clamd DoS?
Hugo van der Kooij
hvdkooij at vanderkooij.org
Mon Sep 15 21:41:59 IST 2008
Kevin Miller wrote:
> Julian Field wrote:
>
>> In /usr/sbin/MailScanner there are a couple of calls to "Explode".
>> Immediately after them, add a line saying
>> exit;
>> and it will stop straight after the attachment unpacking.
>> Then you can go into /var/spool/MailScanner/incoming, find the
>> relevant directory and see what attachments it pulled out.
>> Then try clamscan-ing them by hand. If the attachments look okay in
>> that directory, then it's a clamd issue I think. I would be
>> interested to see what clamscan makes of them when run by hand.
>
> I was seeing a number of spam messages coming in w/the subject "Credit
> card transaction report". Every now and then one would get tagged as a
> virus, but most weren't. However, I went into MailWatch, selected one
> that wasn't marked as viral and saved the attached Report.zip to my
> linux workstation. Ark extracted the file report.doc.exe. I kicked off
> top in a term window, opened another terminal and ran 'clamscan
> report.doc.exe'. W/in a couple seconds CPU utilization was pegged.
So if you can do this on a plain file with just ClamAV as a factor I
would think you have all the stuff that is needed to report a bug with
the ClamAV team.
If that is the case would you be kind enough to report the bug to the
ClamAV team?
Hugo.
--
hvdkooij at vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?
Bored? Click on http://spamornot.org/ and rate those images.
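
The by-hand check discussed in this message, as an added example that is not part of the original post and not code from MailScanner or ClamAV: it runs the scanner on each unpacked attachment under a wall-clock limit and records which files never finish, with a SHA-256 for the bug report. `SCANNER`, `LIMIT` and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: scan each unpacked attachment with a time limit.
# SCANNER and LIMIT are assumptions of this sketch, not MailScanner settings.
SCANNER="${SCANNER:-clamscan}"   # scanner binary; override to test with a stub
LIMIT="${LIMIT:-60}"             # seconds allowed per file

# scan_one FILE -> prints "STATUS SECONDS SHA256 FILE"
#   CLEAN/FOUND/ERROR follow clamscan's exit codes 0/1/2.
#   HANG means timeout(1) had to stop the scanner (exit 124, or 137 if killed).
scan_one() {
    f=$1
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    start=$(date +%s)
    rc=0
    # stdin is /dev/null so the scanner cannot eat the file list piped below
    timeout "$LIMIT" "$SCANNER" --no-summary "$f" </dev/null >/dev/null 2>&1 || rc=$?
    elapsed=$(( $(date +%s) - start ))
    case $rc in
        0)       status=CLEAN ;;
        1)       status=FOUND ;;
        124|137) status=HANG ;;
        *)       status=ERROR ;;
    esac
    printf '%s %s %s %s\n' "$status" "$elapsed" "$sum" "$f"
}

# triage_dir DIR -> one report line per regular file under DIR
triage_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        scan_one "$f"
    done
}

# hung_files DIR -> only the paths that hit the limit (keeps spaces in names)
hung_files() {
    triage_dir "$1" | awk '$1 == "HANG" { sub(/^[^ ]+ [^ ]+ [^ ]+ /, ""); print }'
}

# Stand-alone use: pass the directory holding the unpacked attachments.
if [ "$#" -gt 0 ]; then
    triage_dir "$1"
fi
```

A file reported as HANG with the scanner alone, outside MailScanner, is the reproducer to attach to the ClamAV report together with its hash and the ClamAV version.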