# Found malware by clamscan

## x0fis

Hello, 

I'm running clamscan because something is spamming from our server(nothink in logs  :Sad:  )

```
clamscan -r --bell -i 
```

outputs 

```
/usr/lib64/perl5/vendor_perl/5.20.1/LWP/UserAgent.pm: winnow.malware.ts.url.886558.UNOFFICIAL FOUND

/usr/portage/distfiles/libwww-perl-6.05.tar.gz: winnow.malware.ts.url.886558.UNOFFICIAL FOUND

```

Maybe UserAgent.pm is attackers file? Where can I find more information like what type of malware is that, what does do, etc.?

I want to remove these files. So rm /usr/portage/distfiles/libwww-perl-6.05.tar.gz and then emerge -C dev-perl/libwww-perl-6.50.0 which belongs to UserAgent.pm and then emerge dev-perl/libwww-perl-6.50.0 back?

Thank you!

----------

## eccerr0r

There's a distinct possibility that there's a false positive here... then again everyone who has libwww-perl-6.05.tar.gz may have the problem... I haven't tested this yet however...

Theoretically if the checksum on the tar.gz file matches the Gentoo repo, then emerging it again will still test positive.  Try emerge -f libwww-perl and see if it downloads the same file again...

[EDIT]

I just freshclamed and scanned my copy of libwww-perl and there's no positive report on it...

----------

## seminiva

 *eccerr0r wrote:*   

> There's a distinct possibility that there's a false positive here... then again everyone who has libwww-perl-6.05.tar.gz may have the problem... I haven't tested this yet however...
> 
> Theoretically if the checksum on the tar.gz file matches the Gentoo repo, then emerging it again will still test positive.  Try emerge -f libwww-perl and see if it downloads the same file again...
> 
> [EDIT]
> ...

 

I also think this is a false positive. For example, on one of my sites, a report appeared in the hosting control panel that there are 11 files with possible problems. As a result, these turned out to be junk pages from the caching plugin, which for some reason were created so crookedly and were not deleted when the cache was rebuilt.

----------

