[PLUGIN] EN-ClamAV - ClamAV Interface for DirectAdmin

[SmaragdnaDolina]

Hello.

I installed both the plugin and the IonCube loader but I get the error:

Site error: the ionCube PHP Loader needs to be installed. This is a widely used PHP extension for running ionCube protected PHP code, website security and malware blocking. Please visit get-loader.ioncube.com for install assistance.

I checked it with a php.info script and the loader is there.

We have been going into this with a tech assistance from IonCube. This is part of the problem, as much as we have got so far:

Alastair Telford

10:40 AM (5 hours ago)

to me

Hi,

The 7.2 Loader *is* being found, that is not the problem. As you pasted in you were getting the following error:

Starting php-fpm56: Failed loading
/usr/local/lib/php/extensions/no-debug-non-zts-20060613/
ioncube_loader_lin_7.2.so: /
usr/local/lib/php/extensions/no-debug-non-zts-20060613/
ioncube_loader_lin_7.2.so: undefined symbol: zend_hash_str_find

So the Loader exists and has been found by php-fpm56 at /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
ioncube_loader_lin_7.2.so

However, it is the incompatibility that is the problem: it fails because the 7.2 Loader references the symbol zend_hash_str_find and PHP 5.6 does not have such a function.

The problem is simply that there is no php-fpm72 being run.

If you look at the "build ioncube.txt" document you attached you will see lines like the following:

Restarting php-fpm56
Restarting php-fpm70
Restarting php-fpm73

However, you will note there is no such line for php-fpm72.
----------------------------------------------------------------------------------

Can you make anything of it?

Thanks.

 

[roman_m]

This plugin requires console php. Check Loader is here with

php -i |grep ionCube

 

[SmaragdnaDolina]

[root@server ~]# php -i |grep ionCube
Cannot load the ionCube PHP Loader - it was already loaded
Cannot load the ionCube PHP Loader - it was already loaded
with the ionCube PHP Loader + ionCube24 v10.3.9, Copyright (c) 2002-2019, by ionCube Ltd.
ionCube Loader
ionCube24 features => unconfigured

 

[roman_m]

create the file info.php containing

<?php
    phpinfo();
?>

in /usr/local/directadmin/plugins/clamscan/admin/

then visit https://your_diradmin_hostort/plugins/clamscan/info.php with browser authorized as admin.

Then look at output, search for Loader. If it's active, I dont' know how to help you. Try to contact plugin developer (I already try to contact him, but there is no reply).

 

[SmaragdnaDolina]

THANK YOU, I have been wasting hours in trying different locations for the blessed phpinfo script!

Apart from the one I already have, in the root of my html docs.

The IonCube tech assistance was asking me to place a phpinfo on port 2222 but I could not find the exact location to do that.

I'll be back in a few minutes.

 

[roman_m]

You welcome

 

[SmaragdnaDolina]

http://mydomain:2222/plugins/en-clamav/phpinfo.php

Now... this is my DA login page, but when I login as admin and point to the plugin folder where I have uploaded the script, I get a

Error: document not found

Obviously I am doing something wrong.

 

[roman_m]

Place file exactly in /usr/local/directadmin/plugins/en-clamav/admin/ then make it executable.

file contents follows

#!/usr/local/bin/php -nc/usr/local/directadmin/plugins/en-clamav/php.ini

<?php

phpinfo();

?>

Also, I think you forget to load the Loader in /usr/local/directadmin/plugins/en-clamav/php.ini

If so, place a loader string into /usr/local/directadmin/plugins/en-clamav/php.ini like

zend_extension="/usr/local/php/ioncube/ioncube_loader_fre_7.2.so"

(replace path with your Loader path & filename)

 

[SmaragdnaDolina]

Everything was already there.

Except for the script not being in the admin folder. I moved it there but I still get the "document not found" error.

 

[roman_m]

Hmmm... Im' sorry, can't help with it, because I dont' know the structure of your system.

 

[SmaragdnaDolina]

Hmmm... Im' sorry, can't help with it, because I dont' know the structure of your system.

A classical DirectAdmin installation.

 

[roman_m]

Pease contact me in private messages.

 

[edvanleeuwen]

Where are the logs of the scans stored ?

 

[SmaragdnaDolina]

They are in var/log/clamav

 

[edvanleeuwen]

Nope.

 

[Richard G]

On install via custombuild clamav is logging to the default system log, so /var/log/messages or /var/log/syslog depending on the distro you're using.
If you want to use a seperate logfile for clamav, you have to specify and enable this in the /etc/clamd.conf configuration file.

 

[SmaragdnaDolina]

My php72 installation is not fpm.

Apparently, this is the problem.

 

[SmaragdnaDolina]

SOLVED.

A completely different issue.

The plugin could not find the correct directory.

The ClamAV package includes a php.ini file pointing to loader files for 4 versions of php. I had not noticed that in the beginning, I used the wizard to install.

Since the plugin was then complaining that ioncube was not installed, I proceeded to install it.

But the plugin was reading its own php.ini file and could not find ioncube.

Now that I put the correct directory in, it is finally working.

 

[ssgill]

Hello, i am getting blank screen. I have gone over the old posts and everything seems to be in order. Also added system ioncube file in php.ini
zend_extension = "/usr/local/lib/ioncube/ioncube_loader_lin_7.0.so"

Noticed that file permissions are different than other installed pluggins.

[root@matrix rspamd]#
rspamd

drwxr-xr-x 10 diradmin _rspamd    4096 Jul  9 15:47 .
drwx--x--x  7 diradmin diradmin     80 Jul 17 13:30 ..
drwxr-xr-x  2 diradmin _rspamd    4096 Jul  9 15:47 admin

csf
drwxr-xr-x 2 diradmin diradmin   39 Jun 17 08:55 admin
-rw-r--r-- 1 diradmin diradmin    0 Jul 17 14:02 available_version.txt
drwxr-xr-x 2 diradmin diradmin   59 Jun 17 22:18 exec

comodo_waf
drwxr-xr-x 3 diradmin root      133 Oct 22  2019 admin
-rw-r--r-- 1 diradmin root        6 Jul 17 13:55 available_version.txt
drwxr-xr-x 2 diradmin root       48 Nov 15  2019 hooks

They all have directadmin, but for en-clamav

drwxr-xr-x  2 root     root        4096 Jul 17 14:03 admin
-rw-r--r--  1 diradmin diradmin       5 Jul 17 13:55 available_version.txt
drwxr-xr-x  2 root     root         117 Jul 17 13:41 exec
drwxr-xr-x  2 root     root         136 Jul 17 13:41 hooks
drwxr-xr-x  5 root     root          35 Jul 17 13:30 images
-rw-r--r--  1 root     root     1491608 Jul 17 13:41 ioncube_loader_lin_5.6.so
-rw-r--r--  1 root     root     1551096 Jul 17 13:41 ioncube_loader_lin_5.6_ts.so
-rw-r--r--  1 root     root     1249512 Jul 17 13:41 ioncube_loader_lin_7.0.so
-rw-r--r--  1 root     root     1306888 Jul 17 13:41 ioncube_loader_lin_7.0_ts.so
-rw-r--r--  1 root     root     1355576 Jul 17 13:41 ioncube_loader_lin_7.1.so
-rw-r--r--  1 root     root     1436024 Jul 17 13:41 ioncube_loader_lin_7.1_ts.so
-rw-r--r--  1 root     root     1410120 Jul 17 13:41 ioncube_loader_lin_7.2.so
-rw-r--r--  1 root     root     1483880 Jul 17 13:41 ioncube_loader_lin_7.2_ts.so
-rw-r--r--  1 root     root     1320168 Jul 17 13:41 ioncube_loader_lin_7.3.so
-rw-r--r--  1 root     root     1385640 Jul 17 13:41 ioncube_loader_lin_7.3_ts.so
-rw-r--r--  1 root     root           3 Jul 17 13:41 ioncube.ver
drwxr-xr-x  2 root     root           6 Jul 17 13:30 logs
-rw-r--r--  1 root     root        1194 Jul 17 13:57 php.ini
-rw-------  1 diradmin diradmin     314 Jul 17 13:41 plugin.conf
-rwx------  1 diradmin diradmin 6038625 Jul 17 13:41 plugin.tar.gz
drwxr-xr-x  2 root     root         118 Jul 17 13:41 reseller
drwxr-xr-x  2 root     root          58 Jul 17 13:41 scripts
drwxr-xr-x  2 root     root         118 Jul 17 13:41 user

I checked directadmin log file and it does have these errors:

2020:07:17-13:31:04: Execl error on /usr/local/directadmin/plugins/en-clamav/admin/index.html : Permission denied
2020:07:17-13:46:59: Can't connect to ssl!
2020:07:17-13:55:08: Execl error on /usr/local/directadmin/plugins/en-clamav/admin/index.html : Permission denied
2020:07:17-13:57:30: Execl error on /usr/local/directadmin/plugins/en-clamav/admin/index.html : Permission denied
2020:07:17-14:02:19: Execl error on /usr/local/directadmin/plugins/en-clamav/admin/index.html : Permission denied
2020:07:17-14:02:42: Execl error on /usr/local/directadmin/plugins/en-clamav/admin/index.html : Permission denied
2020:07:17-14:02:47: Execl error on /usr/local/directadmin/plugins/en-clamav/admin/index.html : Permission denied
2020:07:17-14:14:47: Execl error on /usr/local/directadmin/plugins/en-clamav/admin/index.html : Permission denied

System: centos 7
Cli php 7.0.3
CustomBuild 2.0
ClamAV 0.102.3/25876/Fri Jul 17 08:21:26 2020

I used custombuild web install plugin, thanks

 

[kalibzen]

I got false positive signature of this:

YARA.eval_post.UNOFFICIAL

I tried to exclude this in the local.ign2 file like this:

$ cat /usr/local/share/clamav/whitelist.ign2
{HEX}Malware.Expert.generic.eval.post.2
{HEX}php.malware.magento.594
{HEX}Malware.Expert.malware.url.hastebin.com.0
{multi}Malware.Expert.wget.curl.lwp-download.exec.system.signature
YARA.php_malware_hexinject
YARA.shankar_php_php
YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php
{HEX}Malware.Expert.generic.eval.gzinflate.base64.9
{HEX}Malware.Expert.generic.malware.127
YARA.r57shell_php_php
YARA.eval_post

From my tests, most of the YARA signature in the excluded list didn't get excluded from the scan (still found by clamav). This is weird. I also try the custom rule using URL like:

# WhiteList
DatabaseCustomURL http://mywhitelistsite.com/whitelist.ign2

But this doesn't seems to work. Anyone experience this ? I never been able to exclude YARA signature from detected. The other signatures are excluded perfectly in the whitelist.ign2

Thanks.