 
expect SM to use some sort of unique name for an attachment, if that's 
what it is.

I'm thinking now that it's perhaps something not even coming from email. 
Could it be coming from apache via some other route? Do you have apache 
running anything besides the stock QMT stuff? Roundcube perhaps?

> Trying to "cat" the file brought back information from our AV
>
> cat: dude.txt: Operation not permitted
> [root@msrverpd tmp]#
> ********************** Sophos Anti-Virus Alert ***********************
> Virus "Mal/PerlBot-A" detected in file
> "/tmp/dude.txt".
>
> Access to the file has been denied
> Please contact your IT department.
> **********************************************************************
>
> At least we know we are protected.

That's good.

> As for the AV on the mailboxes, are you talking about the server side or the
> client side?  We run Sophos AV on all clients.

Server side. /home/vpopmail/domains/*/*/Maildir/* files, recursively.

-- 
-Eric 'shubes'


---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
    Vickers Consulting Group offers Qmailtoaster support and installations.
      If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
     Please visit qmailtoaster.com for the latest news, updates, and packages.

      To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
     For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
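Added example (not from the thread or the QMT project): a small POSIX shell helper for the two checks discussed above. The first records owner, size, mtime and SHA-256 of files in /tmp owned by the web server user before the nightly AV sweep deletes them, so the drop times can be compared against the Apache access log; the second runs the recursive ClamAV scan of the vpopmail Maildirs Eric describes. Directory, user name and age window are parameters; the defaults are assumptions.

```shell
#!/bin/sh
# Triage helper for files appearing in /tmp under the apache user which the AV
# removes overnight before anyone looks at them. Paths and defaults are assumed.

sha256_of() {
    # Portable digest: sha256sum on Linux, shasum on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# triage_owned_files DIR USER [MAX_AGE_MINUTES]
# Prints one line per matching regular file: path|owner|bytes|mtime_epoch|sha256
# The mtime_epoch column is what you line up against the Apache access log.
triage_owned_files() {
    dir=$1; owner=$2; max_age=${3:-1440}
    find "$dir" -maxdepth 1 -type f -user "$owner" -mmin "-$max_age" 2>/dev/null |
    while IFS= read -r f; do
        # stat flags differ between GNU and BSD; try GNU first, then BSD.
        meta=$(stat -c '%U|%s|%Y' "$f" 2>/dev/null || stat -f '%Su|%z|%m' "$f")
        printf '%s|%s|%s\n' "$f" "$meta" "$(sha256_of "$f")"
    done
}

# scan_maildirs [ROOT]: recursive server-side ClamAV scan of the mailboxes
# (/home/vpopmail/domains/*/*/Maildir on a QMT box). Returns clamscan's exit
# status (0 clean, 1 infected files found, 2 error) or 127 if it is not installed.
scan_maildirs() {
    root=${1:-/home/vpopmail/domains}
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed" >&2; return 127; }
    clamscan --recursive --infected --no-summary "$root"
}

# Typical run on the affected host (assumed user and paths):
#   triage_owned_files /tmp apache 1440 >> /var/log/tmp-triage.log
#   scan_maildirs /home/vpopmail/domains
```

Run the triage from cron some time before the AV sweep so the log keeps the hashes and timestamps of what was dropped even after the files are gone.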