HOWTO: ProFTPD Antivirus using CLAMAV

scsi said:
Why not just look at the code so you know what its doing and do it manually?
Click to expand...

I tried it and it gives an error:

modules/mod_xfer.o(.text+0x24ce): In function `xfer_stor':
: undefined reference to `clamav_scan'
gmake: *** [proftpd] Error 1
 
TonyTran said:
Hi,

I dont know why, when i run:

It's error:


I run:

The mod_clamav.c under Loaded modules.

I try:

It's detected virus.

But i upload it via FTP, it's not work. :(
Click to expand...

I have the same problem, i use Debian 5.

Thanks!
 
everything installed, but clamd not scanning uploaded files

Hi all - i got most of it working, but am still having problems with clamd actually scanning the files when they are uploaded. proftpd works fine.

clamscan can scan and find the virus fine:

Code: 
# clamscan eicar.com
eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 833885
Engine version: 0.96.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 4.997 sec (0 m 4 s)



here is the end of my /etc/proftpd.conf:

Code: 
 # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayChdir                  .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
<Global>
DefaultRoot ~
<IfModule mod_clamav.c>
ClamAV on
ClamServer 127.0.0.1
ClamPort 3310
ClamMaxSize 5 Mb
</IfModule>
</Global>



here is part of my /etc/clamd.conf

Code: 
# Default: disabled (must be specified by a user)
# LocalSocket /var/run/clamav/clamd.sock

# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup

# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
# LocalSocketMode 660

# Remove stale socket after unclean shutdown.
# Default: yes
FixStaleSocket yes

# TCP port address.
# Default: no
 TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
 TCPAddr 127.0.0.1



and lastly, here is part of my proftpd log on debug 10:

Code: 
 ClamMaxSize
chrslinux (192.168.0.141[192.168.0.141]) - ROOT PRIVS at mod_auth.c:1129
chrslinux (192.168.0.141[192.168.0.141]) - opening TransferLog '/var/log/xferlog'
chrslinux (192.168.0.141[192.168.0.141]) - setting group ID: 500
chrslinux (192.168.0.141[192.168.0.141]) - RELINQUISH PRIVS at mod_auth.c:1168
chrslinux (192.168.0.141[192.168.0.141]) - USER PRIVS 500 at mod_auth.c:598
chrslinux (192.168.0.141[192.168.0.141]) - retrieved UID 500 for user 'chris'
chrslinux (192.168.0.141[192.168.0.141]) - RELINQUISH PRIVS at mod_auth.c:602
chrslinux (192.168.0.141[192.168.0.141]) - set TZ environment variable to 'MST'
chrslinux (192.168.0.141[192.168.0.141]) - Preparing to chroot to directory '/home/chris'
chrslinux (192.168.0.141[192.168.0.141]) - ROOT PRIVS at auth.c:1352
chrslinux (192.168.0.141[192.168.0.141]) - RELINQUISH PRIVS at auth.c:1354
chrslinux (192.168.0.141[192.168.0.141]) - Environment successfully chroot()ed
chrslinux (192.168.0.141[192.168.0.141]) - ROOT PRIVS at mod_auth.c:1209
chrslinux (192.168.0.141[192.168.0.141]) - SETUP PRIVS at mod_auth.c:1221
chrslinux (192.168.0.141[192.168.0.141]) - in dir_check_full(): path = '/', fullpath = '/home/chris/'.
chrslinux (192.168.0.141[192.168.0.141]) - dispatching POST_CMD command 'PASS (hidden)' to mod_cap
chrslinux (192.168.0.141[192.168.0.141]) - mod_cap/1.0: capabilities '= cap_net_bind_service+ep'
chrslinux (192.168.0.141[192.168.0.141]) - dispatching POST_CMD command 'PASS (hidden)' to mod_delay
chrslinux (192.168.0.141[192.168.0.141]) - dispatching POST_CMD command 'PASS (hidden)' to mod_log
chrslinux (192.168.0.141[192.168.0.141]) - dispatching POST_CMD command 'PASS (hidden)' to mod_ls
chrslinux (192.168.0.141[192.168.0.141]) - dispatching POST_CMD command 'PASS (hidden)' to mod_auth
chrslinux (192.168.0.141[192.168.0.141]) - RELINQUISH PRIVS at mod_auth.c:1582
chrslinux (192.168.0.141[192.168.0.141]) - dispatching POST_CMD command 'PASS (hidden)' to mod_xfer
chrslinux (192.168.0.141[192.168.0.141]) - dispatching POST_CMD command 'PASS (hidden)' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching LOG_CMD command 'PASS (hidden)' to mod_log
chrslinux (192.168.0.141[192.168.0.141]) - dispatching LOG_CMD command 'PASS (hidden)' to mod_auth
chrslinux (192.168.0.141[192.168.0.141]) - USER chris: Login successful.
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'CWD /Downloads/eicar_virus_test/from_ftp' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'CWD /Downloads/eicar_virus_test/from_ftp' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching CMD command 'CWD /Downloads/eicar_virus_test/from_ftp' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - in dir_check_full(): path = '/Downloads/eicar_virus_test/from_ftp', fullpath = '/home/chris/Downloads/eicar_virus_test/from_ftp'.
chrslinux (192.168.0.141[192.168.0.141]) - dispatching LOG_CMD command 'CWD /Downloads/eicar_virus_test/from_ftp' to mod_log
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'PWD' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'PWD' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching CMD command 'PWD' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - in dir_check_full(): path = '/Downloads/eicar_virus_test/from_ftp', fullpath = '/home/chris/Downloads/eicar_virus_test/from_ftp'.
chrslinux (192.168.0.141[192.168.0.141]) - dispatching LOG_CMD command 'PWD' to mod_log
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'TYPE I' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'TYPE I' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching CMD command 'TYPE I' to mod_xfer
chrslinux (192.168.0.141[192.168.0.141]) - dispatching LOG_CMD command 'TYPE I' to mod_log
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'PASV' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'PASV' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching CMD command 'PASV' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - in dir_check_full(): path = '/Downloads/eicar_virus_test/from_ftp', fullpath = '/home/chris/Downloads/eicar_virus_test/from_ftp'.
chrslinux (192.168.0.141[192.168.0.141]) - Entering Passive Mode (192,168,0,192,149,41).
chrslinux (192.168.0.141[192.168.0.141]) - dispatching LOG_CMD command 'PASV' to mod_log
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'STOR eicar.com' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'STOR eicar.com' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'STOR eicar.com' to mod_xfer
chrslinux (192.168.0.141[192.168.0.141]) - in dir_check_full(): path = '/Downloads/eicar_virus_test/from_ftp/eicar.com', fullpath = '/home/chris/Downloads/eicar_virus_test/from_ftp/eicar.com'.
chrslinux (192.168.0.141[192.168.0.141]) - in dir_check_full(): setting umask to 0022 (was 0022)
chrslinux (192.168.0.141[192.168.0.141]) - dispatching CMD command 'STOR eicar.com' to mod_xfer
chrslinux (192.168.0.141[192.168.0.141]) - passive data connection opened - local  : 192.168.0.192:38185
chrslinux (192.168.0.141[192.168.0.141]) - passive data connection opened - remote : 192.168.0.141:55920
chrslinux (192.168.0.141[192.168.0.141]) - dispatching LOG_CMD command 'STOR eicar.com' to mod_log
chrslinux (192.168.0.141[192.168.0.141]) - dispatching LOG_CMD command 'STOR eicar.com' to mod_xfer
chrslinux (192.168.0.141[192.168.0.141]) - Transfer completed: 68 bytes in 0.00 seconds
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'PASV' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'PASV' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching CMD command 'PASV' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - in dir_check_full(): path = '/Downloads/eicar_virus_test/from_ftp', fullpath = '/home/chris/Downloads/eicar_virus_test/from_ftp'.
chrslinux (192.168.0.141[192.168.0.141]) - Entering Passive Mode (192,168,0,192,159,200).
chrslinux (192.168.0.141[192.168.0.141]) - dispatching LOG_CMD command 'PASV' to mod_log
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'MLSD' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching PRE_CMD command 'MLSD' to mod_core
chrslinux (192.168.0.141[192.168.0.141]) - dispatching CMD command 'MLSD' to mod_facts
chrslinux (192.168.0.141[192.168.0.141]) - in dir_check_full(): path = '/Downloads/eicar_virus_test/from_ftp', fullpath = '/home/chris/Downloads/eicar_virus_test/from_ftp'.
chrslinux (192.168.0.141[192.168.0.141]) - passive data connection opened - local  : 192.168.0.192:40904
chrslinux (192.168.0.141[192.168.0.141]) - passive data connection opened - remote : 192.168.0.141:43086
chrslinux (192.168.0.141[192.168.0.141]) - in dir_check_full(): path = '/Downloads/eicar_virus_test/from_ftp/eicar.com', fullpath = '/home/chris/Downloads/eicar_virus_test/from_ftp/eicar.com'.
chrslinux (192.168.0.141[192.168.0.141]) - in dir_check_full(): path = '/Downloads/eicar_virus_test/from_ftp', fullpath = '/home/chris/Downloads/eicar_virus_test/from_ftp'.
chrslinux (192.168.0.141[192.168.0.141]) - in dir_check_full(): path = '/Downloads/eicar_virus_test', fullpath = '/home/chris/Downloads/eicar_virus_test'.
chrslinux (192.168.0.141[192.168.0.141]) - dispatching LOG_CMD command 'MLSD' to mod_log
chrslinux (192.168.0.141[192.168.0.141]) - FTP session closed.
chrslinux (192.168.0.141[192.168.0.141]) - FTP session closed.


it looks to me like the scan isn't being invoked whatsoever.

with nmap, it seems that the clamd 3310 port is open...
Code: 
 #nmap -p 3310 127.0.0.1

Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-18 01:42 MDT
Nmap scan report for chrislinux (127.0.0.1)
Host is up (0.00012s latency).
PORT     STATE SERVICE
3310/tcp open  unknown


Please if anyone can offer any help/suggestions, it would be GREATLY appreciated!!!

thank you all in advance. - hopefully it's something small I just messed up.
 
mod_clamav.c is loaded

Also forgot to post this, to show that mod_clamav.c is loaded:

Code: 
#proftpd -vv

ProFTPD Version: 1.3.3 (stable)
  Scoreboard Version: 01040003
  Built: Fri Sep 17 2010 20:52:53 MDT

Loaded modules:
  mod_cap/1.0
  mod_clamav.c
  mod_ident/1.0
  mod_facts/0.1
  mod_delay/0.6
  mod_site.c
  mod_log.c
  mod_ls.c
  mod_auth.c
  mod_auth_file/0.8.3
  mod_auth_unix.c
  mod_xfer.c
  mod_core.c
 
I got it all running now.

I recompiled the source using mod_clamav-0.11rc instead of mod_clamav-0.10 (i wasn't using the scripts provided... sorry)

This would invoke the virus scan (which I could see in my proftpd debug mode).

It was not scanning the virus because of permission errors (also seen in the proftpd debug mode).

I edited /etc/clamd.conf:

Code: 
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User root

it was previously set to:
Code: 
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav


This now scans and removes the eicar test virus when uploaded to the ftp.

Thanks for all the help!
 
Sweet, yea it helped me as well. I spent about 30 minutes on google trying to find the answer to this crap. I had to sign up and post up some appreciation. :cool:
 
Code: 
Loaded modules:
  mod_lang/0.9
  mod_cap/1.0
  mod_tls/2.4.2
  mod_readme.c
  mod_ratio/3.3
  mod_ident/1.0
  mod_facts/0.1
  mod_delay/0.6
  mod_site.c
  mod_log.c
  mod_ls.c
  mod_auth.c
  mod_auth_file/0.8.3
  mod_auth_unix.c
  mod_xfer.c
  mod_core.c

dose not show up for me i have centos 6.2 final 64 bit i did follow the instructions as mentioned
 
sHuKKo said:
Code: 
cd ~
wget http://www.serverdirekt.com/DA/FTPAV/ftpantivirus
Click to expand...

Hello and thank you for this great How-to

wgetting, I get the following error:

Code: 
--2013-04-01 21:19:37--  http://www.serverdirekt.com/DA/FTPAV/ftpantivirus
Resolving www.serverdirekt.com... 67.215.66.132
Connecting to www.serverdirekt.com|67.215.66.132|:80... failed: Connection timed out.
Retrying.

--2013-04-01 21:23:07--  (try: 2)  http://www.serverdirekt.com/DA/FTPAV/ftpantivirus
Connecting to www.serverdirekt.com|67.215.66.132|:80... failed: Connection timed out.
Retrying.

--2013-04-01 21:26:18--  (try: 3)  http://www.serverdirekt.com/DA/FTPAV/ftpantivirus
Connecting to www.serverdirekt.com|67.215.66.132|:80...

Any verified user having the code so that I can use? (or some semi-official place to have a mirror?)

Thank you very much
 
ClamAV scan for ProFTPd is now included into CustomBuild 2.0 :)
 
i want to uninstall clamav but i dont know how ..
some guide? it's important, clamav eat a lot of processes ..
 
How did you install it?

How is it started?

Are you asking specifically about ClamAV for ProFTPd?

Jeff
 
You must log in or register to reply here.
Back
Top