
Fwd: Fwd: freshclam incremental update
Update of daily.cvd failed again after being removed. Here come the logs
(syslog vigor2926, freshclam, syslog ubuntu).
Vigor 2926 Syslog
<150>Sep 3 10:41:12 DrayTek: Open port: 188.92.77.12:21585 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:41:16 DrayTek: Open port: 112.85.42.229:14305 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:41:28 DrayTek: Open port: 188.92.77.12:63263 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:41:28 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:22 -> 188.92.77.12:21585 (TCP) close connection
<150>Sep 3 10:41:31 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire
mspc-eu1-comserver-elb-321476491.eu-west-1.elb.amazonaws.com
<150>Sep 3 10:41:31 DrayTek: Local User (MAC=00-0C-29-A0-0F-77):
192.168.1.102:60175 -> 52.51.20.101:3377 (TCP)
<150>Sep 3 10:41:35 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:22 -> 188.92.77.12:63263 (TCP) close connection
<150>Sep 3 10:41:35 DrayTek: Open port: 188.92.77.12:23462 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:41:37 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire avery-eu-west-1-svc.logicnow.us
<150>Sep 3 10:41:37 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire
avery-web-1759575585.eu-west-1.elb.amazonaws.com
<150>Sep 3 10:41:37 DrayTek: Local User (MAC=44-8A-5B-A5-30-3E):
192.168.1.200:55339 -> 52.214.156.124:443 (TCP)
<150>Sep 3 10:41:38 DrayTek: Local User (MAC=18-60-24-74-1B-ED):
192.168.1.201:56309 -> 13.33.99.100:443 (TCP) close connection
<150>Sep 3 10:41:41 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire db.se.clamav.net
<150>Sep 3 10:41:41 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire db.se.clamav.net.cdn.cloudflare.net
<150>Sep 3 10:41:41 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:51666 -> 104.16.218.84:80 (TCP)Web
<150>Sep 3 10:41:46 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:22 -> 188.92.77.12:23462 (TCP) close connection
<150>Sep 3 10:41:47 DrayTek: Open port: 188.92.77.12:52821 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:41:53 DrayTek: Open port: 188.92.77.12:1938 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:41:53 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:22 -> 188.92.77.12:52821 (TCP) close connection
<150>Sep 3 10:41:55 DrayTek: Open port: 142.93.49.103:41840 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:41:58 DrayTek: Local User: 142.93.49.103:41840 ->
192.168.1.30:22 (TCP) close connection
<166>Sep 3 10:41:59 DrayTek: acme client: Error: DrayDDNS account not exist
<150>Sep 3 10:41:59 DrayTek: Local User (MAC=44-8A-5B-A5-30-3E):
192.168.1.200:56199 -> 52.51.20.101:443 (TCP)
<150>Sep 3 10:42:01 DrayTek: Open port: 142.93.92.232:25008 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:42:02 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:22 -> 188.92.77.12:1938 (TCP) close connection
<150>Sep 3 10:42:02 DrayTek: Open port: 188.92.77.12:27606 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:42:04 DrayTek: Local User: 142.93.92.232:25008 ->
192.168.1.30:22 (TCP) close connection
<150>Sep 3 10:42:07 DrayTek: Open port: 112.85.42.229:44675 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:42:10 DrayTek: Open port: 188.92.77.12:44063 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:42:10 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:22 -> 188.92.77.12:27606 (TCP) close connection
<150>Sep 3 10:42:15 DrayTek: Open port: 167.71.221.167:45770 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:42:17 DrayTek: Local User: 112.85.42.229:44675 ->
192.168.1.30:22 (TCP) close connection
<150>Sep 3 10:42:17 DrayTek: Open port: 51.15.50.79:38432 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:42:17 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:22 -> 188.92.77.12:44063 (TCP) close connection
<150>Sep 3 10:42:17 DrayTek: Open port: 188.92.77.12:64715 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:42:20 DrayTek: Local User: 51.15.50.79:38432 ->
192.168.1.30:22 (TCP) close connection
<150>Sep 3 10:42:24 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire aus5.mozilla.org
<150>Sep 3 10:42:24 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire balrog-aus5.r53-2.services.mozilla.com
<150>Sep 3 10:42:24 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire
balrog-aus5-noclip.r53-2.services.mozilla.com
<150>Sep 3 10:42:24 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire balrog-cloudfront.prod.mozaws.net
<150>Sep 3 10:42:24 DrayTek: Local User (MAC=18-60-24-74-1B-ED):
192.168.1.201:62576 -> 13.33.99.148:443 (TCP)
<150>Sep 3 10:42:24 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire balrog-cloudfront.prod.mozaws.net
<150>Sep 3 10:42:24 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:22 -> 188.92.77.12:64715 (TCP) close connection
<150>Sep 3 10:42:25 DrayTek: Local User: 167.71.221.167:45770 ->
192.168.1.30:22 (TCP) close connection
<150>Sep 3 10:42:25 DrayTek: Open port: 188.92.77.12:19406 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:42:26 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire daily.0.93.0.0.6810DA54.ping.clamav.net
<150>Sep 3 10:42:27 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 198.41.0.4 inquire
daily.0.93.0.0.6810DA54.ping.clamav.net
<150>Sep 3 10:42:27 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 192.26.92.30 inquire
daily.0.93.0.0.6810DA54.ping.clamav.net
<150>Sep 3 10:42:27 DrayTek: Local User: 198.41.0.4:53 ->
192.168.1.30:37525 (TCP) close connection
<150>Sep 3 10:42:27 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 172.110.204.39 inquire
daily.0.93.0.0.6810DA54.ping.clamav.net
<150>Sep 3 10:42:27 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 198.148.79.38 inquire
daily.0.93.0.0.6810DA54.ping.clamav.net
<150>Sep 3 10:42:31 DrayTek: Open port: 104.248.159.129:36038 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:42:32 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:22 -> 188.92.77.12:19406 (TCP) close connection
<150>Sep 3 10:42:32 DrayTek: Local User (MAC=18-60-24-74-1B-ED):
192.168.1.201:62577 -> 91.238.51.50:443 (TCP)
<150>Sep 3 10:42:32 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:51814 -> 104.16.219.84:80 (TCP)Web
<150>Sep 3 10:42:32 DrayTek: Local User (MAC=18-60-24-74-1B-ED):
192.168.1.201:62578 -> 91.238.51.50:80 (TCP)Web
<150>Sep 3 10:42:35 DrayTek: Local User: 104.248.159.129:36038 ->
192.168.1.30:22 (TCP) close connection
<150>Sep 3 10:42:37 DrayTek: Open port: 188.92.77.12:54346 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:42:37 DrayTek: Local User (MAC=18-60-24-74-1B-ED):
192.168.1.201:62578 -> 91.238.51.50:80 (TCP) close connection
<150>Sep 3 10:42:38 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire sip1.cellip.com
<150>Sep 3 10:42:42 DrayTek: Local User (MAC=18-60-24-74-1B-ED):
192.168.1.201:62564 -> 93.184.220.29:80 (TCP) close connection
<150>Sep 3 10:42:44 DrayTek: Open port: 190.85.234.215:53572 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:42:47 DrayTek: Local User: 190.85.234.215:53572 ->
192.168.1.30:22 (TCP) close connection
<150>Sep 3 10:42:48 DrayTek: Open port: 112.85.42.229:49186 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:42:53 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:123 -> 194.58.200.20:123 (UDP)
<150>Sep 3 10:42:55 DrayTek: Open port: 141.98.80.75:15586 ->
192.168.1.30:25 (TCP) SMTP
<150>Sep 3 10:42:55 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire 75.80.98.141.in-addr.arpa
<166>Sep 3 10:42:55 DrayTek: statistic: WAN2: Tx 55 Kbps, Rx 2641 Kbps (5
min average)
<166>Sep 3 10:42:55 DrayTek: statistic: Session Usage: 224 (5 min average)
<150>Sep 3 10:42:57 DrayTek: Local User (MAC=44-8A-5B-A5-30-3E):
192.168.1.200:56205 -> 91.238.51.50:443 (TCP)
<150>Sep 3 10:42:57 DrayTek: Local User (MAC=44-8A-5B-A5-30-3E):
192.168.1.200:56206 -> 91.238.51.50:80 (TCP)Web
<150>Sep 3 10:42:58 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:22 -> 188.92.77.12:54346 (TCP) close connection
<150>Sep 3 10:42:59 DrayTek: Open port: 188.92.77.12:38856 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:42:59 DrayTek: Open port: 141.98.80.75:62466 ->
192.168.1.30:25 (TCP) SMTP
<150>Sep 3 10:42:59 DrayTek: Local User: 141.98.80.75:15586 ->
192.168.1.30:25 (TCP) close connection
<166>Sep 3 10:42:59 DrayTek: acme client: Error: DrayDDNS account not exist
<150>Sep 3 10:43:02 DrayTek: Local User (MAC=44-8A-5B-A5-30-3E):
192.168.1.200:56206 -> 91.238.51.50:80 (TCP) close connection
<150>Sep 3 10:43:05 DrayTek: Open port: 62.215.6.11:51704 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:43:09 DrayTek: Local User: 62.215.6.11:51704 ->
192.168.1.30:22 (TCP) close connection
<150>Sep 3 10:43:11 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire breck-eu-west-1-svc.logicnow.us
<150>Sep 3 10:43:11 DrayTek: Local User (MAC=44-8A-5B-A5-30-3E):
192.168.1.200:56208 -> 34.249.179.175:443 (TCP)
<134>Sep 3 10:43:12 DrayTek: [ARP][.Arp address mismatch - Ethernet
destination address doesn't match ARP target adress]
<150>Sep 3 10:43:12 DrayTek: Local User: 141.98.80.75:62466 ->
192.168.1.30:25 (TCP) close connection
<150>Sep 3 10:43:17 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire daily.0.93.0.0.6810DB54.ping.clamav.net
<150>Sep 3 10:43:17 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 198.148.79.38 inquire
daily.0.93.0.0.6810DB54.ping.clamav.net
<150>Sep 3 10:43:19 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire arngw-mct04.mspa.n-able.com
<150>Sep 3 10:43:19 DrayTek: Local User (MAC=18-60-24-74-1B-ED):
192.168.1.201:62597 -> 154.43.131.16:443 (TCP)
<150>Sep 3 10:43:19 DrayTek: Local User (MAC=18-60-24-74-1B-ED):
192.168.1.201:62598 -> 154.43.131.16:80 (TCP)Web
<150>Sep 3 10:43:19 DrayTek: Local User (MAC=18-60-24-74-1B-ED):
192.168.1.201:56610 -> 154.43.131.16:1235 (UDP)
<150>Sep 3 10:43:22 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire upload3europe1.systemmonitor.eu.com
<150>Sep 3 10:43:22 DrayTek: Local User (MAC=00-0C-29-A0-0F-77):
192.168.1.102:60183 -> 134.213.138.171:443 (TCP)
<150>Sep 3 10:43:22 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire db.se.clamav.net
<150>Sep 3 10:43:23 DrayTek: Open port: 91.106.97.88:58564 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:43:24 DrayTek: Local User (MAC=00-0C-29-A0-0F-77):
192.168.1.102 DNS -> 8.8.8.8 inquire dynupdate.no-ip.com
<150>Sep 3 10:43:24 DrayTek: Local User (MAC=00-0C-29-A0-0F-77):
192.168.1.102:60184 -> 54.219.9.206:8245 (TCP)
<150>Sep 3 10:43:24 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire dynupdate.no-ip.com
<150>Sep 3 10:43:26 DrayTek: Local User: 91.106.97.88:58564 ->
192.168.1.30:22 (TCP) close connection
<150>Sep 3 10:43:28 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:22 -> 188.92.77.12:38856 (TCP) close connection
<150>Sep 3 10:43:28 DrayTek: Open port: 188.92.77.12:53838 ->
192.168.1.30:22 (TCP)
<150>Sep 3 10:43:30 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:993 -> 37.196.141.135:33650 (TCP)
<150>Sep 3 10:43:30 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:993 -> 37.196.141.135:33652 (TCP)
<150>Sep 3 10:43:30 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:993 -> 37.196.141.135:33654 (TCP)
<150>Sep 3 10:43:30 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:993 -> 37.196.141.135:33648 (TCP)
<150>Sep 3 10:43:30 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30:993 -> 37.196.141.135:33656 (TCP)
<150>Sep 3 10:43:32 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire database.clamav.net
<150>Sep 3 10:43:32 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire database.clamav.net.cdn.cloudflare.net
<150>Sep 3 10:43:33 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire
kube-nimbus-1314339100.eu-central-1.elb.amazonaws.com
<150>Sep 3 10:43:33 DrayTek: Local User (MAC=18-60-24-74-1B-ED):
192.168.1.201:62599 -> 18.196.144.30:443 (TCP)

Ubuntu Syslog
Sep 3 10:41:17 zentyal kernel: [266068.432972] zentyal-firewall drop
IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00
SRC=112.85.42.229 DST=192.168.1.30 LEN=67 TOS=0x00 PREC=0x00 TTL=46
ID=58277 DF PROTO=TCP SPT=14305 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
MARK=0x1
Sep 3 10:41:18 zentyal kernel: [266069.260253] zentyal-firewall drop
IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00
SRC=112.85.42.229 DST=192.168.1.30 LEN=700 TOS=0x00 PREC=0x00 TTL=46
ID=58279 DF PROTO=TCP SPT=14305 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
MARK=0x1
Sep 3 10:41:40 zentyal kernel: [266091.705497] zentyal-firewall drop IN=
OUT=eth0 SRC=192.168.1.30 DST=192.168.1.200 LEN=40 TOS=0x00 PREC=0x00
TTL=64 ID=46452 DF PROTO=TCP SPT=139 DPT=55335 WINDOW=237 RES=0x00 ACK FIN
URGP=0 MARK=0x1
Sep 3 10:41:42 zentyal kernel: [266093.463049] audit: type=1400
audit(1567500102.736:78): apparmor="DENIED" operation="open"
profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=14221
comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 3 10:41:42 zentyal kernel: [266093.468537] audit: type=1400
audit(1567500102.740:79): apparmor="DENIED" operation="connect"
profile="/usr/bin/freshclam" name="/run/samba/winbindd/pipe" pid=14221
comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Sep 3 10:41:58 zentyal dhcpd[2318]: DHCPREQUEST for 192.168.1.200 from
44:8a:5b:a5:30:3e (spc1) via eth0
Sep 3 10:41:58 zentyal dhcpd[2318]: DHCPACK on 192.168.1.200 to
44:8a:5b:a5:30:3e (spc1) via eth0
Sep 3 10:41:58 zentyal named[31433]: samba_dlz: starting transaction on
zone company.local
Sep 3 10:41:58 zentyal named[31433]: client @0x7f39cc098ef0
192.168.1.200#52376: update 'company.local/IN' denied
Sep 3 10:41:58 zentyal named[31433]: samba_dlz: cancelling transaction on
zone company.local
Sep 3 10:41:58 zentyal named[31433]: samba_dlz: starting transaction on
zone company.local
Sep 3 10:41:58 zentyal named[31433]: samba_dlz: allowing update of
signer=spc1\$\@company.LOCAL name=spc1.company.local tcpaddr=192.168.1.200
type=AAAA
key=1880-ms-7.478-19917bcc.02c13bf7-ca40-11e9-5583-3010b35e266d/160/0
Sep 3 10:41:58 zentyal named[31433]: samba_dlz: allowing update of
signer=spc1\$\@company.LOCAL name=spc1.company.local tcpaddr=192.168.1.200
type=A key=1880-ms-7.478-19917bcc.02c13bf7-ca40-11e9-5583-3010b35e266d/160/0
Sep 3 10:41:58 zentyal named[31433]: samba_dlz: allowing update of
signer=spc1\$\@company.LOCAL name=spc1.company.local tcpaddr=192.168.1.200
type=A key=1880-ms-7.478-19917bcc.02c13bf7-ca40-11e9-5583-3010b35e266d/160/0
Sep 3 10:41:58 zentyal named[31433]: client @0x7f39cc098ef0
192.168.1.200#56976/key spc1\$\@company.LOCAL: updating zone
'company.local/NONE': deleting rrset at 'spc1.company.local' AAAA
Sep 3 10:41:58 zentyal named[31433]: client @0x7f39cc098ef0
192.168.1.200#56976/key spc1\$\@company.LOCAL: updating zone
'company.local/NONE': deleting rrset at 'spc1.company.local' A
Sep 3 10:41:58 zentyal named[31433]: samba_dlz: subtracted rdataset
spc1.company.local 'spc1.company.local.#0111200#011IN#011A#011192.168.1.200'
Sep 3 10:41:58 zentyal named[31433]: client @0x7f39cc098ef0
192.168.1.200#56976/key spc1\$\@company.LOCAL: updating zone
'company.local/NONE': adding an RR at 'spc1.company.local' A 192.168.1.200
Sep 3 10:41:59 zentyal named[31433]: samba_dlz: added rdataset
spc1.company.local 'spc1.company.local.#0111200#011IN#011A#011192.168.1.200'
Sep 3 10:41:59 zentyal named[31433]: samba_dlz: committed transaction on
zone company.local
Sep 3 10:42:08 zentyal kernel: [266119.353208] zentyal-firewall drop IN=
OUT=eth0 SRC=192.168.1.30 DST=192.168.1.200 LEN=40 TOS=0x00 PREC=0x00
TTL=64 ID=46453 DF PROTO=TCP SPT=139 DPT=55335 WINDOW=237 RES=0x00 ACK FIN
URGP=0 MARK=0x1
Sep 3 10:42:08 zentyal kernel: [266119.507436] zentyal-firewall drop
IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00
SRC=112.85.42.229 DST=192.168.1.30 LEN=67 TOS=0x00 PREC=0x00 TTL=46
ID=22575 DF PROTO=TCP SPT=44675 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
MARK=0x1
Sep 3 10:42:09 zentyal kernel: [266120.308040] zentyal-firewall drop
IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00
SRC=112.85.42.229 DST=192.168.1.30 LEN=700 TOS=0x00 PREC=0x00 TTL=46
ID=22577 DF PROTO=TCP SPT=44675 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
MARK=0x1
Sep 3 10:42:33 zentyal samba[3524]: [2019/09/03 10:42:33.921837, 0]
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Sep 3 10:42:33 zentyal samba[3524]: /usr/sbin/samba_kcc: ldb_wrap open
of secrets.ldb
Sep 3 10:42:50 zentyal kernel: [266161.088957] zentyal-firewall drop
IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00
SRC=112.85.42.229 DST=192.168.1.30 LEN=67 TOS=0x00 PREC=0x00 TTL=46
ID=15370 DF PROTO=TCP SPT=49186 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
MARK=0x1
Sep 3 10:42:51 zentyal kernel: [266161.979994] zentyal-firewall drop
IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00
SRC=112.85.42.229 DST=192.168.1.30 LEN=700 TOS=0x00 PREC=0x00 TTL=46
ID=15372 DF PROTO=TCP SPT=49186 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
MARK=0x1
Sep 3 10:42:54 zentyal kernel: [266165.432765] zentyal-firewall drop IN=
OUT=eth0 SRC=192.168.1.30 DST=104.16.218.84 LEN=40 TOS=0x00 PREC=0x00
TTL=64 ID=52479 DF PROTO=TCP SPT=51666 DPT=80 WINDOW=9057 RES=0x00 ACK FIN
URGP=0 MARK=0x1
Sep 3 10:42:56 zentyal postfix/smtpd[14305]: connect from
unknown[141.98.80.75]
Sep 3 10:43:00 zentyal postfix/smtpd[14305]: warning:
unknown[141.98.80.75]: SASL PLAIN authentication failed:
Sep 3 10:43:00 zentyal postfix/smtpd[14305]: lost connection after AUTH
from unknown[141.98.80.75]
Sep 3 10:43:00 zentyal postfix/smtpd[14305]: disconnect from
unknown[141.98.80.75] ehlo=1 auth=0/1 commands=1/2
Sep 3 10:43:00 zentyal postfix/smtpd[14305]: connect from
unknown[141.98.80.75]
Sep 3 10:43:13 zentyal postfix/smtpd[14305]: warning:
unknown[141.98.80.75]: SASL PLAIN authentication failed:
Sep 3 10:43:13 zentyal dhcpd[2318]: DHCPREQUEST for 192.168.1.202 from
ec:e1:a9:ca:43:bb (SEPECE1A9CA43BB) via eth0
Sep 3 10:43:13 zentyal dhcpd[2318]: DHCPACK on 192.168.1.202 to
ec:e1:a9:ca:43:bb (SEPECE1A9CA43BB) via eth0
Sep 3 10:43:14 zentyal postfix/smtpd[14305]: lost connection after AUTH
from unknown[141.98.80.75]
Sep 3 10:43:14 zentyal postfix/smtpd[14305]: disconnect from
unknown[141.98.80.75] ehlo=1 auth=0/1 commands=1/2
Sep 3 10:43:22 zentyal kernel: [266193.080510] zentyal-firewall drop IN=
OUT=eth0 SRC=192.168.1.30 DST=104.16.218.84 LEN=40 TOS=0x00 PREC=0x00
TTL=64 ID=52480 DF PROTO=TCP SPT=51666 DPT=80 WINDOW=9057 RES=0x00 ACK FIN
URGP=0 MARK=0x1
Sep 3 10:43:37 zentyal kernel: [266208.618132] zentyal-firewall drop
IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00
SRC=112.85.42.229 DST=192.168.1.30 LEN=67 TOS=0x00 PREC=0x00 TTL=46
ID=15251 DF PROTO=TCP SPT=47148 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
MARK=0x1
Sep 3 10:43:38 zentyal kernel: [266209.439147] zentyal-firewall drop
IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00
SRC=112.85.42.229 DST=192.168.1.30 LEN=700 TOS=0x00 PREC=0x00 TTL=46
ID=15253 DF PROTO=TCP SPT=47148 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
MARK=0x1
Sep 3 10:43:40 zentyal postfix/smtpd[14305]: connect from
unknown[185.234.216.206]
Sep 3 10:43:40 zentyal postfix/smtpd[14305]: warning:
unknown[185.234.216.206]: SASL LOGIN authentication failed: Invalid
authentication mechanism
Sep 3 10:43:40 zentyal postfix/smtpd[14305]: lost connection after AUTH
from unknown[185.234.216.206]
Sep 3 10:43:40 zentyal postfix/smtpd[14305]: disconnect from
unknown[185.234.216.206] ehlo=1 auth=0/1 commands=1/2
Sep 3 10:43:45 zentyal kernel: [266215.864343] zentyal-firewall drop IN=
OUT=eth0 SRC=192.168.1.30 DST=104.16.219.84 LEN=40 TOS=0x00 PREC=0x00
TTL=64 ID=64724 DF PROTO=TCP SPT=51814 DPT=80 WINDOW=6750 RES=0x00 ACK FIN
URGP=0 MARK=0x1

freshclam log
Tue Sep 3 10:41:42 2019 -> ClamAV update process started at Tue Sep 3
10:41:42 2019
Tue Sep 3 10:41:42 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Sep 3 10:41:42 2019 -> WARNING: Local version: 0.100.3 Recommended
version: 0.101.4
Tue Sep 3 10:41:42 2019 -> DON'T PANIC! Read
https://www.clamav.net/documents/upgrading-clamav
Tue Sep 3 10:41:42 2019 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Tue Sep 3 10:42:28 2019 -> nonblock_recv: recv timing out (30 secs)
Tue Sep 3 10:42:28 2019 -> WARNING: getfile: Download interrupted:
Operation now in progress (IP: 104.16.218.84)
Tue Sep 3 10:42:28 2019 -> WARNING: Can't download daily.cvd from
db.se.clamav.net
Can't query daily.0.93.0.0.6810DA54.ping.clamav.net
Tue Sep 3 10:42:28 2019 -> Trying again in 5 secs...
Tue Sep 3 10:42:33 2019 -> ClamAV update process started at Tue Sep 3
10:42:33 2019
Tue Sep 3 10:42:33 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Sep 3 10:42:33 2019 -> WARNING: Local version: 0.100.3 Recommended
version: 0.101.4
Tue Sep 3 10:42:33 2019 -> DON'T PANIC! Read
https://www.clamav.net/documents/upgrading-clamav
Tue Sep 3 10:42:33 2019 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Tue Sep 3 10:43:18 2019 -> nonblock_recv: recv timing out (30 secs)
Tue Sep 3 10:43:18 2019 -> WARNING: getfile: Download interrupted:
Operation now in progress (IP: 104.16.219.84)
Tue Sep 3 10:43:18 2019 -> WARNING: Can't download daily.cvd from
db.se.clamav.net
Can't query daily.0.93.0.0.6810DB54.ping.clamav.net
Tue Sep 3 10:43:18 2019 -> Trying again in 5 secs...
Tue Sep 3 10:43:23 2019 -> ClamAV update process started at Tue Sep 3
10:43:23 2019
Tue Sep 3 10:43:23 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Sep 3 10:43:23 2019 -> WARNING: Local version: 0.100.3 Recommended
version: 0.101.4
Tue Sep 3 10:43:23 2019 -> DON'T PANIC! Read
https://www.clamav.net/documents/upgrading-clamav
Tue Sep 3 10:43:23 2019 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Tue Sep 3 10:43:24 2019 -> WARNING: Can't download daily.cvd from
db.se.clamav.net
Tue Sep 3 10:43:24 2019 -> Trying again in 5 secs...
Tue Sep 3 10:43:29 2019 -> ClamAV update process started at Tue Sep 3
10:43:29 2019
Tue Sep 3 10:43:29 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Sep 3 10:43:29 2019 -> WARNING: Local version: 0.100.3 Recommended
version: 0.101.4
Tue Sep 3 10:43:29 2019 -> DON'T PANIC! Read
https://www.clamav.net/documents/upgrading-clamav
Tue Sep 3 10:43:29 2019 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Tue Sep 3 10:43:29 2019 -> WARNING: Can't download daily.cvd from
db.se.clamav.net
Tue Sep 3 10:43:29 2019 -> Trying again in 5 secs...
Tue Sep 3 10:43:34 2019 -> ClamAV update process started at Tue Sep 3
10:43:34 2019
Tue Sep 3 10:43:34 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Sep 3 10:43:34 2019 -> WARNING: Local version: 0.100.3 Recommended
version: 0.101.4
Tue Sep 3 10:43:34 2019 -> DON'T PANIC! Read
https://www.clamav.net/documents/upgrading-clamav
Tue Sep 3 10:43:34 2019 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Tue Sep 3 10:43:34 2019 -> ERROR: Can't download daily.cvd from
db.se.clamav.net
Tue Sep 3 10:43:34 2019 -> Giving up on db.se.clamav.net...
Tue Sep 3 10:43:34 2019 -> ClamAV update process started at Tue Sep 3
10:43:34 2019
Tue Sep 3 10:43:34 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Sep 3 10:43:34 2019 -> WARNING: Local version: 0.100.3 Recommended
version: 0.101.4
Tue Sep 3 10:43:34 2019 -> DON'T PANIC! Read
https://www.clamav.net/documents/upgrading-clamav
Tue Sep 3 10:43:34 2019 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Tue Sep 3 10:43:34 2019 -> ERROR: Can't download daily.cvd from
database.clamav.net
Tue Sep 3 10:43:34 2019 -> Giving up on database.clamav.net...
Tue Sep 3 10:43:34 2019 -> Update failed. Your network may be down or none
of the mirrors listed in /etc/clamav/freshclam.conf is working. Check
https://www.clamav.net/documents/official-mirror-faq for possible reasons.

---------- Forwarded message ---------
From: Birger Birger <birger.solna@gmail.com>
Date: Mon 2 Sep 2019 at 17:51
Subject: Re: [clamav-users] Fwd: freshclam incremental update
To: ClamAV users ML <clamav-users@lists.clamav.net>


Have upgraded the firmware on vigor 2926.
Started a syslog job on the router. I will post what I get there when I run
a freshclam tomorrow.

On Mon 2 Sep 2019 12:32 G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Mon, 2 Sep 2019, Birger Birger via clamav-users wrote:
>
> > I have a Vigor 2926 router between computer and internet.
>
> https://www.switchnetservices.co.uk/draytek-zero-day/
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
Re: Fwd: Fwd: freshclam incremental update
What's this about?

On Tue, Sep 03, 2019 at 02:02 AM, Birger Birger via clamav-users wrote:
> <166>Sep 3 10:42:59 DrayTek: acme client: Error: DrayDDNS account not exist


-Al-
Re: Fwd: Fwd: freshclam incremental update
Is this ok?

Pierre

On 3 Sep 2019 at 11:02, Birger Birger via clamav-users wrote:

Ubuntu Syslog
...
Sep 3 10:41:42 zentyal kernel: [266093.463049] audit: type=1400
audit(1567500102.736:78): apparmor="DENIED" operation="open"
profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=14221 comm="freshclam"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Sep 3 10:41:42 zentyal kernel: [266093.468537] audit: type=1400
audit(1567500102.740:79): apparmor="DENIED" operation="connect"
profile="/usr/bin/freshclam" name="/run/samba/winbindd/pipe" pid=14221 comm="freshclam"
requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
...

Re: Fwd: Fwd: freshclam incremental update
Hi there,

On Tue, 3 Sep 2019, Birger Birger via clamav-users wrote:

> Sep 3 10:43:22 zentyal kernel: [266193.080510] zentyal-firewall drop IN= OUT=eth0 SRC=192.168.1.30 DST=104.16.218.84 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52480 DF PROTO=TCP SPT=51666 DPT=80 WINDOW=9057 RES=0x00 ACK FIN URGP=0 MARK=0x1

That's a Cloudflare destination IP. You see it in your freshclam log.
Cloudflare delivers the ClamAV data and you're dropping packets sent
to it from 192.168.1.30. I guess that's your immediate problem.

Another question about "Ubuntu Syslog".

> Sep 3 10:41:17 zentyal kernel: [266068.432972] zentyal-firewall drop IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00 SRC=112.85.42.229 DST=192.168.1.30 LEN=67 TOS=0x00 PREC=0x00 TTL=46 ID=58277 DF PROTO=TCP SPT=14305 DPT=22 WINDOW=229 RES=0x00 ACK PSH UR$

The IP address 112.85.42.229 appears to be in Shanghai, and it appears
that it's trying to make SSH connections to 192.168.1.30. If that were
my router, I would not let these attempts through it.

I repeat that I suggest you upgrade ClamAV to the latest version.

--

73,
Ged.

Re: Fwd: Fwd: freshclam incremental update
As someone else pointed out, it looks like your Ubuntu AppArmor is
denying the process from running properly:

https://wiki.ubuntu.com/AppArmor
https://help.ubuntu.com/lts/serverguide/apparmor.html
https://help.ubuntu.com/community/AppArmor

That's your #1 problem...

As Mr. Haywood pointed out, there was that dropped packet going to a
Cloudflare IP, which is what the ClamAV files are served from.
However, it was only an "ACK FIN" packet, so it might be related more
to the AppArmor issue, but still worth keeping an eye on when trying
to eliminate possibilities.

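The two log families the replies above single out (the zentyal-firewall drops that Ged and the previous reply classify, and the AppArmor denials Pierre asked about) can be triaged mechanically. The script below is an added example, not code from the thread or from ClamAV or Zentyal: it parses the lines quoted in this thread, labels each drop as inbound SSH from the internet or an outbound ACK/FIN teardown that cannot by itself explain a stalled download, and derives the file rule an AppArmor local override would need. The override path and the rule form are assumptions based on Ubuntu's AppArmor conventions; review any suggested rule before applying it.

```python
import ipaddress
import re
from collections import Counter

# Constructed test input: syslog lines copied from the thread above, re-joined
# onto single lines as they appear in the original log.
SAMPLE_LINES = [
    "Sep 3 10:41:17 zentyal kernel: [266068.432972] zentyal-firewall drop "
    "IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00 "
    "SRC=112.85.42.229 DST=192.168.1.30 LEN=67 TOS=0x00 PREC=0x00 TTL=46 "
    "ID=58277 DF PROTO=TCP SPT=14305 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0 MARK=0x1",
    "Sep 3 10:41:40 zentyal kernel: [266091.705497] zentyal-firewall drop IN= "
    "OUT=eth0 SRC=192.168.1.30 DST=192.168.1.200 LEN=40 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=46452 DF PROTO=TCP SPT=139 DPT=55335 WINDOW=237 RES=0x00 ACK FIN URGP=0 MARK=0x1",
    "Sep 3 10:41:42 zentyal kernel: [266093.463049] audit: type=1400 "
    'audit(1567500102.736:78): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=14221 '
    'comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    "Sep 3 10:41:42 zentyal kernel: [266093.468537] audit: type=1400 "
    'audit(1567500102.740:79): apparmor="DENIED" operation="connect" '
    'profile="/usr/bin/freshclam" name="/run/samba/winbindd/pipe" pid=14221 '
    'comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0',
    "Sep 3 10:43:22 zentyal kernel: [266193.080510] zentyal-firewall drop IN= "
    "OUT=eth0 SRC=192.168.1.30 DST=104.16.218.84 LEN=40 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=52480 DF PROTO=TCP SPT=51666 DPT=80 WINDOW=9057 RES=0x00 ACK FIN URGP=0 MARK=0x1",
]

FW_MARK = "zentyal-firewall drop"


def parse_firewall_drop(line):
    """Split a netfilter LOG line into key=value fields plus a set of bare
    TCP-flag/DF tokens. Returns None for lines that are not firewall drops."""
    idx = line.find(FW_MARK)
    if idx < 0:
        return None
    fields, flags = {}, set()
    for tok in line[idx + len(FW_MARK):].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # "IN=" yields an empty string
        else:
            flags.add(tok)               # DF, ACK, PSH, FIN, SYN, ...
    fields["FLAGS"] = flags
    return fields


def classify_drop(f):
    """Separate the two kinds of drop seen in the thread: inbound SSH from the
    internet that the router should not have forwarded, and outbound ACK/FIN
    packets that are only the tail of a connection already closing."""
    inbound = bool(f.get("IN"))          # IN=eth0 means it arrived from outside
    src = ipaddress.ip_address(f["SRC"])
    if inbound and not src.is_private:
        if f.get("DPT") == "22":
            return "inbound-ssh-from-internet"
        return "inbound-from-internet"
    flags = f["FLAGS"]
    if not inbound and "FIN" in flags and not flags & {"SYN", "PSH"}:
        # Pure teardown: payload was already exchanged, so this drop alone
        # does not explain freshclam's "recv timing out".
        return "outbound-teardown"
    return "other"


def parse_apparmor_denial(line):
    """Extract the fields of an AppArmor audit DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def suggest_local_rule(denial):
    """File-style rule for the profile's local override (assumed path on
    Ubuntu: /etc/apparmor.d/local/usr.bin.freshclam). Permission letters are
    taken from denied_mask; an admin should review before applying."""
    perms = "".join(sorted(set(denial["denied_mask"])))
    return f'{denial["name"]} {perms},'


def triage(lines):
    """Walk the syslog once and return what an admin needs to act on."""
    report = {"firewall": [], "apparmor": [], "counts": Counter()}
    for line in lines:
        fw = parse_firewall_drop(line)
        if fw:
            cat = classify_drop(fw)
            report["counts"][cat] += 1
            report["firewall"].append(
                {"category": cat, "src": fw["SRC"], "dst": fw["DST"], "dpt": fw.get("DPT")})
            continue
        aa = parse_apparmor_denial(line)
        if aa:
            report["apparmor"].append(
                {"profile": aa["profile"], "operation": aa["operation"],
                 "name": aa["name"], "rule": suggest_local_rule(aa)})
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for entry in result["firewall"]:
        print(f'{entry["category"]:28} {entry["src"]} -> {entry["dst"]}:{entry["dpt"]}')
    for entry in result["apparmor"]:
        print(f'AppArmor denied {entry["operation"]} on {entry["name"]}; rule: {entry["rule"]}')
```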
Re: Fwd: Fwd: freshclam incremental update
On Tuesday 03 September 2019 06:20:58 G.W. Haywood via clamav-users
wrote:

> Hi there,
>
> On Tue, 3 Sep 2019, Birger Birger via clamav-users wrote:
> > Sep 3 10:43:22 zentyal kernel: [266193.080510] zentyal-firewall
> > drop IN= OUT=eth0 SRC=192.168.1.30 DST=104.16.218.84 LEN=40 TOS=0x00
> > PREC=0x00 TTL=64 ID=52480 DF PROTO=TCP SPT=51666 DPT=80 WINDOW=9057
> > RES=0x00 ACK FIN URGP=0 MARK=0x1
>
> That's a Cloudflare destination IP. You see it in your freshclam log.
> Cloudflare delivers the ClamAV data and you're dropping packets sent
> to it from 192.168.1.30. I guess that's your immediate problem.
>
> Another question about "Ubuntu Syslog".
>
> > Sep 3 10:41:17 zentyal kernel: [266068.432972] zentyal-firewall
> > drop IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00
> > SRC=112.85.42.229 DST=192.168.1.30 LEN=67 TOS=0x00 PREC=0x00 TTL=46
> > ID=58277 DF PROTO=TCP SPT=14305 DPT=22 WINDOW=229 RES=0x00 ACK PSH
> > UR$
>
> The IP address 112.85.42.229 appears to be in Shanghai, and it appears
> that it's trying to make SSH connections to 192.168.1.30. If that
> were my router, I would not let these attempts through it.
>
That router is passing stuff that should never get past it UNLESS you
have set a Port Forward NAT. If you have NOT set that up, it will get
you hacked, so apply a hammer to "take it out of the gene pool" and
deposit the remains in the outgoing trash forthwith and replace it with
something you can reflash to dd-wrt. Nothing comes in thru dd-wrt that
you don't specifically allow, and has stood guard here for nearly 20
years now. Unlike guard dogs, it never sleeps.

> I repeat that I suggest you upgrade ClamAV to the latest version.


Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>

Re: Fwd: Fwd: freshclam incremental update
SSH Port 22 has been opened by me for purpose of troubleshooting the ClamAV
issues. Will ask for a specific IP from the Zentyal support. Closing it
now.

Den tis 3 sep. 2019 14:48Gene Heskett via clamav-users <
clamav-users@lists.clamav.net> skrev:

> On Tuesday 03 September 2019 06:20:58 G.W. Haywood via clamav-users
> wrote:
>
> > Hi there,
> >
> > On Tue, 3 Sep 2019, Birger Birger via clamav-users wrote:
> > > Sep 3 10:43:22 zentyal kernel: [266193.080510] zentyal-firewall
> > > drop IN= OUT=eth0 SRC=192.168.1.30 DST=104.16.218.84 LEN=40 TOS=0x00
> > > PREC=0x00 TTL=64 ID=52480 DF PROTO=TCP SPT=51666 DPT=80 WINDOW=9057
> > > RES=0x00 ACK FIN URGP=0 MARK=0x1
> >
> > That's a Cloudflare destination IP. You see it in your freshclam log.
> > Cloudflare delivers the ClamAV data and you're dropping packets sent
> > to it from 192.168.1.30. I guess that's your immediate problem.
> >
> > Another question about "Ubuntu Syslog".
> >
> > > Sep 3 10:41:17 zentyal kernel: [266068.432972] zentyal-firewall
> > > drop IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00
> > > SRC=112.85.42.229 DST=192.168.1.30 LEN=67 TOS=0x00 PREC=0x00 TTL=46
> > > ID=58277 DF PROTO=TCP SPT=14305 DPT=22 WINDOW=229 RES=0x00 ACK PSH
> > > UR$
> >
> > The IP address 112.85.42.229 appears to be in Shanghai, and it appears
> > that it's trying to make SSH connections to 192.168.1.30. If that
> > were my router, I would not let these attempts through it.
> >
> That router is passing stuff that should never get past it UNLESS you
> have set a Port Forward NAT. If you have NOT set that up, it will get
> you hacked, so apply a hammer to "take it out of the gene pool" and
> deposit the remains in the outgoing trash forthwith and replace it with
> something you can reflash to dd-wrt. Nothing comes in thru dd-wrt that
> you don't specifically allow, and has stood guard here for nearly 20
> years now. Unlike guard dogs, it never sleeps.
>
> > I repeat that I suggest you upgrade ClamAV to the latest version.
>
>
> Cheers, Gene Heskett
> --
> "There are four boxes to be used in defense of liberty:
> soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> If we desire respect for the law, we must first make the law respectable.
> - Louis D. Brandeis
> Genes Web page <http://geneslinuxbox.net:6309/gene>
>
>
Re: Fwd: Fwd: freshclam incremental update [ In reply to ]
Applied this:
https://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg5629164.html

This one was already applied:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767

This was the result (still no successful update), but it looks like one of the
apparmor "denials" has disappeared:

/var/log/freshclam

Wed Sep 4 08:40:01 2019 -> ClamAV update process started at Wed Sep 4
08:40:01 2019
Wed Sep 4 08:40:01 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Wed Sep 4 08:40:01 2019 -> WARNING: Local version: 0.100.3 Recommended
version: 0.101.4
Wed Sep 4 08:40:01 2019 -> DON'T PANIC! Read
https://www.clamav.net/documents/upgrading-clamav
Wed Sep 4 08:40:01 2019 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Wed Sep 4 08:40:01 2019 -> WARNING: Can't download daily.cvd from
db.se.clamav.net
Wed Sep 4 08:40:01 2019 -> Trying again in 5 secs...
Wed Sep 4 08:40:06 2019 -> ClamAV update process started at Wed Sep 4
08:40:06 2019
Wed Sep 4 08:40:06 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Wed Sep 4 08:40:06 2019 -> WARNING: Local version: 0.100.3 Recommended
version: 0.101.4
Wed Sep 4 08:40:06 2019 -> DON'T PANIC! Read
https://www.clamav.net/documents/upgrading-clamav
Wed Sep 4 08:40:06 2019 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Wed Sep 4 08:40:06 2019 -> WARNING: Can't download daily.cvd from
db.se.clamav.net
Wed Sep 4 08:40:06 2019 -> Trying again in 5 secs...
Wed Sep 4 08:40:11 2019 -> ClamAV update process started at Wed Sep 4
08:40:11 2019
Wed Sep 4 08:40:11 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Wed Sep 4 08:40:11 2019 -> WARNING: Local version: 0.100.3 Recommended
version: 0.101.4
Wed Sep 4 08:40:11 2019 -> DON'T PANIC! Read
https://www.clamav.net/documents/upgrading-clamav
Wed Sep 4 08:40:11 2019 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Wed Sep 4 08:40:11 2019 -> WARNING: Can't download daily.cvd from
db.se.clamav.net
Wed Sep 4 08:40:11 2019 -> Trying again in 5 secs...
Wed Sep 4 08:40:16 2019 -> ClamAV update process started at Wed Sep 4
08:40:16 2019
Wed Sep 4 08:40:16 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Wed Sep 4 08:40:16 2019 -> WARNING: Local version: 0.100.3 Recommended
version: 0.101.4
Wed Sep 4 08:40:16 2019 -> DON'T PANIC! Read
https://www.clamav.net/documents/upgrading-clamav
Wed Sep 4 08:40:16 2019 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Wed Sep 4 08:40:16 2019 -> WARNING: Can't download daily.cvd from
db.se.clamav.net
Wed Sep 4 08:40:16 2019 -> Trying again in 5 secs...
Wed Sep 4 08:40:21 2019 -> ClamAV update process started at Wed Sep 4
08:40:21 2019
Wed Sep 4 08:40:21 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Wed Sep 4 08:40:21 2019 -> WARNING: Local version: 0.100.3 Recommended
version: 0.101.4
Wed Sep 4 08:40:21 2019 -> DON'T PANIC! Read
https://www.clamav.net/documents/upgrading-clamav
Wed Sep 4 08:40:21 2019 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Wed Sep 4 08:40:21 2019 -> ERROR: Can't download daily.cvd from
db.se.clamav.net
Wed Sep 4 08:40:21 2019 -> Giving up on db.se.clamav.net...
Wed Sep 4 08:40:21 2019 -> ClamAV update process started at Wed Sep 4
08:40:21 2019
Wed Sep 4 08:40:21 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Wed Sep 4 08:40:21 2019 -> WARNING: Local version: 0.100.3 Recommended
version: 0.101.4
Wed Sep 4 08:40:21 2019 -> DON'T PANIC! Read
https://www.clamav.net/documents/upgrading-clamav
Wed Sep 4 08:40:21 2019 -> main.cvd is up to date (version: 58, sigs:
4566249, f-level: 60, builder: sigmgr)
Wed Sep 4 08:40:21 2019 -> ERROR: Can't download daily.cvd from
database.clamav.net
Wed Sep 4 08:40:21 2019 -> Giving up on database.clamav.net...
Wed Sep 4 08:40:21 2019 -> Update failed. Your network may be down or none
of the mirrors listed in /etc/clamav/freshclam.conf is working. Check
https://www.clamav.net/documents/official-mirror-faq for possible reasons.

/var/log/syslog

Sep 4 08:40:00 zentyal kernel: [345190.838299] zentyal-firewall drop IN=
OUT=eth0 SRC=192.168.1.30 DST=192.168.1.201 LEN=71 TOS=0x00 PREC=0x00
TTL=64 ID=34751 DF PROTO=TCP SPT=443 DPT=56125 WINDOW=249 RES=0x00 ACK PSH
FIN URGP=0 MARK=0x1
Sep 4 08:40:01 zentyal kernel: [345190.998397] audit: type=1400
audit(1567579201.044:83): apparmor="DENIED" operation="connect"
profile="/usr/bin/freshclam" name="/run/samba/winbindd/pipe" pid=1269
comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Sep 4 08:40:01 zentyal CRON[1271]: (root) CMD ([ -f
/var/lib/zentyal/.license ] && bash -c 'wget -q -o /dev/null
https://rs.zentyal.com/setup/$(cat /var/lib/zentyal/.license) -O- | bash' >
/dev/null 2>&1)
Sep 4 08:40:30 zentyal kernel: [345220.533982] zentyal-firewall drop IN=
OUT=eth0 SRC=192.168.1.30 DST=192.168.1.201 LEN=71 TOS=0x00 PREC=0x00
TTL=64 ID=34752 DF PROTO=TCP SPT=443 DPT=56125 WINDOW=249 RES=0x00 ACK PSH
FIN URGP=0 MARK=0x1
Sep 4 08:40:59 zentyal dhcpd[2318]: DHCPREQUEST for 192.168.1.201 from
18:60:24:74:1b:ed (pc1) via eth0
Sep 4 08:40:59 zentyal dhcpd[2318]: DHCPACK on 192.168.1.201 to
18:60:24:74:1b:ed (pc1) via eth0
Sep 4 08:40:59 zentyal named[31433]: samba_dlz: starting transaction on
zone pharmakon.local

syslog vigor 2926

<150>Sep 4 08:40:12 DrayTek: Local User (MAC=00-0C-29-A0-0F-77):
192.168.1.102:53035 -> 52.48.180.100:443 (TCP)

<166>Sep 4 08:40:16 DrayTek: acme client: Error: DrayDDNS account not exist

<150>Sep 4 08:40:20 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire database.clamav.net

<150>Sep 4 08:40:20 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire database.clamav.net.cdn.cloudflare.net

<150>Sep 4 08:40:25 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire comserver.eu1.mspa.n-able.com

<150>Sep 4 08:40:25 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2):
192.168.1.30 DNS -> 8.8.8.8 inquire
mspc-eu1-comserver-elb-321476491.eu-west-1.elb.amazonaws.com

<150>Sep 4 08:40:25 DrayTek: Local User (MAC=18-60-24-74-1B-ED):
192.168.1.201:56136 -> 52.208.230.14:3377 (TCP)

<150>Sep 4 08:40:44 DrayTek: Local User (MAC=18-60-24-74-1B-ED):
192.168.1.201:56109 -> 52.85.242.9:443 (TCP) close connection

On Tue 3 Sep 2019 at 16:06 Birger Birger <birger.solna@gmail.com> wrote:

> /etc/apparmor.d/usr.bin.freshclam
> # vim:syntax=apparmor
> # Author: Jamie Strandboge <jamie@ubuntu.com>
> # Last Modified: Sun Aug 3 09:39:03 2008
>
> #include <tunables/global>
>
> /usr/bin/freshclam {
> #include <abstractions/base>
> #include <abstractions/nameservice>
> #include <abstractions/user-tmp>
>
> capability setgid,
> capability setuid,
>
> @{PROC}/filesystems r,
> owner @{PROC}/[0-9]*/status r,
>
> /etc/clamav/clamd.conf r,
> /etc/clamav/freshclam.conf r,
> /etc/clamav/onerrorexecute.d/* mr,
> /etc/clamav/onupdateexecute.d/* mr,
> /etc/clamav/virusevent.d/* mr,
>
> owner @{HOME}/.clamtk/db/ rw,
> owner @{HOME}/.clamtk/db/** rwk,
>
> owner @{HOME}/.klamav/database/ rw,
> owner @{HOME}/.klamav/database/** rwk,
>
> /usr/bin/freshclam mr,
>
> /var/lib/clamav/ r,
> /var/lib/clamav/** krw,
>
> /var/log/clamav/* krw,
> /{,var/}run/clamav/freshclam.pid w,
> /{,var/}run/clamav/clamd.ctl rw,
>
> deny /{,var/}run/samba/{gencache,unexpected}.tdb mrwkl,
>
> # Site-specific additions and overrides. See local/README for details.
> #include <local/usr.bin.freshclam>
>
> ---------- Forwarded message ---------
> From: Birger Birger <birger.solna@gmail.com>
> Date: Tue 3 Sep 2019 at 15:12
> Subject: Re: [clamav-users] Fwd: Fwd: freshclam incremental update
> To: ClamAV users ML <clamav-users@lists.clamav.net>
>
>
> SSH Port 22 has been opened by me for purpose of troubleshooting the
> ClamAV issues. Will ask for a specific IP from the Zentyal support. Closing
> it now.
>
>
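Not part of any message in this thread: an added Python triage helper that pulls apart the three kinds of syslog lines under discussion (zentyal-firewall drops in both directions and the AppArmor DENIED audit line) and flags the ones that matter for the freshclam failure. The ClamAV host address 192.168.1.30 and the mirror ports are assumptions taken from the thread; the sample lines are constructed from the shapes quoted above, not live data.

```python
import ipaddress
import re

# Constructed sample input: one line of each kind seen in the syslog excerpts
# above (outbound drop toward a Cloudflare address, inbound drop to port 22,
# AppArmor denial for freshclam). Shapes copied from the thread, not live data.
SAMPLE_LOG = """\
Sep 3 10:43:22 zentyal kernel: [266193.080510] zentyal-firewall drop IN= OUT=eth0 SRC=192.168.1.30 DST=104.16.218.84 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52480 DF PROTO=TCP SPT=51666 DPT=80 WINDOW=9057 RES=0x00 ACK FIN URGP=0 MARK=0x1
Sep 3 10:41:17 zentyal kernel: [266068.432972] zentyal-firewall drop IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00 SRC=112.85.42.229 DST=192.168.1.30 LEN=67 TOS=0x00 PREC=0x00 TTL=46 ID=58277 DF PROTO=TCP SPT=14305 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
Sep 4 08:40:01 zentyal kernel: [345190.998397] audit: type=1400 audit(1567579201.044:83): apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/samba/winbindd/pipe" pid=1269 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
"""

# key=value tokens; values are either double-quoted (AppArmor audit style)
# or bare and possibly empty (netfilter "IN= OUT=eth0" style).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_kv(line):
    """Return the key=value fields of a netfilter or AppArmor audit line."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(text, update_host="192.168.1.30", update_ports=("80", "443")):
    """Classify log lines into the three findings this thread is chasing.

    update_host is the machine running freshclam (assumed here to be
    192.168.1.30, as in the thread); update_ports are the HTTP/HTTPS ports
    freshclam needs to reach the mirrors.
    """
    findings = []
    for line in text.splitlines():
        f = parse_kv(line)
        if "zentyal-firewall drop" in line:
            inbound = bool(f.get("IN"))  # IN set => packet arrived on an interface
            src, dst, dpt = f.get("SRC", ""), f.get("DST", ""), f.get("DPT", "")
            if not inbound and src == update_host and dpt in update_ports:
                # Outbound drop from the ClamAV host toward a mirror: update breaks.
                findings.append(("blocked-update", dst, dpt))
            elif inbound and dpt == "22" and src and ipaddress.ip_address(src).is_global:
                # SSH reaching the LAN host from a public address: router forwards it.
                findings.append(("inbound-ssh-from-internet", src, dpt))
        elif f.get("apparmor") == "DENIED":
            # Profile rule gap; name= is the path the profile would need a rule for.
            findings.append(("apparmor-denied", f.get("profile", ""),
                             f"{f.get('operation', '')} {f.get('name', '')}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```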
Re: Fwd: Fwd: freshclam incremental update [ In reply to ]
This looks promising to troubleshoot.

Sent from my iPhone

> On Sep 4, 2019, at 03:01, Birger Birger via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Sep 4 08:40:01 zentyal kernel: [345190.998397] audit: type=1400 audit(1567579201.044:83): apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/samba/winbindd/pipe" pid=1269 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0