Over the weekend my development Zimbra server got hacked and started sending out packets over port 6667, which apparently is used by trojans to send and receive commands. Fortunately it's firewalled and on a separate network, so all it did was flood the switch it was attached to. Annoying, yes; super-critical, not in this situation.
So after an extensive review of all open ports and possible ways into the box, and as far as we can tell there was no root access granted, we have come to several conclusions, but the only one that really seems probable is a DoS attack based on an outdated clamav-0.91.1.
I would advise all Zimbra admins to upgrade to clamav-0.91.2 as soon as possible, as it requires only a short amount of downtime but gives a huge increase in security.
ClamAV Multiple Vulnerabilities - Advisories - Secunia (Highly Critical)
ClamAV RAR Archive Processing Denial of Service Vulnerability - Advisories - Secunia (Moderately Critical)
This can be accomplished by following the instructions here: Updating Clamav (Wiki)

Code:
Tue Aug 21 00:57:03 CEST 2007
-----------------------------
V 0.91.2
* Bugfixes and changes since 0.91.1:
  - libclamav/rtf.c: fix possible NULL dereference (bb#611)
  - libclamav/ole2_extract.c: properly initialise hdr.max_block_no (bb#603)
  - libclamav/htmlnorm.c: fix possible NULL dereference (bb#582), thanks to Stefanos Stamatis
  - libclamav/htmlnorm.c: fix call to tolower() (bb#580)
  - libclamav/filetypes.c: some embedded PEs were not being detected
  - clamav-milter: Fix compilation error on NetBSD2.0
  - clamav-milter: Black-hole-mode no longer needs to be run as root
  - libclamav/pdf.c: Bug 618, --block-max not always honoured
  - libclamav/phishcheck.c, regex_list.c, phish_whitelist.c: make debug output look better (patch from Sven)
  - libclamav/phishcheck.c: Don't report phishing on broken urls containing '>' in the hostname. (bb #619)
  - libclamav, sigtool: add support for PUA databases (.hdu, .mdu, .ndu), requested by Christoph
  - clamscan: add --detect-pua
  - clamd, clamd.conf: add DetectPUA
  - freshclam/mirman.c: properly handle mirror access times (bb#606, only outdated installations - three versions behind the latest one were affected by this problem), Reported by David F. Skoll <dfs*roaringpenguin.com>
  - clamav-milter: Bug 614
  - libclamav/pdf.c: Bug 608
  - clamav-milter: SPF checking no longer experimental
  - libclamav/phishcheck.c: workaround Solaris problem with regexec() [bb #598]
  - libclamav/matcher-ac.c: fix matching of patterns with prefixes and some other issues spotted by Glen <daineng*gmail.com>
  - clamav-milter/clamav-milter.c: Better use of res_init()
  - clamav-milter/clamav-milter.c: HP-UX doesn't have EX_CONFIG, reported by clam * ministry.se
Obviously substitute for the correct version numbers used in the wiki.
Next Step:
The closest thing I can find to a more permanent solution to this problem is listed here in bugzilla.
Bug 15137 - Breakout RPM packages for ClamAV, SpamAssassin and Others to allow out of cycle updates
I'll file another bug that will hopefully make it into ZCS 4.5.8. Bugzilla - 20568
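As an added example (not part of the original post, and not Zimbra or ClamAV code), here is a small POSIX shell script covering the two checks the post describes: confirming whether the ClamAV bundled with Zimbra is at or above the 0.91.2 baseline, and spotting connections to port 6667 in `netstat -ant` output. The path /opt/zimbra/clamav/bin/clamscan is an assumption (in ZCS 4.5 /opt/zimbra/clamav is a symlink to the versioned directory; adjust if yours differs), and the netstat sample is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post or of Zimbra/ClamAV.
# Assumptions: Zimbra's bundled ClamAV lives under /opt/zimbra/clamav (a
# symlink to the versioned clamav-0.9x directory in ZCS 4.5); the netstat
# sample below is constructed, not captured from a real host.

MIN_CLAMAV=0.91.2
ZIMBRA_CLAMSCAN=/opt/zimbra/clamav/bin/clamscan   # assumed path

# Extract "0.91.1" from a `clamscan --version` line such as
# "ClamAV 0.91.1/4046/Mon Aug 20 20:00:00 2007".
clamav_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeed (exit 0) if dotted version A >= B.
# Fields are compared numerically; a missing field counts as 0, so 0.92 >= 0.91.2.
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        { for (i = 1; i <= 4; i++) v[NR, i] = $i + 0 }
        END {
            for (i = 1; i <= 4; i++) {
                if (v[1, i] > v[2, i]) exit 0
                if (v[1, i] < v[2, i]) exit 1
            }
            exit 0
        }'
}

# Read `netstat -ant` output on stdin, print every connection whose foreign
# endpoint is port 6667 (the IRC port the compromised box was talking to),
# and fail (exit 1) if there are none.
irc_connections() {
    awk '$5 ~ /:6667$/ { print; found = 1 } END { exit !found }'
}

# Constructed sample of `netstat -ant` output for a stand-alone run.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.168.10.5:41233      198.51.100.7:6667       ESTABLISHED
tcp        0      0 192.168.10.5:443        192.168.10.20:51012     ESTABLISHED'

# 1. Version check: use the real binary when present, otherwise a sample line.
if [ -x "$ZIMBRA_CLAMSCAN" ]; then
    line=$("$ZIMBRA_CLAMSCAN" --version)
else
    line='ClamAV 0.91.1/4046/Mon Aug 20 20:00:00 2007'   # constructed sample
fi
have=$(clamav_version_from_line "$line")
if version_ge "$have" "$MIN_CLAMAV"; then
    echo "ClamAV $have is at or above $MIN_CLAMAV"
else
    echo "ClamAV $have is older than $MIN_CLAMAV: upgrade"
fi

# 2. Connection check against the constructed sample (pipe real `netstat -ant` output in instead).
printf '%s\n' "$SAMPLE_NETSTAT" | irc_connections || echo "no connections to port 6667"
```

The version compare is done field by field with awk rather than a string comparison, so 0.91.10 correctly sorts above 0.91.2; the port check keys on the foreign-address column of netstat, so it catches both the outbound 6667 traffic described above and any listener that a trojan might have opened for inbound control.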




