[clamav-users] mirror redirect to emeksensin.com

Joel Esler (jesler) jesler at cisco.com
Tue Sep 6 17:04:28 EDT 2016


This IP has been removed from the pool.  You should see it stop shortly.

Sent from my iPad

On Sep 6, 2016, at 4:38 PM, Can Altineller <altineller at gmail.com> wrote:

Hello,

I am the administrator of emeksensin.com, a Turkish arts and crafts website.

For some reason, we are getting requests from clamav users / or clients.

I emailed the clamav developers group years ago, like two years ago,
telling them about the problem. I got no reply. I recently noticed an
anomaly with our internal log analysis software and I noticed that the
problem still persists. I had thought this was some temporary oversight by
someone at clamav, but it seems that either this is not the case, or maybe
someone coded hardware with clamav, perhaps?

This issue has been brought up before at:
http://lists.clamav.net/pipermail/clamav-users/2015-November/002020.html

The weblogs look like this:

emeksensin.com:80 71.144.32.150 - - [31/Jul/2016:06:37:35 +0300] "GET /daily-22000.cdiff HTTP/1.0" 301 - "-" "clamav/0.94.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" "-"
emeksensin.com:80 71.144.32.150 - - [31/Jul/2016:06:37:36 +0300] "GET /daily.cvd HTTP/1.0" 301 - "-" "clamav/0.94.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" "-"
emeksensin.com:80 71.57.125.225 - - [31/Jul/2016:06:37:37 +0300] "GET /daily-22000.cdiff HTTP/1.0" 301 - "-" "ClamAV/devel-clamav-0.97-567-gb047bc0 (OS: win32, ARCH: i386, CPU: i386)" "-"
emeksensin.com:80 173.164.65.200 - - [31/Jul/2016:06:37:38 +0300] "GET /daily-22000.cdiff HTTP/1.0" 301 - "-" "ClamAV/devel-clamav-0.96 (OS: win32, ARCH: i386, CPU: i386)" "-"

A normal request to the same resource looks like this (our site returns
404):

emeksensin.com:80 xxx.xxx.xxx.xxx - - [06/Sep/2016:23:22:37 +0300] "GET /main.cvd HTTP/1.1" 404 836 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36" "

What can we do about this? If there are people working on the
problem, I could assist by providing tcpdumps of the packets in question,
or I could program a special servlet returning an empty file or some
special response or redirect.

Best regards,
C.A.
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

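The pattern in the thread, stale freshclam clients still polling a hostname that left the mirror pool, is easy to pick out of a web server log. The following is an added example, not code from the thread or from the ClamAV project: it parses the vhost-prefixed Apache combined format shown above, keeps only requests whose User-Agent is a ClamAV client and whose path is a signature database file, and tallies the client versions so an administrator can see which outdated releases are still knocking. The sample lines are constructed, modelled on the entries in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the vhost-prefixed Apache "combined" format seen in the thread.
SAMPLE_LOG = """\
emeksensin.com:80 71.144.32.150 - - [31/Jul/2016:06:37:35 +0300] "GET /daily-22000.cdiff HTTP/1.0" 301 - "-" "clamav/0.94.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" "-"
emeksensin.com:80 71.57.125.225 - - [31/Jul/2016:06:37:37 +0300] "GET /daily-22000.cdiff HTTP/1.0" 301 - "-" "ClamAV/devel-clamav-0.97-567-gb047bc0 (OS: win32, ARCH: i386, CPU: i386)" "-"
emeksensin.com:80 203.0.113.7 - - [06/Sep/2016:23:22:37 +0300] "GET /main.cvd HTTP/1.1" 404 836 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/51.0.2704.79 Safari/537.36" "-"
"""

# vhost:port, client IP, ident, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# freshclam identifies itself as "clamav/<version> (...)"; older builds use "ClamAV/...".
UA_RE = re.compile(r'^clamav/(?P<version>\S+)', re.IGNORECASE)
# Signature database artefacts a freshclam client fetches from a mirror.
DB_PATH_RE = re.compile(r'^/(main|daily|bytecode)(-\d+)?\.(cvd|cdiff)$')


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_clamav_mirror_requests(log_text):
    """Return (ip, client_version, path, status) for every freshclam hit on a DB file."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ua = UA_RE.match(rec["ua"])
        if ua and DB_PATH_RE.match(rec["path"]):
            hits.append((rec["ip"], ua.group("version"), rec["path"], int(rec["status"])))
    return hits


def summarize_versions(hits):
    """Count how many DB requests each ClamAV client version made."""
    return Counter(version for _, version, _, _ in hits)


if __name__ == "__main__":
    found = find_clamav_mirror_requests(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(summarize_versions(found))
```

Feed it a real access log in place of SAMPLE_LOG to get the list of source IPs and client versions; the version tally is what tells you whether the traffic is a handful of forgotten installs or a widely shipped build with the hostname baked in.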