ClamAV's own signature formats (.ndb, .ldb, .hdb, etc) are written in hexadecimal instead, which avoids this problem (but is a lot more cumbersome to work with). I'm not familiar with the "rfxn" signature databases you have, so I don't know what's in there or why their yara rule is also alerting on their ndb and hdb database files. Either way, no - your server is not infected.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On Jan 4, 2019, at 9:00 AM, Tilman Schmidt <tschmidt@cardtech.de> wrote:

Do not run clamscan over your entire filesystem.
It's a bad idea.

In your case clamscan found something looking like a virus in its own
signatures, which is hardly surprising and certainly not a sign of an
infection.

Am 04.01.19 um 13:28 schrieb Kaushal Shriyan:

when i am running clamscan

#clamscan --infected --recursive /
/var/lib/clamav/rfxn.hdb:
YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.ndb:
YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND

[root@ clamav]# pwd
/var/lib/clamav
[root@ clamav]# ls -ltrh
total 268M
-rw-r--r--. 1 clamupdate clamupdate 113M Dec 13 02:31 main.cvd
-rw-r--r--. 1 clamupdate clamupdate 990K Jan 2 18:00 bytecode.cld
-rw-r--r--. 1 root root 441K Jan 4 03:52 rfxn.ndb
-rw-r--r--. 1 root root 828K Jan 4 03:52 rfxn.hdb
-rw-r--r--. 1 root root 400K Jan 4 03:52 rfxn.yara
-rw-r--r--. 1 clamupdate clamupdate 153M Jan 4 09:00 daily.cld
-rw-------. 1 clamupdate clamupdate 520 Jan 4 12:21 mirrors.dat
[root@ clamav]#

Is the CentOS Linux release 7.3.1611 (Core) server infected with
Malware? Please suggest. Thanks in Advance.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml