Malware detection after update of custombuild/directadmin

AudiAddict (Verified User, joined Oct 10, 2008; 85 messages)
Hello, I'm having a strange issue and I hope you can help because the nature of the error is keeping me awake in the evening.

After updating my directadmin custom build installation yesterday I got two package updates.

Code:
Installing dovecot 2.3.14 ...
Found /usr/local/directadmin/custombuild/dovecot-2.3.14.tar.gz

and

Code:
updating PHP 7.4
Found /usr/local/directadmin/custombuild/php-7.4.16.tar.gz

Afterwards I'm getting virus logs on my Bitdefender (Bitdefender Total Security version 25.0.14.58) antivirus on my PC (sorry, it's in Dutch; it says a malware-infected webpage was found and is going to be blocked).


Do any of you know how to troubleshoot this further? I've tried an online URL malware scanner and entered the Dovecot URL of this server and the DirectAdmin login page, but no malware was found there. Is there another tool or antivirus/anti-malware that I could install on this DirectAdmin server to scan? I'm using ClamAV, but this is only for email.

Also do any of you know if there is anything related to these package updates that could be causing this issue?

Version of the server/da is:
Linux 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

DA version:
1.61.5
 
I've tried restarting both the pc with this bitdefender client and the DA server. The only way to not get the error is by adding this URL to my safelist on the local pc but that doesn't give me a very good feeling.
 
Dovecot won't infect web pages, so the only thing could be the PHP update. However, I doubt that this is the cause.
You might best post your URL so we can verify or check it and investigate what could be causing this.

Alternative: try running maldetect on your system, especially for that website.
 
Do you mean this was caused by the DA update? What is the name of the infected file?

After updating the CustomBuild packages in DirectAdmin, two packages came up (dovecot and php). After updating these, my Bitdefender antivirus started giving me this error / malware warning. So it must be related to this update for some reason, as this didn't happen before these updates. There is no infected file really; if I go to the website the warning pops up (either the webmail or the DA login).


I'm running clamav now on the complete system to see if anything comes up. I'm only getting hits on imap files which is normal I guess, many users get spam/virus e-mails etc.

I also tried the online malware scanning website virustotal.com and that didn't give any hits, so I'm hoping it's a false positive from BitDefender.

edit: removed link to prevent it from being indexed.
 
I am also using BD and never had a warning with these 2 updates.
Are you sure that the AV is alerting because of the update?
Maybe another malware/virus is on your site as well; please scan your whole site for this kind of infection.
 
Can you check the link above and see if you also get the error? It's coming from the Bitdefender malware part (Bit defender total security).
The strange thing is that it didn't pop up before - only after these two custombuild package updates?

I am scanning the whole server with clamav (is this the right approach)?
 
I have scanned your webmail URL with VirusTotal, but I don't see a danger...
** removed URL **

But an update of dovecot or PHP cannot just put a virus in a site.
I think it is very likely that it is all a coincidence.

A scan with ClamAV can of course never hurt. ;-)
 
I have checked your site with some other virus/malware scanners, both online and offline, and didn't get any results.
I have to admit all our connections are filtered with private filtered Pi-hole DNS servers, but I don't think it will change the outcome.

This is a false warning and can be ignored. Just a side note: there are some things not well configured with your DNS server records.
I recommend checking this for errors and correcting them.
 
Thanks. Can you remove the URL and results please? I'd rather not have my server indexed in Google through this forum.


That's what I think too... still strange, right? Any tips on what you mean by DNS? Can you be more specific?
 
Which issues do you see? This server doesn't have IPv6 or different subnets :).

Are you talking about :
All name servers returned by the parent name servers should have an NS record at your name servers ?

Should I make A records for the secondary name servers? As they are from TransIP (third party), they change their IPs sometimes, so I didn't want to hardcode them as A records. What do you think?

Back on topic: I still don't understand why bitdefender is giving the virus warning :(
 
Here is the link to validate / see if you also get the error.
I don't get any issue, and neither does the Google safety check. Maybe BD behaves oddly because your main domain redirects to Google?
Seems really a wrong BD issue, false positive.

ClamAV is nice, but Maldetect is easy to install; it also makes use of ClamAV but has its own routines, specialized for malware. However, I did a couple of tests too and still think it's a false positive.
It's not always understandable why a scanner triggers a false positive, in this case only the BD support can explain or fix this.

Did you look at the link? It seems you have your own nameservers running there while you are using TransIP nameservers.
If you only use the ones from TransIP, you should not create them in TransIP's DNS for your domain. Remove them there.
Or use your own, but then do not use the TransIP nameservers. You have to make a choice here.
If you want, PM me in Dutch, I am also Dutch. ;)
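The delegation mismatch described in this reply (the parent zone hands out one NS set, the zone itself publishes another) can be checked from the command line. This is an added example, not code from the thread; `ns_diff` is a pure set comparison, and `check_delegation` is a hypothetical wrapper that assumes `dig` (dnsutils/bind-utils) is installed and has network access.

```shell
#!/bin/sh
# ns_diff PARENT_NS CHILD_NS
# Each argument is a newline-separated list of nameserver hostnames.
# Normalises case and trailing dots, then prints every name that is in one
# set but not the other. Returns 0 when the sets match, 1 otherwise.
ns_diff() {
    parent=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -v '^$' | sort -u)
    child=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -v '^$' | sort -u)
    rc=0
    for n in $parent; do
        printf '%s\n' "$child" | grep -qxF "$n" \
            || { echo "delegated by parent but missing in zone: $n"; rc=1; }
    done
    for n in $child; do
        printf '%s\n' "$parent" | grep -qxF "$n" \
            || { echo "in zone but not delegated by parent: $n"; rc=1; }
    done
    return $rc
}

# check_delegation DOMAIN (hypothetical helper, needs dig and network)
# Parent view: the AUTHORITY section of a non-recursive NS query sent to one
# of the TLD servers. Child view: the apex NS records the zone answers with.
check_delegation() {
    domain=$1
    tld=${domain##*.}
    tld_ns=$(dig +short NS "$tld." | head -n 1)
    parent=$(dig +norecurse +noall +authority NS "$domain" @"$tld_ns" \
             | awk '$4 == "NS" { print $5 }')
    child=$(dig +short NS "$domain")
    ns_diff "$parent" "$child"
}
```

Run `check_delegation yourdomain.example` (placeholder); an empty output with exit status 0 means the parent delegation and the zone's own NS records agree.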
 