Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: ClamAV: users

False positive submission page down (for a few days now)?

  

 
ClamAV users RSS feed   Index | Next | Previous | View Threaded


Ralf.Hildebrandt at charite

Apr 19, 2012, 4:59 AM

Post #1 of 19 (1281 views)
Permalink
False positive submission page down (for a few days now)?
Is there an alternative way of submitting FP's?

--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt [at] charite Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


edwin at clamav

Apr 19, 2012, 5:15 AM

Post #2 of 19 (1243 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
On 04/19/2012 02:59 PM, Ralf Hildebrandt wrote:
> Is there an alternative way of submitting FP's?
>

Are you using this page?
http://www.clamav.net/lang/en/sendvirus/submit-fp/

Best regards,
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Ralf.Hildebrandt at charite

Apr 19, 2012, 5:24 AM

Post #3 of 19 (1243 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
* Török Edwin <edwin [at] clamav>:
> On 04/19/2012 02:59 PM, Ralf Hildebrandt wrote:
> > Is there an alternative way of submitting FP's?
> >
>
> Are you using this page?
> http://www.clamav.net/lang/en/sendvirus/submit-fp/

Yep.

--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt [at] charite Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


tkojm at clamav

Apr 19, 2012, 5:59 AM

Post #4 of 19 (1243 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
W dniu 04/19/12 14:24, Ralf Hildebrandt pisze:
> * Török Edwin <edwin [at] clamav>:
>> On 04/19/2012 02:59 PM, Ralf Hildebrandt wrote:
>>> Is there an alternative way of submitting FP's?
>>>
>>
>> Are you using this page?
>> http://www.clamav.net/lang/en/sendvirus/submit-fp/
>
> Yep.

I just tested and it worked fine for me.

What's exactly the problem on your side?

--
oo ..... Tomasz Kojm <tkojm [at] clamav>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Thu Apr 19 14:57:05 CEST 2012
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Ralf.Hildebrandt at charite

Apr 19, 2012, 6:10 AM

Post #5 of 19 (1246 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
> I just tested and it worked fine for me.
>
> What's exactly the problem on your side?

I keep getting:

Under maintenance. Try again later.

--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt [at] charite Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


azidouemba at sourcefire

Apr 19, 2012, 6:14 AM

Post #6 of 19 (1248 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
Just tried it, works for me.

-Alain

On Apr 19, 2012, at 9:11 AM, Ralf Hildebrandt
<Ralf.Hildebrandt [at] charite> wrote:

>
>> I just tested and it worked fine for me.
>>
>> What's exactly the problem on your side?
>
> I keep getting:
>
> Under maintenance. Try again later.
>
> --
> Ralf Hildebrandt Charite Universitätsmedizin Berlin
> ralf.hildebrandt [at] charite Campus Benjamin Franklin
> http://www.charite.de Hindenburgdamm 30, 12203 Berlin
> Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


edwin at clamav

Apr 19, 2012, 6:17 AM

Post #7 of 19 (1243 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
On 04/19/2012 04:10 PM, Ralf Hildebrandt wrote:
>
>> I just tested and it worked fine for me.
>>
>> What's exactly the problem on your side?
>
> I keep getting:
>
> Under maintenance. Try again later.
>

How big is the file that you're trying to upload?


--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


tshaw at oitc

Apr 19, 2012, 6:17 AM

Post #8 of 19 (1243 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
On Apr 19, 2012, at 8:24 AM, Ralf Hildebrandt wrote:

> * Török Edwin <edwin [at] clamav>:
>> On 04/19/2012 02:59 PM, Ralf Hildebrandt wrote:
>>> Is there an alternative way of submitting FP's?
>>>
>>
>> Are you using this page?
>> http://www.clamav.net/lang/en/sendvirus/submit-fp/
>
> Yep.
>

Works here in Safari and Chrome and Firefox.

Tom

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Ralf.Hildebrandt at charite

Apr 19, 2012, 6:19 AM

Post #9 of 19 (1249 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
* Török Edwin <edwin [at] clamav>:
> On 04/19/2012 04:10 PM, Ralf Hildebrandt wrote:
> >
> >> I just tested and it worked fine for me.
> >>
> >> What's exactly the problem on your side?
> >
> > I keep getting:
> >
> > Under maintenance. Try again later.
> >
>
> How big is the file that you're trying to upload?

I'm not getting a form, all I get is "Under maintenance. Try again
later." - must be a cachin issue somewhere

--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt [at] charite Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Ralf.Hildebrandt at charite

Apr 19, 2012, 6:21 AM

Post #10 of 19 (1232 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
> > How big is the file that you're trying to upload?
>
> I'm not getting a form, all I get is "Under maintenance. Try again
> later." - must be a cachin issue somewhere

Varnish (reverse proxy) is giving my this:

$ telnet proxy.charite.de 8080
Trying 141.42.1.205...
Connected to proxy.charite.de.
Escape character is '^]'.
GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0

HTTP/1.0 503 Service Unavailable
Server: Varnish
Content-Type: text/html; charset=utf-8
Retry-After: 5
Content-Length: 284
Accept-Ranges: bytes
Date: Thu, 19 Apr 2012 13:20:02 GMT
X-Varnish: 216808379
Age: 0
X-Cache: MISS from proxy-cvk-1
Via: 1.1 varnish, 1.0 proxy-cvk-1 (squid/3.1.19-20120412-r10444)
Connection: close


<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
<html>
<head>
<title>Maintenance</title>
</head>
<body>
<h1>Under maintenance. Try again later.</h1>
</body>
</html>
Connection closed by foreign host.

--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt [at] charite Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Ralf.Hildebrandt at charite

Apr 19, 2012, 6:25 AM

Post #11 of 19 (1234 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
> GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0
>
> HTTP/1.0 503 Service Unavailable
> Server: Varnish
> Content-Type: text/html; charset=utf-8
> Retry-After: 5
> Content-Length: 284
> Accept-Ranges: bytes
> Date: Thu, 19 Apr 2012 13:20:02 GMT
> X-Varnish: 216808379
> Age: 0
> X-Cache: MISS from proxy-cvk-1
> Via: 1.1 varnish, 1.0 proxy-cvk-1 (squid/3.1.19-20120412-r10444)
> Connection: close

This happens if I access the site via a proxy.
From the proxy machine itself, I'm getting this:

GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
Vary: Accept-Encoding
Content-Type: text/html; charset=ISO-8859-1
X-Cacheable: VarnishResNoCacheHost
Content-Length: 2495
Accept-Ranges: bytes
Date: Thu, 19 Apr 2012 13:23:34 GMT
X-Varnish: 216809483
Age: 0
Via: 1.1 varnish
Connection: close
... remained of page sent correctly ...

The FP submission page used to work for us uptill now. Hm.

--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt [at] charite Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


edwin at clamav

Apr 19, 2012, 6:27 AM

Post #12 of 19 (1231 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
On 04/19/2012 04:21 PM, Ralf Hildebrandt wrote:
>>> How big is the file that you're trying to upload?
>>
>> I'm not getting a form, all I get is "Under maintenance. Try again
>> later." - must be a cachin issue somewhere
>
> Varnish (reverse proxy) is giving my this:
>
> $ telnet proxy.charite.de 8080
> Trying 141.42.1.205...
> Connected to proxy.charite.de.
> Escape character is '^]'.
> GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0
>
> HTTP/1.0 503 Service Unavailable

Can you try flushing your varnish cache, and trying again?
Maybe for some reason it cached an older 503 page.

I get this when connecting directly to cgi.clamav.net:
GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
Vary: Accept-Encoding
Content-Type: text/html; charset=ISO-8859-1
X-Cacheable: VarnishResNoCacheHost
Content-Length: 2495
Accept-Ranges: bytes
Date: Thu, 19 Apr 2012 13:25:30 GMT
X-Varnish: 216809903
Age: 0
Via: 1.1 varnish
Connection: close

> Server: Varnish
> Content-Type: text/html; charset=utf-8
> Retry-After: 5
> Content-Length: 284
> Accept-Ranges: bytes
> Date: Thu, 19 Apr 2012 13:20:02 GMT
> X-Varnish: 216808379
> Age: 0
> X-Cache: MISS from proxy-cvk-1
> Via: 1.1 varnish, 1.0 proxy-cvk-1 (squid/3.1.19-20120412-r10444)
> Connection: close
>
>
> <?xml version="1.0" encoding="utf-8" ?>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
> <html>
> <head>
> <title>Maintenance</title>
> </head>
> <body>
> <h1>Under maintenance. Try again later.</h1>
> </body>
> </html>
> Connection closed by foreign host.
>

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Ralf.Hildebrandt at charite

Apr 19, 2012, 6:30 AM

Post #13 of 19 (1233 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
* Török Edwin <edwin [at] clamav>:

> Can you try flushing your varnish cache, and trying again?

It's your varnish cache :) (we don't have any here)

I already restarted my squid servers, no change. It's very odd.

--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt [at] charite Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Ralf.Hildebrandt at charite

Apr 19, 2012, 6:43 AM

Post #14 of 19 (1232 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
* Ralf Hildebrandt <Ralf.Hildebrandt [at] charite>:
> * Török Edwin <edwin [at] clamav>:
>
> > Can you try flushing your varnish cache, and trying again?
>
> It's your varnish cache :) (we don't have any here)
>
> I already restarted my squid servers, no change. It's very odd.

Now I emptied my cache partitions as well: Still the same.

--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt [at] charite Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


edwin at clamav

Apr 19, 2012, 6:46 AM

Post #15 of 19 (1236 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
On 04/19/2012 04:43 PM, Ralf Hildebrandt wrote:
> * Ralf Hildebrandt <Ralf.Hildebrandt [at] charite>:
>> * Török Edwin <edwin [at] clamav>:
>>
>>> Can you try flushing your varnish cache, and trying again?
>>
>> It's your varnish cache :) (we don't have any here)
>>
>> I already restarted my squid servers, no change. It's very odd.
>
> Now I emptied my cache partitions as well: Still the same.
>

Does it work if you append a random GET parameter to the URL (like ?unused=test).

--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Ralf.Hildebrandt at charite

Apr 19, 2012, 6:52 AM

Post #16 of 19 (1242 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
> Does it work if you append a random GET parameter to the URL (like ?unused=test).

Nope, still the same. Maybe somebody configured varnish to give my IP
address range (193.175.73.20x) a 503: Service Unavailable?

$ wget -nd -S "http://cgi.clamav.net/sendfp.cgi?unused=test"
--2012-04-19 15:50:26-- http://cgi.clamav.net/sendfp.cgi?unused=test
Resolving proxy.charite.de (proxy.charite.de)... 141.42.1.205


Connecting to proxy.charite.de
(proxy.charite.de)|141.42.1.205|:8080... connected.
Proxy request sent, awaiting response...
HTTP/1.0 503 Service Unavailable
Server: Varnish
Content-Type: text/html; charset=utf-8
Retry-After: 5
Content-Length: 284
Accept-Ranges: bytes
Date: Thu, 19 Apr 2012 13:50:26 GMT
X-Varnish: 216817722
Age: 0
Via: 1.1 varnish
X-Cache: MISS from proxy-cvk-1
Connection: keep-alive
2012-04-19 15:50:27 ERROR 503: Service Unavailable.

--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt [at] charite Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


luca at clamav

Apr 19, 2012, 12:29 PM

Post #17 of 19 (1230 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
Hello Ralf,

> $ telnet proxy.charite.de 8080
> Trying 141.42.1.205...
> Connected to proxy.charite.de.
> Escape character is '^]'.
> GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0

we use name based virtual hosting, you must switch to HTTP/1.1 and
send a Host: header as well

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html and
http://www8.org/w8-papers/5c-protocols/key/key.html

Most likely your proxy is issuing a HTTP/1.0 request upstream?

Best regards

--
Luca Gibelli (luca _at_ clamav.net) ClamAV, a GPL anti-virus toolkit
[Tel] +39 0187 1851862 [Fax] +39 0187 1852252 [IM] nervous/jabber.linux.it
PGP key id 5EFC5582 @ any key-server || http://www.clamav.net/gpg/luca.gpg
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Ralf.Hildebrandt at charite

May 3, 2012, 7:00 AM

Post #18 of 19 (1137 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
* Luca Gibelli <luca [at] clamav>:
> Hello Ralf,
>
> > $ telnet proxy.charite.de 8080
> > Trying 141.42.1.205...
> > Connected to proxy.charite.de.
> > Escape character is '^]'.
> > GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0
>
> we use name based virtual hosting, you must switch to HTTP/1.1 and
> send a Host: header as well
>
> See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html and
> http://www8.org/w8-papers/5c-protocols/key/key.html
>
> Most likely your proxy is issuing a HTTP/1.0 request upstream?

It's still not working and unfortunately your admin is not willing to
check the logs to see whats being logged for my source IP.

--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt [at] charite Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Ralf.Hildebrandt at charite

May 4, 2012, 3:30 AM

Post #19 of 19 (1113 views)
Permalink
Re: False positive submission page down (for a few days now)? [In reply to]
* Luca Gibelli <luca [at] clamav>:

> Most likely your proxy is issuing a HTTP/1.0 request upstream?

Could you PLEASE check the server's logs?

We're definitely sending HTTP/1.1 requests with all the headers, see
below:

output from tcpdump:

GET /sendfp.cgi HTTP/1.1
Host: cgi.clamav.net
Pragma: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/12.04 Chromium/18.0.1025.168 Chrome/18.0.1025.168 Safari/535.19
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: de,en;q=0.8,en-US;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165234925.7124351.1326790435.1336028009.1336053668.11; __utmz=165234925.1326790435.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Via: 1.1 proxy-cbf-1 (squid/3.1.19-20120418-r10444)
X-Forwarded-For: unknown
Cache-Control: max-age=0
Connection: keep-alive

answer:

HTTP/1.1 503 Service Unavailable
Server: Varnish
Content-Type: text/html; charset=utf-8
Retry-After: 5
Content-Length: 284
Accept-Ranges: bytes
Date: Fri, 04 May 2012 10:29:21 GMT
X-Varnish: 221993613
Age: 0
Via: 1.1 varnish
Connection: close

--
Ralf Hildebrandt Charite Universitätsmedizin Berlin
ralf.hildebrandt [at] charite Campus Benjamin Franklin
http://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

ClamAV users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.