Sys::Syslog Bug Report

JWSmythe mailscanner at vvd.com
Fri Aug 23 23:31:05 IST 2002


        Works perfectly.  The patch works as given with Linux and 3.22-12

root at mail (/opt/mailscanner/bin) patch -p0 < all_bin.patch
patching file disinfect.pl
patching file explode.pl
patching file mta-specific.pl
patching file sendmail.pl
patching file sweep.pl
patching file workarea.pl


        I put the message back in that bombed it out this morning, and it was
processed with no problems.  Here's the log entries.

Aug 23 18:26:39 mail mailscanner[14761]: Scanning 1 messages, 137725 bytes
Aug 23 18:26:40 mail mailscanner[14761]: /g7N98C2j022911/%nTips.pif        Found the W32/Klez.h at MM virus !!!
Aug 23 18:26:41 mail mailscanner[14761]: >>> Virus 'W32/Klez-H' found in file ./g7N98C2j022911/%nTips.pif
Aug 23 18:26:41 mail mailscanner[14761]: Possible MS-Dos program shortcut attack (%nTips.pif)
Aug 23 18:26:41 mail mailscanner[14761]: Found 2 viruses in messages g7N98C2j022911
Aug 23 18:26:41 mail mailscanner[14761]: Scanned 1 messages, 137725 bytes in 2 seconds
Aug 23 18:26:41 mail mailscanner[14761]: Saved infections to /mail/mailscanner/quarantine/20020823/g7N98C2j022911
Aug 23 18:26:41 mail mailscanner[14761]: Saved entire message to /mail/mailscanner/quarantine/20020823/g7N98C2j022911
Aug 23 18:26:41 mail mailscanner[14761]: Deleted infected messages g7N98C2j022911
Aug 23 18:26:42 mail mailscanner[14761]: Notified postmaster at vvd.com about 1 infections

        In case no one else has mentioned it, I think it's very cool that you
put out new releases so frequently.  Lots of developers aren't as attentive to
their projects.

On Fri, 23 Aug 2002, Julian Field wrote:

> Date: Fri, 23 Aug 2002 22:41:14 +0100
> From: Julian Field <mailscanner at ecs.soton.ac.uk>
> To: root at voynetworks.com,
>      MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> Subject: Re: Sys::Syslog Bug Report
>
> Well spotted. I had misread the spec of the parameters to Sys::Syslog.
>
> Attached are 2 files:
> 1. all_bin.patch.gz contains a single file of all the patches combined.
> With something along the lines of
>          cd /usr/local/MailScanner/bin
>          gunzip all_bin.patch.gz
>          patch -p0 < all_bin.patch
>     you should be able to make it work (try with "-p" if "-p0" doesn't work).
>
> 2. separate_patches.tar.gz is a gzipped tar file of all the patches, with 1
> patch per file. You will need to apply these patches one at a time, which
> is obviously more work than method 1, but will work if your "patch" command
> cannot work with multiple patches in one file.
>
> I haven't had a chance to test these patches very thoroughly, so any
> reports of success/failure would be useful.
>
> I'll probably release a new version containing these patches at the start
> of next week once I've done some more testing. But if you can try it out in
> the mean time, I would be very grateful.
>
> At 19:44 23/08/2002, JWSmythe wrote:
> >         Last night at about 5am, our mail server stopped delivering mail.
> >Everything was being stored in my mqueue.in , but not being processed further.
> >         Every time mailscanner started, this error would pop up in my logs, and
> >on console.
> >
> >Aug 23 13:45:05 mail mailscanner[8807]: Commercial virus checker failed
> >with real error: Modification of a read-only value attempted at
> >/usr/lib/perl5/5.8.0/i686-linux/Sys/Syslog.pm line 296, <KID> line 2.
> >
> >         We had about 2900 messages in mqueue.in/ , and reading through the list
> >real quick, I noted someone had opted to delete their mqueue.in to fix the
> >problem.  That would probably have not been an acceptable choice.
> >         I modified logger.pl to print a line for every Sys::Syslog line, so I
> >could see what it was trying to do on the console..  Here's what I ended up
> >seeing:
> >
> >Printing Debug to Sys::Syslog, SpamAssassin returned 0
> >Printing Debug to Sys::Syslog, Going to scan 100 messages
> >Printing Debug to Sys::Syslog, Commencing scanning by mcafee...
> >Printing Info to Sys::Syslog /g7N98C2j022911/%nTips.pif        Found the
> >W32/Klez.h at MM virus !!!
> >Printing Debug to Sys::Syslog, Completed scanning by mcafee
> >Printing to Sys::Syslog Commercial virus checker failed with real error:
> >Modification of a read-only value attempted at
> >/usr/lib/perl5/5.8.0/i686-linux/Sys/Syslog.pm line 296, <KID> line 2.
> >Closing Sys::Syslog (2)
> >
> >         It seems when sub InfoLog tries to print the "%n", that bombs it out.  I
> >didn't want to go molesting your code any more than I needed to, so I just went
> >into that message's file(dfg7N98C2j022911), and changed this block:
> >
> >--- begin
> >Content-Type: application/octet-stream;
> >         name=%nTips.pif
> >Content-Transfer-Encoding: base64
> >Content-ID: <L3kHd9QbKZ9H1vv62R>
> >--- end
> >
> >To this:
> >
> >--- begin
> >Content-Type: application/octet-stream;
> >         name=Tips.pif
> >Content-Transfer-Encoding: base64
> >Content-ID: <L3kHd9QbKZ9H1vv62R>
> >--- end
> >
> >
> >         When I restarted mailscanner this time, it went through fine.
> >Unfortunately, we were up to 3400 messages in the queue at that point.  Now
> >we're down to 2900, so it's getting through, but my users are upset they didn't
> >get their mail all day..  They'll live. :)
> >
> >         If you need, I can give you the message files to work with, but it's
> >just something in how Sys::Syslog is handling the '%' character.
> >
> >
> >         BTW, I'm running Perl 5.8.0 and MailScanner 3.22-12
>

---------------------------------------------------
JW Smythe - root at voynetworks.com
Office of Systems Administration
Sirus Cybernetics Corporation
---------------------------------------------------
- "Don't try to out weird me, three eyes, I get
- weirder things than you for free with my
- breakfast cereal."
- - Zaphod
---------------------------------------------------
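
The failure discussed in this thread, as an added example that is not MailScanner's code or its patch: an attachment name containing "%" reaches a logging call as the format string instead of as an argument. The wrapper names and the second file name are assumptions made for illustration, and sprintf() stands in for the formatting that syslog() performs, so the script runs without a syslog daemon.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code. sprintf() stands in for the formatting
# step that Sys::Syslog's syslog($priority, $format, @args) applies to $format.
use strict;
use warnings;

# Unsafe (hypothetical wrapper): the message itself is used as the format,
# the same shape as calling syslog('info', $msg).
sub format_unsafe {
    my ($msg) = @_;
    no warnings;    # keep "Missing argument" warnings out of the demo output
    return sprintf($msg);
}

# Safe: constant format, untrusted text passed only as an argument,
# the same shape as calling syslog('info', '%s', $msg).
sub format_safe {
    my ($msg) = @_;
    return sprintf('%s', $msg);
}

# First name is the one from the report; the second is constructed.
my @names = ('%nTips.pif', '100%safe.zip');

for my $name (@names) {
    my $msg = "Found virus in $name";
    for my $case ([unsafe => \&format_unsafe], [safe => \&format_safe]) {
        my ($label, $fn) = @$case;
        my $out = eval { $fn->($msg) };
        if (!defined $out) {
            # Strip the "at FILE line N" suffix for a shorter message.
            (my $err = $@) =~ s/ at \S+ line \d+.*//s;
            print "$label: $name -> logger died: $err\n";
        }
        elsif ($out ne $msg) {
            print "$label: $name -> log text altered: $out\n";
        }
        else {
            print "$label: $name -> logged intact\n";
        }
    }
}
```

With the unsafe wrapper the "%n" name either raises an exception or is altered, depending on the Perl version, and the "%s" in the constructed name is silently consumed, so the logged file name no longer matches the real one. The safe wrapper logs both names unchanged.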


