
[Dr.Web] How to use Plesk antivirus

Noturns

Regular Pleskian
Dear comrades,

Code:
/opt/drweb/drweb32.key - Key file was not found!
How can I check where my current license for DrWeb is?

I received a couple of important postmaster reports from Dr.Web that a virus has been found in a user's mailbox on my server. Attached below are relevant details. I have been looking into the situation and tried to find the source and a solution.

I found many topics about how to install and configure Dr.Web antivirus but not how to remove a virus/malware. I understand it also depends on which virus is installed.

Could someone please advise me which steps I should proceed with?
- Is there a command I can run?
- Or create a new mailbox for [email protected]?

Server specifications:
Version Plesk v12.5.30_build1205150826.19
OS CentOS 6.7 (Final)

After server reboot:
Services = Problem
Disk = Ok
Memory = Ok
CPU = Problem
Network = Ok

For privacy concerns I have changed the Sender and Recipients in the email.
I look forward to reading your replies.

Kind regards,

Postmaster warning:
Code:
Dear Postmaster,

A message with the following attributes was not delivered because it
contains an infected object.

Sender = [email protected] (may be forged)
Recipients = [email protected]
Subject =  Emailing: photo 05-18-2016, 24 44 87
Message-ID =  <6280eb4fd4ad$74a136de5470acd25$domain.com>

--- Antivirus report ---
The following viruses were found:
Known virus(es):
JS.DownLoader.1225

Detailed report:
127.0.0.1 [17737] drweb.tmp.FnfZAz - archive MAIL
127.0.0.1 [17737] >drweb.tmp.FnfZAz/1.part - Ok
127.0.0.1 [17737] >drweb.tmp.FnfZAz/4.part - Ok
127.0.0.1 [17737] >drweb.tmp.FnfZAz/5.part infected with
JS.DownLoader.1225

Scanning statistics:
Known viruses : 1

--- Antivirus report ---

The original message was stored in an archive record named:
drweb.quarantine.AJbFnp

Received-SPF: none (no valid SPF record)
From: <[email protected]>
To: <[email protected]>
Subject: Emailing: photo 05-18-2016, 24 44 87
Date: Wed, 18 May 2016 23:33:12 +0600
Message-ID: <6280eb4fd4ad$74a136de5470acd25$domain.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary="----=_NextPart_000_F728_49B7C393.BA9BA985"
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-gb
Envelope-To: <[email protected]>

File location
May 20 17:04:04 vps2 drwebd.real: 127.0.0.1 [5029] /var/spool/drweb/spool/drweb.tmp.tRczY0 - archive MAIL
May 20 17:04:04 vps2 drwebd.real: 127.0.0.1 [5029] >/var/spool/drweb/spool/drweb.tmp.tRczY0/1.part - Ok
May 20 17:04:04 vps2 drwebd.real: 127.0.0.1 [5029] /var/spool/drweb/spool/drweb.tmp.tRczY0 - Ok

Watchdog

I found a suspicious file in the watchdog log. What do you guys think, are these safe to delete?
[07:02:01] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[07:02:01] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[07:02:01] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression

System logs

Code:
May 20 20:00:33 vps2 drwebd.real: Daemon is installed, active interfaces:  /var/drweb/run/.daemon  127.0.0.1:3000
May 20 20:03:35 vps2 drwebd.real: 127.0.0.1 [5942] /var/spool/drweb/spool/drweb.tmp.12QJn7 - archive MAIL
May 20 20:03:35 vps2 drwebd.real: 127.0.0.1 [5942] >/var/spool/drweb/spool/drweb.tmp.12QJn7/1.part - Ok
May 20 20:03:35 vps2 drwebd.real: 127.0.0.1 [5942] /var/spool/drweb/spool/drweb.tmp.12QJn7 - Ok
May 20 20:04:20 vps2 wdcollect[3698]: Connection to server has been established.
May 20 20:04:20 vps2 drwebd.real: 127.0.0.1 [5942] /var/spool/drweb/spool/drweb.tmp.tt0XoN - archive MAIL
May 20 20:04:20 vps2 drwebd.real: 127.0.0.1 [5942] >/var/spool/drweb/spool/drweb.tmp.tt0XoN/1.part - Ok
May 20 20:04:20 vps2 drwebd.real: 127.0.0.1 [5942] /var/spool/drweb/spool/drweb.tmp.tt0XoN - Ok
May 20 20:05:21 vps2 wdcollect[3698]: Connection to SMTP server has been closed.
May 20 20:13:09 vps2 drwebd.real: 127.0.0.1 [10712] /var/spool/drweb/spool/drweb.tmp.KucKrF - archive MAIL
May 20 20:13:09 vps2 drwebd.real: 127.0.0.1 [10712] >/var/spool/drweb/spool/drweb.tmp.KucKrF/3.part - Ok
May 20 20:13:09 vps2 drwebd.real: 127.0.0.1 [10712] >/var/spool/drweb/spool/drweb.tmp.KucKrF/4.part - Ok
May 20 20:13:09 vps2 drwebd.real: 127.0.0.1 [10712] >/var/spool/drweb/spool/drweb.tmp.KucKrF/5.reexport - Ok
May 20 20:13:09 vps2 drwebd.real: 127.0.0.1 [10712] >/var/spool/drweb/spool/drweb.tmp.KucKrF/6.reexport - Ok
May 20 20:13:09 vps2 drwebd.real: 127.0.0.1 [10712] /var/spool/drweb/spool/drweb.tmp.KucKrF - Ok

What's going on here?

System log
Code:
May 20 20:26:09 vps2 sshd[16850]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
May 20 20:26:09 vps2 sshd[16850]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 20 20:26:14 vps2 sshd[16861]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
May 20 20:26:14 vps2 sshd[16861]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 20 20:26:17 vps2 sshd[16897]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
May 20 20:26:17 vps2 sshd[16897]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 20 20:30:37 vps2 sshd[18709]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
May 20 20:30:37 vps2 sshd[18709]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key

What's going on?
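The drwebd.real lines quoted in the post and in the postmaster report follow one pattern: an "archive MAIL" line for the spooled message, one ">...N.part" line per MIME part with either "- Ok" or "infected with <name>", all tagged with the same request id in square brackets. The following script is an added example (not code from the post, from Plesk or from Dr.Web) that groups such lines by request id, lists which part of which spooled message was flagged, and pulls the quarantine record name out of a postmaster notification so the two can be matched. The sample log lines and report excerpt are constructed for the example, and it assumes syslog stores the "infected with" verdict on a single line (the postmaster e-mail wraps it).

```python
"""Triage helper for Dr.Web (drwebd) scan logs on a Plesk mail host.

Groups drwebd.real syslog lines by request id, reports which MIME part of
which spooled message was flagged, and extracts the quarantine record name
from the Dr.Web postmaster notification so the two can be matched up.
"""
import re
from collections import OrderedDict

# Constructed sample lines, modelled on the drwebd.real syslog format shown
# in the post (the infected line is written unwrapped, as syslog stores it).
SAMPLE_SYSLOG = """\
May 20 20:03:35 vps2 drwebd.real: 127.0.0.1 [5942] /var/spool/drweb/spool/drweb.tmp.12QJn7 - archive MAIL
May 20 20:03:35 vps2 drwebd.real: 127.0.0.1 [5942] >/var/spool/drweb/spool/drweb.tmp.12QJn7/1.part - Ok
May 20 20:03:35 vps2 drwebd.real: 127.0.0.1 [5942] /var/spool/drweb/spool/drweb.tmp.12QJn7 - Ok
May 20 20:04:20 vps2 wdcollect[3698]: Connection to server has been established.
May 20 17:04:04 vps2 drwebd.real: 127.0.0.1 [17737] /var/spool/drweb/spool/drweb.tmp.FnfZAz - archive MAIL
May 20 17:04:04 vps2 drwebd.real: 127.0.0.1 [17737] >/var/spool/drweb/spool/drweb.tmp.FnfZAz/1.part - Ok
May 20 17:04:04 vps2 drwebd.real: 127.0.0.1 [17737] >/var/spool/drweb/spool/drweb.tmp.FnfZAz/4.part - Ok
May 20 17:04:04 vps2 drwebd.real: 127.0.0.1 [17737] >/var/spool/drweb/spool/drweb.tmp.FnfZAz/5.part infected with JS.DownLoader.1225
"""

# Constructed excerpt of a postmaster notification in the format quoted above.
SAMPLE_REPORT = """\
The original message was stored in an archive record named:
drweb.quarantine.AJbFnp
"""

# One drwebd.real line: timestamp, host, client address, [request id],
# optional '>' for a nested part, the path, then either "- <status>" or
# "infected with <virus name>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) drwebd\.real: "
    r"(?P<client>\S+) \[(?P<req>\d+)\] (?P<nested>>?)(?P<path>\S+) "
    r"(?:- (?P<status>.+?)|infected with (?P<virus>\S+))\s*$"
)
QUARANTINE_RE = re.compile(r"archive record named:\s*(?P<name>\S+)")


def parse_line(line):
    """Return the fields of one drwebd.real line, or None for other syslog lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def group_by_request(text):
    """Group drwebd lines by request id (the number in square brackets).

    Each group records the spooled archive path and every nested part verdict.
    """
    groups = OrderedDict()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a drwebd.real line (e.g. wdcollect)
        g = groups.setdefault(rec["req"], {"archive": None, "parts": []})
        if rec["nested"]:
            g["parts"].append((rec["path"], rec["virus"] or rec["status"]))
        else:
            g["archive"] = rec["path"]
    return groups


def infected_parts(text):
    """List (request id, archive, part path, verdict) for every part not marked Ok."""
    hits = []
    for req, g in group_by_request(text).items():
        for path, verdict in g["parts"]:
            if verdict != "Ok":
                hits.append((req, g["archive"], path, verdict))
    return hits


def quarantine_record(report_text):
    """Extract the quarantine record name from a Dr.Web postmaster report."""
    m = QUARANTINE_RE.search(report_text)
    return m.group("name") if m else None


if __name__ == "__main__":
    for req, archive, path, verdict in infected_parts(SAMPLE_SYSLOG):
        print(f"request {req}: {path} in {archive} flagged as {verdict}")
    print("quarantine record:", quarantine_record(SAMPLE_REPORT))
```

Run against the real files, the same functions can be fed the contents of /var/log/maillog (or wherever syslog writes drwebd output on the host) and the saved postmaster e-mail; the request id is what ties a "- archive MAIL" line to its part verdicts, and the quarantine record name is what to look for in the Dr.Web quarantine directory rather than in the user's mailbox.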