clamav details

hello -

does anybody know, on clamscan, how to get the name or type of the actual infection? clamscan is reporting viruses in some large log files, and i'd just as soon not try to read through a hundred thousand lines if possible.

i am hoping there might be a way to identify the exact location inside the large log file.

clamav does not really have a forum, and stackoverflow lately has been answering my questions with RTFM, which i did.
 

Quags

what is clamav reporting?

In logs it is probably matching some strings in the logs, like hacking attempts.

and if it is a hex, it's easy to decode. Like

{HEX}exp.linux.setuid.7:0:*:7365746769642830293b207365747569642830293b

is matching

setgid(0); setuid(0);
 
here is an example of what i see:

/var/log/virtualmin/domain-name.com_access_log: sigs.InterServer.net.HEX.Topline.malware.wp-temp.1.30.2018.1023.UNOFFICIAL FOUND

i am seriously considering copying the file to a temporary area...

SCRATCH THAT - i took the file with 500k lines and meticulously chopped the file in half repeatedly until i found the offending line:

87.98.165.248 - - [30/Jan/2020:19:08:47 -0500] "GET /wp-includes/wp-tmp.php HTTP/1.1" 404 40556 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36"

i call this a "false positive"......

note, i think this may be because of the interserver definitions and not clamscan, since this is what i see:

=======


/tmp/bad.log: sigs.InterServer.net.HEX.Topline.malware.wp-temp.1.30.2018.1023.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6757246
Engine version: 0.101.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 18.687 sec (0 m 18 s)


EDIT: you can easily duplicate the results, just take the one line, stick it into a file and run clamscan on it.
 

Quags

wp-includes/wp-tmp.php should not exist. It is part of wp-vcd. This is a 404 error, it doesn't exist but it's picked up in the logs because of the call.
 