Trojan infects all mail on the server

Hello,

Because of trojans that have infected my server, all of the mails on the server are infected and deleted and gone to the /tmp/clamav… directory. So how can I prevent this trojan from infecting all the mails? What must I do?

Please help. Most of the mail accounts are down because of this.

I’m not sure. I think maybe you’re still misinterpreting what the problem or problems are on your system. I don’t believe the symptoms you describe indicate the problem you think they do. It sounds like you’re a recovering Windows user with a belief that everything weird that happens on your system is due to a virus…that’s not the right problem-solving approach on a well-maintained Linux system. Viruses and trojans and rootkits are rare, but misconfigurations are very common. You may very well have security issues on your system, but so far, the only evidence we have of that is that you had some PHP scripts that had been abused by a script kiddie. Disabling those scripts until you know you’ve corrected the security issues in them would be step one for solving that problem. If that problem was exacerbated by a local privilege escalation hole on your system, then it could have permitted a rootkit to be installed (but again, we have no evidence of that).

Some tools that are helpful in determining whether your system has been exploited (to a more serious degree than just having a PHP script exploited):

chkrootkit does a nice job of spotting most common rootkits and their side effects: http://www.chkrootkit.org/

Use your package manager to ensure your system is up to date. If it isn’t, then you probably do have security holes that could be (and maybe already have been) exploited.

Use your package manager to detect changes to files that shouldn’t have been changed…like ps, top, ls, w, who, locate, lsof, login.

With RPM, you could do:

rpm -V procps

For example, to see if ps and top have been tampered with.

If you have been infected with a rootkit, the most cost effective solution is almost certainly to backup your data (particularly user data, but also /etc and any other useful data on the system, though no binaries from the old system can be trusted), and start fresh. The only way to be sure a system can be trusted after an exploit is extremely time consuming and requires pretty serious expertise. I used to do this kind of work on contract and generally charged $1600 for the approximately two days worth of work it required to be sure the system was clean (and I wouldn’t do it that cheaply today). You will have no trouble finding someone who will take your money for such a task, but a very hard time finding someone who has the knowledge necessary to actually accomplish it. It is one of the more challenging IT tasks, and requires a lot of patience and a lot of knowledge of the OS in question. I don’t know anyone off-hand who does this kind of work, so I can’t recommend anyone.

In short, the only good solution to a security problem is to avoid having one. If history thwarts you on avoiding it, you’ll probably need to start over, and be more careful about security in the future.

Anyway, you need to stop for a moment, and get a better grasp of how your system works before deciding you know what is wrong with it. Read some documentation, check some logs (maillog, procmail.log, etc.), and follow the above tips for figuring out if you have a rootkit to deal with or not.

You can certainly use clamav to scan your whole system for viruses, but it’s kind of nonsensical to do so. If you really have a security problem, you can’t trust the clamav installation to tell you the truth.

Oh, yeah, I should add that 99.99% of the viruses that ClamAV detects are Windows viruses, and would have no effect on a Linux box–security problems that do occur on Linux are far more dramatic than a simple virus and “scanning for viruses” in the Windows sense isn’t really a productive use of your time. (Windows has rootkits, too, it’s just rarely necessary to go to such lengths for crackers to get what they want out of a Windows system.)
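The reply above names the binaries a rootkit usually replaces and gives `rpm -V procps` as the check. What it does not show is how to read the report: `rpm -V` prints one line per file that differs from the package manifest, and not every line means tampering. The script below is an added example, not code from the thread or from Virtualmin; the binary list, the constructed sample report and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: verify the packages that own the
# binaries a rootkit typically replaces and read the `rpm -V` report.
# The binary list and SAMPLE_REPORT below are assumptions for this example.

# `rpm -V` prints one line per file that differs from the package manifest.
# The first column is an attribute string; a letter means that attribute
# differs from the manifest, a dot means it matches:
#   S size  M mode  5 digest  D device  L symlink  U user  G group  T mtime
# An optional second column marks the file type (c = config, d = doc).
# Config files drift legitimately; a changed digest or size on a binary
# that is not a config file is the signal worth acting on.
SAMPLE_REPORT='S.5....T.    /bin/ps
.......T.    /usr/bin/top
S.5....T.  c /etc/sysctl.conf
missing      /usr/bin/w'

# Print "TAMPERED <path>" / "MISSING <path>" per suspicious entry.
# Exit status 1 when anything suspicious was found, 0 otherwise.
flag_suspicious() {
    printf '%s\n' "$1" | awk '
        $1 == "missing"        { print "MISSING " $NF; found = 1; next }
        $2 == "c" || $2 == "d" { next }   # config/doc files: expected to change
        $1 ~ /[S5]/            { print "TAMPERED " $NF; found = 1; next }
        # mtime-only lines (like /usr/bin/top above) are common after
        # prelink or a touch and prove nothing either way, so not reported
        END { exit (found ? 1 : 0) }
    '
}

# Resolve the owning package of each binary, verify it, flag the result.
# Caveat from the reply above: on a compromised host rpm, awk and the rpmdb
# itself can lie. Prefer `rpm -Vp <freshly downloaded package.rpm>` run from
# rescue media, which compares against the package file, not the local db.
check_system_binaries() {
    report=''
    for bin in /bin/ps /usr/bin/top /bin/ls /usr/bin/w /usr/bin/who \
               /usr/bin/locate /usr/bin/lsof /bin/login; do
        pkg=$(rpm -qf "$bin" 2>/dev/null) || continue
        report="$report
$(rpm -V "$pkg" 2>/dev/null)"
    done
    flag_suspicious "$report"
}

# Run against the constructed report when invoked as: sh rpmcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    flag_suspicious "$SAMPLE_REPORT"
fi
```

On the constructed report this flags `/bin/ps` (size and digest changed) and the missing `/usr/bin/w`, skips the config file, and stays quiet about the mtime-only change on `/usr/bin/top`. `check_system_binaries` does the same against the live rpm database.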

Maybe this problem is connected with http://www.virtualmin.com/index.php?option=com_flyspray&Itemid=82&do=details&task_id=3460. If so, how can I solve this problem?

Also I see some error messages on my new Virtualmin 3.56 version. I will send them by e-mail.

Thank you.

I have some problems on my web server. Firstly I must say that I noticed some trojans and viruses affecting my server. I saw that when loading my web pages, a foreign link appeared in the status bar while the pages were loading. When I searched these pages, I saw some code that inserts a hidden iframe connected to some other sites. This is an iframe injection problem.

This is a wholly separate problem from clam and mail delivery. Completely unrelated. PHP security issues are in no way affected by the use or lack of use of clamav. Utterly unrelated. We should start another thread about PHP security (with no mention of mail or clamav in that thread, as they are wholly unrelated issues), if you’d like to continue working on it (that’d probably be wise). I can tell you’re having a hard time believing me when I say that clamav and PHP security have no relation, but I assure you that it is true. :wink:

Now, on to the problem. Here it is (right in the log, where we thought it would be!):

procmail: Error while writing to "/var/log/procmail.log" procmail: Quota
exceeded while writing

Your quotas are set too tight to allow processing of emails. ClamAV requires 10MB of free disk space, or more, to process messages, plus whatever space is required for the mailbox. It requires much more, if it is processing big files–note that compressed attachments can blow up to several times the size of the original message, so even if you’re only processing files up to, say, 1MB, you could still need 10 or 20 extra MB for ClamAV to work in. Raise your quotas for the affected users and this problem will either go away or reveal new errors.

There is an alternative, which is to set clam to use a working directory on another partition that is not subject to quotas. You could remount /tmp on a large extra disk, for example, and allow clam to use that.

Probably easier just to give folks enough room. (Virtualmin Professional checks for this kind of problem, but Virtualmin GPL doesn’t know about spam and AV filtering. This will probably change in the future.)
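Quotas are enforced per filesystem, which is why the reply above offers two fixes: give the users more room, or move the scratch directory to a filesystem where their quota does not apply. The script below is an added example, not code from the thread or from Virtualmin. It checks whether /tmp shares a filesystem with /home, works out how much headroom a user needs before clamscan can even unpack its signatures, and lists the users who fall short; the 10MB figure is from the reply, while the 3x expansion factor, the constructed `repquota` report, the device name and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether ClamAV's scratch space
# is charged to the mail user's quota, and which users cannot afford it.
# CVD_SCRATCH_KB comes from the reply above; EXPANSION, the paths, the
# device name and SAMPLE_REPQUOTA are assumptions for this example.

# Quotas are per filesystem. When /tmp sits on the same filesystem as /home,
# everything clamscan unpacks under /tmp while running as the mail user (the
# main.db/main.mdb/main.ndb extracted from main.cvd) is charged to that user.
same_filesystem() {
    # $1, $2: paths; returns 0 when df reports the same device for both
    [ "$(df -P "$1" | awk 'NR == 2 { print $1 }')" = \
      "$(df -P "$2" | awk 'NR == 2 { print $1 }')" ]
}

# Scratch space clamscan needs just to unpack its signature database (10MB
# per the reply), plus room for the message itself: compressed attachments
# can expand to several times their size, so a multiplier (assumed 3x) applies.
CVD_SCRATCH_KB=10240
EXPANSION=3

required_kb() {
    # $1: size in KB of the largest message the user is expected to send
    echo $(( CVD_SCRATCH_KB + EXPANSION * $1 ))
}

# Constructed `repquota -u` style report (blocks in KB): name, status flags,
# used, soft, hard, grace. A soft limit of 0 means the user is unlimited.
SAMPLE_REPQUOTA='*** Report for user quotas on device /dev/sda2
User            used    soft    hard  grace
----------------------------------------------------------------------
mailuser1  --    9850   10240   10240
mailuser2  +-   30500   30720   30720
mailuser3  --   50000  102400  102400
postmaster --  120000       0       0'

# Print the users whose remaining quota (soft limit minus usage) is below
# the required scratch space. Only lines with a flags column are quota rows.
users_at_risk() {
    # $1: report text  $2: required KB
    printf '%s\n' "$1" | awk -v need="$2" '
        $2 ~ /^[-+][-+]$/ && $4 > 0 && ($4 - $3) < need { print $1 }
    '
}

# The two ways out, matching the reply above:
#  1. Raise each at-risk user's quota until headroom >= required_kb(...).
#  2. Put /tmp on the second disk's partition so it is outside the quota-
#     enforced /home filesystem, e.g. via /etc/fstab (device name assumed):
#        /dev/sdb1  /tmp  ext3  defaults,nosuid,nodev  0 0
#     clamscan defaults to /tmp for scratch space, so remounting /tmp needs
#     no ClamAV change; if a different directory is used instead, clamscan
#     takes --tempdir=DIR and clamd reads TemporaryDirectory in clamd.conf.

# Demo on the constructed report when invoked as: sh quotacheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    if same_filesystem /tmp /home; then
        echo "/tmp shares a filesystem with /home: quotas cover ClamAV scratch"
    fi
    echo "users at risk for 1MB messages:"
    users_at_risk "$SAMPLE_REPQUOTA" "$(required_kb 1024)"
fi
```

On the constructed report, a 1MB message needs 13312KB of headroom; mailuser1 (390KB left) and mailuser2 (220KB left) are reported, mailuser3 is not, and postmaster is skipped as unlimited. That matches the thread's observation that users with 30-60MB quotas hit the same error as 10MB users: what matters is the headroom left, not the quota size.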

OK. I can try to install again after the changes that you suggest.

But I need some help to mount /tmp on a new partition and configure ClamAV with it, because I do not know how to do this. Can you tell me step by step how I must do this installation and the /tmp change?

Before this I want to give some information about my server.
I upgraded my OS to CentOS Linux 4.6, and I upgraded Virtualmin to Virtualmin 3.56 Pro. I have two disks in my server. The second one is used for backup. The first one has two partitions, 40GB+40GB. My /tmp directory is on the first partition. It is possible to mount it on the second partition.

I have 264 virtual servers on the server. 216 of the virtual servers use MySQL DBs, but only 2-3 virtual servers are very active. There are 701 mail users on the system, and there are 1357 mail aliases. 60% of the first partition is full. There is 2GB of memory.

Most of the users in the system have a 10MB disk quota. But most of the other users, whose quota is larger than 10MB, like 30-60MB, faced the same quota problem when I installed the new ClamAV version. Maybe their mail traffic affected this.

But I have too little experience with server management and also with the Virtualmin interface. So I need some help to make this installation.

Firstly, how can I mount /tmp on the second partition?
And how must I configure ClamAV, and which version or which rpm must I use? Can you suggest a resource?

If you tell me step by step how I must do this operation, I will be very glad.

Thanks a lot for your help again.

ClamAV Upgrade and Installation Problem

This is my problem, from the beginning to now.

I have some problems on my web server. Firstly I must say that I noticed some trojans and viruses affecting my server. I saw that when loading my web pages, a foreign link appeared in the status bar while the pages were loading. When I searched these pages, I saw some code that inserts a hidden iframe connected to some other sites. This is an iframe injection problem.

And after searching I saw that this code infects most of the index.php, index.html, index.htm and footer.php, footer.htm and footer.html pages on my server.

After this I cleaned all the infected files and activated PHP safe mode, which was OFF before. And I disabled some system functions in php.ini.

But more important than this, I realized that my ClamAV antivirus was out of date. But when I wanted to update ClamAV with yum update clamav, I faced some errors with yum. And I got help from my hosting firm to solve this problem.

And after this, I updated my ClamAV 0.88 to ClamAV 0.92. And after this installation I scanned my system with clamscan and removed 1250-1300 trojans and viruses from users’ mail directories.

After this cleaning operation, I scanned the system again and no other trojans or viruses were found.

But after the ClamAV update to version 0.92 there is a big problem again.

When a mail user sends a mail to anyone, everything is shown as normal in the mail program (Outlook, Thunderbird…) as sent, but the mail is not delivered to the recipient. And at the same time a clamav… directory is created in the /tmp directory. And these directories fill the user’s mailbox quota. When I clean this directory out of the /tmp directory the quota returns to its normal size. This problem occurs for most of the mail users’ traffic. But this problem began after the ClamAV update process.

But this problem does not show on all mail accounts.

This clamav… directory that is created in the /tmp directory has 4 files: main.db, main.mdb, main.ndb and copying files.

And the message that is returned to the user that the mail quota is exceeded is shown below.
And sometimes the message is not returned.

<mail_address> (expanded from
    <mail_address>): can’t create user output file. Command
    output: LibClamAV Error: cli_untgz: Wrote 0 instead of 512
    (/tmp/clamav-d342a5c0705d099fd95b1b0793092e0b/main.ndb) LibClamAV Error:
    cli_cvdload(): Can’t unpack CVD file. LibClamAV Error: Can’t load
    /var/clamav/main.cvd: CVD extraction failure ERROR: CVD extraction failure
    procmail: Error while writing to “/var/log/procmail.log” procmail: Quota
    exceeded while writing
    “/home/domain/homes/mail_user/Maildir/tmp/1209623791.26249_0.ns1.site.com.tr”
    procmail: Quota exceeded while writing
    “/home/domain/homes/mail_user/Maildir/tmp/1209623791.26249_1.ns1.site.com.tr”
    Time:1209623791 From: To: User: mail_adresi Size:248
    Dest:/etc/webmin/virtual-server/clam-wrapper.pl /usr/bin/clamscan Mode:None

In short, after updating ClamAV on my server, all the mails in the server’s mail traffic have a clamav… directory in the /tmp directory, and these directories have main.db, main.mdb, main.ndb and copying files.

What is wrong, or what must I do to solve this?

If I remove ClamAV from the system, everything returns to normal in the mail traffic.

Also I installed chkrootkit and scanned the system. No bad result is shown. All results said
